From 32a78f3d263c0d9d0bad6882ada92f5ce1ffb78d Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 20 Nov 2023 09:29:05 -0800
Subject: [PATCH 01/10] [threat-actors] Add PerSwaysion
---
 clusters/threat-actor.json | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 1a9539b..18cf13a 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -13236,6 +13236,18 @@
 },
 "uuid": "9c102b55-29ea-4d90-9b36-33ba42f65d79",
 "value": "DefrayX"
+ },
+ {
+ "description": "PerSwaysion is a threat actor known for conducting phishing campaigns targeting high-level executives. They have been active since at least August 2019 and are believed to be based in Vietnam. PerSwaysion has recently updated their techniques, using more direct phishing methods and leveraging Microsoft 365 to steal credentials.",
+ "meta": {
+ "country": "VN",
+ "refs": [
+ "https://blog.group-ib.com/perswaysion",
+ "https://blog.scarletshark.com/perswaysion-threat-actor-updates-their-techniques-and-infrastructure-e9465157a653"
+ ]
+ },
+ "uuid": "a413c605-0e0a-41ca-bae2-5623908fda3a",
+ "value": "PerSwaysion"
 }
 ],
 "version": 294
From 2ac369ac617c0adee54802d79cb32f7d5e74a37b Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 20 Nov 2023 09:29:05 -0800
Subject: [PATCH 02/10] [threat-actors] Add Webworm
---
 clusters/threat-actor.json | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 18cf13a..2049a12 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
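Review bot: The trailing context line `"version": 294` is left untouched in this hunk, so the cluster version is not bumped even though a new entry is added; the same holds for the other nine hunks in this series (Webworm through SilverFish). Downstream MISP instances generally use that field to detect that a galaxy has changed, so the last patch in the series should raise it, e.g. `"version": 295`. The enclosing array of entries begins well outside the hunk.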
@@ -13248,6 +13248,22 @@
 },
 "uuid": "a413c605-0e0a-41ca-bae2-5623908fda3a",
 "value": "PerSwaysion"
+ },
+ {
+ "description": "Space Pirates is a cybercrime group that has been active since at least 2017. They primarily target Russian companies and have been observed using various malware, including Deed RAT and ShadowPad. The group uses a combination of publicly available tools and their own protocols to communicate with their command-and-control servers.",
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/webworm-espionage-rats",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-a-look-into-the-group-s-unconventional-techniques-new-attack-vectors-and-tools/",
+ "https://blog.polyswarm.io/space-pirates-target-russian-aerospace"
+ ],
+ "synonyms": [
+ "Space Pirates"
+ ]
+ },
+ "uuid": "ee306b4d-1b2b-4872-a8f1-d07e7fbab2f0",
+ "value": "Webworm"
 }
 ],
 "version": 294
From d477275a535991e8ee95c11892cd0c9e2e1489b2 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 20 Nov 2023 09:29:05 -0800
Subject: [PATCH 03/10] [threat-actors] Add N4ughtysecTU
---
 clusters/threat-actor.json | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 2049a12..bf4aa6e 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
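Review bot: The description opens with "Space Pirates is a cybercrime group..." although the entry's `value` is "Webworm" and Space Pirates appears only under `synonyms`, so the text never ties the two names together; start it as `Webworm (also tracked as Space Pirates) is ...`. The description calls the group "cybercrime" while the first ref's title frames it as espionage ("webworm-espionage-rats"); the two should agree. That first ref also uses plain `http://` where every other ref in this series uses `https://`. If a separate Space Pirates entry already exists elsewhere in the file, this should be merged into it rather than added under a new UUID — not visible from the hunk.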
@@ -13264,6 +13264,19 @@
 },
 "uuid": "ee306b4d-1b2b-4872-a8f1-d07e7fbab2f0",
 "value": "Webworm"
+ },
+ {
+ "description": "In March 2022, a hacking group calling themselves N4ughtySecTU claimed to have breached TransUnion’s systems and threatened to leak four terabytes of data if the credit bureau didn’t pay a $15-million (R242-million) ransom.",
+ "meta": {
+ "country": "BR",
+ "refs": [
+ "https://mybroadband.co.za/news/security/438982-how-bank-customers-can-protect-themselves-after-hackers-leak-transunion-data.html",
+ "https://cisoseries.com/cyber-security-headlines-march-21-2022/",
+ "https://mybroadband.co.za/news/security/443090-cybercriminals-love-south-africa-study.html"
+ ]
+ },
+ "uuid": "43236d8e-27ee-40f1-ad15-a2ad23738a76",
+ "value": "N4ughtysecTU"
 }
 ],
 "version": 294
From 93d9db10a3dbe336092af6e9c2784c5fc353d3b8 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 20 Nov 2023 09:29:05 -0800
Subject: [PATCH 04/10] [threat-actors] Add Moshen Dragon
---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index bf4aa6e..c881b72 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
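Review bot: The `country` value `BR` is not supported by anything in the added description or the ref titles, which only concern the TransUnion South Africa breach; either add the sentence that justifies the attribution or drop the key, as the CostaRicto and SilverFish entries later in this series do when attribution is uncertain. The description is a single-incident sentence rather than a summary of the actor; a short lead such as `N4ughtysecTU is an extortion group that surfaced in March 2022 ...` before the incident detail would match the other entries. The text also uses typographic apostrophes (`TransUnion’s`, `didn’t`) where the other descriptions use ASCII; harmless, but worth normalizing.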
@@ -13277,6 +13277,17 @@
 },
 "uuid": "43236d8e-27ee-40f1-ad15-a2ad23738a76",
 "value": "N4ughtysecTU"
+ },
+ {
+ "description": "Moshen Dragon is a Chinese-aligned cyberespionage threat actor operating in Central Asia. They have been observed deploying multiple malware triads and utilizing DLL search order hijacking to sideload ShadowPad and PlugX variants. The threat actor also employs various tools, including an LSA notification package and a passive backdoor known as GUNTERS. Their activities involve targeting the telecommunication sector and leveraging Impacket for lateral movement and data exfiltration.",
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "https://www.sentinelone.com/labs/moshen-dragons-triad-and-error-approach-abusing-security-software-to-sideload-plugx-and-shadowpad/"
+ ]
+ },
+ "uuid": "41243ff2-e4f1-4605-9259-ab494c1c8c04",
+ "value": "Moshen Dragon"
 }
 ],
 "version": 294
From a08311c5f18bdf4de6e69e65d7c5b588a8080c71 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 20 Nov 2023 09:29:06 -0800
Subject: [PATCH 05/10] [threat-actors] Add TiltedTemple
---
 clusters/threat-actor.json | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index c881b72..b61d5b2 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -13288,6 +13288,22 @@
 },
 "uuid": "41243ff2-e4f1-4605-9259-ab494c1c8c04",
 "value": "Moshen Dragon"
+ },
+ {
+ "description": "One of their notable tools is a custom backdoor called SockDetour, which operates filelessly and socketlessly on compromised Windows servers. The group's activities have been linked to the exploitation of vulnerabilities in Zoho ManageEngine ADSelfService Plus and ServiceDesk Plus.",
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "https://unit42.paloaltonetworks.com/sockdetour/",
+ "https://blog.fox-it.com/2021/11/08/ta505-exploits-solarwinds-serv-u-vulnerability-cve-2021-35211-for-initial-access/",
+ "https://www.microsoft.com/en-us/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/"
+ ],
+ "synonyms": [
+ "DEV-0322"
+ ]
+ },
+ "uuid": "aca6b3d2-1c3b-4674-9de8-975e35723bcf",
+ "value": "TiltedTemple"
 }
 ],
 "version": 294
From c4142b2ee7ae7d8fdeea6a122582e4772077b4a7 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 20 Nov 2023 09:29:06 -0800
Subject: [PATCH 06/10] [threat-actors] Add OldGremlin
---
 clusters/threat-actor.json | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index b61d5b2..b75af79 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
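Review bot: The description starts with "One of their notable tools is..." without ever saying who TiltedTemple is, so the entry has no lead sentence; prefix it with something like `TiltedTemple (also tracked as DEV-0322) is a threat actor that ...`, stating only what the refs support. The second ref's title attributes the Serv-U CVE-2021-35211 exploitation to TA505 rather than DEV-0322, so its relevance to this entry is unclear from the hunk and worth confirming before merging. Neither ref URL names DEV-0322, so the `synonyms` mapping rests on content not visible here; a short sentence in the description explaining the alias would let readers check it.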
@@ -13304,6 +13304,19 @@
 },
 "uuid": "aca6b3d2-1c3b-4674-9de8-975e35723bcf",
 "value": "TiltedTemple"
+ },
+ {
+ "description": "OldGremlin is a Russian-speaking ransomware group that has been active for several years. They primarily target organizations in Russia, including banks, logistics, industrial, insurance, retail, and IT companies. OldGremlin is known for using phishing emails as an initial infection vector and has developed custom malware for both Windows and Linux systems. They have conducted multiple malicious email campaigns and demand large ransoms from their victims, with some reaching millions of dollars.",
+ "meta": {
+ "country": "RU",
+ "refs": [
+ "https://www.rewterz.com/rewterz-news/rewterz-threat-alert-new-ransomware-actor-oldgremlin-hits-multiple-organizations",
+ "https://www.group-ib.com/blog/oldgremlin-comeback/",
+ "https://www.group-ib.com/media-center/press-releases/oldgremlin/"
+ ]
+ },
+ "uuid": "ad8b73df-c526-4a32-b52f-c7c3c4c058d2",
+ "value": "OldGremlin"
 }
 ],
 "version": 294
From 4c9063b772a80675ee28fa28005bc9fa5cc77a34 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 20 Nov 2023 09:29:06 -0800
Subject: [PATCH 07/10] [threat-actors] Add Storm Cloud
---
 clusters/threat-actor.json | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index b75af79..2c3da14 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -13317,6 +13317,18 @@
 },
 "uuid": "ad8b73df-c526-4a32-b52f-c7c3c4c058d2",
 "value": "OldGremlin"
+ },
+ {
+ "description": "Storm Cloud is a Chinese espionage threat actor known for targeting organizations across Asia, particularly Tibetan organizations and individuals. They use a variety of malware families, including GIMMICK and GOSLU, which are feature-rich and multi-platform. Storm Cloud leverages public cloud hosting services like Google Drive for command-and-control channels, making it difficult to detect their activities.",
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "https://www.volexity.com/blog/2020/03/31/storm-cloud-unleashed-tibetan-community-focus-of-highly-targeted-fake-flash-campaign/",
+ "https://www.rewterz.com/rewterz-news/rewterz-threat-alert-gimmick-malware-active-iocs"
+ ]
+ },
+ "uuid": "3baec27f-3827-4a38-82c8-7195a18193f9",
+ "value": "Storm Cloud"
 }
 ],
 "version": 294
From 00ca4c865fa8944c0ca721b24f66cae35b21767b Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 20 Nov 2023 09:29:07 -0800
Subject: [PATCH 08/10] [threat-actors] Add CostaRicto
---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 2c3da14..f7d4221 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -13329,6 +13329,17 @@
 },
 "uuid": "3baec27f-3827-4a38-82c8-7195a18193f9",
 "value": "Storm Cloud"
+ },
+ {
+ "description": "CostaRicto is a cyber-espionage threat actor that operates as a mercenary group, offering its services to various clients globally. They use bespoke malware tools and sophisticated techniques like VPN proxy and SSH tunnelling. While their targets are scattered across different regions, there is a concentration in South Asia.",
+ "meta": {
+ "refs": [
+ "https://blogs.blackberry.com/en/2020/11/the-costaricto-campaign-cyber-espionage-outsourced",
+ "https://www.cybersecurityintelligence.com/blog/outsourced-cyber-spying-5335.html"
+ ]
+ },
+ "uuid": "5587f082-349b-46ab-9e6f-303d9bfd1e1b",
+ "value": "CostaRicto"
 }
 ],
 "version": 294
From ee2a8bec3212779e0522901017ad0677f224d91f Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 20 Nov 2023 09:29:07 -0800
Subject: [PATCH 09/10] [threat-actors] Add TA402
---
 clusters/threat-actor.json | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index f7d4221..2aaafb3 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -13340,6 +13340,18 @@
 },
 "uuid": "5587f082-349b-46ab-9e6f-303d9bfd1e1b",
 "value": "CostaRicto"
+ },
+ {
+ "description": "TA402 is an APT group that has been tracked by Proofpoint since 2020. They primarily target government entities in the Middle East and North Africa, with a focus on intelligence collection. TA402 is known for using sophisticated phishing campaigns and constantly updating their malware implants and delivery methods to evade detection. They have been observed using cloud services like Dropbox and Google Drive for hosting malicious payloads and command-and-control infrastructure.",
+ "meta": {
+ "country": "PS",
+ "refs": [
+ "https://www.proofpoint.com/us/blog/threat-insight/ta402-uses-complex-ironwind-infection-chains-target-middle-east-based-government",
+ "https://www.proofpoint.com/us/blog/threat-insight/ugg-boots-4-sale-tale-palestinian-aligned-espionage"
+ ]
+ },
+ "uuid": "aad291eb-08d1-4af4-9dd1-e90fe1f2d6c6",
+ "value": "TA402"
 }
 ],
 "version": 294
From 29baf77740d4698b985b7f238fa4f6310b166938 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 20 Nov 2023 09:29:07 -0800
Subject: [PATCH 10/10] [threat-actors] Add SilverFish
---
 clusters/threat-actor.json | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 2aaafb3..b9f1763 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
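Review bot: TA402 is a vendor (Proofpoint) tracking name that public reporting ties to the Molerats / Gaza Cybergang activity, yet the entry carries no `synonyms`; if the cluster already has an entry for that activity, this should become a synonym or a `related` link on it rather than a second UUID — cannot be confirmed from the hunk alone. If it is kept as a separate entry, a sentence in the description noting the reported overlap would help readers reconcile the two names. The second ref's title ("palestinian-aligned-espionage") is what supports `"country": "PS"`, so it is worth keeping that ref first so the attribution is visible up front.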
@@ -13352,6 +13352,18 @@
 },
 "uuid": "aad291eb-08d1-4af4-9dd1-e90fe1f2d6c6",
 "value": "TA402"
+ },
+ {
+ "description": "SilverFish is believed to be a Russian cyberespionage group that has been involved in various cyberattacks, including the use of the SolarWinds breach as an attack vector. SilverFish has been linked to the Wasted Locker ransomware and has displayed a high level of skill and organization in their cyber operations. There are also connections between SilverFish and the threat actor Evil Corp, suggesting a possible evolution or collaboration between the two groups.",
+ "meta": {
+ "refs": [
+ "https://www.truesec.com/hub/blog/are-the-notorious-cyber-criminals-evil-corp-actually-russian-spies",
+ "https://www.prodaft.com/resource/detail/silverfish-global-cyber-espionage-campaign-case-report",
+ "https://www.mandiant.com/resources/blog/unc2165-shifts-to-evade-sanctions"
+ ]
+ },
+ "uuid": "55bcc595-2442-4f98-9477-7fe9b507607c",
+ "value": "SilverFish"
 }
 ],
 "version": 294