chg: [galaxy] updated to the latest version

pull/6/head
Alexandre Dulaunoy 2018-09-19 07:13:25 +02:00
parent f983cfdad1
commit 674d524e9c
No known key found for this signature in database
GPG Key ID: 09E2CD4944E6CBCD
2 changed files with 67232 additions and 66208 deletions


@ -96842,6 +96842,9 @@ Threat actor is a cluster galaxy available in JSON format at <a href="https://gi
<li>
<p>Transparent Tribe</p>
</li>
<li>
<p>Mythic Leopard</p>
</li>
</ul>
</div>
<table class="tableblock frame-all grid-all stretch">
@ -96862,6 +96865,9 @@ Threat actor is a cluster galaxy available in JSON format at <a href="https://gi
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="https://www.amnesty.org/en/documents/asa33/8366/2018/en/">https://www.amnesty.org/en/documents/asa33/8366/2018/en/</a></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="https://www.crowdstrike.com/blog/adversary-of-the-month-for-may/">https://www.crowdstrike.com/blog/adversary-of-the-month-for-may/</a></p></td>
</tr>
</tbody>
</table>
</div>
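Review bot: The CrowdStrike URL added in this hunk (`/blog/adversary-of-the-month-for-may/`) carries no year in its path, so it is not a stable citation for the Mythic Leopard alias added above; if the blog reuses that slug next May the reference silently points at a different adversary. Suggest pinning it to the dated post or an archived copy before it is published as the source for the synonym.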
@ -99617,33 +99623,13 @@ Threat actor is a cluster galaxy available in JSON format at <a href="https://gi
</table>
</div>
<div class="sect2">
<h3 id="_operation_parliament"><a class="anchor" href="#_operation_parliament"></a><a class="link" href="#_operation_parliament">Operation Parliament</a></h3>
<div class="paragraph">
<p>Kaspersky Lab has been tracking a series of attacks utilizing unknown malware since early 2017. The attacks appear to be geopolitically motivated and target high profile organizations. The objective of the attacks is clearly espionage they involve gaining access to top legislative, executive and judicial bodies around the world.</p>
</div>
<table class="tableblock frame-all grid-all stretch">
<caption class="title">Table 2709. Table References</caption>
<colgroup>
<col style="width: 100%;">
</colgroup>
<tbody>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">Links</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="https://securelist.com/operation-parliament-who-is-doing-what/85237/">https://securelist.com/operation-parliament-who-is-doing-what/85237/</a></p></td>
</tr>
</tbody>
</table>
</div>
<div class="sect2">
<h3 id="_orangeworm"><a class="anchor" href="#_orangeworm"></a><a class="link" href="#_orangeworm">Orangeworm</a></h3>
<div class="paragraph">
<p>Symantec has identified a previously unknown group called Orangeworm that has been observed installing a custom backdoor called Trojan.Kwampirs within large international corporations that operate within the healthcare sector in the United States, Europe, and Asia.
First identified in January 2015, Orangeworm has also conducted targeted attacks against organizations in related industries as part of a larger supply-chain attack in order to reach their intended victims. Known victims include healthcare providers, pharmaceuticals, IT solution providers for healthcare and equipment manufacturers that serve the healthcare industry, likely for the purpose of corporate espionage.</p>
</div>
<table class="tableblock frame-all grid-all stretch">
<caption class="title">Table 2710. Table References</caption>
<caption class="title">Table 2709. Table References</caption>
<colgroup>
<col style="width: 100%;">
</colgroup>
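Review bot: The removed Operation Parliament entry (from `<h3 id="_operation_parliament">` through its `</table></div>`) takes the Kaspersky description with it, and that text is the only place the cluster explained what the campaign is (unknown malware since early 2017, espionage against legislative, executive and judicial bodies). The entry that survives later in this diff is the one-line CFR summary. If this is a deliberate merge of a duplicated cluster, carry the fuller description over to the retained entry instead of dropping it. The Table 2710 to 2709 caption change that follows is just the renumbering cascade caused by the removal and needs no separate review.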
@ -99673,7 +99659,7 @@ First identified in January 2015, Orangeworm has also conducted targeted attacks
</ul>
</div>
<table class="tableblock frame-all grid-all stretch">
<caption class="title">Table 2711. Table References</caption>
<caption class="title">Table 2710. Table References</caption>
<colgroup>
<col style="width: 100%;">
</colgroup>
@ -99710,7 +99696,7 @@ This threat actor targets organizations involved in oil, gas, and electricity pr
</ul>
</div>
<table class="tableblock frame-all grid-all stretch">
<caption class="title">Table 2712. Table References</caption>
<caption class="title">Table 2711. Table References</caption>
<colgroup>
<col style="width: 100%;">
</colgroup>
@ -99750,7 +99736,7 @@ This threat actor compromises the networks of companies involved in electric pow
</ul>
</div>
<table class="tableblock frame-all grid-all stretch">
<caption class="title">Table 2713. Table References</caption>
<caption class="title">Table 2712. Table References</caption>
<colgroup>
<col style="width: 100%;">
</colgroup>
@ -99791,7 +99777,7 @@ This threat actor targets industrial control systems in Turkey, Europe, and Nort
</ul>
</div>
<table class="tableblock frame-all grid-all stretch">
<caption class="title">Table 2714. Table References</caption>
<caption class="title">Table 2713. Table References</caption>
<colgroup>
<col style="width: 100%;">
</colgroup>
@ -99827,7 +99813,7 @@ This threat actor targets industrial control systems in Turkey, Europe, and Nort
</ul>
</div>
<table class="tableblock frame-all grid-all stretch">
<caption class="title">Table 2715. Table References</caption>
<caption class="title">Table 2714. Table References</caption>
<colgroup>
<col style="width: 100%;">
</colgroup>
@ -99856,7 +99842,7 @@ This threat actor targets industrial control systems in Turkey, Europe, and Nort
<p>XENOTIME is also known as:</p>
</div>
<table class="tableblock frame-all grid-all stretch">
<caption class="title">Table 2716. Table References</caption>
<caption class="title">Table 2715. Table References</caption>
<colgroup>
<col style="width: 100%;">
</colgroup>
@ -99876,7 +99862,7 @@ This threat actor targets industrial control systems in Turkey, Europe, and Nort
<p>ZooPark is a cyberespionage operation that has been focusing on Middle Eastern targets since at least June 2015. The threat actors behind ZooPark infect Android devices using several generations of malware we label from v1-v4, with v4 being the most recent version deployed in 2017.</p>
</div>
<table class="tableblock frame-all grid-all stretch">
<caption class="title">Table 2717. Table References</caption>
<caption class="title">Table 2716. Table References</caption>
<colgroup>
<col style="width: 100%;">
</colgroup>
@ -99921,7 +99907,7 @@ This threat actor targets industrial control systems in Turkey, Europe, and Nort
</ul>
</div>
<table class="tableblock frame-all grid-all stretch">
<caption class="title">Table 2718. Table References</caption>
<caption class="title">Table 2717. Table References</caption>
<colgroup>
<col style="width: 100%;">
</colgroup>
@ -99951,26 +99937,6 @@ This threat actor targets industrial control systems in Turkey, Europe, and Nort
</table>
</div>
<div class="sect2">
<h3 id="_thrip"><a class="anchor" href="#_thrip"></a><a class="link" href="#_thrip">Thrip</a></h3>
<div class="paragraph">
<p>Symantec have been monitoring Thrip since 2013 when they uncovered a spying campaign being orchestrated from systems based in China. Since their initial discovery, the group has changed its tactics and broadened the range of tools it used. Initially, it relied heavily on custom malware, but in this most recent wave of attacks, which began in 2017, the group has switched to a mixture of custom malware and living off the land tools. All of these tools, with the exception of Mimikatz (which is almost always used maliciously), have legitimate uses.</p>
</div>
<table class="tableblock frame-all grid-all stretch">
<caption class="title">Table 2719. Table References</caption>
<colgroup>
<col style="width: 100%;">
</colgroup>
<tbody>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">Links</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets">https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets</a></p></td>
</tr>
</tbody>
</table>
</div>
<div class="sect2">
<h3 id="_rancor"><a class="anchor" href="#_rancor"></a><a class="link" href="#_rancor">RANCOR</a></h3>
<div class="paragraph">
<p>The Rancor groups attacks use two primary malware families which are naming DDKONG and PLAINTEE. DDKONG is used throughout the campaign and PLAINTEE appears to be new addition to these attackers toolkit. Countries Unit 42 has identified as targeted by Rancor with these malware families include, but are not limited to Singapore and Cambodia.</p>
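Review bot: Same concern as for Operation Parliament: deleting the Symantec Thrip entry (`<h3 id="_thrip">` through its `</table></div>`) loses the only description that records the group's history (monitored since 2013, shift to living-off-the-land tooling in 2017, Mimikatz use), while the retained entry later in the diff is a single CFR sentence. Suggest merging that text into the kept entry. Unrelated to this change, the RANCOR context line still reads `The Rancor groups attacks ... which are naming DDKONG` (missing apostrophes, `are named`), which can be fixed in the source JSON on the next regeneration.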
@ -99986,7 +99952,7 @@ This threat actor targets industrial control systems in Turkey, Europe, and Nort
</ul>
</div>
<table class="tableblock frame-all grid-all stretch">
<caption class="title">Table 2720. Table References</caption>
<caption class="title">Table 2718. Table References</caption>
<colgroup>
<col style="width: 100%;">
</colgroup>
@ -100009,7 +99975,7 @@ This threat actor targets industrial control systems in Turkey, Europe, and Nort
<p>While it is not clear exactly what the attacker is looking for, what is clear is that once he finds it, a second stage of the attack awaits, fetching additional modules and/or malware from the Command and Control server. This then is a surveillance attack in progress and has been dubbed Big Bang due to the attackers fondness for the Big Bang Theory TV show, after which some of the malwares modules are named.</p>
</div>
<table class="tableblock frame-all grid-all stretch">
<caption class="title">Table 2721. Table References</caption>
<caption class="title">Table 2719. Table References</caption>
<colgroup>
<col style="width: 100%;">
</colgroup>
@ -100032,7 +99998,7 @@ This threat actor targets industrial control systems in Turkey, Europe, and Nort
<p>In mid-July, Palo Alto Networks Unit 42 identified a small targeted phishing campaign aimed at a government organization. While tracking the activities of this campaign, we identified a repository of additional malware, including a web server that was used to host the payloads used for both this attack as well as others.</p>
</div>
<table class="tableblock frame-all grid-all stretch">
<caption class="title">Table 2722. Table References</caption>
<caption class="title">Table 2720. Table References</caption>
<colgroup>
<col style="width: 100%;">
</colgroup>
@ -100052,7 +100018,7 @@ This threat actor targets industrial control systems in Turkey, Europe, and Nort
<p>Unit 42 researchers have been tracking Subaat, an attacker, since 2017. Recently Subaat drew our attention due to renewed targeted attack activity. Part of monitoring Subaat included realizing the actor was possibly part of a larger crew of individuals responsible for carrying out targeted attacks against worldwide governmental organizations. Technical analysis on some of the attacks as well as attribution links with Pakistan actors have been already depicted by 360 and Tuisec, in which they found interesting connections to a larger group of attackers Unit 42 researchers have been tracking, which we are calling Gorgon Group.</p>
</div>
<table class="tableblock frame-all grid-all stretch">
<caption class="title">Table 2723. Table References</caption>
<caption class="title">Table 2721. Table References</caption>
<colgroup>
<col style="width: 100%;">
</colgroup>
@ -100072,7 +100038,7 @@ This threat actor targets industrial control systems in Turkey, Europe, and Nort
<p>In July 2018, Unit 42 analyzed a targeted attack using a novel file type against at least one government agency in the Middle East. It was carried out by a previously unpublished threat group we track as DarkHydrus. Based on our telemetry, we were able to uncover additional artifacts leading us to believe this adversary group has been in operation with their current playbook since early 2016. This attack diverged from previous attacks we observed from this group as it involved spear-phishing emails sent to targeted organizations with password protected RAR archive attachments that contained malicious Excel Web Query files (.iqy).</p>
</div>
<table class="tableblock frame-all grid-all stretch">
<caption class="title">Table 2724. Table References</caption>
<caption class="title">Table 2722. Table References</caption>
<colgroup>
<col style="width: 100%;">
</colgroup>
@ -100092,7 +100058,7 @@ This threat actor targets industrial control systems in Turkey, Europe, and Nort
<p>Recorded Futures Insikt Group has identified two new cyberespionage campaigns targeting the Tibetan Community over the past two years. The campaigns, which we are collectively naming RedAlpha, combine light reconnaissance, selective targeting, and diverse malicious tooling. We discovered this activity as the result of pivoting off of a new malware sample observed targeting the Tibetan community based in India.</p>
</div>
<table class="tableblock frame-all grid-all stretch">
<caption class="title">Table 2725. Table References</caption>
<caption class="title">Table 2723. Table References</caption>
<colgroup>
<col style="width: 100%;">
</colgroup>
@ -100125,7 +100091,7 @@ This threat actor targets industrial control systems in Turkey, Europe, and Nort
</ul>
</div>
<table class="tableblock frame-all grid-all stretch">
<caption class="title">Table 2726. Table References</caption>
<caption class="title">Table 2724. Table References</caption>
<colgroup>
<col style="width: 100%;">
</colgroup>
@ -100145,7 +100111,7 @@ This threat actor targets industrial control systems in Turkey, Europe, and Nort
<p>This threat actor targets organizations in the finance, defense, aerospace, technology, health-care, and automotive sectors and media organizations in East Asia for the purpose of espionage. Believed to be responsible for the targeting of South Korean actors prior to the meeting of Donald J. Trump and Kim Jong-un</p>
</div>
<table class="tableblock frame-all grid-all stretch">
<caption class="title">Table 2727. Table References</caption>
<caption class="title">Table 2725. Table References</caption>
<colgroup>
<col style="width: 100%;">
</colgroup>
@ -100160,12 +100126,12 @@ This threat actor targets industrial control systems in Turkey, Europe, and Nort
</table>
</div>
<div class="sect2">
<h3 id="_operation_parliament_2"><a class="anchor" href="#_operation_parliament_2"></a><a class="link" href="#_operation_parliament_2">Operation Parliament</a></h3>
<h3 id="_operation_parliament"><a class="anchor" href="#_operation_parliament"></a><a class="link" href="#_operation_parliament">Operation Parliament</a></h3>
<div class="paragraph">
<p>This threat actor uses spear-phishing techniques to target parliaments, government ministries, academics, and media organizations, primarily in the Middle East, for the purpose of espionage.</p>
</div>
<table class="tableblock frame-all grid-all stretch">
<caption class="title">Table 2728. Table References</caption>
<caption class="title">Table 2726. Table References</caption>
<colgroup>
<col style="width: 100%;">
</colgroup>
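Review bot: Renaming the heading id from `_operation_parliament_2` to `_operation_parliament` reuses the anchor that belonged to the deleted entry, so an existing bookmark to `#_operation_parliament` now resolves to a different, shorter description, and any link to `#_operation_parliament_2` breaks. That is acceptable for generated HTML, but the commit message (`updated to the latest version`) does not say that duplicate clusters were merged; a line noting the merge would make this traceable.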
@ -100176,6 +100142,9 @@ This threat actor targets industrial control systems in Turkey, Europe, and Nort
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="https://www.cfr.org/interactive/cyber-operations/operation-parliament">https://www.cfr.org/interactive/cyber-operations/operation-parliament</a></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="https://securelist.com/operation-parliament-who-is-doing-what/85237/">https://securelist.com/operation-parliament-who-is-doing-what/85237/</a></p></td>
</tr>
</tbody>
</table>
</div>
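Review bot: Carrying the securelist.com reference from the removed entry into this one is the right call, since the retained CFR summary otherwise cites only the CFR tracker. With both links here the merge loses no source, only the Kaspersky description text noted earlier.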
@ -100185,7 +100154,7 @@ This threat actor targets industrial control systems in Turkey, Europe, and Nort
<p>This threat actor uses spear-phishing techniques to target private-sector energy, defense, aerospace, research, and media organizations and embassies in Africa, Europe, and the Middle East, for the purpose of espionage.</p>
</div>
<table class="tableblock frame-all grid-all stretch">
<caption class="title">Table 2729. Table References</caption>
<caption class="title">Table 2727. Table References</caption>
<colgroup>
<col style="width: 100%;">
</colgroup>
@ -100206,7 +100175,7 @@ This threat actor targets industrial control systems in Turkey, Europe, and Nort
Believed to be associated with the Axiom, APT 17, and Mirage threat actors. Believed to share the same tools and infrastructure as the threat actors that carried out Operation Aurora, the 2015 targeting of video game companies, the 2015 targeting of the Thai government, and the 2017 targeting of Chinese-language news websites</p>
</div>
<table class="tableblock frame-all grid-all stretch">
<caption class="title">Table 2730. Table References</caption>
<caption class="title">Table 2728. Table References</caption>
<colgroup>
<col style="width: 100%;">
</colgroup>
@ -100226,7 +100195,7 @@ Believed to be associated with the Axiom, APT 17, and Mirage threat actors. Beli
<p>This threat actor targets Uighurs—a minority ethnic group located primarily in northwestern China—and devices from Chinese mobile phone manufacturer Xiaomi, for espionage purposes.</p>
</div>
<table class="tableblock frame-all grid-all stretch">
<caption class="title">Table 2731. Table References</caption>
<caption class="title">Table 2729. Table References</caption>
<colgroup>
<col style="width: 100%;">
</colgroup>
@ -100246,7 +100215,7 @@ Believed to be associated with the Axiom, APT 17, and Mirage threat actors. Beli
<p>This threat actor targets nongovernmental organizations using Mongolian-themed lures for espionage purposes.</p>
</div>
<table class="tableblock frame-all grid-all stretch">
<caption class="title">Table 2732. Table References</caption>
<caption class="title">Table 2730. Table References</caption>
<colgroup>
<col style="width: 100%;">
</colgroup>
@ -100261,12 +100230,12 @@ Believed to be associated with the Axiom, APT 17, and Mirage threat actors. Beli
</table>
</div>
<div class="sect2">
<h3 id="_thrip_2"><a class="anchor" href="#_thrip_2"></a><a class="link" href="#_thrip_2">Thrip</a></h3>
<h3 id="_thrip"><a class="anchor" href="#_thrip"></a><a class="link" href="#_thrip">Thrip</a></h3>
<div class="paragraph">
<p>This threat actor targets organizations in the satellite communications, telecommunications, geospatial-imaging, and defense sectors in the United States and Southeast Asia for espionage purposes.</p>
</div>
<table class="tableblock frame-all grid-all stretch">
<caption class="title">Table 2733. Table References</caption>
<caption class="title">Table 2731. Table References</caption>
<colgroup>
<col style="width: 100%;">
</colgroup>
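Review bot: As with Operation Parliament, the `_thrip_2` to `_thrip` id change reassigns an anchor that previously pointed at the Symantec-sourced entry; existing deep links to `#_thrip` now land on the CFR one-liner. Worth a mention in the commit message so downstream consumers of the rendered docs know why the anchor target changed.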
@ -100277,6 +100246,9 @@ Believed to be associated with the Axiom, APT 17, and Mirage threat actors. Beli
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="https://www.cfr.org/interactive/cyber-operations/thrip">https://www.cfr.org/interactive/cyber-operations/thrip</a></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets">https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets</a></p></td>
</tr>
</tbody>
</table>
</div>
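Review bot: Good that the Symantec reference from the removed Thrip entry is preserved here; the retained entry now cites both CFR and the original Symantec write-up, so no source is lost in the merge.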
@ -100286,7 +100258,7 @@ Believed to be associated with the Axiom, APT 17, and Mirage threat actors. Beli
<p>This threat actor targets organizations in the satellite communications, telecommunications, geospatial-imaging, and defense sectors in the United States and Southeast Asia for espionage purposes.</p>
</div>
<table class="tableblock frame-all grid-all stretch">
<caption class="title">Table 2734. Table References</caption>
<caption class="title">Table 2732. Table References</caption>
<colgroup>
<col style="width: 100%;">
</colgroup>
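Review bot: The unchanged context line in this hunk, `This threat actor targets organizations in the satellite communications, telecommunications, geospatial-imaging, and defense sectors ...`, is word-for-word the description of the Thrip entry just above it, but sits under a different heading that is outside the hunk. That looks like another duplicated cluster or a copy-pasted description in the source JSON, so the deduplication in this commit may be incomplete; check the cluster that owns this paragraph.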
@ -100324,7 +100296,7 @@ Believed to be associated with the Axiom, APT 17, and Mirage threat actors. Beli
<p>The researchers say that PowerPool developers did not use the binary version of the exploit, deciding instead to make some subtle changes to the source code before recompiling it.</p>
</div>
<table class="tableblock frame-all grid-all stretch">
<caption class="title">Table 2735. Table References</caption>
<caption class="title">Table 2733. Table References</caption>
<colgroup>
<col style="width: 100%;">
</colgroup>
@ -100338,6 +100310,112 @@ Believed to be associated with the Axiom, APT 17, and Mirage threat actors. Beli
</tbody>
</table>
</div>
<div class="sect2">
<h3 id="_bahamut"><a class="anchor" href="#_bahamut"></a><a class="link" href="#_bahamut">Bahamut</a></h3>
<div class="paragraph">
<p>Bahamut is a threat actor primarily operating in Middle East and Central Asia, suspected to be a private contractor to several state sponsored actors. They were observed conduct phishing as well as desktop and mobile malware campaigns.</p>
</div>
<table class="tableblock frame-all grid-all stretch">
<caption class="title">Table 2734. Table References</caption>
<colgroup>
<col style="width: 100%;">
</colgroup>
<tbody>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">Links</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="https://www.bellingcat.com/news/mena/2017/06/12/bahamut-pursuing-cyber-espionage-actor-middle-east/">https://www.bellingcat.com/news/mena/2017/06/12/bahamut-pursuing-cyber-espionage-actor-middle-east/</a></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="https://www.bellingcat.com/resources/case-studies/2017/10/27/bahamut-revisited-cyber-espionage-middle-east-south-asia/">https://www.bellingcat.com/resources/case-studies/2017/10/27/bahamut-revisited-cyber-espionage-middle-east-south-asia/</a></p></td>
</tr>
</tbody>
</table>
</div>
<div class="sect2">
<h3 id="_iron_group"><a class="anchor" href="#_iron_group"></a><a class="link" href="#_iron_group">Iron Group</a></h3>
<div class="paragraph">
<p>Iron group has developed multiple types of malware (backdoors, crypto-miners, and ransomware) for Windows, Linux and Android platforms. They have used their malware to successfully infect, at least, a few thousand victims.</p>
</div>
<div class="paragraph">
<p>Iron Group is also known as:</p>
</div>
<div class="ulist">
<ul>
<li>
<p>I</p>
</li>
<li>
<p>r</p>
</li>
<li>
<p>o</p>
</li>
<li>
<p>n</p>
</li>
</ul>
</div>
<div class="paragraph">
<p>*</p>
</div>
<div class="ulist">
<ul>
<li>
<p>C</p>
</li>
<li>
<p>y</p>
</li>
<li>
<p>b</p>
</li>
<li>
<p>e</p>
</li>
<li>
<p>r</p>
</li>
</ul>
</div>
<div class="paragraph">
<p>*</p>
</div>
<div class="ulist">
<ul>
<li>
<p>G</p>
</li>
<li>
<p>r</p>
</li>
<li>
<p>o</p>
</li>
<li>
<p>u</p>
</li>
<li>
<p>p</p>
</li>
</ul>
</div>
<table class="tableblock frame-all grid-all stretch">
<caption class="title">Table 2735. Table References</caption>
<colgroup>
<col style="width: 100%;">
</colgroup>
<tbody>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">Links</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="https://www.intezer.com/iron-cybercrime-group-under-the-scope-2/">https://www.intezer.com/iron-cybercrime-group-under-the-scope-2/</a></p></td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
<div class="sect1">
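Review bot: The `Iron Group is also known as:` list in this hunk is broken: it renders as single-character bullets `I`, `r`, `o`, `n`, then a paragraph containing `*`, then `C`, `y`, `b`, `e`, `r`, another `*`, then `G`, `r`, `o`, `u`, `p`, which spells `Iron Cyber Group`. This is the typical result of a `synonyms` value stored as a plain string in the cluster JSON instead of a list, so the generator iterates over characters and the spaces come out as empty bullets. Fix the source entry to a list, e.g. `"synonyms": ["Iron Cyber Group"]`, and regenerate rather than patching the HTML. Minor: the Bahamut paragraph reads `operating in Middle East` and `observed conduct phishing`; `in the Middle East` and `observed conducting phishing` in the JSON description would fix both on regeneration.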
@ -109330,12 +109408,32 @@ Members of the family can also change search results, which can generate money f
</tbody>
</table>
</div>
<div class="sect2">
<h3 id="_xbash"><a class="anchor" href="#_xbash"></a><a class="link" href="#_xbash">Xbash</a></h3>
<div class="paragraph">
<p>Xbash is a malware family that is targeting Linux and Microsoft Windows servers. We can tie this malware, which we have named Xbash, to the Iron Group, a threat actor group known for previous ransomware attacks.</p>
</div>
<table class="tableblock frame-all grid-all stretch">
<caption class="title">Table 3089. Table References</caption>
<colgroup>
<col style="width: 100%;">
</colgroup>
<tbody>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">Links</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/">https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/</a></p></td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
</div>
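Review bot: The Xbash description is copied first-person from the vendor write-up (`We can tie this malware, which we have named Xbash, to the Iron Group`), so in the rendered galaxy it reads as if MISP named the family; reword to attribute the naming and attribution to Palo Alto Networks Unit 42, which is the source cited in the table. Also, since this same commit adds Iron Group as a threat-actor cluster (`_iron_group`), the tie between the two is only stated in free text here; expressing it as a relation between the malware and threat-actor clusters would make it machine-readable.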
<div id="footer">
<div id="footer-text">
Last updated 2018-09-17 19:52:47 CEST
Last updated 2018-09-19 07:09:33 CEST
</div>
</div>
</body>

galaxy.pdf

File diff suppressed because one or more lines are too long