MISP
/
misp-galaxy
mirror of https://github.com/MISP/misp-galaxy
2
0
Fork 0
Code Issues Releases Wiki Activity

Merge pull request #686 from Delta-Sierra/main 

update threat actors meta
pull/688/head
Alexandre Dulaunoy 2022-03-07 22:04:22 +01:00 committed by GitHub
parent 8e09c9b30c 957327383d
commit b978bb1c86
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 158 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
clusters/botnet.json
View File

@ -1235,7 +1235,17 @@
],
"uuid": "25a745c8-0d2a-40e1-9bb2-3704d1bd49e3",
"value": "DDG"
},
{
"description": "A multi-component botnet targeting Windows Computer. Glupteba is known to steal user credentials and cookies, mine cryptocurrencies on infected hosts, deploy and operate proxy components targeting Windows systems and IoT devices. The botnet has been observed targeting victims worldwide, including the US, India, Brazil and Southeast Asia. The Glupteba malware family is primarily distributed through pay per install (PPI) networks and via traffic purchased from traffic distribution systems (TDS).",
"meta": {
"refs": [
"https://blog.google/threat-analysis-group/disrupting-glupteba-operation/"
]
},
"uuid": "37c5d3ad-9057-4fcb-9fb3-4f7e5377a304",
"value": "Glupteba"
}
],
"version": 23
"version": 24
}

159
clusters/threat-actor.json
View File

@ -2813,8 +2813,11 @@
],
"synonyms": [
"CARBON SPIDER",
"Carbon Spider",
"GOLD NIAGARA",
"Calcium"
"Calcium",
"Carbanak",
"FIN 7"
]
},
"related": [
@ -2927,7 +2930,9 @@
"https://attack.mitre.org/groups/G0085/"
],
"synonyms": [
"FIN4"
"FIN4",
"FIN 4",
"Wolf Spider"
]
},
"uuid": "ff449346-aa9f-45f6-b482-71e886a5cf57",
@ -3607,6 +3612,9 @@
"country": "CN",
"refs": [
"https://www.proofpoint.com/uk/threat-insight/post/august-in-december-new-information-stealer-hits-the-scene"
],
"synonyms": [
"TA 530"
]
},
"uuid": "4b79d1f6-8333-44b6-ac32-d1ea7e47e77f",
@ -3669,10 +3677,12 @@
],
"synonyms": [
"SKELETON SPIDER",
"Sketelon Spider",
"ITG08",
"MageCart Group 6",
"White Giant",
"GOLD FRANKLIN"
"GOLD FRANKLIN",
"FIN 6"
]
},
"related": [
@ -4595,6 +4605,9 @@
"https://afyonluoglu.org/PublicWebFiles/Reports-TR/2017%20FireEye%20M-Trends%20Report.pdf",
"https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html",
"https://attack.mitre.org/groups/G0061"
],
"synonyms": [
"FIN 8"
]
},
"related": [
@ -4690,6 +4703,9 @@
"refs": [
"https://www.proofpoint.com/us/threat-insight/post/apt-targets-financial-analysts",
"https://attack.mitre.org/groups/G0062/"
],
"synonyms": [
"TA 459"
]
},
"related": [
@ -6689,8 +6705,12 @@
{
"description": "INDRIK SPIDER is a sophisticated eCrime group that has been operating Dridex since June 2014. In 2015 and 2016, Dridex was one of the most prolific eCrime banking trojans on the market and, since 2014, those efforts are thought to have netted INDRIK SPIDER millions of dollars in criminal profits. Throughout its years of operation, Dridex has received multiple updates with new modules developed and new anti-analysis features added to the malware.\nIn August 2017, a new ransomware variant identified as BitPaymer was reported to have ransomed the U.K.s National Health Service (NHS), with a high ransom demand of 53 BTC (approximately $200,000 USD). The targeting of an organization rather than individuals, and the high ransom demands, made BitPaymer stand out from other contemporary ransomware at the time. Though the encryption and ransom functionality of BitPaymer was not technically sophisticated, the malware contained multiple anti-analysis features that overlapped with Dridex. Later technical analysis of BitPaymer indicated that it had been developed by INDRIK SPIDER, suggesting the group had expanded its criminal operation to include ransomware as a monetization strategy.",
"meta": {
"country": "RU",
"refs": [
"https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/"
],
"synonyms": [
"Indrik Spider"
]
},
"uuid": "658314bc-3bb8-48d2-913a-c528607b75c8",
@ -6805,6 +6825,7 @@
{
"description": "TA505, the name given by Proofpoint, has been in the cybercrime business for at least four years. This is the group behind the infamous Dridex banking trojan and Locky ransomware, delivered through malicious email campaigns via Necurs botnet. Other malware associated with TA505 include Philadelphia and GlobeImposter ransomware families.",
"meta": {
"country": "RU",
"refs": [
"https://www.bleepingcomputer.com/news/security/ta505-group-adopts-new-servhelper-backdoor-and-flawedgrace-rat/",
"https://www.proofpoint.com/sites/default/files/ta505_timeline_final4_0.png",
@ -6827,7 +6848,10 @@
"SectorJ04 Group",
"GRACEFUL SPIDER",
"GOLD TAHOE",
"Dudear"
"Dudear",
"TA 505",
"Graceful Spider",
"TEMP.Warlock"
]
},
"uuid": "03c80674-35f8-4fe0-be2b-226ed0fcd69f",
@ -6850,6 +6874,7 @@
{
"description": "Wizard Spider is reportedly associated with Grim Spider and Lunar Spider.\nThe WIZARD SPIDER threat group is the Russia-based operator of the TrickBot banking malware. This group represents a growing criminal enterprise of which GRIM SPIDER appears to be a subset. The LUNAR SPIDER threat group is the Eastern European-based operator and developer of the commodity banking malware called BokBot (aka IcedID), which was first observed in April 2017. The BokBot malware provides LUNAR SPIDER affiliates with a variety of capabilities to enable credential theft and wire fraud, through the use of webinjects and a malware distribution function.\nGRIM SPIDER is a sophisticated eCrime group that has been operating the Ryuk ransomware since August 2018, targeting large organizations for a high-ransom return. This methodology, known as “big game hunting,” signals a shift in operations for WIZARD SPIDER, a criminal enterprise of which GRIM SPIDER appears to be a cell. The WIZARD SPIDER threat group, known as the Russia-based operator of the TrickBot banking malware, had focused primarily on wire fraud in the past.",
"meta": {
"country": "RU",
"refs": [
"https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/",
"https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/",
@ -6866,7 +6891,10 @@
],
"synonyms": [
"TEMP.MixMaster",
"GOLD BLACKBURN"
"GOLD BLACKBURN",
"Wizard Spider",
"FIN12",
"FIN 12"
]
},
"uuid": "bdf4fe4f-af8a-495f-a719-cf175cecda1f",
@ -6884,7 +6912,9 @@
],
"synonyms": [
"TA542",
"GOLD CRESTWOOD"
"GOLD CRESTWOOD",
"Mummy Spider",
"TA 542"
]
},
"uuid": "c93281be-f6cd-4cd0-a5a3-defde9d77d8b",
@ -7200,6 +7230,7 @@
{
"description": "Last Friday, Deputy Attorney General Rod Rosenstein announced the indictment of nine Iranians who worked for an organization named the Mabna Institute. According to prosecutors, the defendants stole more than 31 terabytes of data from universities, companies, and government agencies around the world. The cost to the universities alone reportedly amounted to approximately $3.4 billion. The information stolen from these universities was used by the Islamic Revolutionary Guard Corps (IRGC) or sold for profit inside Iran. PhishLabs has been tracking this same threat group since late-2017, designating them Silent Librarian. Since discovery, we have been working with the FBI, ISAC partners, and other international law enforcement agencies to help understand and mitigate these attacks.",
"meta": {
"country": "IR",
"refs": [
"https://info.phishlabs.com/blog/silent-librarian-more-to-the-story-of-the-iranian-mabna-institute-indictment",
"https://info.phishlabs.com/blog/silent-librarian-university-attacks-continue-unabated-in-days-following-indictment",
@ -7215,7 +7246,8 @@
"synonyms": [
"COBALT DICKENS",
"Mabna Institute",
"TA407"
"TA407",
"TA 407"
]
},
"uuid": "5059b44d-2753-4977-b987-4922f09afe6b",
@ -7314,6 +7346,9 @@
"refs": [
"https://www.darkreading.com/analytics/prolific-cybercrime-gang-favors-legit-login-credentials/d/d-id/1322645?",
"https://attack.mitre.org/groups/G0053/"
],
"synonyms": [
"FIN 5"
]
},
"uuid": "44dc2f9c-8c28-11e9-9b9a-7fdced8cbf70",
@ -7322,8 +7357,12 @@
{
"description": "FireEye first identified this activity during a recent investigation at an organization in the financial industry. They identified the presence of a financially motivated threat group that they track as FIN1, whose activity at the organization dated back several years. The threat group deployed numerous malicious files and utilities, all of which were part of a malware ecosystem referred to as Nemesis by the malware developer(s), and used this malware to access the victim environment and steal cardholder data. FIN1, which may be located in Russia or a Russian-speaking country based on language settings in many of their custom tools, is known for stealing data that is easily monetized from financial services organizations such as banks, credit unions, ATM operations, and financial transaction processing and financial business services companies.",
"meta": {
"country": "RU",
"refs": [
"https://www.fireeye.com/blog/threat-research/2015/12/fin1-targets-boot-record.html"
],
"synonyms": [
"FIN 1"
]
},
"uuid": "13289552-596e-4592-9c81-eeb4db6baf3c",
@ -7335,6 +7374,9 @@
"refs": [
"https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin10.pdf",
"https://attack.mitre.org/groups/G0051/"
],
"synonyms": [
"FIN 10"
]
},
"uuid": "f2d02410-8c2c-11e9-8df1-a31c1fb33d79",
@ -7611,6 +7653,11 @@
"country": "CN",
"refs": [
"https://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology"
],
"synonyms": [
"Temp.Hex",
"Vicious Panda",
"TA 428"
]
},
"uuid": "5533d062-18ab-4c70-9472-0eac03f95a1d",
@ -7730,6 +7777,10 @@
"https://www.proofpoint.com/us/threat-insight/post/lookback-forges-ahead-continued-targeting-united-states-utilities-sector-reveals",
"https://www.proofpoint.com/us/threat-insight/post/lookback-malware-targets-united-states-utilities-sector-phishing-attacks",
"https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new"
],
"synonyms": [
"LookBack",
"TA 410"
]
},
"uuid": "5cd95926-0098-435e-892d-9c9f61763ad7",
@ -7798,7 +7849,9 @@
"synonyms": [
"Maze Team",
"TWISTED SPIDER",
"GOLD VILLAGE"
"GOLD VILLAGE",
"TA 2101",
"Maze"
]
},
"uuid": "39925aa0-c7bf-4b9b-97d6-7d600329453d",
@ -8037,7 +8090,9 @@
],
"synonyms": [
"GOLD ESSEX",
"TA544"
"TA544",
"TA 544",
"Narwhal Spider"
]
},
"uuid": "fda9cdea-0017-495e-879d-0f348db2aa07",
@ -8230,6 +8285,9 @@
"country": "CN",
"refs": [
"https://www.proofpoint.com/us/blog/threat-insight/chinese-apt-ta413-resumes-targeting-tibet-following-covid-19-themed-economic"
],
"synonyms": [
"TA 413"
]
},
"uuid": "cbf94f8d-20f2-45a0-b78b-54715b6b4e18",
@ -8323,7 +8381,10 @@
"https://www.brighttalk.com/webcast/7451/447347"
],
"synonyms": [
"TEMP.Warlock"
"TEMP.Warlock",
"FIN 11",
"UNC902",
"Graceful Spider"
]
},
"uuid": "c01aadc6-1087-4e8e-8d5c-a27eba409fe3",
@ -8475,6 +8536,11 @@
"https://twitter.com/hatr/status/1377220336597483520",
"https://www.mandiant.com/resources/unc1151-linked-to-belarus-government",
"https://www.bleepingcomputer.com/news/security/meta-ukrainian-officials-military-targeted-by-ghostwriter-hackers/"
],
"synonyms": [
"UNC1151",
"TA 445",
"TA445"
]
},
"uuid": "749aaa11-f0fd-416b-bf6c-112f9b5930a5",
@ -8691,7 +8757,9 @@
],
"synonyms": [
"Shakthak",
"TA551"
"TA551",
"TA 551",
"Lunar Spider"
]
},
"uuid": "36e8c848-4d20-47ea-9fc2-31aa17bf82d1",
@ -8905,8 +8973,12 @@
{
"description": "Since 2017, Mandiant has been tracking FIN13, an industrious and versatile financially motivated threat actor conducting long-term intrusions in Mexico with an activity timeframe stretching back as early as 2016. Although their operations continue through the present day, in many ways FIN13's intrusions are like a time capsule of traditional financial cybercrime from days past. Instead of today's prevalent smash-and-grab ransomware groups, FIN13 takes their time to gather information to perform fraudulent money transfers. Rather than relying heavily on attack frameworks such as Cobalt Strike, the majority of FIN13 intrusions involve heavy use of custom passive backdoors and tools to lurk in environments for the long haul.",
"meta": {
"country": "RU",
"refs": [
"https://www.mandiant.com/resources/fin13-cybercriminal-mexico"
],
"synonyms": [
"FIN 13"
]
},
"uuid": "60fa684d-c738-4b77-98fb-3f6605e2bb82",
@ -8965,6 +9037,69 @@
"uuid": "a57e5bf5-d7f4-43a1-9c15-8a44cdb95079",
"value": "TA2541"
},
{
"description": "This actor typically distributes instances of the SmokeLoader intermediate downloader, which, in turn, downloads additional malware of the actors choice -- often banking Trojans. Figure 3 shows a lure document from a November campaign in which TA516 distributed fake resumes with malicious macros that, if enabled, launch a PowerShell script that downloads SmokeLoader. In this instance, we observed SmokeLoader downloading a Monero coinminer. Since the middle of 2017, TA516 has used similar macro-laden documents as well as malicious JavaScript hosted on Google Drive to distribute both Panda Banker and a coinminer executable via SmokeLoader, often in the same campaigns.",
"meta": {
"refs": [
"https://www.thaicert.or.th/downloads/files/Threat_Group_Cards_v2.0.pdf"
],
"synonyms": [
"TA 516"
]
},
"uuid": "0466bbf1-a187-4b3d-b558-a31e5ca11ea7",
"value": "TA516"
},
{
"description": "TA547 is responsible for many other campaigns since at least November 2017. The other campaigns by the actor were often localized to countries such as Australia, Germany, the United Kingdom, and Italy. Delivered malware included ZLoader (a.k.a. Terdot), Gootkit, Ursnif, Corebot, Panda Banker, Atmos, Mazar Bot, and Red Alert Android malware.",
"meta": {
"refs": [
"https://www.thaicert.or.th/downloads/files/Threat_Group_Cards_v2.0.pdf"
],
"synonyms": [
"Scully Spider",
"TA 547"
]
},
"uuid": "29fbc8d4-1e6e-4edc-9887-bdf47f36e4c1",
"value": "TA547"
},
{
"description": "Since May 2018, Proofpoint researchers have observed email campaigns using a new downloader called sLoad. sLoad is a PowerShell downloader that most frequently delivers Ramnit banker and includes noteworthy reconnaissance features. The malware gathers information about the infected system including a list of running processes, the presence of Outlook, and the presence of Citrix-related files. sLoad can also take screenshots and check the DNS cache for specific domains (e.g., targeted banks), as well as load external binaries.\nWhile initial versions of sLoad appeared in May 2018, we began tracking the campaigns from this actor (internally named TA554) since at least the beginning of 2017.",
"meta": {
"refs": [
"https://www.thaicert.or.th/downloads/files/Threat_Group_Cards_v2.0.pdf"
],
"synonyms": [
"TH-163"
]
},
"uuid": "36f1a1b8-e03a-484f-95a3-005345679cbe",
"value": "TA554"
},
{
"description": "Beginning in May 2018, Proofpoint researchers observed a previously undocumented downloader dubbed AdvisorsBot appearing in malicious email campaigns. The campaigns appear to primarily target hotels, restaurants, and telecommunications, and are distributed by an actor we track as TA555. To date, we have observed AdvisorsBot used as a first-stage payload, loading a fingerprinting module that, as with Marap, is presumably used to identify targets of interest to further infect with additional modules or payloads. AdvisorsBot is under active development and we have also observed another version of the malware completely rewritten in PowerShell and .NET.",
"meta": {
"refs": [
"https://www.thaicert.or.th/downloads/files/Threat_Group_Cards_v2.0.pdf"
]
},
"uuid": "d0d26dae-195f-4503-a6a9-ebb1ec0e07f9",
"value": "TA555"
},
{
"description": "This attacker is an affiliate distributor of the The Trick, also known as Trickbot, and BazaLoader. (For more on how affiliates work, see the description of TA573).\nTA800 has targeted a wide range of industries in North America, infecting victims with banking Trojans and malware loaders (malware designed to download other malware onto a compromised device). Malicious emails have often included recipients names, titles and employers along with phishing pages designed to look like the targeted company. Lures have included hard-to-resist subjects such as related to payment, meetings, termination, bonuses and complaints in the subject line or body of the email.",
"meta": {
"refs": [
"https://www.proofpoint.com/us/blog/threat-insight/q4-2020-threat-report-quarterly-analysis-cybersecurity-trends-tactics-and-themes"
],
"synonyms": [
"TA 800"
]
},
"uuid": "75fac2e9-8f2c-4620-a1cc-4b8a61c1bb48",
"value": "TA800"
},
{
"description": "Cybereason Nocturnus describes Moses Staff as an Iranian hacker group, first spotted in October 2021. Their motivation appears to be to harm Israeli companies by leaking sensitive, stolen data.",
"meta": {
@ -8983,5 +9118,5 @@
"value": "MosesStaff"
}
],
"version": 213
"version": 214
}