merging TG2003 / Elephant Beetle into FIN13

as indicated in the respective resources published by the organizations using these aliases.
2022-08-02 14:11:43 +02:00 · 2022-08-02 14:11:43 +02:00 · bc20a463c8
parent 2330c17602
commit bc20a463c8
1 changed files with 9 additions and 15 deletions
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@ -9136,7 +9136,14 @@
      "meta": {
        "country": "RU",
        "refs": [
-          "https://www.mandiant.com/resources/fin13-cybercriminal-mexico"
+          "https://www.mandiant.com/resources/fin13-cybercriminal-mexico",
+          "https://blog.sygnia.co/elephant-beetle-an-organized-financial-theft-operation",
+          "https://f.hubspotusercontent30.net/hubfs/8776530/Sygnia-%20Elephant%20Beetle_Jan2022.pdf",
+          "https://www.netwitness.com/wp-content/uploads/FIN13-Elephant-Beetle-NetWitness.pdf"
+        ],
+        "synonyms": [
+          "TG2003",
+          "Elephant Beetle"
        ]
      },
      "uuid": "60fa684d-c738-4b77-98fb-3f6605e2bb82",
@ -9485,19 +9492,6 @@
      "uuid": "6cce6ecc-e6f5-4ae5-b8c5-cf633b7cf973",
      "value": "ModifiedElephant"
    },
-    {
-      "description": "Financially motivated threat group targeting and infiltrating organizations from the finance and commerce sector in Latin America.",
-      "meta": {
-        "refs": [
-          "https://f.hubspotusercontent30.net/hubfs/8776530/Sygnia-%20Elephant%20Beetle_Jan2022.pdf"
-        ],
-        "synonyms": [
-          "TG2003"
-        ]
-      },
-      "uuid": "64930954-db40-4d97-8fc4-76079d239e15",
-      "value": "Elephant Beetle"
-    },
    {
      "description": "EXOTIC LILY is a resourceful, financially motivated group whose activities appear to be closely linked with data exfiltration and deployment of human-operated ransomware such as Conti and Diavol. In early September 2021, the group has been obeserved exploiting a 0day in Microsoft MSHTML (CVE-2021-40444). Investigation lead researchers to believe that they are an Initial Access Broker (IAB) who appear to be working with the Russian cyber crime gang known as FIN12 (Mandiant, FireEye) / WIZARD SPIDER (CrowdStrike). This threat actor deploys tactics, techniques and procedures (TTPs) that are traditionally associated with more targeted attacks, like spoofing companies and employees as a means of gaining trust of a targeted organization through email campaigns that are believed to be sent by real human operators using little-to-no automation. Additionally and rather uniquely, they leverage legitimate file-sharing services like WeTransfer, TransferNow and OneDrive to deliver the payload, namely BUMBLEEBEE and BAZARLOADER, further evading detection mechanisms. This level of human-interaction is rather unusual for cyber crime groups focused on mass scale operations.",
      "meta": {
@ -10012,5 +10006,5 @@
      "value": "Returned Libra"
    }
  ],
-  "version": 237
+  "version": 238
 }