From 8aeed60a249592bb0a8075fabc0120e9e7dd50da Mon Sep 17 00:00:00 2001
From: Deborah Servili <deborah.servili@gmail.com>
Date: Mon, 11 Feb 2019 16:30:46 +0100
Subject: [PATCH 1/3] Add Siesta campaign

---
 clusters/threat-actor.json | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 3a0fc8a..e88965b 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -999,7 +999,8 @@
         "refs": [
           "http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/",
           "https://www.cfr.org/interactive/cyber-operations/apt-10",
-          "https://www.ncsc.gov.uk/content/files/protected_files/article_files/Joint%20report%20on%20publicly%20available%20hacking%20tools%20%28NCSC%29.pdf"
+          "https://www.ncsc.gov.uk/content/files/protected_files/article_files/Joint%20report%20on%20publicly%20available%20hacking%20tools%20%28NCSC%29.pdf",
+          "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf"
         ],
         "synonyms": [
           "APT10",
@@ -6221,6 +6222,16 @@
       },
       "uuid": "c2c64bd3-a325-446f-91a8-b4c0f173a30b",
       "value": "APT39"
+    },
+    {
+      "description": "FireEye recently looked deeper into the activity discussed in TrendMicro’s blog and dubbed the “Siesta” campaign. The tools, modus operandi, and infrastructure used in the campaign present two possibilities: either the Chinese cyber-espionage unit APT1 is perpetrating this activity, or another group is using the same tactics and tools as the legacy APT1.\nThe Siesta campaign reinforces the fact that analysts and network defenders should remain on the lookout for known, public indicators and for shared attributes that allow security experts to detect multiple actors with one signature.",
+      "meta": {
+        "refs": [
+          "https://www.fireeye.com/blog/threat-research/2014/03/a-detailed-examination-of-the-siesta-campaign.html"
+        ]
+      },
+      "uuid": "27c97181-b8e9-43e1-93c0-f953cac45326",
+      "value": "Siesta"
     }
   ],
   "version": 89

From 2794a2058995141cfc0bbe7dfb3834559dd2ae95 Mon Sep 17 00:00:00 2001
From: Deborah Servili <deborah.servili@gmail.com>
Date: Thu, 14 Feb 2019 12:42:28 +0100
Subject: [PATCH 2/3] add OSX/Shlayer and some refs

---
 clusters/ransomware.json   |  5 +++--
 clusters/threat-actor.json |  3 ++-
 clusters/tool.json         | 12 +++++++++++-
 3 files changed, 16 insertions(+), 4 deletions(-)

diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index 9f5d814..4a0b8e8 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -11005,7 +11005,8 @@
           "Attention!\n\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KEYPASS\n\nThe only method of recovering files is to purchase an decrypt software and unique private key.\n\nAfter purchase you will start decrypt software, enter your unique private key and it will decrypt all your data.\n\nOnly we can give you this key and only we can recover your files.\n\nYou need to contact us by e-mail keypass@bitmessage.ch send us your personal ID and wait for further instructions.\n\nFor you to be sure, that we can decrypt your files - you can send us a 1-3 any not very big encrypted files and we will send you back it in a original form FREE.\n\nPrice for decryption $300.\n\nThis price avaliable if you contact us first 72 hours.\n\nE-mail address to contact us:\n\nkeypass@bitmessage.ch\n\n\n\nReserve e-mail address to contact us:\n\nkeypass@india.com\n\n\n\nYour personal id:\n[id]"
         ],
         "refs": [
-          "https://www.bleepingcomputer.com/news/security/new-keypass-ransomware-campaign-underway/"
+          "https://www.bleepingcomputer.com/news/security/new-keypass-ransomware-campaign-underway/",
+          "https://www.kaspersky.com/blog/keypass-ransomware/23447/"
         ],
         "synonyms": [
           "KeyPass"
@@ -11750,5 +11751,5 @@
       "value": "LockerGoga"
     }
   ],
-  "version": 50
+  "version": 51
 }
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index e88965b..c225dad 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -1006,6 +1006,7 @@
           "APT10",
           "APT 10",
           "MenuPass",
+          "Menupass Team",
           "happyyongzi",
           "POTASSIUM",
           "DustStorm",
@@ -6234,5 +6235,5 @@
       "value": "Siesta"
     }
   ],
-  "version": 89
+  "version": 90
 }
diff --git a/clusters/tool.json b/clusters/tool.json
index f27cca8..4413d7a 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -7509,7 +7509,17 @@
       },
       "uuid": "0147c0fd-ed74-4d38-a823-130542d894a3",
       "value": "OSX.BadWord"
+    },
+    {
+      "description": "The initial Trojan horse infection (the fake Flash Player installer) component of OSX/Shlayer leverages shell scripts to download additional malware or adware onto the infected system.\nThe primary goal of OSX/Shlayer is to download and install adware onto an infected Mac.\nAlthough \"adware\" may not sound like a big deal, it can be a lot more harmful than the name implies; be sure to watch our aforementioned interview with Amit Serper to learn more about one particular example of malicious Mac adware.\nAt least one variant of the malware also appears to exhibit an interesting behavior: It checks whether one of several Mac anti-virus products is installed.",
+      "meta": {
+        "refs": [
+          "https://www.intego.com/mac-security-blog/osxshlayer-new-mac-malware-comes-out-of-its-shell/"
+        ]
+      },
+      "uuid": "6e60cb73-0bcc-45bf-b14f-633aa7ffc8b4",
+      "value": "OSX/Shlayer"
     }
   ],
-  "version": 108
+  "version": 109
 }

From 9c450a80d48bb3643de79091209afe38d82a21cb Mon Sep 17 00:00:00 2001
From: Deborah Servili <deborah.servili@gmail.com>
Date: Thu, 14 Feb 2019 16:04:54 +0100
Subject: [PATCH 3/3] add Gallmaker and other clusters

---
 clusters/ransomware.json   | 12 +++++++++++-
 clusters/threat-actor.json | 10 ++++++++++
 clusters/tool.json         |  9 +++++++++
 3 files changed, 30 insertions(+), 1 deletion(-)

diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index 4a0b8e8..fed823c 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -11749,7 +11749,17 @@
       },
       "uuid": "1e19dae5-80c3-4358-abcd-2bf0ba4c76fe",
       "value": "LockerGoga"
+    },
+    {
+      "description": "We have been observing a malvertising campaign via Rig exploit kit delivering a cryptocurrency-mining malware and the GandCrab ransomware since July 25. On August 1, we found Rig’s traffic stream dropping a then-unknown ransomware. Delving into this seemingly new ransomware, we checked its ransom payment page in the Tor network and saw it was called Princess Evolution (detected by Trend Micro as RANSOM_PRINCESSLOCKER.B), and was actually a new version of the Princess Locker ransomware that emerged in 2016. Based on its recent advertisement in underground forums, it appears that its operators are peddling Princess Evolution as a ransomware as a service (RaaS) and are looking for affiliates.\nThe new malvertising campaign we observed since July 25 is notable in that the malvertisements included Coinhive (COINMINER_MALXMR.TIDBF). Even if users aren’t diverted to the exploit kit and infected with the ransomware, the cybercriminals can still earn illicit profit through cryptocurrency mining. Another characteristic of this new campaign is that they hosted their malvertisement page on a free web hosting service and used domain name system canonical name (DNS CNAME) to map their advertisement domain on a malicious webpage on the service.",
+      "meta": {
+        "refs": [
+          "https://blog.trendmicro.com/trendlabs-security-intelligence/ransomware-as-a-service-princess-evolution-looking-for-affiliates/"
+        ]
+      },
+      "uuid": "53da7991-62b7-4fe2-af02-447a0734f41d",
+      "value": "Princess Evolution"
     }
   ],
-  "version": 51
+  "version": 52
 }
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index c225dad..99ce77b 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -6233,6 +6233,16 @@
       },
       "uuid": "27c97181-b8e9-43e1-93c0-f953cac45326",
       "value": "Siesta"
+    },
+    {
+      "description": "Symantec researchers have uncovered a previously unknown attack group that is targeting government and military targets, including several overseas embassies of an Eastern European country, and military and defense targets in the Middle East. This group eschews custom malware and uses living off the land (LotL) tactics and publicly available hack tools to carry out activities that bear all the hallmarks of a cyber espionage campaign.\nThe group, which we have given the name Gallmaker, has been operating since at least December 2017, with its most recent activity observed in June 2018.",
+      "meta": {
+        "refs": [
+          "https://www.symantec.com/blogs/threat-intelligence/gallmaker-attack-group"
+        ]
+      },
+      "uuid": "c79dab01-3f9f-491e-8a5f-6423339c9f76",
+      "value": "Gallmaker"
     }
   ],
   "version": 90
diff --git a/clusters/tool.json b/clusters/tool.json
index 4413d7a..defca1e 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -7519,6 +7519,15 @@
       },
       "uuid": "6e60cb73-0bcc-45bf-b14f-633aa7ffc8b4",
       "value": "OSX/Shlayer"
+    },
+    {
+      "meta": {
+        "refs": [
+          "https://www.virusbulletin.com/blog/2019/02/malspam-security-products-miss-banking-and-email-phishing-emotet-and-bushaloader/"
+        ]
+      },
+      "uuid": "4473f19e-ad0f-4191-bb7f-a28ef7ae3be3",
+      "value": "Bushaloader"
     }
   ],
   "version": 109