From 4130d7c6fc96a1ce3f49a5cf4965e58efab0faea Mon Sep 17 00:00:00 2001
From: Thomas Dupuy
Date: Thu, 13 Aug 2020 12:22:36 -0400
Subject: [PATCH 1/4] Update TA APT40
---
 clusters/threat-actor.json | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index b141096..c138622 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -5769,7 +5769,16 @@
 "United States",
 "Hong Kong",
 "The Philippines",
- "Asia Pacific Economic Cooperation"
+ "Asia Pacific Economic Cooperation",
+ "Cambodia",
+ "Belgium",
+ "Germany",
+ "Philippines",
+ "Malaysia",
+ "Norway",
+ "Saudi Arabia",
+ "Switzerland",
+ "United Kingdom"
 ],
 "cfr-target-category": [
 "Government",
@@ -5792,7 +5801,9 @@
 "https://intrusiontruth.wordpress.com/2020/01/13/who-else-works-for-this-cover-company-network",
 "https://intrusiontruth.wordpress.com/2020/01/14/who-is-mr-ding",
 "https://intrusiontruth.wordpress.com/2020/01/15/hainan-xiandun-technology-company-is-apt40",
- "https://www.secureworks.com/research/threat-profiles/bronze-mohawk"
+ "https://www.secureworks.com/research/threat-profiles/bronze-mohawk",
+ "https://www.mycert.org.my/portal/advisory?id=MA-774.022020",
+ "https://www.elastic.co/blog/advanced-techniques-used-in-malaysian-focused-apt-campaign"
 ],
 "synonyms": [
 "TEMP.Periscope",
@@ -8317,5 +8328,5 @@
 "value": "GALLIUM"
 }
 ],
- "version": 171
+ "version": 172
 }
From 72554ed71cc9e04a313cc8946adbb680adfd044e Mon Sep 17 00:00:00 2001
From: Thomas Dupuy
Date: Thu, 13 Aug 2020 15:08:32 -0400
Subject: [PATCH 2/4] Add Drovorub tool
---
 clusters/tool.json | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index 13a5e0c..fa960a0 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
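Review bot: The added `"Philippines"` in the first hunk duplicates the existing `"The Philippines"` three lines above it in the same cfr-suspected-victims array, so the country is now listed twice under two spellings and any query or deduplication keyed on the value will treat them as different victims. Drop the new line, or replace the older spelling if the bare country name is the convention used elsewhere in this field (the neighbouring entries such as `"United States"` suggest it is). The cfr-suspected-victims array starts before the hunk, so there may be further spelling variants above the visible context.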
@@ -8126,7 +8126,23 @@
 "related": [],
 "uuid": "59266c02-e3c8-47a6-b00c-bbb50c8975e9",
 "value": "WellMail"
- }
+ },
+ {
+ "description": "Drovorub is a Linux malware toolset consisting of an implant coupled with a kernel module rootkit, a file transfer and port forwarding tool, and a Command and Control (C2) server.",
+ "meta": {
+ "refs": [
+ "https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF"
+ ],
+ "synonyms": [],
+ "type": [
+ "Backdoor",
+ "Rootkit"
+ ]
+ },
+ "related": [],
+ "uuid": "a0a46c1b-e774-410e-a84b-020b2558d851",
+ "value": "Drovorub"
+ },
 ],
- "version": 137
+ "version": 138
 }
From d0c6b7b46dfb15dae2239a9fa1fe68dc2b3e027e Mon Sep 17 00:00:00 2001
From: Thomas Dupuy
Date: Thu, 13 Aug 2020 15:57:33 -0400
Subject: [PATCH 3/4] Update Tonto Team/CactusPete threat actor
---
 clusters/threat-actor.json | 37 ++++++++++++++++++++++---------------
 1 file changed, 22 insertions(+), 15 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index c138622..58ae36c 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -175,18 +175,6 @@
 "uuid": "9e71024e-817f-45b0-92a0-d886c30bc929",
 "value": "Dust Storm"
 },
- {
- "description": "Adversary targeting dissident groups in China and its surroundings.",
- "meta": {
- "attribution-confidence": "50",
- "country": "CN",
- "refs": [
- "https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf"
- ]
- },
- "uuid": "06e659ff-ece8-4e6c-a110-d9692ac6d8ee",
- "value": "Karma Panda"
- },
 {
 "meta": {
 "attribution-confidence": "50",
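Review bot: The new Drovorub entry closes with `},` immediately before the `],` that ends the values array, which is a trailing comma and makes clusters/tool.json unparseable by any strict RFC 8259 parser at this commit; PATCH 4/4 removes it, so squashing that fix into this commit keeps every revision of the file loadable and bisectable. Apart from the comma the entry mirrors the shape of the preceding WellMail entry (meta.refs, meta.synonyms, meta.type, related, uuid, value). Running `python -m json.tool clusters/tool.json` as a pre-commit check would have caught this before it reached the series.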
@@ -4780,10 +4768,29 @@
 {
 "meta": {
 "attribution-confidence": "50",
+ "cfr-suspected-state-sponsor": "China",
+ "cfr-suspected-victims": [
+ "Eastern Europe",
+ "Japan",
+ "South Korea",
+ "Taiwan",
+ "US"
+ ],
+ "cfr-target-category": [
+ "Military",
+ "Government",
+ "Private sector"
+ ],
 "country": "CN",
 "refs": [
- "https://www.wsj.com/articles/chinas-secret-weapon-in-south-korea-missile-fight-hackers-1492766403?emailToken=JRrydPtyYnqTg9EyZsw31FwuZ7JNEOKCXF7LaW/HM1DLsjnUp6e6wLgph560pnmiTAN/5ssf7moyADPQj2p2Gc+YkL1yi0zhIiUM9M6aj1HTYQ==",
- "https://arstechnica.com/information-technology/2017/04/researchers-claim-china-trying-to-hack-south-korea-missile-defense-efforts/"
+ "https://arstechnica.com/information-technology/2017/04/researchers-claim-china-trying-to-hack-south-korea-missile-defense-efforts/",
+ "https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf",
+ "https://securelist.com/cactuspete-apt-groups-updated-bisonal-backdoor/97962/",
+ "https://www.wsj.com/articles/chinas-secret-weapon-in-south-korea-missile-fight-hackers-1492766403"
+ ],
+ "synonyms": [
+ "CactusPete",
+ "Karma Panda"
 ]
 },
 "uuid": "0ab7c8de-fc23-4793-99aa-7ee336199e26",
@@ -8328,5 +8335,5 @@
 "value": "GALLIUM"
 }
 ],
- "version": 172
+ "version": 173
 }
From 4009ef99977b7500589ae3a2d29796bfd7a52528 Mon Sep 17 00:00:00 2001
From: Thomas Dupuy
Date: Fri, 14 Aug 2020 13:01:37 -0400
Subject: [PATCH 4/4] Fix: remove comma
---
 clusters/tool.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index fa960a0..e7f7fc1 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -8142,7 +8142,7 @@
 "related": [],
 "uuid": "a0a46c1b-e774-410e-a84b-020b2558d851",
 "value": "Drovorub"
- },
+ }
 ],
 "version": 138
 }
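Review bot: The new cfr-suspected-victims list spells the United States as `"US"`, while the same field elsewhere in this file uses `"United States"` (the APT40 entry updated in PATCH 1/4), so victim-based lookups across the galaxy will not match both entries; change the line to `"United States"`. Rewriting the WSJ ref without its emailToken query string is a worthwhile cleanup, since the previous URL carried a subscriber-specific token in a public file. Folding Karma Panda into this entry as a synonym also retires uuid 06e659ff-ece8-4e6c-a110-d9692ac6d8ee (removed in the first hunk of PATCH 3/4); if anything downstream tags by that uuid it will no longer resolve, which is worth confirming before merge. The entry's value line lies outside this hunk.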