Merge branch 'master' into master

pull/239/head
Deborah Servili 2018-08-03 16:11:16 +02:00 committed by GitHub
commit e5b185deee
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 116 additions and 4 deletions

View File

@ -2522,6 +2522,16 @@
"description": "The RAT is written in .NET, it uses socket.io for communication. Currently there are two variants of the malware, the 1st variant is a typical downloader whereas the 2nd one has download and C2 functionalities.",
"value": "SocketPlayer",
"uuid": "d9475765-2cea-45c0-b638-a082b9427239"
},
{
"value": "Hallaj PRO RAT",
"description": "RAT",
"uuid": "f6447046-f4e8-4977-9cc3-edee74ff0038",
"meta": {
"refs": [
"https://securelist.com/attacks-on-industrial-enterprises-using-rms-and-teamviewer/87104/"
]
}
}
],
"authors": [

View File

@ -1600,7 +1600,8 @@
"https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks",
"https://blog.cyber4sight.com/2017/04/similarities-between-carbanak-and-fin7-malware-suggest-actors-are-closely-related/",
"https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor",
"https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns"
"https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns",
"https://www.crowdstrike.com/blog/arrests-put-new-focus-on-carbon-spider-adversary-group/"
],
"motive": "Cybercrime"
},
@ -2686,6 +2687,22 @@
},
"uuid": "feac86e4-6bb2-4ba0-ac99-806aeb0a776c"
},
{
"value": "RASPITE",
"description": "Dragos has identified a new activity group targeting access operations in the electric utility sector. We call this activity group RASPITE. Analysis of RASPITE tactics, techniques, and procedures (TTPs) indicate the group has been active in some form since early- to mid-2017. RASPITE targeting includes entities in the US, Middle East, Europe, and East Asia. Operations against electric utility organizations appear limited to the US at this time. RASPITE leverages strategic website compromise to gain initial access to target networks. RASPITE uses the same methodology as DYMALLOY and ALLANITE in embedding a link to a resource to prompt an SMB connection, from which it harvests Windows credentials. The group then deploys install scripts for a malicious service to beacon back to RASPITE-controlled infrastructure, allowing the adversary to remotely access the victim machine.",
"uuid": "2c8994ba-367c-46f6-bfb0-390c8760dd9e",
"meta": {
"synonyms": [
"LeafMiner"
],
"since": "2017",
"victimology": "Electric utility sector",
"refs": [
"https://dragos.com/blog/20180802Raspite.html",
"https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east"
]
}
},
{
"meta": {
"refs": [
@ -3749,7 +3766,7 @@
"https://blog.talosintelligence.com/2017/06/palestine-delphi.html"
]
},
"uuid": "a6fdd972-971a-11e8-bf58-9b08a198e9a3"
"uuid": "475df014-556a-41db-ad6a-ff509dd202a1",
},
{
"value": "Subaat",
@ -3761,6 +3778,17 @@
},
"uuid": "a7bc4ef2-971a-11e8-9bf0-13aa7d6d8651"
}
},
{
"value": "The Gorgon Group",
"description": "Unit 42 researchers have been tracking Subaat, an attacker, since 2017. Recently Subaat drew our attention due to renewed targeted attack activity. Part of monitoring Subaat included realizing the actor was possibly part of a larger crew of individuals responsible for carrying out targeted attacks against worldwide governmental organizations. Technical analysis on some of the attacks as well as attribution links with Pakistan actors have been already depicted by 360 and Tuisec, in which they found interesting connections to a larger group of attackers Unit 42 researchers have been tracking, which we are calling Gorgon Group.",
"uuid": "e47c2c4d-706b-4098-92a2-b93e7103e131",
"meta": {
"refs": [
"https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/"
]
}
}
],
"name": "Threat actor",
"type": "threat-actor",
@ -3774,5 +3802,5 @@
],
"description": "Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign.",
"uuid": "7cdff317-a673-4474-84ec-4f1754947823",
"version": 47
"version": 50
}

View File

@ -2,7 +2,7 @@
"uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f",
"description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.",
"source": "MISP Project",
"version": 79,
"version": 81,
"values": [
{
"meta": {
@ -4376,6 +4376,80 @@
"description": "Koadic, or COM Command & Control, is a Windows post-exploitation rootkit similar to other penetration testing tools such as Meterpreter and Powershell Empire. The major difference is that Koadic does most of its operations using Windows Script Host",
"value": "Koadic",
"uuid": "f9e0b922-253c-40fa-a6d2-e60ec9c6980b"
},
{
"value": "Bisonal",
"uuid": "23f6da78-873a-4ab0-9167-c8b0563627a5",
"description": "In early May, Unit 42 discovered an attack campaign against at least one defense company in Russia and one unidentified organization in South Korea delivering a variant of Bisonal malware. While not previously publicly documented, the variant has been in the wild since at least 2014. There are three primary differences between it and older Bisonal malware including a different cipher and encryption for C2 communication, and a large rewrite of the code for both network communication and maintaining persistence. To date, we have only collected 14 samples of this variant, indicating it may be sparingly used. The adversary behind these attacks lured the targets into launching the Microsoft Windows executable malware by masquerading it as a PDF file (using a fake PDF icon) and reusing publicly available data for the decoy PDF files contents. Attacks using Bisonal have been blogged about in the past. In 2013, both COSEINC and FireEye revealed attacks using Bisonal against Japanese organizations . In October 2017, AhnLab published a report called “Operation Bitter Biscuit,” an attack campaign against South Korea, Japan, India and Russia using Bisonal and its successors, Bioazih and Dexbia. ",
"meta": {
"refs": [
"https://researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/",
"https://camal.coseinc.com/publish/2013Bisonal.pdf"
]
}
},
{
"value": "Sekur",
"uuid": "ddbd9db5-7875-437b-b7c5-a17d2892d218",
"description": "Sekur has been CARBON SPIDERs primary tool for several years, although usage over the last year appears to have declined. It contains all the functionality you would expect from a RAT, allowing the adversary to execute commands, manage the file system, manage processes, and collect data. In addition, it can record videos of victim sessions, log keystrokes, enable remote desktop, or install Ammyy Admin or VNC modules. From July 2014 on, samples were compiled with the capability to target Epicor POS systems and to collect credit card data.",
"meta": {
"refs": [
"https://www.crowdstrike.com/blog/arrests-put-new-focus-on-carbon-spider-adversary-group/"
]
}
},
{
"value": "Agent ORM",
"uuid": "c1159097-3dad-48ab-91cf-c055182f5785",
"description": "Agent ORM began circulating alongside Skeur in campaigns throughout the second half of 2015. The malware collects basic system information and is able to take screenshots of victim systems. It is used to download next-stage payloads when systems of interest are identified. It is strongly suspected that Agent ORM has been deprecated in favor of script-based first-stage implants (VB Flash, JS Flash, and Bateleur).",
"meta": {
"refs": [
"https://www.crowdstrike.com/blog/arrests-put-new-focus-on-carbon-spider-adversary-group/"
],
"synonyms": [
"Tosliph",
"DRIFTPIN"
]
}
},
{
"value": "VB Flash",
"uuid": "2815a353-cd56-4ed0-8581-812b94f7a326",
"description": "VB Flash was first observed being deployed alongside Agent ORM in September 2015. It is likely that this was developed as a replacement to Agent ORM and contained similar capabilities. The first observed instance of VB Flash included comments and was easy to analyze—later versions soon began to integrate multiple layers of obfuscation. Several versions of VB Flash were developed including ones that utilized Google Forms, Google Macros, and Google Spreadsheets together to make a command-and-control (C2) channel. This variant would POST victim data to a specified Google form, then make a request to a Google macro script, receiving an address for a Google Spreadsheet from which to request commands.",
"meta": {
"refs": [
"https://www.crowdstrike.com/blog/arrests-put-new-focus-on-carbon-spider-adversary-group/"
],
"synonyms": [
"HALFBAKED"
]
}
},
{
"value": "JS Flash",
"uuid": "bf03a7ae-3c5e-47b9-84c6-27756297f1b5",
"description": "JS Flash capabilities closely resemble those of VB Flash and leverage interesting techniques in deployment via batch scripts embedded as OLE objects in malicious documents. Many iterations of JS Flash were observed being tested before deployment, containing minor changes to obfuscation and more complex additions, such as the ability to download TinyMet (a cutdown of the Metasploit Meterpreter payload). PowerShell was also used heavily for the execution of commands and arbitrary script execution. No JS Flash samples were observed being deployed after November 2017.",
"meta": {
"refs": [
"https://www.crowdstrike.com/blog/arrests-put-new-focus-on-carbon-spider-adversary-group/"
],
"synonyms": [
"JavaScript variant of HALFBAKED"
]
}
},
{
"value": "Bateleur",
"uuid": "81faf0c1-0595-436b-a66a-05d8b435bccd",
"description": "Bateleur deployments began not long after JS Flash and were also written in JavaScript. Deployments were more infrequent and testing was not observed. It is likely that Bateleur was run in parallel as an alternative tool and eventually replaced JS Flash as CARBON SPIDERs first stage tool of choice. Although much simpler in design than JS Flash, all executing out of a single script with more basic obfuscation, Bateleur has a wealth of capabilities—including the ability to download arbitrary scripts and executables, deploy TinyMet, execute commands via PowerShell, deploy a credential stealer, and collect victim system information such as screenshots.",
"meta": {
"refs": [
"https://www.crowdstrike.com/blog/arrests-put-new-focus-on-carbon-spider-adversary-group/"
],
"synonyms": [
""
]
}
}
],
"authors": [