mirror of https://github.com/MISP/misp-website
chg: [misp-galaxy] updated
parent
a6c7c4116a
commit
fc1a5ecc2b
144
galaxy.html
144
galaxy.html
|
|
@ -95775,6 +95775,9 @@ Threat actor is a cluster galaxy available in JSON format at <a href="https://gi
|
|||
<tr>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns">https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns</a></p></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="https://www.crowdstrike.com/blog/arrests-put-new-focus-on-carbon-spider-adversary-group/">https://www.crowdstrike.com/blog/arrests-put-new-focus-on-carbon-spider-adversary-group/</a></p></td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</div>
|
||||
|
|
@ -107884,12 +107887,151 @@ Talos have identified the samples, with moderate confidence, used in this attack
|
|||
</tbody>
|
||||
</table>
|
||||
</div>
|
||||
<div class="sect2">
|
||||
<h3 id="_sekur"><a class="anchor" href="#_sekur"></a><a class="link" href="#_sekur">Sekur</a></h3>
|
||||
<div class="paragraph">
|
||||
<p>Sekur has been CARBON SPIDER’s primary tool for several years, although usage over the last year appears to have declined. It contains all the functionality you would expect from a RAT, allowing the adversary to execute commands, manage the file system, manage processes, and collect data. In addition, it can record videos of victim sessions, log keystrokes, enable remote desktop, or install Ammyy Admin or VNC modules. From July 2014 on, samples were compiled with the capability to target Epicor POS systems and to collect credit card data.</p>
|
||||
</div>
|
||||
<table class="tableblock frame-all grid-all stretch">
|
||||
<caption class="title">Table 3034. Table References</caption>
|
||||
<colgroup>
|
||||
<col style="width: 100%;">
|
||||
</colgroup>
|
||||
<tbody>
|
||||
<tr>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">Links</p></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="https://www.crowdstrike.com/blog/arrests-put-new-focus-on-carbon-spider-adversary-group/">https://www.crowdstrike.com/blog/arrests-put-new-focus-on-carbon-spider-adversary-group/</a></p></td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</div>
|
||||
<div class="sect2">
|
||||
<h3 id="_agent_orm"><a class="anchor" href="#_agent_orm"></a><a class="link" href="#_agent_orm">Agent ORM</a></h3>
|
||||
<div class="paragraph">
|
||||
<p>Agent ORM began circulating alongside Skeur in campaigns throughout the second half of 2015. The malware collects basic system information and is able to take screenshots of victim systems. It is used to download next-stage payloads when systems of interest are identified. It is strongly suspected that Agent ORM has been deprecated in favor of script-based first-stage implants (VB Flash, JS Flash, and Bateleur).</p>
|
||||
</div>
|
||||
<div class="paragraph">
|
||||
<p>Agent ORM is also known as:</p>
|
||||
</div>
|
||||
<div class="ulist">
|
||||
<ul>
|
||||
<li>
|
||||
<p>Tosliph</p>
|
||||
</li>
|
||||
<li>
|
||||
<p>DRIFTPIN</p>
|
||||
</li>
|
||||
</ul>
|
||||
</div>
|
||||
<table class="tableblock frame-all grid-all stretch">
|
||||
<caption class="title">Table 3035. Table References</caption>
|
||||
<colgroup>
|
||||
<col style="width: 100%;">
|
||||
</colgroup>
|
||||
<tbody>
|
||||
<tr>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">Links</p></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="https://www.crowdstrike.com/blog/arrests-put-new-focus-on-carbon-spider-adversary-group/">https://www.crowdstrike.com/blog/arrests-put-new-focus-on-carbon-spider-adversary-group/</a></p></td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</div>
|
||||
<div class="sect2">
|
||||
<h3 id="_vb_flash"><a class="anchor" href="#_vb_flash"></a><a class="link" href="#_vb_flash">VB Flash</a></h3>
|
||||
<div class="paragraph">
|
||||
<p>VB Flash was first observed being deployed alongside Agent ORM in September 2015. It is likely that this was developed as a replacement to Agent ORM and contained similar capabilities. The first observed instance of VB Flash included comments and was easy to analyze—later versions soon began to integrate multiple layers of obfuscation. Several versions of VB Flash were developed including ones that utilized Google Forms, Google Macros, and Google Spreadsheets together to make a command-and-control (C2) channel. This variant would POST victim data to a specified Google form, then make a request to a Google macro script, receiving an address for a Google Spreadsheet from which to request commands.</p>
|
||||
</div>
|
||||
<div class="paragraph">
|
||||
<p>VB Flash is also known as:</p>
|
||||
</div>
|
||||
<div class="ulist">
|
||||
<ul>
|
||||
<li>
|
||||
<p>HALFBAKED</p>
|
||||
</li>
|
||||
</ul>
|
||||
</div>
|
||||
<table class="tableblock frame-all grid-all stretch">
|
||||
<caption class="title">Table 3036. Table References</caption>
|
||||
<colgroup>
|
||||
<col style="width: 100%;">
|
||||
</colgroup>
|
||||
<tbody>
|
||||
<tr>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">Links</p></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="https://www.crowdstrike.com/blog/arrests-put-new-focus-on-carbon-spider-adversary-group/">https://www.crowdstrike.com/blog/arrests-put-new-focus-on-carbon-spider-adversary-group/</a></p></td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</div>
|
||||
<div class="sect2">
|
||||
<h3 id="_js_flash"><a class="anchor" href="#_js_flash"></a><a class="link" href="#_js_flash">JS Flash</a></h3>
|
||||
<div class="paragraph">
|
||||
<p>JS Flash capabilities closely resemble those of VB Flash and leverage interesting techniques in deployment via batch scripts embedded as OLE objects in malicious documents. Many iterations of JS Flash were observed being tested before deployment, containing minor changes to obfuscation and more complex additions, such as the ability to download TinyMet (a cutdown of the Metasploit Meterpreter payload). PowerShell was also used heavily for the execution of commands and arbitrary script execution. No JS Flash samples were observed being deployed after November 2017.</p>
|
||||
</div>
|
||||
<div class="paragraph">
|
||||
<p>JS Flash is also known as:</p>
|
||||
</div>
|
||||
<div class="ulist">
|
||||
<ul>
|
||||
<li>
|
||||
<p>JavaScript variant of HALFBAKED</p>
|
||||
</li>
|
||||
</ul>
|
||||
</div>
|
||||
<table class="tableblock frame-all grid-all stretch">
|
||||
<caption class="title">Table 3037. Table References</caption>
|
||||
<colgroup>
|
||||
<col style="width: 100%;">
|
||||
</colgroup>
|
||||
<tbody>
|
||||
<tr>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">Links</p></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="https://www.crowdstrike.com/blog/arrests-put-new-focus-on-carbon-spider-adversary-group/">https://www.crowdstrike.com/blog/arrests-put-new-focus-on-carbon-spider-adversary-group/</a></p></td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</div>
|
||||
<div class="sect2">
|
||||
<h3 id="_bateleur"><a class="anchor" href="#_bateleur"></a><a class="link" href="#_bateleur">Bateleur</a></h3>
|
||||
<div class="paragraph">
|
||||
<p>Bateleur deployments began not long after JS Flash and were also written in JavaScript. Deployments were more infrequent and testing was not observed. It is likely that Bateleur was run in parallel as an alternative tool and eventually replaced JS Flash as CARBON SPIDER’s first stage tool of choice. Although much simpler in design than JS Flash, all executing out of a single script with more basic obfuscation, Bateleur has a wealth of capabilities—including the ability to download arbitrary scripts and executables, deploy TinyMet, execute commands via PowerShell, deploy a credential stealer, and collect victim system information such as screenshots.</p>
|
||||
</div>
|
||||
<div class="paragraph">
|
||||
<p>Bateleur is also known as:</p>
|
||||
</div>
|
||||
<div class="paragraph">
|
||||
<p>*</p>
|
||||
</div>
|
||||
<table class="tableblock frame-all grid-all stretch">
|
||||
<caption class="title">Table 3038. Table References</caption>
|
||||
<colgroup>
|
||||
<col style="width: 100%;">
|
||||
</colgroup>
|
||||
<tbody>
|
||||
<tr>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">Links</p></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="https://www.crowdstrike.com/blog/arrests-put-new-focus-on-carbon-spider-adversary-group/">https://www.crowdstrike.com/blog/arrests-put-new-focus-on-carbon-spider-adversary-group/</a></p></td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
<div id="footer">
|
||||
<div id="footer-text">
|
||||
Last updated 2018-07-31 15:38:35 CEST
|
||||
Last updated 2018-08-02 10:40:08 CEST
|
||||
</div>
|
||||
</div>
|
||||
</body>
|
||||
|
|
|
|||
44655
galaxy.pdf
44655
galaxy.pdf
File diff suppressed because one or more lines are too long
Loading…
Reference in New Issue