Merge pull request #579 from danielplohmann/ta413-evilnum

Adding TA413 and Evilnum
pull/580/head
Alexandre Dulaunoy 2020-09-16 08:26:45 +02:00 committed by GitHub
commit b989916caf
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 26 additions and 1 deletions


@ -8339,7 +8339,32 @@
],
"uuid": "e400b6c5-77cf-453d-ba0f-44575583ac6c",
"value": "GALLIUM"
},
{
"description": "Proofpoint researchers observed a phishing campaign impersonating the World Health Organizations (WHO) guidance on COVID-19 critical preparedness to deliver a new malware family that researchers have dubbed Sepulcher. This campaign targeted European diplomatic and legislative bodies, non-profit policy research organizations, and global organizations dealing with economic affairs. Additionally, a sender email identified in this campaign has been linked to historic Chinese APT targeting of the international Tibetan community using payloads linked to LuckyCat malware. Subsequently, a phishing campaign from July 2020 targeting Tibetan dissidents was identified delivering the same strain of Sepulcher malware. Operator email accounts identified in this campaign have been publicly linked to historic Chinese APT campaigns targeting the Tibetan community delivering ExileRAT malware. Based on the use of publicly known sender addresses associated with Tibetan dissident targeting and the delivery of Sepulcher malware payloads, Proofpoint researchers have attributed both campaigns to the APT actor TA413, which has previously been documented in association with ExileRAT. The usage of publicly known Tibetan-themed sender accounts to deliver Sepulcher malware demonstrates a short-term realignment of TA413s targets of interest. While best known for their campaigns against the Tibetan diaspora, this APT group associated with the Chinese state interest prioritized intelligence collection around Western economies reeling from COVID-19 in March 2020 before resuming more conventional targeting later this year.",
"meta": {
"country": "CN",
"refs": [
"https://www.proofpoint.com/us/blog/threat-insight/chinese-apt-ta413-resumes-targeting-tibet-following-covid-19-themed-economic"
]
},
"uuid": "cbf94f8d-20f2-45a0-b78b-54715b6b4e18",
"value": "TA413"
},
{
"description": "ESET has analyzed the operations of Evilnum, the APT group behind the Evilnum malware previously seen in attacks against financial technology companies. While said malware has been seen in the wild since at least 2018 and documented previously, little has been published about the group behind it and how it operates. The groups targets remain fintech companies, but its toolset and infrastructure have evolved and now consist of a mix of custom, homemade malware combined with tools purchased from Golden Chickens, a Malware-as-a-Service (MaaS) provider whose infamous customers include FIN6 and Cobalt Group.",
"meta": {
"refs": [
"https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/",
"https://securelist.com/deathstalker-mercenary-triumvirate/98177/"
],
"synonyms": [
"DeathStalker"
]
},
"uuid": "b6f3150f-2240-4c57-9dda-5144c5077058",
"value": "Evilnum"
}
],
"version": 177
"version": 178
}
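Review bot: the two new descriptions drop possessive apostrophes in three places, which will be surfaced verbatim to every consumer of the galaxy: "World Health Organizations (WHO) guidance" should read "World Health Organization's (WHO) guidance", "TA413s targets of interest" should read "TA413's targets of interest", and "The groups targets remain fintech companies" should read "The group's targets remain fintech companies". Separately, the Evilnum entry adds "DeathStalker" under "synonyms" and cites the securelist DeathStalker write-up, but nothing in the description explains the mapping; a short sentence noting that the second reference tracks the same activity under the DeathStalker name would let readers see why the alias applies without opening the link.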