From fb177f95dbb64712879ebd66fad3670552865ff1 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Tue, 18 Jun 2024 04:51:29 -0700
Subject: [PATCH 1/9] [threat-actors] Add UTG-Q-008
---
 clusters/threat-actor.json | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 418b273c..90864661 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -16089,6 +16089,16 @@
 },
 "uuid": "4b32ad58-972e-4aa2-be3d-ff875ed06eba",
 "value": "Hunt3r Kill3rs"
+ },
+ {
+ "description": "UTG-Q-008 is a threat actor targeting Linux platforms, primarily focusing on government and enterprise entities in China. They utilize a massive botnet network for espionage activities, including reconnaissance, brute-forcing, and Trojan component delivery. The actor has a history of compromising thousands of servers in China using a password dictionary based on Chinese Pinyin. UTG-Q-008 operates during standard working hours in the UTC+8 time zone, with potential ties to Eastern Europe.",
+ "meta": {
+ "refs": [
+ "https://ti.qianxin.com/blog/articles/Operation-Veles-Decade-Long-Espionage-Targeting-the-Global-Research-and-Education-Sector-EN/"
+ ]
+ },
+ "uuid": "fd17cd3c-5131-4907-be7d-83a0c7dabd36",
+ "value": "UTG-Q-008"
 }
 ],
 "version": 310
From b317c4ff6b52508f0101eb5240abb850935fd38c Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Tue, 18 Jun 2024 04:51:29 -0700
Subject: [PATCH 2/9] [threat-actors] Add Gitloker
---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 90864661..b73a7196 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
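Review bot: The new entry leaves the cluster `version` untouched — the trailing context line still reads `"version": 310` — and the same holds for the additions in patches 2/9 through 7/9, while the README patch already counts the seven new entries; the cluster `version` is what MISP instances compare when updating galaxies, so unless it is bumped outside this series it should be incremented once on the last cluster patch. The description also says UTG-Q-008 focuses on "government and enterprise entities in China", whereas the only ref's title frames the activity as espionage against the global research and education sector; reconcile the two, or make the targeting explicit with `cfr-target-category`/`cfr-suspected-victims`. The attribution hints given in prose ("potential ties to Eastern Europe", the Pinyin password dictionary, UTC+8 working hours) would serve analysts better as an `attribution-confidence` value with a short justification than as an unqualified narrative.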
@@ -16099,6 +16099,17 @@
 },
 "uuid": "fd17cd3c-5131-4907-be7d-83a0c7dabd36",
 "value": "UTG-Q-008"
+ },
+ {
+ "description": "Gitloker is a threat actor group targeting GitHub repositories, wiping their contents, and extorting victims for their data. They use stolen credentials to compromise accounts, claim to have created a backup, and instruct victims to contact them on Telegram. The attackers leave a ransom note in the form of a README file, urging victims to negotiate the return of their data. GitHub is working to combat these evolving attacks and the vulnerabilities they exploit.",
+ "meta": {
+ "refs": [
+ "https://www.itsecurityguru.org/2024/06/13/guest-blog-proactive-application-security-learning-from-the-recent-github-extortion-campaigns/",
+ "https://www.bleepingcomputer.com/news/security/new-gitloker-attacks-wipe-github-repos-in-extortion-scheme/"
+ ]
+ },
+ "uuid": "75cc313a-6a95-4ab8-b7f8-bfd7e4a7fe00",
+ "value": "Gitloker"
 }
 ],
 "version": 310
From e7bb6de04af7c40d949e320e8064a6ab674d40de Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Tue, 18 Jun 2024 04:51:29 -0700
Subject: [PATCH 3/9] [threat-actors] Add UNC5537
---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index b73a7196..b3a01fb2 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
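Review bot: The last sentence of the description (`GitHub is working to combat these evolving attacks and the vulnerabilities they exploit.`) is vendor-response filler rather than actor intelligence, and "vulnerabilities they exploit" sits oddly with the preceding statement that access comes from stolen credentials; I would drop it. The entry describes a financially motivated extortion crew, so `"motive": "Cybercrime"` in `meta` would let consumers filter it with the other crime groups. The README-as-ransom-note and the Telegram contact instruction are the detection-relevant details here and are worth keeping as they are.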
@@ -16110,6 +16110,17 @@
 },
 "uuid": "75cc313a-6a95-4ab8-b7f8-bfd7e4a7fe00",
 "value": "Gitloker"
+ },
+ {
+ "description": "UNC5537 is a financially motivated threat actor targeting Snowflake customer databases. They use stolen credentials obtained from infostealer malware to access and exfiltrate large volumes of data. The compromised accounts lack multi-factor authentication, allowing UNC5537 to conduct data theft and extortion.",
+ "meta": {
+ "refs": [
+ "https://research.checkpoint.com/2024/17th-june-threat-intelligence-report/",
+ "https://cloud.google.com/blog/topics/threat-intelligence/unc5537-snowflake-data-theft-extortion"
+ ]
+ },
+ "uuid": "b8c6da46-4c9a-4075-b9f3-3b5ef7bd3534",
+ "value": "UNC5537"
 }
 ],
 "version": 310
From 8ba48b446af7720d38ffa46aa12de7f87d4d328a Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Tue, 18 Jun 2024 04:51:29 -0700
Subject: [PATCH 4/9] [threat-actors] Add Sp1d3r
---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index b3a01fb2..ab3d9ced 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
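Review bot: The description opens with "financially motivated" but the motive is not recorded structurally; adding `"motive": "Cybercrime"` to `meta` makes the entry filterable rather than only readable. The refs place a weekly threat-intelligence digest ahead of the primary Mandiant/Google report; listing the primary source first is the more useful order for analysts following up. The sentence "The compromised accounts lack multi-factor authentication" is the actionable mitigation detail but reads as a universal claim; attributing it (`according to the cited Mandiant reporting, ...`) keeps the entry from overstating it.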
@@ -16121,6 +16121,17 @@
 },
 "uuid": "b8c6da46-4c9a-4075-b9f3-3b5ef7bd3534",
 "value": "UNC5537"
+ },
+ {
+ "description": "Sp1d3r, a threat actor, has been involved in multiple data breaches targeting companies like Truist Bank, Cylance, and Advance Auto Parts. They have stolen and attempted to sell sensitive information, including customer and employee emails, account numbers, and source code. Sp1d3r has also claimed to have obtained data from a third-party platform and a cloud storage vendor. They have utilized hacking forums to sell the stolen data for significant sums of money.",
+ "meta": {
+ "refs": [
+ "https://www.cysecurity.news/2024/06/truist-bank-confirms-data-breach-after.html",
+ "https://research.checkpoint.com/2024/17th-june-threat-intelligence-report/"
+ ]
+ },
+ "uuid": "2be04e23-4376-4333-87df-27d635e43a98",
+ "value": "Sp1d3r"
 }
 ],
 "version": 310
From 93cc634d1c329bd94f1a6d40f360ae31d548e8ba Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Tue, 18 Jun 2024 04:51:29 -0700
Subject: [PATCH 5/9] [threat-actors] Add TA571
---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index ab3d9ced..b493b241 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
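Review bot: The victim names in the description (Truist Bank, Cylance, Advance Auto Parts) are the most searchable part of the entry but exist only as prose; recording them under `cfr-suspected-victims` makes them queryable like the other entries in this cluster that use that key. The wording also blurs confirmed and self-reported activity — "has been involved in multiple data breaches" next to "claimed to have obtained data" — for what the refs describe as a forum persona advertising data; I would open with `Sp1d3r is a persona active on hacking forums that has advertised data purportedly stolen from ...` so the claim/confirmation distinction is explicit. If the cited reporting connects these listings to the Snowflake-related activity tracked as UNC5537 (added in patch 3/9), a `related` link between the two entries would stop analysts treating them as unconnected.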
@@ -16132,6 +16132,17 @@
 },
 "uuid": "2be04e23-4376-4333-87df-27d635e43a98",
 "value": "Sp1d3r"
+ },
+ {
+ "description": "TA571 is a spam distributor actor known for delivering a variety of malware, including DarkGate, NetSupport RAT, and information stealers. They use phishing emails with macro-enabled attachments to spread malicious PDFs containing rogue OneDrive links. TA571 has been observed using unique filtering techniques with intermediary \"gates\" to target specific users and bypass automated sandboxing. Proofpoint assesses with high confidence that TA571 infections can lead to ransomware.",
+ "meta": {
+ "refs": [
+ "https://www.proofpoint.com/us/blog/threat-insight/security-brief-ta571-delivers-icedid-forked-loader",
+ "https://www.proofpoint.com/us/blog/threat-insight/clipboard-compromise-powershell-self-pwn"
+ ]
+ },
+ "uuid": "0245113e-cef3-4638-9532-3bf235b07d49",
+ "value": "TA571"
 }
 ],
 "version": 310
From c8e623e84ce4cb9a4bdde0c02ce9398db164fcce Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Tue, 18 Jun 2024 04:51:30 -0700
Subject: [PATCH 6/9] [threat-actors] Add Bondnet
---
 clusters/threat-actor.json | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index b493b241..93f8fa6d 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
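Review bot: The second sentence of the description reads as one delivery chain in which macro-enabled attachments "spread" PDFs with OneDrive links, which is not a coherent kill chain; if the underlying Proofpoint reporting describes these as alternative lures, the sentence should say so, e.g. `They deliver payloads through phishing emails carrying macro-enabled attachments, and separately through PDF attachments containing links to rogue OneDrive-hosted content.` The `\"gates\"` filtering detail is the useful detection-side point and is correctly escaped for strict JSON. The two refs cover an IcedID-forked loader and the clipboard/PowerShell "self-pwn" technique, neither of which appears in the description; a short clause naming them would keep the text and the refs in step. A `"motive": "Cybercrime"` entry would also match the ransomware outcome the last sentence asserts.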
@@ -16143,6 +16143,18 @@
 },
 "uuid": "0245113e-cef3-4638-9532-3bf235b07d49",
 "value": "TA571"
+ },
+ {
+ "description": "Bondnet is a threat actor that deploys backdoors and cryptocurrency miners. They use high-performance bots as C2 servers and configure reverse RDP environments on compromised systems. Bondnet has infected over 15,000 Windows server machines worldwide, primarily targeting Windows Server 2008 R2 systems. The botnet is used for mining cryptocurrencies like Monero, ByteCoin, RieCoin, and ZCash, potentially earning the operator thousands of dollars per day.",
+ "meta": {
+ "refs": [
+ "https://asec.ahnlab.com/en/66662/",
+ "https://www.akamai.com/blog/security/the-bondnet-army",
+ "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/"
+ ]
+ },
+ "uuid": "78e8bc1a-0be3-4792-a911-9d4813dd7bc3",
+ "value": "Bondnet"
 }
 ],
 "version": 310
From 4cabbe3bc9745b60f3f3d105cf0c98205d4cb2a0 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Tue, 18 Jun 2024 04:51:30 -0700
Subject: [PATCH 7/9] [threat-actors] Add UAC-0020
---
 clusters/threat-actor.json | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 93f8fa6d..14118065 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
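Review bot: The infection count and earnings figures are stated timelessly ("has infected over 15,000 Windows server machines", "thousands of dollars per day") although they come from a dated report; anchoring them to the source, e.g. `At the time of the Akamai "Bondnet army" reporting, Bondnet had infected over 15,000 ...`, stops the entry reading as a current estimate years later. The third ref, `select-xmrig-from-sqlserver`, looks like a general MSSQL-to-XMRig intrusion write-up; unless it explicitly attributes the activity to Bondnet it is a better fit for a tool or malware cluster than for this actor's refs, so worth confirming before merge. `"motive": "Cybercrime"` would capture the mining objective structurally, and the Windows Server 2008 R2 targeting is a useful exposure indicator worth keeping as written.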
@@ -16155,6 +16155,23 @@
 },
 "uuid": "78e8bc1a-0be3-4792-a911-9d4813dd7bc3",
 "value": "Bondnet"
+ },
+ {
+ "description": "Vermin is a threat actor group linked to the Luhansk People’s Republic and believed to be acting on behalf of the Kremlin. They have targeted Ukrainian government infrastructure using malware like Spectr and legitimate tools like SyncThing for data exfiltration. Vermin has been active since at least 2018, using custom-made RATs like Vermin and open-source tools like Quasar for cyber-espionage. The group has resurfaced after periods of inactivity to conduct espionage operations against Ukraine's military and defense sectors.",
+ "meta": {
+ "country": "RU",
+ "refs": [
+ "https://socprime.com/blog/vermin-uac-0020-hacking-collective-hits-ukrainian-government-and-military-with-spectr-malware/",
+ "https://therecord.media/russian-vermin-hackers-target-ukraine",
+ "https://cert.gov.ua/article/6279600"
+ ],
+ "synonyms": [
+ "Vermin",
+ "SickSync"
+ ]
+ },
+ "uuid": "318be739-26fd-4f4d-bac8-aa20ec8273b7",
+ "value": "UAC-0020"
 }
 ],
 "version": 310
From 950a6bfa4ec56a6eab6bd004fff39c9ca4d5d9f7 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Tue, 18 Jun 2024 04:51:30 -0700
Subject: [PATCH 8/9] [threat-actors] Add TraderTraitor aliases
---
 clusters/threat-actor.json | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 14118065..764b7034 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
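Review bot: `SickSync` is listed as an actor synonym, but in the CERT-UA reporting cited it appears to name the campaign (the SPECTR/SyncThing operation) rather than the group; that is the actor/campaign conflation the project README explicitly warns about, so either drop it from `synonyms` or move it into the description as `... in the campaign CERT-UA tracks as SickSync`. The description never uses the entry's own `value` (UAC-0020) — it is written entirely as "Vermin", which also names the RAT — so the opening sentence should tie the identifiers together: `UAC-0020 (Vermin) is a threat actor group ...`. The text mixes a curly apostrophe in `Luhansk People’s Republic` with an ASCII one in `Ukraine's`; normalising to ASCII avoids search misses in consumers that do not fold Unicode punctuation. Worth checking that no pre-existing Vermin entry elsewhere in this cluster is being duplicated by this addition.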
@@ -13279,11 +13279,13 @@
 "refs": [
 "https://www.mandiant.com/resources/blog/north-korea-supply-chain",
 "https://us-cert.cisa.gov/ncas/alerts/aa22-108a",
- "https://www.mandiant.com/resources/blog/north-korea-cyber-structure-alignment-2023"
+ "https://www.mandiant.com/resources/blog/north-korea-cyber-structure-alignment-2023",
+ "https://cloud.google.com/blog/topics/threat-intelligence/cyber-threats-targeting-brazil"
 ],
 "synonyms": [
 "Jade Sleet",
- "UNC4899"
+ "UNC4899",
+ "Pukchong"
 ]
 },
 "uuid": "825abfd9-7238-4438-a9e7-c08791f4df4e",
From 212dba1e10eb077b7aae15547711029f6de6d360 Mon Sep 17 00:00:00 2001
From: Mathieu Beligon
Date: Tue, 18 Jun 2024 15:03:45 +0300
Subject: [PATCH 9/9] update readme
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 9c31660d..3a30a5b7 100644
--- a/README.md
+++ b/README.md
@@ -535,7 +535,7 @@ Category: *tea-matrix* - source: ** - total: *7* elements
 [Threat Actor](https://www.misp-galaxy.org/threat-actor) - Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. threat-actor-classification meta can be used to clarify the understanding of the threat-actor if also considered as operation, campaign or activity group.
-Category: *actor* - source: *MISP Project* - total: *686* elements
+Category: *actor* - source: *MISP Project* - total: *693* elements
 [[HTML](https://www.misp-galaxy.org/threat-actor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/threat-actor.json)]