Merge pull request #898 from Mathieu4141/threat-actors/2d4f4a51-5a1e-4d21-acdc-5516fe781ba2

[threat-actors] add 10 actors
pull/902/head
Alexandre Dulaunoy 2023-11-20 19:40:08 +01:00 committed by GitHub
commit c8fa369d21
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 128 additions and 0 deletions


@ -13236,6 +13236,134 @@
},
"uuid": "9c102b55-29ea-4d90-9b36-33ba42f65d79",
"value": "DefrayX"
},
{
"description": "PerSwaysion is a threat actor known for conducting phishing campaigns targeting high-level executives. They have been active since at least August 2019 and are believed to be based in Vietnam. PerSwaysion has recently updated their techniques, using more direct phishing methods and leveraging Microsoft 365 to steal credentials.",
"meta": {
"country": "VN",
"refs": [
"https://blog.group-ib.com/perswaysion",
"https://blog.scarletshark.com/perswaysion-threat-actor-updates-their-techniques-and-infrastructure-e9465157a653"
]
},
"uuid": "a413c605-0e0a-41ca-bae2-5623908fda3a",
"value": "PerSwaysion"
},
{
"description": "Space Pirates is a cybercrime group that has been active since at least 2017. They primarily target Russian companies and have been observed using various malware, including Deed RAT and ShadowPad. The group uses a combination of publicly available tools and their own protocols to communicate with their command-and-control servers.",
"meta": {
"country": "CN",
"refs": [
"http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/webworm-espionage-rats",
"https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-a-look-into-the-group-s-unconventional-techniques-new-attack-vectors-and-tools/",
"https://blog.polyswarm.io/space-pirates-target-russian-aerospace"
],
"synonyms": [
"Space Pirates"
]
},
"uuid": "ee306b4d-1b2b-4872-a8f1-d07e7fbab2f0",
"value": "Webworm"
},
{
"description": "In March 2022, a hacking group calling themselves N4ughtySecTU claimed to have breached TransUnions systems and threatened to leak four terabytes of data if the credit bureau didnt pay a $15-million (R242-million) ransom.",
"meta": {
"country": "BR",
"refs": [
"https://mybroadband.co.za/news/security/438982-how-bank-customers-can-protect-themselves-after-hackers-leak-transunion-data.html",
"https://cisoseries.com/cyber-security-headlines-march-21-2022/",
"https://mybroadband.co.za/news/security/443090-cybercriminals-love-south-africa-study.html"
]
},
"uuid": "43236d8e-27ee-40f1-ad15-a2ad23738a76",
"value": "N4ughtysecTU"
},
{
"description": "Moshen Dragon is a Chinese-aligned cyberespionage threat actor operating in Central Asia. They have been observed deploying multiple malware triads and utilizing DLL search order hijacking to sideload ShadowPad and PlugX variants. The threat actor also employs various tools, including an LSA notification package and a passive backdoor known as GUNTERS. Their activities involve targeting the telecommunication sector and leveraging Impacket for lateral movement and data exfiltration.",
"meta": {
"country": "CN",
"refs": [
"https://www.sentinelone.com/labs/moshen-dragons-triad-and-error-approach-abusing-security-software-to-sideload-plugx-and-shadowpad/"
]
},
"uuid": "41243ff2-e4f1-4605-9259-ab494c1c8c04",
"value": "Moshen Dragon"
},
{
"description": "One of their notable tools is a custom backdoor called SockDetour, which operates filelessly and socketlessly on compromised Windows servers. The group's activities have been linked to the exploitation of vulnerabilities in Zoho ManageEngine ADSelfService Plus and ServiceDesk Plus.",
"meta": {
"country": "CN",
"refs": [
"https://unit42.paloaltonetworks.com/sockdetour/",
"https://blog.fox-it.com/2021/11/08/ta505-exploits-solarwinds-serv-u-vulnerability-cve-2021-35211-for-initial-access/",
"https://www.microsoft.com/en-us/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/"
],
"synonyms": [
"DEV-0322"
]
},
"uuid": "aca6b3d2-1c3b-4674-9de8-975e35723bcf",
"value": "TiltedTemple"
},
{
"description": "OldGremlin is a Russian-speaking ransomware group that has been active for several years. They primarily target organizations in Russia, including banks, logistics, industrial, insurance, retail, and IT companies. OldGremlin is known for using phishing emails as an initial infection vector and has developed custom malware for both Windows and Linux systems. They have conducted multiple malicious email campaigns and demand large ransoms from their victims, with some reaching millions of dollars.",
"meta": {
"country": "RU",
"refs": [
"https://www.rewterz.com/rewterz-news/rewterz-threat-alert-new-ransomware-actor-oldgremlin-hits-multiple-organizations",
"https://www.group-ib.com/blog/oldgremlin-comeback/",
"https://www.group-ib.com/media-center/press-releases/oldgremlin/"
]
},
"uuid": "ad8b73df-c526-4a32-b52f-c7c3c4c058d2",
"value": "OldGremlin"
},
{
"description": "Storm Cloud is a Chinese espionage threat actor known for targeting organizations across Asia, particularly Tibetan organizations and individuals. They use a variety of malware families, including GIMMICK and GOSLU, which are feature-rich and multi-platform. Storm Cloud leverages public cloud hosting services like Google Drive for command-and-control channels, making it difficult to detect their activities.",
"meta": {
"country": "CN",
"refs": [
"https://www.volexity.com/blog/2020/03/31/storm-cloud-unleashed-tibetan-community-focus-of-highly-targeted-fake-flash-campaign/",
"https://www.rewterz.com/rewterz-news/rewterz-threat-alert-gimmick-malware-active-iocs"
]
},
"uuid": "3baec27f-3827-4a38-82c8-7195a18193f9",
"value": "Storm Cloud"
},
{
"description": "CostaRicto is a cyber-espionage threat actor that operates as a mercenary group, offering its services to various clients globally. They use bespoke malware tools and sophisticated techniques like VPN proxy and SSH tunnelling. While their targets are scattered across different regions, there is a concentration in South Asia.",
"meta": {
"refs": [
"https://blogs.blackberry.com/en/2020/11/the-costaricto-campaign-cyber-espionage-outsourced",
"https://www.cybersecurityintelligence.com/blog/outsourced-cyber-spying-5335.html"
]
},
"uuid": "5587f082-349b-46ab-9e6f-303d9bfd1e1b",
"value": "CostaRicto"
},
{
"description": "TA402 is an APT group that has been tracked by Proofpoint since 2020. They primarily target government entities in the Middle East and North Africa, with a focus on intelligence collection. TA402 is known for using sophisticated phishing campaigns and constantly updating their malware implants and delivery methods to evade detection. They have been observed using cloud services like Dropbox and Google Drive for hosting malicious payloads and command-and-control infrastructure.",
"meta": {
"country": "PS",
"refs": [
"https://www.proofpoint.com/us/blog/threat-insight/ta402-uses-complex-ironwind-infection-chains-target-middle-east-based-government",
"https://www.proofpoint.com/us/blog/threat-insight/ugg-boots-4-sale-tale-palestinian-aligned-espionage"
]
},
"uuid": "aad291eb-08d1-4af4-9dd1-e90fe1f2d6c6",
"value": "TA402"
},
{
"description": "SilverFish is believed to be a Russian cyberespionage group that has been involved in various cyberattacks, including the use of the SolarWinds breach as an attack vector. SilverFish has been linked to the Wasted Locker ransomware and has displayed a high level of skill and organization in their cyber operations. There are also connections between SilverFish and the threat actor Evil Corp, suggesting a possible evolution or collaboration between the two groups.",
"meta": {
"refs": [
"https://www.truesec.com/hub/blog/are-the-notorious-cyber-criminals-evil-corp-actually-russian-spies",
"https://www.prodaft.com/resource/detail/silverfish-global-cyber-espionage-campaign-case-report",
"https://www.mandiant.com/resources/blog/unc2165-shifts-to-evade-sanctions"
]
},
"uuid": "55bcc595-2442-4f98-9477-7fe9b507607c",
"value": "SilverFish"
}
],
"version": 294
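Review bot: the Webworm entry's description does not describe the actor named in its `value`: it opens with "Space Pirates is a cybercrime group ..." while `value` is "Webworm" and "Space Pirates" appears only under `synonyms`, so a reader of the galaxy sees a Webworm cluster whose text never mentions Webworm; suggest rewording the description to name Webworm first and state that Space Pirates is an alias, and changing the `http://symantec-enterprise-blogs.security.com/...` ref to `https://` like the other refs in the hunk. Two smaller points in the same hunk: the TiltedTemple description starts with "One of their notable tools is a custom backdoor called SockDetour" with no preceding sentence saying who "their" is, so it needs an opening sentence introducing TiltedTemple (and, since the fox-it ref's URL attributes the Serv-U CVE-2021-35211 exploitation to TA505 while the entry's synonym is DEV-0322, a sentence clarifying how that reference relates to this actor); and the N4ughtySecTU entry spells the name "N4ughtySecTU" in the description but "N4ughtysecTU" in `value`, and the description is missing apostrophes in "TransUnions" and "didnt", so pick one casing and fix the punctuation before merging.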