From d3836318a24a5d88442052a0920e7d5884315165 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Fri, 17 Nov 2023 02:59:55 -0800
Subject: [PATCH 1/9] [threat-actors] Add UNC4841
---
 clusters/threat-actor.json | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index afc5ec0..87d7abc 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -13125,6 +13125,19 @@
 },
 "uuid": "e284c356-4b77-4f86-a8f2-7793cbe8662b",
 "value": "AppMilad"
+ },
+ {
+ "description": "UNC4841 is a well-resourced threat actor that has utilized a wide range of malware and purpose-built tooling to enable their global espionage operations. They have been observed selectively deploying specific malware families at high priority targets, with SKIPJACK being the most widely deployed. UNC4841 primarily targeted government and technology organizations, but they have also been observed targeting other verticals.",
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "https://blog.polyswarm.io/unc4841-targeting-government-entities-with-barracuda-esg-0day-cve-2023-2868",
+ "https://www.mandiant.com/resources/blog/unc4841-post-barracuda-zero-day-remediation",
+ "https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally"
+ ]
+ },
+ "uuid": "8959fbb4-95f0-485d-bba2-db9140b95386",
+ "value": "UNC4841"
 }
 ],
 "version": 294
From ed0d3c6f57abd5b89dd47835e3694e60d66eeee3 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Fri, 17 Nov 2023 02:59:55 -0800
Subject: [PATCH 2/9] [threat-actors] Add CL-STA-0043
---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 87d7abc..bcd9653 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
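Review bot: The new UNC4841 entry is appended, but the cluster's `"version": 294` line at the bottom of the hunk is left as unchanged context, so any consumer that gates cluster refreshes on the version number will not pick up the addition. Every patch in this series (2/9 CL-STA-0043, 3/9 DEV-0928, 4/9 TEMP_Heretic, 5/9 WeedSec, 6/9 TA444, 7/9 UAC-0006, 8/9 NewsPenguin, 9/9 DefrayX) shows the same untouched `"version": 294` context. If this galaxy follows the usual practice of incrementing `version` whenever cluster content changes, the series should end with that line changed to `"version": 295` (or each patch should bump it in turn). The enclosing JSON array starts well before this hunk, so only the tail of the file is visible here.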
@@ -13138,6 +13138,17 @@
 },
 "uuid": "8959fbb4-95f0-485d-bba2-db9140b95386",
 "value": "UNC4841"
+ },
+ {
+ "description": "CL-STA-0043 is a highly skilled and sophisticated threat actor, believed to be a nation-state, targeting governmental entities in the Middle East and Africa. They exploit vulnerabilities in on-premises Internet Information Services and Microsoft Exchange servers to infiltrate target networks. They engage in reconnaissance, locate vital assets, and have been observed using native Windows tools for privilege escalation.",
+ "meta": {
+ "refs": [
+ "https://www.securonix.com/blog/securonix-threat-labs-monthly-intelligence-insights-june-2023/",
+ "https://www.paloaltonetworks.com/blog/security-operations/through-the-cortex-xdr-lens-uncovering-a-new-activity-group-targeting-governments-in-the-middle-east-and-africa/"
+ ]
+ },
+ "uuid": "5d0aee14-f18a-44da-a44d-28d950f06b9c",
+ "value": "CL-STA-0043"
 }
 ],
 "version": 294
From 68f70a1831281aabd009c5d31f61cf6e92856467 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Fri, 17 Nov 2023 02:59:55 -0800
Subject: [PATCH 3/9] [threat-actors] Add DEV-0928
---
 clusters/threat-actor.json | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index bcd9653..c603f47 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -13149,6 +13149,16 @@
 },
 "uuid": "5d0aee14-f18a-44da-a44d-28d950f06b9c",
 "value": "CL-STA-0043"
+ },
+ {
+ "description": "DEV-0928 is a threat actor that has been tracked by Microsoft since September 2022. They are known for their involvement in high-volume phishing campaigns, using tools offered by DEV-1101. DEV-0928 sends phishing emails to targets and has been observed launching campaigns involving millions of emails. They also utilize evasion techniques, such as redirection to benign pages, to avoid detection.",
+ "meta": {
+ "refs": [
+ "http://www.microsoft.com/en-us/security/blog/2023/03/13/dev-1101-enables-high-volume-aitm-campaigns-with-open-source-phishing-kit/"
+ ]
+ },
+ "uuid": "8345dd24-7884-48e3-b231-4791d31afe3d",
+ "value": "DEV-0928"
 }
 ],
 "version": 294
From e333b150638ecc0081dbf6580aef6fd7703de5a9 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Fri, 17 Nov 2023 02:59:55 -0800
Subject: [PATCH 4/9] [threat-actors] Add TEMP_Heretic
---
 clusters/threat-actor.json | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index c603f47..1c65bf6 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
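Review bot: The only reference for DEV-0928 is written as a cleartext `http://www.microsoft.com/...` URL, whereas every other ref added in this series uses `https://`; a reference followed over plain HTTP can be redirected or rewritten on the way, and the same Microsoft Security blog page is served over TLS. Change the ref line to `"https://www.microsoft.com/en-us/security/blog/2023/03/13/dev-1101-enables-high-volume-aitm-campaigns-with-open-source-phishing-kit/"`. Since this is the entry's single source, it is also worth confirming the URL still resolves before merging, as a dead sole reference leaves the description unverifiable.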
@@ -13159,6 +13159,18 @@
 },
 "uuid": "8345dd24-7884-48e3-b231-4791d31afe3d",
 "value": "DEV-0928"
+ },
+ {
+ "description": "TEMP_Heretic is a threat actor that has been observed engaging in targeted spear-phishing campaigns. They exploit vulnerabilities in email platforms, such as Zimbra, to exfiltrate emails from government, military, and media organizations. They use multiple outlook.com email addresses and manually craft content for each email before sending it.",
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "https://www.welivesecurity.com/en/eset-research/mass-spreading-campaign-targeting-zimbra-users/",
+ "https://www.volexity.com/blog/2022/02/03/operation-emailthief-active-exploitation-of-zero-day-xss-vulnerability-in-zimbra/"
+ ]
+ },
+ "uuid": "8dfac62e-395e-4e47-b6b6-8ab817ac25c1",
+ "value": "TEMP_Heretic"
 }
 ],
 "version": 294
From 3c9f09edfcb7ca06243cc4a2036c3830927ee95d Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Fri, 17 Nov 2023 02:59:56 -0800
Subject: [PATCH 5/9] [threat-actors] Add WeedSec
---
 clusters/threat-actor.json | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 1c65bf6..b088671 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -13171,6 +13171,16 @@
 },
 "uuid": "8dfac62e-395e-4e47-b6b6-8ab817ac25c1",
 "value": "TEMP_Heretic"
+ },
+ {
+ "description": "WeedSec is a threat actor group that recently targeted the online learning and course management platform Moodle. They posted sample databases of Moodle on their Telegram channel, which is widely used by educational institutions and workplaces.",
+ "meta": {
+ "refs": [
+ "https://socradar.io/cyber-awakeness-month-takedown-of-trigona-hive-ransomware-resurges-ransomedforum-and-new-raas-qbit/"
+ ]
+ },
+ "uuid": "000a2535-8fbf-459d-a067-d10528496a92",
+ "value": "WeedSec"
 }
 ],
 "version": 294
From d3c15e1652a470d839d9c8a25033f8f6fabbc267 Mon Sep 17 00:00:00 2001
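Review bot: In the WeedSec description (patch 5/9) the clause `which is widely used by educational institutions and workplaces` grammatically modifies `their Telegram channel`, while the sentence clearly means Moodle; the word `recently` is also time-relative and will read as stale in a static cluster entry. Suggested second sentence: `They posted sample Moodle databases on their Telegram channel; Moodle is widely used by educational institutions and workplaces.` and `recently targeted` could become `targeted` with the period left to the cited SOCRadar post. The entry rests on a single roundup article, so a hedged `reportedly` in front of `posted` would better match the strength of the sourcing.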
From: Mathieu4141
Date: Fri, 17 Nov 2023 02:59:56 -0800
Subject: [PATCH 6/9] [threat-actors] Add TA444
---
 clusters/threat-actor.json | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index b088671..0c5f2f2 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -13181,6 +13181,19 @@
 },
 "uuid": "000a2535-8fbf-459d-a067-d10528496a92",
 "value": "WeedSec"
+ },
+ {
+ "description": "TA444 is a North Korea state-sponsored threat actor that primarily focuses on financially motivated operations. They have been active since at least 2017 and have recently shifted their attention to targeting cryptocurrencies. TA444 employs various infection methods and has a diverse range of malware and backdoors at their disposal. They have been attributed to stealing hundreds of millions of dollars' worth of cryptocurrency and related assets.",
+ "meta": {
+ "country": "KP",
+ "refs": [
+ "https://www.proofpoint.com/us/blog/threat-insight/ta444-apt-startup-aimed-at-your-funds",
+ "https://cyberscoop.com/north-korean-cryptocurrency-hackers-education-government/",
+ "https://www.darkreading.com/remote-workforce/north-korea-apt-swindled-1b-crypto-investors-2022"
+ ]
+ },
+ "uuid": "5a38db83-16b3-477f-a045-66a922868eea",
+ "value": "TA444"
 }
 ],
 "version": 294
From 5b993d2517ab90481c890acfe1d8d0ae53cb6d3b Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Fri, 17 Nov 2023 02:59:56 -0800
Subject: [PATCH 7/9] [threat-actors] Add UAC-0006
---
 clusters/threat-actor.json | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 0c5f2f2..6dc1add 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -13194,6 +13194,22 @@
 },
 "uuid": "5a38db83-16b3-477f-a045-66a922868eea",
 "value": "TA444"
+ },
+ {
+ "description": "UAC-0006 is a financially motivated threat actor that has been active since at least 2013. They primarily target Ukrainian organizations, particularly accountants, with phishing emails containing the SmokeLoader malware. Their goal is to steal credentials and execute unauthorized fund transfers, posing a significant risk to financial systems.",
+ "meta": {
+ "refs": [
+ "https://socprime.com/blog/smokeloader-detection-uac-0006-group-launches-a-new-phishing-campaign-against-ukraine/",
+ "https://socprime.com/blog/smokeloader-malware-detection-uac-0006-hackers-launch-a-wave-of-phishing-attacks-against-ukraine-targeting-accountants/",
+ "https://socprime.com/blog/detecting-smokeloader-campaign-uac-0006-keep-targeting-ukrainian-financial-institutions-in-a-series-of-phishing-attacks/",
+ "https://socprime.com/blog/latest-threats/detect-smokeloader-malware-uac-0006-strikes-again-to-target-ukraine-in-a-series-of-phishing-attacks/",
+ "https://socprime.com/blog/smokeloader-malware-detection-uac-0006-group-reemerges-to-launch-phishing-attacks-against-ukraine-using-financial-subject-lures/",
+ "https://cert.gov.ua/article/4555802",
+ "https://cert.gov.ua/article/6123309"
+ ]
+ },
+ "uuid": "013f56ea-a441-483f-812c-c384c790e474",
+ "value": "UAC-0006"
 }
 ],
 "version": 294
From a81ac9687f17f7d42a3967aad552afb57ac47287 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Fri, 17 Nov 2023 02:59:56 -0800
Subject: [PATCH 8/9] [threat-actors] Add NewsPenguin
---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 6dc1add..8ead5ee 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -13210,6 +13210,17 @@
 },
 "uuid": "013f56ea-a441-483f-812c-c384c790e474",
 "value": "UAC-0006"
+ },
+ {
+ "description": "NewsPenguin is threat actor that has been targeting organizations in Pakistan. They use a complex payload delivery mechanism and exploit the upcoming Pakistan International Maritime Expo & Conference as a lure to trick their victims. The group has been linked to a phishing campaign that leverages spear-phishing emails and weaponized documents to deliver an advanced espionage tool.",
+ "meta": {
+ "refs": [
+ "https://www.rewterz.com/rewterz-news/rewterz-threat-alert-newspenguin-threat-actors-targeting-pakistani-entities-with-malicious-campaign-active-iocs",
+ "https://blogs.blackberry.com/en/2023/02/newspenguin-a-previously-unknown-threat-actor-targets-pakistan-with-advanced-espionage-tool"
+ ]
+ },
+ "uuid": "4c4a8cb7-b4c4-4637-8e41-dfe19a6b40c7",
+ "value": "NewsPenguin"
 }
 ],
 "version": 294
From fc2cb9e253da66bc412c84808015903e64dd4ab8 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Fri, 17 Nov 2023 02:59:57 -0800
Subject: [PATCH 9/9] [threat-actors] Add DefrayX
---
 clusters/threat-actor.json | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 8ead5ee..1a9539b 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
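Review bot: The NewsPenguin description opens with `NewsPenguin is threat actor` (missing article) and calls the lure `the upcoming Pakistan International Maritime Expo & Conference`, a time-relative phrase that is already wrong for a static cluster entry and gives readers no date to anchor on. Suggested wording for the first two sentences: `NewsPenguin is a threat actor that has been targeting organizations in Pakistan. They use a complex payload delivery mechanism and used the Pakistan International Maritime Expo & Conference as a lure to trick their victims.` The event date is not stated anywhere in the hunk, so it should only be added if taken from the cited BlackBerry post rather than guessed.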
@@ -13221,6 +13221,21 @@
 },
 "uuid": "4c4a8cb7-b4c4-4637-8e41-dfe19a6b40c7",
 "value": "NewsPenguin"
+ },
+ {
+ "description": "DefrayX is a threat actor group known for their RansomExx ransomware operations. They primarily target Linux operating systems, but also release versions for Windows. The group has been active since 2018 and has targeted various sectors, including healthcare and manufacturing. They have also developed other malware strains such as PyXie RAT, Vatet loader, and Defray ransomware.",
+ "meta": {
+ "refs": [
+ "https://securityaffairs.co/wordpress/138933/malware/ransomexx-ransomware-rust-language.html",
+ "https://research.checkpoint.com/2022/28th-november-threat-intelligence-report/",
+ "https://securityintelligence.com/posts/ransomexx-upgrades-rust/"
+ ],
+ "synonyms": [
+ "Hive0091"
+ ]
+ },
+ "uuid": "9c102b55-29ea-4d90-9b36-33ba42f65d79",
+ "value": "DefrayX"
 }
 ],
 "version": 294