This commit is contained in:
commit
019292a1c1
5 changed files with 3867 additions and 2664 deletions
|
@ -4,7 +4,7 @@
|
||||||
],
|
],
|
||||||
"category": "tool",
|
"category": "tool",
|
||||||
"description": "Name of ATT&CK software",
|
"description": "Name of ATT&CK software",
|
||||||
"name": "Tool",
|
"name": "mitre-tool",
|
||||||
"source": "https://github.com/mitre/cti",
|
"source": "https://github.com/mitre/cti",
|
||||||
"type": "mitre-tool",
|
"type": "mitre-tool",
|
||||||
"uuid": "d700dc5c-78f6-11e7-a476-5f748c8e4fe0",
|
"uuid": "d700dc5c-78f6-11e7-a476-5f748c8e4fe0",
|
||||||
|
@ -7239,5 +7239,5 @@
|
||||||
"value": "Mythic - S0699"
|
"value": "Mythic - S0699"
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
"version": 29
|
"version": 30
|
||||||
}
|
}
|
||||||
|
|
|
@ -554,17 +554,6 @@
|
||||||
"uuid": "9c29b716-82ea-11ee-a0d8-325096b39f47",
|
"uuid": "9c29b716-82ea-11ee-a0d8-325096b39f47",
|
||||||
"value": "GR Sistemi"
|
"value": "GR Sistemi"
|
||||||
},
|
},
|
||||||
{
|
|
||||||
"description": "GR Sistemi, Italian firm that's been trying to enter the crowded market of government spyware, also known by insiders as lawful interception.",
|
|
||||||
"meta": {
|
|
||||||
"refs": [
|
|
||||||
"https://www.atlanticcouncil.org/wp-content/uploads/2021/11/Surveillance-Technology-at-the-Fair.pdf",
|
|
||||||
"https://www.vice.com/en/article/kbyg7a/government-spyware-maker-doxes-itself-by-linking-to-its-site-in-malware-code"
|
|
||||||
]
|
|
||||||
},
|
|
||||||
"uuid": "978317e8-82ea-11ee-a96b-325096b39f47",
|
|
||||||
"value": "GR Sistemi"
|
|
||||||
},
|
|
||||||
{
|
{
|
||||||
"description": "SS8, US based company is selling to a range of US government agencies as well as exporting surveillance equipment abroad. SS8 were also reportedly responsible for selling intrusion systems to the United Arab Emirates.",
|
"description": "SS8, US based company is selling to a range of US government agencies as well as exporting surveillance equipment abroad. SS8 were also reportedly responsible for selling intrusion systems to the United Arab Emirates.",
|
||||||
"meta": {
|
"meta": {
|
||||||
|
@ -612,5 +601,5 @@
|
||||||
"value": "Raxir"
|
"value": "Raxir"
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
"version": 3
|
"version": 4
|
||||||
}
|
}
|
||||||
|
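Review bot: Removing the duplicate "GR Sistemi" element drops the cluster UUID `978317e8-82ea-11ee-a96b-325096b39f47` from the galaxy entirely, while the surviving element keeps `9c29b716-82ea-11ee-a0d8-325096b39f47`; any MISP instance that already attached the removed UUID as a tag will no longer resolve it to a cluster. If this repository follows the usual MISP practice for merged duplicates, it would be safer to keep the old UUID reachable (for example as a retired/merged entry pointing at the surviving one) rather than deleting it outright, or at least to call the merge out in the commit message. This is inferred from the two UUIDs visible in the hunk; I cannot see whether a redirect convention exists elsewhere in the repository.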
|
|
@ -13125,6 +13125,394 @@
|
||||||
},
|
},
|
||||||
"uuid": "c8782e46-447c-4c6e-90c0-82f3bf49d64b",
|
"uuid": "c8782e46-447c-4c6e-90c0-82f3bf49d64b",
|
||||||
"value": "Prolific Puma"
|
"value": "Prolific Puma"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"description": "Bohrium is an Iranian threat actor that has been involved in spear-phishing operations targeting organizations in the US, Middle East, and India. They often create fake social media profiles, particularly posing as recruiters, to trick victims into running malware on their computers. Microsoft's Digital Crimes Unit has taken legal action and seized 41 domains used by Bohrium to disrupt their activities. The group has shown a particular interest in sectors such as technology, transportation, government, and education.",
|
||||||
|
"meta": {
|
||||||
|
"country": "IR",
|
||||||
|
"refs": [
|
||||||
|
"https://twitter.com/CyberAmyHB/status/1532398956918890500"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"uuid": "111efc97-6a93-487b-8cb3-1e890ac51066",
|
||||||
|
"value": "Bohrium"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"description": "KAX17 is a sophisticated threat actor that has been active since at least 2017. They have operated hundreds of malicious servers within the Tor network, primarily as entry and middle points. Their main objective appears to be collecting information on Tor users and mapping their routes within the network. Despite efforts to remove their servers, KAX17 has shown resilience and continues to operate.",
|
||||||
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"https://www.malwarebytes.com/blog/news/2021/12/was-threat-actor-kax17-de-anonymizing-the-tor-network/amp",
|
||||||
|
"https://therecord.media/a-mysterious-threat-actor-is-running-hundreds-of-malicious-tor-relays",
|
||||||
|
"https://darknetlive.com/post/who-is-responsible-for-running-hundreds-of-malicious-tor-relays/",
|
||||||
|
"https://nusenu.medium.com/is-kax17-performing-de-anonymization-attacks-against-tor-users-42e566defce8"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"uuid": "615311f0-58d4-4d1d-ac86-6ba86d119317",
|
||||||
|
"value": "KAX17"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"description": "MirrorFace is a Chinese-speaking advanced persistent threat group that has been targeting high-value organizations in Japan, including media, government, diplomatic, and political entities. They have been conducting spear-phishing campaigns, utilizing malware such as LODEINFO and MirrorStealer to steal credentials and exfiltrate sensitive data. While there is speculation about their connection to APT10, ESET currently track them as a separate entity.",
|
||||||
|
"meta": {
|
||||||
|
"country": "CN",
|
||||||
|
"refs": [
|
||||||
|
"https://www.welivesecurity.com/2022/12/14/unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities/",
|
||||||
|
"https://web-assets.esetstatic.com/wls/2023/01/eset_apt_activity_report_t32022.pdf",
|
||||||
|
"https://blog.sekoia.io/my-teas-not-cold-an-overview-of-china-cyber-threat/"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"uuid": "e992d874-604b-4a09-9c6c-0319d5be652a",
|
||||||
|
"value": "MirrorFace"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"description": "VulzSec, also known as VulzSecTeam, is a hacktivist group that has been involved in various cyber-attacks. They have targeted government websites in retaliation for issues such as police brutality and the treatment of Indian Muslims. The group has been involved in campaigns like OpIndia2.0, where they planned to launch DDoS attacks on Indian government websites.",
|
||||||
|
"meta": {
|
||||||
|
"country": "ID",
|
||||||
|
"refs": [
|
||||||
|
"https://blog.cyble.com/2023/04/28/indian-ideology-targeted-by-hacktivists-reprisal-hacktivism-draws-more-attacks/",
|
||||||
|
"https://www.enigmasoftware.com/indonesian-sudanese-cyber-threats-continue-grow-size-scope/"
|
||||||
|
],
|
||||||
|
"synonyms": [
|
||||||
|
"VulzSec"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"uuid": "fcb18ca2-ea45-4f5c-a827-ed8b6b697a08",
|
||||||
|
"value": "VulzSecTeam"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"description": "Chernovite is a highly capable and sophisticated threat actor group that has developed a modular ICS malware framework called PIPEDREAM. They are known for targeting industrial control systems and operational technology environments, with the ability to disrupt, degrade, and potentially destroy physical processes. Chernovite has demonstrated a deep understanding of ICS protocols and intrusion techniques, making them a significant threat to critical infrastructure sectors.",
|
||||||
|
"meta": {
|
||||||
|
"country": "RU",
|
||||||
|
"refs": [
|
||||||
|
"https://www.dragos.com/blog/pipedream-mousehole-opcua-module/",
|
||||||
|
"https://www.dragos.com/blog/industry-news/chernovite-pipedream-malware-targeting-industrial-control-systems/",
|
||||||
|
"https://www.dragos.com/threats/the-2022-ics-ot-vulnerability-briefing-recap/",
|
||||||
|
"https://www.dragos.com/blog/responding-to-chernovites-pipedream-with-dragos-global-services/"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"uuid": "2ce00149-9a25-4dea-8dd5-59bdb68d11a1",
|
||||||
|
"value": "Chernovite"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"description": "MurenShark is an advanced persistent threat group that operates primarily in the Middle East, with a focus on targeting Turkey. They have shown interest in military projects, as well as research institutes and universities. This group is highly skilled in counter-analysis and reverse traceability, using sophisticated tactics to avoid detection. They utilize compromised websites as file servers and command and control servers, and have been known to use attack tools like NiceRender for phishing purposes.",
|
||||||
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"https://www.rewterz.com/rewterz-news/rewterz-threat-alert-murenshark-apt-threat-actors-aka-actor210426-active-iocs"
|
||||||
|
],
|
||||||
|
"synonyms": [
|
||||||
|
"Actor210426"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"uuid": "e5c78742-bf60-4da8-b038-d548ae3f4ecb",
|
||||||
|
"value": "MurenShark"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"description": "DriftingCloud is a persistent threat actor known for targeting various industries and locations. They are skilled at developing or acquiring zero-day exploits to gain unauthorized access to target networks. Compromising gateway devices is a common tactic used by DriftingCloud, making network monitoring solutions crucial for detecting their attacks.",
|
||||||
|
"meta": {
|
||||||
|
"country": "CN",
|
||||||
|
"refs": [
|
||||||
|
"https://socradar.io/driftingcloud-apt-group-exploits-zero-day-in-sophos-firewall/",
|
||||||
|
"https://www.volexity.com/blog/2022/06/15/driftingcloud-zero-day-sophos-firewall-exploitation-and-an-insidious-breach/",
|
||||||
|
"https://www.trendmicro.com/en_us/research/23/g/supply-chain-attack-targeting-pakistani-government-delivers-shad.html"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"uuid": "6f6b187b-971b-4df9-a7ef-9b3fd7e092f7",
|
||||||
|
"value": "DriftingCloud"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"description": "UNC4191 is a China-linked threat actor that has been involved in cyber espionage campaigns targeting public and private sectors primarily in Southeast Asia. They have been known to use USB devices as an initial infection vector and have been observed deploying various malware families on infected systems. UNC4191's operations have also extended to the US, Europe, and the Asia Pacific Japan region, with a particular focus on the Philippines.",
|
||||||
|
"meta": {
|
||||||
|
"country": "CN",
|
||||||
|
"refs": [
|
||||||
|
"https://www.mandiant.com/resources/blog/china-nexus-espionage-southeast-asia",
|
||||||
|
"https://therecord.media/espionage-group-using-usb-devices-to-hack-targets-in-southeast-asia/"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"uuid": "df697450-57e0-496b-982c-a167ed41f023",
|
||||||
|
"value": "UNC4191"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"description": "DragonSpark is a threat actor that has been conducting attacks primarily targeting organizations in East Asia. They utilize the open-source tool SparkRAT, which is a multi-platform and frequently updated remote access Trojan. The threat actor is believed to be Chinese-speaking based on their use of Chinese language support and compromised infrastructure located in China and Taiwan. They employ various techniques to evade detection, including Golang source code interpretation and the use of the China Chopper webshell.",
|
||||||
|
"meta": {
|
||||||
|
"country": "CN",
|
||||||
|
"refs": [
|
||||||
|
"https://www.sentinelone.com/labs/dragonspark-attacks-evade-detection-with-sparkrat-and-golang-source-code-interpretation/"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"uuid": "a219a78b-7b91-41b1-bf14-91e31e0bb9da",
|
||||||
|
"value": "DragonSpark"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"description": "The CYFIRMA research team has identified a new up-and-coming European threat actor group known as FusionCore. Running Malware-as-a-service, along with the hacker-for- hire operation, they have a wide variety of tools and services that are being offered on their website, making it a one-stop-shop for threat actors looking to purchase cost- effective yet customizable malware. The operators have started a ransomware affiliate program that equips the attackers with the ransomware and affiliate software to manage victims. FusionCore typically provides sellers with a detailed set of instructions for any service or product being sold, enabling individuals with minimal experience to carry out complex attacks.",
|
||||||
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"https://www.cyfirma.com/?post_type=out-of-band&p=17003"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"uuid": "ab376039-4ede-4dfc-a45b-c80d9d994657",
|
||||||
|
"value": "FusionCore"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"description": "Earth Kitsune is an advanced persistent threat actor that has been active since at least 2019. They primarily target individuals interested in North Korea and use various tactics, such as compromising websites and employing social engineering, to distribute self-developed backdoors. Earth Kitsune demonstrates technical proficiency and continuously evolves their tools, tactics, and procedures. They have been associated with malware such as WhiskerSpy and SLUB.",
|
||||||
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"https://www.trendmicro.com/en_us/research/23/b/earth-kitsune-delivers-new-whiskerspy-backdoor.html",
|
||||||
|
"https://www.trendmicro.com/en_us/research/20/l/who-is-the-threat-actor-behind-operation-earth-kitsune-.html",
|
||||||
|
"https://www.trendmicro.com/en_us/research/20/j/operation-earth-kitsune-a-dance-of-two-new-backdoors.html",
|
||||||
|
"https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-earth-kitsune-tracking-slub-s-current-operations/"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"uuid": "a9f29636-26e4-42f0-95d1-7a49dd6f0a79",
|
||||||
|
"value": "Earth Kitsune"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"description": "AppMilad is an Iranian hacking group that has been identified as the source of a spyware campaign called RatMilad. This spyware is designed to silently infiltrate victims' devices and gather personal and corporate information, including private communications and photos. The group has been distributing the spyware through fake apps and targeting primarily Middle Eastern enterprises.",
|
||||||
|
"meta": {
|
||||||
|
"country": "IR",
|
||||||
|
"refs": [
|
||||||
|
"https://zimpstage.wpengine.com/blog/we-smell-a-ratmilad-mobile-spyware/"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"uuid": "e284c356-4b77-4f86-a8f2-7793cbe8662b",
|
||||||
|
"value": "AppMilad"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"description": "UNC4841 is a well-resourced threat actor that has utilized a wide range of malware and purpose-built tooling to enable their global espionage operations. They have been observed selectively deploying specific malware families at high priority targets, with SKIPJACK being the most widely deployed. UNC4841 primarily targeted government and technology organizations, but they have also been observed targeting other verticals.",
|
||||||
|
"meta": {
|
||||||
|
"country": "CN",
|
||||||
|
"refs": [
|
||||||
|
"https://blog.polyswarm.io/unc4841-targeting-government-entities-with-barracuda-esg-0day-cve-2023-2868",
|
||||||
|
"https://www.mandiant.com/resources/blog/unc4841-post-barracuda-zero-day-remediation",
|
||||||
|
"https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"uuid": "8959fbb4-95f0-485d-bba2-db9140b95386",
|
||||||
|
"value": "UNC4841"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"description": "CL-STA-0043 is a highly skilled and sophisticated threat actor, believed to be a nation-state, targeting governmental entities in the Middle East and Africa. They exploit vulnerabilities in on-premises Internet Information Services and Microsoft Exchange servers to infiltrate target networks. They engage in reconnaissance, locate vital assets, and have been observed using native Windows tools for privilege escalation.",
|
||||||
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"https://www.securonix.com/blog/securonix-threat-labs-monthly-intelligence-insights-june-2023/",
|
||||||
|
"https://www.paloaltonetworks.com/blog/security-operations/through-the-cortex-xdr-lens-uncovering-a-new-activity-group-targeting-governments-in-the-middle-east-and-africa/"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"uuid": "5d0aee14-f18a-44da-a44d-28d950f06b9c",
|
||||||
|
"value": "CL-STA-0043"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"description": "DEV-0928 is a threat actor that has been tracked by Microsoft since September 2022. They are known for their involvement in high-volume phishing campaigns, using tools offered by DEV-1101. DEV-0928 sends phishing emails to targets and has been observed launching campaigns involving millions of emails. They also utilize evasion techniques, such as redirection to benign pages, to avoid detection.",
|
||||||
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"http://www.microsoft.com/en-us/security/blog/2023/03/13/dev-1101-enables-high-volume-aitm-campaigns-with-open-source-phishing-kit/"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"uuid": "8345dd24-7884-48e3-b231-4791d31afe3d",
|
||||||
|
"value": "DEV-0928"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"description": "TEMP_Heretic is a threat actor that has been observed engaging in targeted spear-phishing campaigns. They exploit vulnerabilities in email platforms, such as Zimbra, to exfiltrate emails from government, military, and media organizations. They use multiple outlook.com email addresses and manually craft content for each email before sending it.",
|
||||||
|
"meta": {
|
||||||
|
"country": "CN",
|
||||||
|
"refs": [
|
||||||
|
"https://www.welivesecurity.com/en/eset-research/mass-spreading-campaign-targeting-zimbra-users/",
|
||||||
|
"https://www.volexity.com/blog/2022/02/03/operation-emailthief-active-exploitation-of-zero-day-xss-vulnerability-in-zimbra/"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"uuid": "8dfac62e-395e-4e47-b6b6-8ab817ac25c1",
|
||||||
|
"value": "TEMP_Heretic"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"description": "WeedSec is a threat actor group that recently targeted the online learning and course management platform Moodle. They posted sample databases of Moodle on their Telegram channel, which is widely used by educational institutions and workplaces.",
|
||||||
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"https://socradar.io/cyber-awakeness-month-takedown-of-trigona-hive-ransomware-resurges-ransomedforum-and-new-raas-qbit/"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"uuid": "000a2535-8fbf-459d-a067-d10528496a92",
|
||||||
|
"value": "WeedSec"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"description": "TA444 is a North Korea state-sponsored threat actor that primarily focuses on financially motivated operations. They have been active since at least 2017 and have recently shifted their attention to targeting cryptocurrencies. TA444 employs various infection methods and has a diverse range of malware and backdoors at their disposal. They have been attributed to stealing hundreds of millions of dollars' worth of cryptocurrency and related assets.",
|
||||||
|
"meta": {
|
||||||
|
"country": "KP",
|
||||||
|
"refs": [
|
||||||
|
"https://www.proofpoint.com/us/blog/threat-insight/ta444-apt-startup-aimed-at-your-funds",
|
||||||
|
"https://cyberscoop.com/north-korean-cryptocurrency-hackers-education-government/",
|
||||||
|
"https://www.darkreading.com/remote-workforce/north-korea-apt-swindled-1b-crypto-investors-2022"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"uuid": "5a38db83-16b3-477f-a045-66a922868eea",
|
||||||
|
"value": "TA444"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"description": "UAC-0006 is a financially motivated threat actor that has been active since at least 2013. They primarily target Ukrainian organizations, particularly accountants, with phishing emails containing the SmokeLoader malware. Their goal is to steal credentials and execute unauthorized fund transfers, posing a significant risk to financial systems.",
|
||||||
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"https://socprime.com/blog/smokeloader-detection-uac-0006-group-launches-a-new-phishing-campaign-against-ukraine/",
|
||||||
|
"https://socprime.com/blog/smokeloader-malware-detection-uac-0006-hackers-launch-a-wave-of-phishing-attacks-against-ukraine-targeting-accountants/",
|
||||||
|
"https://socprime.com/blog/detecting-smokeloader-campaign-uac-0006-keep-targeting-ukrainian-financial-institutions-in-a-series-of-phishing-attacks/",
|
||||||
|
"https://socprime.com/blog/latest-threats/detect-smokeloader-malware-uac-0006-strikes-again-to-target-ukraine-in-a-series-of-phishing-attacks/",
|
||||||
|
"https://socprime.com/blog/smokeloader-malware-detection-uac-0006-group-reemerges-to-launch-phishing-attacks-against-ukraine-using-financial-subject-lures/",
|
||||||
|
"https://cert.gov.ua/article/4555802",
|
||||||
|
"https://cert.gov.ua/article/6123309"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"uuid": "013f56ea-a441-483f-812c-c384c790e474",
|
||||||
|
"value": "UAC-0006"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"description": "NewsPenguin is threat actor that has been targeting organizations in Pakistan. They use a complex payload delivery mechanism and exploit the upcoming Pakistan International Maritime Expo & Conference as a lure to trick their victims. The group has been linked to a phishing campaign that leverages spear-phishing emails and weaponized documents to deliver an advanced espionage tool.",
|
||||||
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"https://www.rewterz.com/rewterz-news/rewterz-threat-alert-newspenguin-threat-actors-targeting-pakistani-entities-with-malicious-campaign-active-iocs",
|
||||||
|
"https://blogs.blackberry.com/en/2023/02/newspenguin-a-previously-unknown-threat-actor-targets-pakistan-with-advanced-espionage-tool"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"uuid": "4c4a8cb7-b4c4-4637-8e41-dfe19a6b40c7",
|
||||||
|
"value": "NewsPenguin"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"description": "DefrayX is a threat actor group known for their RansomExx ransomware operations. They primarily target Linux operating systems, but also release versions for Windows. The group has been active since 2018 and has targeted various sectors, including healthcare and manufacturing. They have also developed other malware strains such as PyXie RAT, Vatet loader, and Defray ransomware.",
|
||||||
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"https://securityaffairs.co/wordpress/138933/malware/ransomexx-ransomware-rust-language.html",
|
||||||
|
"https://research.checkpoint.com/2022/28th-november-threat-intelligence-report/",
|
||||||
|
"https://securityintelligence.com/posts/ransomexx-upgrades-rust/"
|
||||||
|
],
|
||||||
|
"synonyms": [
|
||||||
|
"Hive0091"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"uuid": "9c102b55-29ea-4d90-9b36-33ba42f65d79",
|
||||||
|
"value": "DefrayX"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"description": "PerSwaysion is a threat actor known for conducting phishing campaigns targeting high-level executives. They have been active since at least August 2019 and are believed to be based in Vietnam. PerSwaysion has recently updated their techniques, using more direct phishing methods and leveraging Microsoft 365 to steal credentials.",
|
||||||
|
"meta": {
|
||||||
|
"country": "VN",
|
||||||
|
"refs": [
|
||||||
|
"https://blog.group-ib.com/perswaysion",
|
||||||
|
"https://blog.scarletshark.com/perswaysion-threat-actor-updates-their-techniques-and-infrastructure-e9465157a653"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"uuid": "a413c605-0e0a-41ca-bae2-5623908fda3a",
|
||||||
|
"value": "PerSwaysion"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"description": "Space Pirates is a cybercrime group that has been active since at least 2017. They primarily target Russian companies and have been observed using various malware, including Deed RAT and ShadowPad. The group uses a combination of publicly available tools and their own protocols to communicate with their command-and-control servers.",
|
||||||
|
"meta": {
|
||||||
|
"country": "CN",
|
||||||
|
"refs": [
|
||||||
|
"http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/webworm-espionage-rats",
|
||||||
|
"https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-a-look-into-the-group-s-unconventional-techniques-new-attack-vectors-and-tools/",
|
||||||
|
"https://blog.polyswarm.io/space-pirates-target-russian-aerospace"
|
||||||
|
],
|
||||||
|
"synonyms": [
|
||||||
|
"Space Pirates"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"uuid": "ee306b4d-1b2b-4872-a8f1-d07e7fbab2f0",
|
||||||
|
"value": "Webworm"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"description": "In March 2022, a hacking group calling themselves N4ughtySecTU claimed to have breached TransUnion’s systems and threatened to leak four terabytes of data if the credit bureau didn’t pay a $15-million (R242-million) ransom.",
|
||||||
|
"meta": {
|
||||||
|
"country": "BR",
|
||||||
|
"refs": [
|
||||||
|
"https://mybroadband.co.za/news/security/438982-how-bank-customers-can-protect-themselves-after-hackers-leak-transunion-data.html",
|
||||||
|
"https://cisoseries.com/cyber-security-headlines-march-21-2022/",
|
||||||
|
"https://mybroadband.co.za/news/security/443090-cybercriminals-love-south-africa-study.html"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"uuid": "43236d8e-27ee-40f1-ad15-a2ad23738a76",
|
||||||
|
"value": "N4ughtysecTU"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"description": "Moshen Dragon is a Chinese-aligned cyberespionage threat actor operating in Central Asia. They have been observed deploying multiple malware triads and utilizing DLL search order hijacking to sideload ShadowPad and PlugX variants. The threat actor also employs various tools, including an LSA notification package and a passive backdoor known as GUNTERS. Their activities involve targeting the telecommunication sector and leveraging Impacket for lateral movement and data exfiltration.",
|
||||||
|
"meta": {
|
||||||
|
"country": "CN",
|
||||||
|
"refs": [
|
||||||
|
"https://www.sentinelone.com/labs/moshen-dragons-triad-and-error-approach-abusing-security-software-to-sideload-plugx-and-shadowpad/"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"uuid": "41243ff2-e4f1-4605-9259-ab494c1c8c04",
|
||||||
|
"value": "Moshen Dragon"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"description": "One of their notable tools is a custom backdoor called SockDetour, which operates filelessly and socketlessly on compromised Windows servers. The group's activities have been linked to the exploitation of vulnerabilities in Zoho ManageEngine ADSelfService Plus and ServiceDesk Plus.",
|
||||||
|
"meta": {
|
||||||
|
"country": "CN",
|
||||||
|
"refs": [
|
||||||
|
"https://unit42.paloaltonetworks.com/sockdetour/",
|
||||||
|
"https://blog.fox-it.com/2021/11/08/ta505-exploits-solarwinds-serv-u-vulnerability-cve-2021-35211-for-initial-access/",
|
||||||
|
"https://www.microsoft.com/en-us/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/"
|
||||||
|
],
|
||||||
|
"synonyms": [
|
||||||
|
"DEV-0322"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"uuid": "aca6b3d2-1c3b-4674-9de8-975e35723bcf",
|
||||||
|
"value": "TiltedTemple"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"description": "OldGremlin is a Russian-speaking ransomware group that has been active for several years. They primarily target organizations in Russia, including banks, logistics, industrial, insurance, retail, and IT companies. OldGremlin is known for using phishing emails as an initial infection vector and has developed custom malware for both Windows and Linux systems. They have conducted multiple malicious email campaigns and demand large ransoms from their victims, with some reaching millions of dollars.",
|
||||||
|
"meta": {
|
||||||
|
"country": "RU",
|
||||||
|
"refs": [
|
||||||
|
"https://www.rewterz.com/rewterz-news/rewterz-threat-alert-new-ransomware-actor-oldgremlin-hits-multiple-organizations",
|
||||||
|
"https://www.group-ib.com/blog/oldgremlin-comeback/",
|
||||||
|
"https://www.group-ib.com/media-center/press-releases/oldgremlin/"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"uuid": "ad8b73df-c526-4a32-b52f-c7c3c4c058d2",
|
||||||
|
"value": "OldGremlin"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"description": "Storm Cloud is a Chinese espionage threat actor known for targeting organizations across Asia, particularly Tibetan organizations and individuals. They use a variety of malware families, including GIMMICK and GOSLU, which are feature-rich and multi-platform. Storm Cloud leverages public cloud hosting services like Google Drive for command-and-control channels, making it difficult to detect their activities.",
|
||||||
|
"meta": {
|
||||||
|
"country": "CN",
|
||||||
|
"refs": [
|
||||||
|
"https://www.volexity.com/blog/2020/03/31/storm-cloud-unleashed-tibetan-community-focus-of-highly-targeted-fake-flash-campaign/",
|
||||||
|
"https://www.rewterz.com/rewterz-news/rewterz-threat-alert-gimmick-malware-active-iocs"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"uuid": "3baec27f-3827-4a38-82c8-7195a18193f9",
|
||||||
|
"value": "Storm Cloud"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"description": "CostaRicto is a cyber-espionage threat actor that operates as a mercenary group, offering its services to various clients globally. They use bespoke malware tools and sophisticated techniques like VPN proxy and SSH tunnelling. While their targets are scattered across different regions, there is a concentration in South Asia.",
|
||||||
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"https://blogs.blackberry.com/en/2020/11/the-costaricto-campaign-cyber-espionage-outsourced",
|
||||||
|
"https://www.cybersecurityintelligence.com/blog/outsourced-cyber-spying-5335.html"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"uuid": "5587f082-349b-46ab-9e6f-303d9bfd1e1b",
|
||||||
|
"value": "CostaRicto"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"description": "TA402 is an APT group that has been tracked by Proofpoint since 2020. They primarily target government entities in the Middle East and North Africa, with a focus on intelligence collection. TA402 is known for using sophisticated phishing campaigns and constantly updating their malware implants and delivery methods to evade detection. They have been observed using cloud services like Dropbox and Google Drive for hosting malicious payloads and command-and-control infrastructure.",
|
||||||
|
"meta": {
|
||||||
|
"country": "PS",
|
||||||
|
"refs": [
|
||||||
|
"https://www.proofpoint.com/us/blog/threat-insight/ta402-uses-complex-ironwind-infection-chains-target-middle-east-based-government",
|
||||||
|
"https://www.proofpoint.com/us/blog/threat-insight/ugg-boots-4-sale-tale-palestinian-aligned-espionage"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"uuid": "aad291eb-08d1-4af4-9dd1-e90fe1f2d6c6",
|
||||||
|
"value": "TA402"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"description": "SilverFish is believed to be a Russian cyberespionage group that has been involved in various cyberattacks, including the use of the SolarWinds breach as an attack vector. SilverFish has been linked to the Wasted Locker ransomware and has displayed a high level of skill and organization in their cyber operations. There are also connections between SilverFish and the threat actor Evil Corp, suggesting a possible evolution or collaboration between the two groups.",
|
||||||
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"https://www.truesec.com/hub/blog/are-the-notorious-cyber-criminals-evil-corp-actually-russian-spies",
|
||||||
|
"https://www.prodaft.com/resource/detail/silverfish-global-cyber-espionage-campaign-case-report",
|
||||||
|
"https://www.mandiant.com/resources/blog/unc2165-shifts-to-evade-sanctions"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"uuid": "55bcc595-2442-4f98-9477-7fe9b507607c",
|
||||||
|
"value": "SilverFish"
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
"version": 294
|
"version": 294
|
||||||
|
|
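Review bot: The trailing `"version": 294` is printed unchanged on both sides of this hunk even though roughly thirty new threat-actor elements are added above it, so MISP instances that update galaxies by comparing the version number would not pick up these additions; the other cluster files in this commit do bump their version, and this one should too, e.g. `"version": 295`. Two smaller content points in the same hunk: the AppMilad reference is a staging host (`https://zimpstage.wpengine.com/blog/we-smell-a-ratmilad-mobile-spyware/`) rather than the vendor's published blog URL, which is likely to go dead, and the TiltedTemple element's description opens with "One of their notable tools…" without ever naming the actor, so it reads as if its first sentence was lost. The `value` "N4ughtysecTU" also differs in casing from the "N4ughtySecTU" used in its own description, which matters for name-based matching.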
|
@ -1,9 +1,9 @@
|
||||||
{
|
{
|
||||||
"description": "Name of ATT&CK software",
|
"description": "Name of ATT&CK software",
|
||||||
"icon": "gavel",
|
"icon": "gavel",
|
||||||
"name": "Tool",
|
"name": "mitre-tool",
|
||||||
"namespace": "mitre-attack",
|
"namespace": "mitre-attack",
|
||||||
"type": "mitre-tool",
|
"type": "mitre-tool",
|
||||||
"uuid": "d5cbd1a2-78f6-11e7-a833-7b9bccca9649",
|
"uuid": "d5cbd1a2-78f6-11e7-a833-7b9bccca9649",
|
||||||
"version": 6
|
"version": 7
|
||||||
}
|
}
|
||||||
|
|