Merge pull request #872 from Delta-Sierra/main

add AtlasCross
Alexandre Dulaunoy 2023-10-11 14:51:06 +02:00 committed by GitHub
commit f9d6386c35
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 135 additions and 2 deletions


@ -4689,6 +4689,15 @@
"the Lamberts",
"APT-C-39",
"PLATINUM TERMINAL"
],
"targeted-sector": [
"Telecoms",
"Aerospace",
"Energy",
"Education",
"Government, Administration",
"Finance",
"News - Media"
]
},
"related": [
@ -4723,6 +4732,12 @@
"TA446",
"GOSSAMER BEAR",
"BlueCharlie"
],
"targeted-sector": [
"Government, Administration",
"Military",
"Think Tanks",
"Journalist"
]
},
"related": [
@ -4788,6 +4803,11 @@
"BISMUTH",
"ATK17",
"G0050"
],
"targeted-sector": [
"Dissidents",
"Government, Administration",
"Journalist"
]
},
"related": [
@ -4868,6 +4888,13 @@
"TwoForOne",
"G0068",
"ATK33"
],
"targeted-sector": [
"Defense",
"Government, Administration",
"Diplomacy",
"Intelligence",
"Telecoms"
]
},
"related": [
@ -4902,6 +4929,9 @@
"LeafMiner",
"Raspite"
],
"targeted-sector": [
"Electric"
],
"victimology": "Electric utility sector"
},
"uuid": "2c8994ba-367c-46f6-bfb0-390c8760dd9e",
@ -4921,6 +4951,11 @@
"synonyms": [
"ATK113",
"G0061"
],
"targeted-sector": [
"Entertainment",
"Hospitality",
"Retail"
]
},
"related": [
@ -5121,6 +5156,11 @@
"MANGANESE",
"BRONZE FLEETWOOD",
"TEMP.Bottle"
],
"targeted-sector": [
"Electronic",
"Telecoms",
"Technology"
]
},
"related": [
@ -5174,6 +5214,15 @@
"G0060",
"Stalker Taurus",
"PLA Unit 61419"
],
"targeted-sector": [
"Infrastructure",
"Industrial",
"Manufacturing",
"Diplomacy",
"News - Media",
"Political party",
"Engineering"
]
},
"related": [
@ -5398,6 +5447,12 @@
"https://www.kaspersky.com/about/press-releases/2012_kaspersky-lab-and-seculert-announce--madi--a-newly-discovered-cyber-espionage-campaign-in-the-middle-east",
"https://threatpost.com/new-and-improved-madi-spyware-campaign-continues-072512/76849/",
"https://web.archive.org/web/20120718173322/https://www.symantec.com/connect/blogs/madi-attacks-series-social-engineering-campaigns"
],
"targeted-sector": [
"Infrastructure",
"Engineering",
"Government, Administration",
"Finance"
]
},
"uuid": "d5dacda0-12c2-4e80-bdf2-1c5019ec40e2",
@ -11828,7 +11883,33 @@
},
"uuid": "3b238f3a-c67a-4a9e-b474-dc3897e00129",
"value": "Scattered Spider"
},
{
"description": "NSFOCUS Security Labs recently discovered a new attack process based on phishing documents in their daily threat-hunting operations. Delving deeper into this finding through extensive research, they confirmed two new Trojan horse programs and many rare attack techniques and tactics. NSFOCUS Security Labs believes that this new attack process comes from a new APT attacker, who has a high technical level and cautious attack attitude. The phishing attack activity captured this time is part of the attackers targeted strike on specific targets and is its main means to achieve in-domain penetration. NSFOCUS Security Labs validated the high-level threat attributes of AtlasCross in terms of development technology and attack strategy through an in-depth analysis of its attack metrics. At this current stage, AtlasCross has a relatively limited scope of activity, primarily focusing on targeted attacks against specific hosts within a network domain. However, the attack processes they employ are highly robust and mature. NSFOCUS Security Labs deduce that this attacker is highly likely to deploy this attack process into larger-scale network attack operations.",
"meta": {
"refs": [
"https://nsfocusglobal.com/warning-newly-discovered-apt-attacker-atlascross-exploits-red-cross-blood-drive-phishing-for-cyberattack/"
]
},
"related": [
{
"dest-uuid": "e7628f0e-e4ae-4dde-988b-07e93a4c20e3",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "uses"
},
{
"dest-uuid": "f162df7a-725b-40ef-add2-43ce74eb50a4",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "uses"
}
],
"uuid": "32eebd31-5e0f-4fb9-b478-26ff4e48aaf4",
"value": "AtlasCross"
}
],
"version": 284
"version": 285
}
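Review bot: The new AtlasCross description at the `"description"` line of the last hunk carries two wording slips from the source text that will be served verbatim by every MISP instance pulling this galaxy: `part of the attackers targeted strike` should read `part of the attacker's targeted strike`, and `NSFOCUS Security Labs deduce that` should read `NSFOCUS Security Labs deduces that`. The earlier hunks of this file add `targeted-sector` arrays to existing actors but the new entry gets none, which may be deliberate if the cited report names no sector; if it does, the same key belongs in its `meta` for consistency with the rest of the commit. The two `uses` relations point at UUIDs `e7628f0e-…` and `f162df7a-…`, which are the DangerAds and AtlasAgent entries added in the second file of this commit, and their reverse `used-by` relations there match.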


@ -10623,7 +10623,59 @@
},
"uuid": "978e5adc-e6e4-49a9-822f-0c130ac983a3",
"value": "DarkGate"
},
{
"description": "This is a loader Trojan used by AtlasCross in this activity. Its main function is to detect the host environment and execute a built-in shellcode in its own process, and then the shellcode loads and runs subsequent Trojan programs.\nDangerAds writes major malicious code to the .NET dll programs HelpText method, so it starts when an external program invokes Help from that dll program. It should be noted that the user name and local domain name of the host will be collected before the main malicious functions of DangerAds are executed, and subsequent codes will be executed only when one of these two names contains the keyword “danger” or “ads-wcf”. Therefore, it can be judged that this attack is a targeted attack against the domain or user name containing “ads-wcf”.\nThe main body of DangerAds malicious code will determine the number of program version bits and selectively decrypt and execute an x86 or x64 shellcode. DangerAds uses multi-byte XOR for decryption, while shellcode is loaded directly in the process.\nIn the shellcode stage, DangerAds uses a set of open-source scheme sRDI (https://github.com/monoxgas/sRDI/blob/master/shellcodeRDI/shellcodeRDI.c)) to load and execute DLL programs. The shellcode finally loads the attached DLL program at its tail and calls the export function EnumWinEvent.\nThe DLL program loaded by this shellcode is the AtlasAgent Trojan developed by AtlasCross.",
"meta": {
"refs": [
"https://nsfocusglobal.com/warning-newly-discovered-apt-attacker-atlascross-exploits-red-cross-blood-drive-phishing-for-cyberattack/"
]
},
"related": [
{
"dest-uuid": "32eebd31-5e0f-4fb9-b478-26ff4e48aaf4",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "used-by"
},
{
"dest-uuid": "f162df7a-725b-40ef-add2-43ce74eb50a4",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "executes"
}
],
"uuid": "e7628f0e-e4ae-4dde-988b-07e93a4c20e3",
"value": "DangerAds"
},
{
"description": "AtlasAgent used in this attack activity is Trojan horse program developed by AtlasCross. The main functions of the Trojan are to obtain host information, process information, prevent opening of multi-programs, inject specified shellcode and download files from CnC servers. The Trojan communicates with the CnC through HTTP protocol, encrypts communication data using Base64 encoding after RC4 encryption, and encrypts key APIs using two encryption methods at the same time.",
"meta": {
"refs": [
"https://nsfocusglobal.com/warning-newly-discovered-apt-attacker-atlascross-exploits-red-cross-blood-drive-phishing-for-cyberattack/"
]
},
"related": [
{
"dest-uuid": "32eebd31-5e0f-4fb9-b478-26ff4e48aaf4",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "used-by"
},
{
"dest-uuid": "e7628f0e-e4ae-4dde-988b-07e93a4c20e3",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "executed-by"
}
],
"uuid": "f162df7a-725b-40ef-add2-43ce74eb50a4",
"value": "AtlasAgent"
}
],
"version": 169
"version": 170
}
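Review bot: The DangerAds `"description"` string in this hunk contains a stray second closing parenthesis after the sRDI URL, `shellcodeRDI.c))`, which will break the link when a consumer renders the description; it should be `shellcodeRDI.c)`. The same string has `programs HelpText method`, which should read `program's HelpText method`, and it mixes curly quotes (`“danger”`, `“ads-wcf”`) with the plain ASCII quoting used in the AtlasAgent description below it; both are valid JSON, but one style per file reads better. The `"meta"` of both new tool entries holds only `refs`; if this cluster file also records a tool `type` or `synonyms` on other entries (not visible in this hunk), adding `"type": ["Loader"]` for DangerAds and a matching entry for AtlasAgent would keep the new records searchable alongside the existing ones.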