Update Medusa Locker and others

2022-07-06 08:43:59 +02:00 · 2022-07-06 08:43:59 +02:00 · c2e7ef4fab
parent cef6b90c06
commit c2e7ef4fab
2 changed files with 91 additions and 0 deletions
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@ -21648,6 +21648,61 @@
    },
    {
      "description": "ransomware",
+      "meta": {
+        "extensions": [
+          ".1btc",
+          ".matlock20",
+          ".marlock02",
+          ".readinstructions",
+          ".bec",
+          ".mylock",
+          ".jpz.nz",
+          ".marlock11",
+          ".cn",
+          ".NET1",
+          ".key1",
+          ".fileslocked",
+          ".datalock",
+          ".NZ",
+          ".lock",
+          ".lockfilesUS",
+          ".deadfilesgr",
+          ".tyco",
+          ".lockdata7",
+          ".rs",
+          ".faratak",
+          ".uslockhh",
+          ".lockfiles",
+          ".tyco",
+          ".fileslock",
+          ".zoomzoom",
+          ".perfection",
+          ".uslockhh",
+          ".marlock13",
+          "n.exe",
+          ".Readinstruction",
+          ".marlock08",
+          ".marlock25",
+          "nt_lock20",
+          ".READINSTRUCTION",
+          ".marlock6",
+          ".marlock01",
+          ".ReadInstructions"
+        ],
+        "ransomnotes-filenames": [
+          "how_to_ recover_data.html",
+          "how_to_recover_data.html.marlock01",
+          "instructions.html",
+          "READINSTRUCTION.html",
+          "!!!HOW_TO_DECRYPT!!!",
+          "How_to_recovery.txt",
+          "readinstructions.html",
+          "readme_to_recover_files",
+          "recovery_instructions.html",
+          "HOW_TO_RECOVER_DATA.html",
+          "recovery_instruction.html"
+        ]
+      },
      "uuid": "627d603a-906f-4fbf-b922-f03eea4578fe",
      "value": "MedusaLocker"
    },
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@ -7255,6 +7255,7 @@
    {
      "description": "BLACKGEAR is an espionage campaign which has targeted users in Taiwan for many years. Multiple papers and talks have been released covering this campaign, which used the ELIRKS backdoor when it was first discovered in 2012. It is known for using blogs and microblogging services to hide the location of its actual command-and-control (C&C) servers. This allows an attacker to change the C&C server used quickly by changing the information in these posts.\nLike most campaigns, BLACKGEAR has evolved over time. Our research indicates that it has started targeting Japanese users. Two things led us to this conclusion: first, the fake documents that are used as part of its infection routines are now in Japanese. Secondly, it is now using blogging sites and microblogging services based in Japan for its C&C activity.",
      "meta": {
+        "country": "CN",
        "refs": [
          "https://blog.trendmicro.com/trendlabs-security-intelligence/blackgear-espionage-campaign-evolves-adds-japan-target-list/",
          "https://blog.trendmicro.com/trendlabs-security-intelligence/blackgear-cyberespionage-campaign-resurfaces-abuses-social-media-for-cc-communication/"
@ -7275,6 +7276,9 @@
          "https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/",
          "https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html",
          "https://attack.mitre.org/groups/G0063/"
+        ],
+        "synonyms": [
+          "G0063"
        ]
      },
      "uuid": "8fbd195f-5e03-4e85-8ca5-4f1dff300bec",
@ -9098,6 +9102,38 @@
      },
      "uuid": "ef59014b-79bb-408f-97f1-3c585a240ca7",
      "value": "Scarab"
+    },
+    {
+      "description": "BlackTech is a cyber espionage group operating against targets in East Asia, particularly Taiwan, and occasionally, Japan and Hong Kong. Based on the mutexes and domain names of some of their C&C servers, BlackTech’s campaigns are likely designed to steal their target’s technology. Following their activities and evolving tactics and techniques helped us uncover the proverbial red string of fate that connected three seemingly disparate campaigns: PLEAD, Shrouded Crossbow, and of late, Waterbear. PLEAD is an information theft campaign with a penchant for confidential documents. Active since 2012, it has so far targeted Taiwanese government agencies and private organizations. PLEAD’s toolset includes the self-named PLEAD backdoor and the DRIGO exfiltration tool. PLEAD uses spear-phishing emails to deliver and install their backdoor, either as an attachment or through links to cloud storage services. Some of the cloud storage accounts used to deliver PLEAD are also used as drop off points for exfiltrated documents stolen by DRIGO. PLEAD actors use a router scanner tool to scan for vulnerable routers, after which the attackers will enable the router’s VPN feature then register a machine as virtual server. This virtual server will be used either as a C&C server or an HTTP server that delivers PLEAD malware to their targets.",
+      "meta": {
+        "country": "CN",
+        "refs": [
+          "https://malpedia.caad.fkie.fraunhofer.de/actor/blacktech"
+        ],
+        "synonyms": [
+          "CIRCUIT PANDA",
+          "Temp.Overboard",
+          "HUAPI",
+          "Palmerworm",
+          "G0098",
+          "T-APT-03"
+        ]
+      },
+      "uuid": "79488f2e-b858-4155-a743-e962a0fab99c",
+      "value": "BlackTech"
+    },
+    {
+      "description": "",
+      "meta": {
+        "refs": [
+          ""
+        ],
+        "synonyms": [
+          ""
+        ]
+      },
+      "uuid": "7c27120d-00ab-4ab4-b0e9-07e0ab2c1a94",
+      "value": ""
    }
  ],
  "version": 215