Delta-Sierra 2023-02-23 14:16:00 +01:00
commit 0ca7675a5f
7 changed files with 777 additions and 400 deletions


@ -30,7 +30,7 @@ Category: *actor* - source: *https://apt.360.net/aptlist* - total: *42* elements
[Android](https://www.misp-project.org/galaxy.html#_android) - Android malware galaxy based on multiple open sources.
Category: *tool* - source: *Open Sources* - total: *431* elements
Category: *tool* - source: *Open Sources* - total: *433* elements
[[HTML](https://www.misp-project.org/galaxy.html#_android)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/android.json)]
@ -54,7 +54,7 @@ Category: *guidelines* - source: *Open Sources* - total: *31* elements
[Backdoor](https://www.misp-project.org/galaxy.html#_backdoor) - A list of backdoor malware.
Category: *tool* - source: *Open Sources* - total: *12* elements
Category: *tool* - source: *Open Sources* - total: *13* elements
[[HTML](https://www.misp-project.org/galaxy.html#_backdoor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/backdoor.json)]
@ -62,7 +62,7 @@ Category: *tool* - source: *Open Sources* - total: *12* elements
[Banker](https://www.misp-project.org/galaxy.html#_banker) - A list of banker malware.
Category: *tool* - source: *Open Sources* - total: *52* elements
Category: *tool* - source: *Open Sources* - total: *53* elements
[[HTML](https://www.misp-project.org/galaxy.html#_banker)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/banker.json)]
@ -78,7 +78,7 @@ Category: *mobile* - source: *https://arxiv.org/pdf/2005.05110.pdf* - total: *47
[Botnet](https://www.misp-project.org/galaxy.html#_botnet) - botnet galaxy
Category: *tool* - source: *MISP Project* - total: *73* elements
Category: *tool* - source: *MISP Project* - total: *75* elements
[[HTML](https://www.misp-project.org/galaxy.html#_botnet)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/botnet.json)]
@ -126,7 +126,7 @@ Category: *country* - source: *MISP Project* - total: *252* elements
[Cryptominers](https://www.misp-project.org/galaxy.html#_cryptominers) - A list of cryptominer and cryptojacker malware.
Category: *Cryptominers* - source: *Open Source Intelligence* - total: *4* elements
Category: *Cryptominers* - source: *Open Source Intelligence* - total: *5* elements
[[HTML](https://www.misp-project.org/galaxy.html#_cryptominers)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/cryptominers.json)]
@ -146,11 +146,19 @@ Category: *tool* - source: *MISP Project* - total: *52* elements
[[HTML](https://www.misp-project.org/galaxy.html#_exploit-kit)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/exploit-kit.json)]
## FIRST DNS Abuse Techniques Matrix
[FIRST DNS Abuse Techniques Matrix](https://www.misp-project.org/galaxy.html#_first_dns_abuse_techniques_matrix) - The Domain Name System (DNS) is a critical part of the Internet, including mapping domain names to IP addresses. Malicious threat actors use domain names, their corresponding technical resources, and other parts of the DNS infrastructure, including its protocols, for their malicious cyber operations. CERTs are confronted with reported DNS abuse on a continuous basis, and rely heavily on DNS analysis and infrastructure to protect their constituencies. Understanding the international customary norms applicable for detecting and mitigating DNS abuse from the perspective of the global incident response community is critical for the open Internets stability, security and resiliency. See also https://www.first.org/global/sigs/dns/ for Tmore information.
Category: *first-dns* - source: *https://www.first.org/global/sigs/dns/* - total: *21* elements
[[HTML](https://www.misp-project.org/galaxy.html#_first_dns_abuse_techniques_matrix)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/first-dns.json)]
## Malpedia
[Malpedia](https://www.misp-project.org/galaxy.html#_malpedia) - Malware galaxy cluster based on Malpedia.
Category: *tool* - source: *Malpedia* - total: *2462* elements
Category: *tool* - source: *Malpedia* - total: *2574* elements
[[HTML](https://www.misp-project.org/galaxy.html#_malpedia)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/malpedia.json)]
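Review bot: the FIRST DNS Abuse Techniques Matrix description in this hunk carries two typos, "Internets stability" should read "Internet's stability" and "for Tmore information" should read "for more information"; since the README is generated from the cluster JSON (see the "Online documentation" section), fix the description in clusters/first-dns.json so the regenerated README picks the correction up.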
@ -174,7 +182,7 @@ Category: *misinformation-pattern* - source: *https://github.com/misinfosecproje
[Attack Pattern](https://www.misp-project.org/galaxy.html#_attack_pattern) - ATT&CK tactic
Category: *attack-pattern* - source: *https://github.com/mitre/cti* - total: *1003* elements
Category: *attack-pattern* - source: *https://github.com/mitre/cti* - total: *1086* elements
[[HTML](https://www.misp-project.org/galaxy.html#_attack_pattern)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-attack-pattern.json)]
@ -278,7 +286,7 @@ Category: *attack-pattern* - source: *https://collaborate.mitre.org/attackics/in
[Intrusion Set](https://www.misp-project.org/galaxy.html#_intrusion_set) - Name of ATT&CK Group
Category: *actor* - source: *https://github.com/mitre/cti* - total: *138* elements
Category: *actor* - source: *https://github.com/mitre/cti* - total: *148* elements
[[HTML](https://www.misp-project.org/galaxy.html#_intrusion_set)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-intrusion-set.json)]
@ -286,7 +294,7 @@ Category: *actor* - source: *https://github.com/mitre/cti* - total: *138* elemen
[Malware](https://www.misp-project.org/galaxy.html#_malware) - Name of ATT&CK software
Category: *tool* - source: *https://github.com/mitre/cti* - total: *598* elements
Category: *tool* - source: *https://github.com/mitre/cti* - total: *633* elements
[[HTML](https://www.misp-project.org/galaxy.html#_malware)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-malware.json)]
@ -350,7 +358,7 @@ Category: *actor* - source: *https://github.com/mitre/cti* - total: *7* elements
[Tool](https://www.misp-project.org/galaxy.html#_tool) - Name of ATT&CK software
Category: *tool* - source: *https://github.com/mitre/cti* - total: *80* elements
Category: *tool* - source: *https://github.com/mitre/cti* - total: *82* elements
[[HTML](https://www.misp-project.org/galaxy.html#_tool)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-tool.json)]
@ -374,7 +382,7 @@ Category: *measure* - source: *MISP Project* - total: *20* elements
[Ransomware](https://www.misp-project.org/galaxy.html#_ransomware) - Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml and http://pastebin.com/raw/GHgpWjar
Category: *tool* - source: *Various* - total: *1610* elements
Category: *tool* - source: *Various* - total: *1624* elements
[[HTML](https://www.misp-project.org/galaxy.html#_ransomware)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/ransomware.json)]
@ -382,7 +390,7 @@ Category: *tool* - source: *Various* - total: *1610* elements
[RAT](https://www.misp-project.org/galaxy.html#_rat) - remote administration tool or remote access tool (RAT), also called sometimes remote access trojan, is a piece of software or programming that allows a remote "operator" to control a system as if they have physical access to that system.
Category: *tool* - source: *MISP Project* - total: *264* elements
Category: *tool* - source: *MISP Project* - total: *265* elements
[[HTML](https://www.misp-project.org/galaxy.html#_rat)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/rat.json)]
@ -390,7 +398,7 @@ Category: *tool* - source: *MISP Project* - total: *264* elements
[Regions UN M49](https://www.misp-project.org/galaxy.html#_regions_un_m49) - Regions based on UN M49.
Category: *location* - source: *https://unstats.un.org/unsd/methodology/m49/overview/* - total: *31* elements
Category: *location* - source: *https://unstats.un.org/unsd/methodology/m49/overview/* - total: *32* elements
[[HTML](https://www.misp-project.org/galaxy.html#_regions_un_m49)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/region.json)]
@ -410,6 +418,14 @@ Category: *sector* - source: *CERT-EU* - total: *117* elements
[[HTML](https://www.misp-project.org/galaxy.html#_sector)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/sector.json)]
## Sigma-Rules
[Sigma-Rules](https://www.misp-project.org/galaxy.html#_sigma-rules) - MISP galaxy cluster based on Sigma Rules.
Category: *rules* - source: *https://github.com/jstnk9/MISP/tree/main/misp-galaxy/sigma* - total: *2665* elements
[[HTML](https://www.misp-project.org/galaxy.html#_sigma-rules)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/sigma-rules.json)]
## Dark Patterns
[Dark Patterns](https://www.misp-project.org/galaxy.html#_dark_patterns) - Dark Patterns are user interface that tricks users into making decisions that benefit the interface's holder to the expense of the user.
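Review bot: the new Sigma-Rules entry gives a personal repository path (github.com/jstnk9/MISP/tree/main/misp-galaxy/sigma) as the source of its 2665 elements; if the rules are converted from an upstream Sigma project, name that project as the source and the conversion repository as the tooling, otherwise readers cannot tell where the rules actually come from.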
@ -430,7 +446,7 @@ Category: *sod-matrix* - source: *https://github.com/cudeso/SoD-Matrix* - total:
[Stealer](https://www.misp-project.org/galaxy.html#_stealer) - A list of malware stealer.
Category: *tool* - source: *Open Sources* - total: *6* elements
Category: *tool* - source: *Open Sources* - total: *11* elements
[[HTML](https://www.misp-project.org/galaxy.html#_stealer)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/stealer.json)]
@ -470,7 +486,7 @@ Category: *tea-matrix* - source: ** - total: *7* elements
[Threat Actor](https://www.misp-project.org/galaxy.html#_threat_actor) - Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. threat-actor-classification meta can be used to clarify the understanding of the threat-actor if also considered as operation, campaign or activity group.
Category: *actor* - source: *MISP Project* - total: *397* elements
Category: *actor* - source: *MISP Project* - total: *408* elements
[[HTML](https://www.misp-project.org/galaxy.html#_threat_actor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/threat-actor.json)]
@ -478,10 +494,18 @@ Category: *actor* - source: *MISP Project* - total: *397* elements
[Tool](https://www.misp-project.org/galaxy.html#_tool) - threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.
Category: *tool* - source: *MISP Project* - total: *537* elements
Category: *tool* - source: *MISP Project* - total: *545* elements
[[HTML](https://www.misp-project.org/galaxy.html#_tool)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tool.json)]
## UAVs/UCAVs
[UAVs/UCAVs](https://www.misp-project.org/galaxy.html#_uavs/ucavs) - Unmanned Aerial Vehicles / Unmanned Combat Aerial Vehicles
Category: *military equipment* - source: *Popular Mechanics* - total: *36* elements
[[HTML](https://www.misp-project.org/galaxy.html#_uavs/ucavs)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/uavs.json)]
# Online documentation
A [readable PDF overview of the MISP galaxy is available](https://www.misp.software/galaxy.pdf) or [HTML](https://www.misp.software/galaxy.html) and generated from the JSON.


@ -10,24 +10,22 @@
"uuid": "20de4abf-f000-48ec-a929-3cdc5c2f3c23",
"values": [
{
"description": "美国中央情报局英语Central Intelligence Agency总部位于美国弗吉尼亚州的兰利。与苏联国家安全委员会克格勃、英国军情六处和以色列摩萨德并称为“世界四大情报机构”。\n其主要任务是公开和秘密地收集和分析关于国外政府、公司、恐怖组织、个人、政治、文化、科技等方面的情报协调其它国内情报机构的活动并把这些情报报告到美国政府各个部门的工作。",
"description": "APT-C-39是一个来自美国与NSA存在联系系属于CIA的高规格高水平的APT组织。对中国关键领域进行了长达十一年的网络渗透攻击。中国航空航天、科研机构、石油行业、大型互联网公司以及政府机构等多个单位均遭到不同程度的攻击",
"meta": {
"country": "america",
"refs": [
"https://apt.360.net/report/apts/12.html",
"https://apt.360.net/report/apts/96.html"
"https://apt.360.net/report/apts/96.html",
"https://apt.360.net/report/apts/12.html"
],
"suspected-victims": [
"中国"
],
"synonyms": [
"Lamberts",
"longhorn"
],
"synonyms": [],
"target-category": [
"媒体通讯",
"工业科研",
"航空航天等重要机构"
"政府",
"教育"
]
},
"uuid": "988e1441-0350-5c39-979d-b0ca99c8d20b",
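Review bot: the synonyms of APT-C-39 go from "Lamberts", "longhorn" to an empty array, which drops the only aliases that let this cluster correlate with Lamberts/Longhorn entries elsewhere; unless the aliases were wrong, keep them (and consider normalising "longhorn" to "Longhorn"). The swap of the two report URLs changes nothing and only adds diff noise.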
@ -38,27 +36,37 @@
"meta": {
"country": "vietnam",
"refs": [
"https://apt.360.net/report/apts/94.html",
"https://apt.360.net/report/apts/93.html",
"https://apt.360.net/report/apts/1.html",
"https://apt.360.net/report/apts/93.html"
"https://apt.360.net/report/apts/94.html"
],
"suspected-victims": [
"中国",
"越南"
"印度",
"孟加拉国",
"澳大利亚",
"马来西亚"
],
"synonyms": [
"OceanLotus"
],
"target-category": [
"政府",
"科研"
"科研",
"教育",
"信息技术",
"外交",
"医疗",
"制造",
"金融",
"国防军工"
]
},
"uuid": "ad1a6df6-2251-5e47-a245-8693c1ace8fb",
"value": "海莲花 - APT-C-00"
},
{
"description": "摩诃草组织APT-C-09又称HangOver、VICEROY TIGER、The Dropping Elephant、Patchwork是一个来自于南亚地区的境外APT组织该组织已持续活跃了7年。摩诃草组织最早由Norman安全公司于2013年曝光随后又有其他安全厂商持续追踪并披露该组织的最新活动。摩诃草组织主要针对中国、巴基斯坦等亚洲地区国家进行网络间谍活动其中以窃取敏感信息为主。相关攻击活动最早可以追溯到2009年11月至今还非常活跃。在针对中国地区的攻击中该组织主要针对政府机构、科研教育领域进行攻击其中以科研教育领域为主。",
"description": "摩诃草组织(APT-C-09)又称HangOver、VICEROY TIGER、The Dropping Elephant、Patchwork是一个来自南亚地区的境外APT组织该组织已持续活跃了12年。摩诃草组织最早由Norman安全公司于2013年曝光随后又有其他安全厂商持续追踪并披露该组织的最新活动但该组织并未由于相关攻击行动曝光而停止对相关目标的攻击相反从2015年开始更加活跃。摩诃草组织主要针对中国、巴基斯坦等亚洲地区国家进行网络间谍活动其中以窃取敏感信息为主。相关攻击活动最早可以追溯到2009年11月至今还非常活跃。在针对中国地区的攻击中该组织主要针对政府机构、科研教育领域进行攻击其中以科研教育领域为主。",
"meta": {
"country": "india",
"refs": [
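Review bot: 越南 is removed from the suspected-victims of 海莲花 (APT-C-00) while 印度, 孟加拉国, 澳大利亚 and 马来西亚 are added; dropping an existing victim is a different kind of change from adding new ones, so the commit message should say why Vietnam no longer qualifies. The reordering of the three report URLs is pure churn; keep the existing order so the diff shows only real changes.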
@ -66,7 +74,9 @@
"https://apt.360.net/report/apts/6.html"
],
"suspected-victims": [
"中国及中国驻外大使馆"
"中国及中国驻外大使馆",
"孟加拉国",
"巴基斯坦"
],
"synonyms": [
"HangOver",
@ -76,42 +86,41 @@
],
"target-category": [
"外交军事",
"关键制造基础设施",
"政府金融等重要机构"
"信息和通信",
"科研机构",
"政府等重要机构"
]
},
"uuid": "231a81cd-4e24-590b-b084-1a4715b30d67",
"value": "摩诃草 - APT-C-09"
},
{
"description": "从2014年11月起至今黄金鼠组织APT-C-27对叙利亚地区展开了有组织、有计划、有针对性的长时间不间断攻击。攻击平台从开始的Windows平台逐渐扩展至Android平台",
"description": "从2014年11月起至今黄金鼠组织APT-C-27对叙利亚地区展开了有组织、有计划、有针对性的长时间不间断攻击。攻击平台从开始的Windows平台逐渐扩展至Android平台截至目前我们一共捕获了Android平台攻击样本29个Windows平台攻击样本55个涉及的C&C域名9个。将APT-C-27组织命名为黄金鼠主要是考虑了以下几方面的因素一是该组织在攻击过程中使用了大量的资源说明该攻击组织资源丰富而黄金鼠有长期在野外囤积粮食的习惯字面上也有丰富的含义二、该攻击组织通常是间隔一段时间出来攻击一次这跟鼠有相通的地方三是黄金仓鼠是叙利亚地区一种比较有代表性的动物。",
"meta": {
"country": "mideast",
"refs": [
"https://apt.360.net/report/apts/26.html",
"https://apt.360.net/report/apts/100.html",
"https://apt.360.net/report/apts/98.html"
"https://apt.360.net/report/apts/98.html",
"https://apt.360.net/report/apts/26.html"
],
"suspected-victims": [
"叙利亚"
"叙利亚",
"约旦",
"土耳其"
],
"synonyms": [],
"target-category": [
"军事",
"政府"
]
"synonyms": []
},
"uuid": "b3b6f113-fe2c-5d75-ba41-b333ce726f4a",
"value": "黄金鼠 - APT-C-27"
},
{
"description": "Lazarus组织是来自朝鲜的APT组织该组织长期对韩国、美国、中国、印度等国家进行渗透攻击此外还对全球的金融机构进行攻击堪称全球金融机构的最大威胁。该组织最早的攻击活动可以追溯到2007年。",
"description": "Lazarus组织是疑似来自朝鲜的APT组织该组织长期对韩国、美国进行渗透攻击此外还对全球的金融机构进行攻击堪称全球金融机构的最大威胁。该组织最早的攻击活动可以追溯到2007年。据国外安全公司的调查显示Lazarus组织与2014 年索尼影业遭黑客攻击事件2016 年孟加拉国银行数据泄露事件2017年美国国防承包商、美国能源部门及英国、韩国等比特币交易所被攻击等事件有关。而2017年席卷全球的最臭名昭著的安全事件“Wannacry”勒索病毒也被怀疑是该组织所为。",
"meta": {
"country": "korea",
"refs": [
"https://apt.360.net/report/apts/9.html",
"https://apt.360.net/report/apts/90.html",
"https://apt.360.net/report/apts/101.html"
"https://apt.360.net/report/apts/101.html",
"https://apt.360.net/report/apts/90.html"
],
"suspected-victims": [
"中国",
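Review bot: for 黄金鼠 (APT-C-27) the whole target-category array (军事, 政府) is deleted instead of revised, so the entry loses a field that its new description and suspected-victims still support; the same wholesale removal happens below for ArmaRat (APT-C-33) and 军刀狮 (APT-C-38). If the categories are being re-mapped to the new vocabulary (国防军工, 政府 and so on), map them rather than dropping the field. The new APT-C-27 description also bakes in sample counts (29 Android samples, 55 Windows samples, 9 C&C domains) that will be stale by the next refresh.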
@ -123,41 +132,72 @@
"APT38"
],
"target-category": [
"工业科研",
"外交外贸",
"媒体金融",
"核设施"
"教育",
"通信运营商",
"制造",
"外交",
"信息技术",
"医疗",
"国防军工",
"金融",
"建筑",
"能源"
]
},
"uuid": "e6f4af06-fbb5-5471-82ae-b0bdb4d446ce",
"value": "Lazarus - APT-C-26"
},
{
"description": "黄金雕组织的活动主要影响中亚地区,大部分集中在哈萨克坦国境内攻击目标涉及教育行业、政府机关人员、科研人员、媒体工作人员、部分商务工业、军方人员、宗教人员、政府异见人士和外交人员等。该组织使用社会工程学、物理接触、无线电监听等方式进行网络攻击同时也采购了HackingTeam、NSO Group等网络军火商的武器具备0day漏洞的高级入侵能力。360参照中亚地区擅长驯养猎鹰进行狩猎的习俗特性将该组织命名为黄金雕APT-C-34",
"description": "黄金雕组织的活动主要影响中亚地区,大部分集中在哈萨克坦国境内攻击目标涉及教育行业、政府机关人员、科研人员、媒体工作人员、部分商务工业、军方人员、宗教人员、政府异见人士和外交人员等。该组织使用社会工程学、物理接触、无线电监听等方式进行网络攻击同时也采购了HackingTeam、NSO Group等网络军火商的武器具备0day漏洞的高级入侵能力。360参照中亚地区擅长驯养猎鹰进行狩猎的习俗特性将该组织命名为黄金雕APT-C-34",
"meta": {
"country": "kaz",
"refs": [
"https://apt.360.net/report/apts/11.html"
],
"synonyms": []
"suspected-victims": [
"俄罗斯",
"中国",
"哈萨克斯坦"
],
"synonyms": [],
"target-category": [
"教育",
"外交",
"医疗",
"科研",
"政府",
"国防军工"
]
},
"uuid": "03e70e52-ec27-5961-bb53-d4c8c737addc",
"value": "黄金雕 - APT-C-34"
},
{
"description": "从2018年4月起至今一个疑似来自南美洲的APT组织盲眼鹰APT-C-36针对哥伦比亚政府机构和大型公司金融、石油、制造等行业等重要领域展开了有组织、有计划、针对性的长期不间断攻击。",
"description": "从2018年4月起至今一个疑似来自南美洲的APT组织盲眼鹰APT-C-36针对哥伦比亚政府机构和大型公司金融、石油、制造等行业等重要领域展开了有组织、有计划、针对性的长期不间断攻击。其攻击平台主要为Windows攻击目标锁定为哥伦比亚政企机构。由于该组织攻击的目标中有一个特色目标是哥伦比亚盲人研究所而哥伦比亚在足球领域又被称为南美雄鹰结合该组织的一些其它特点以及360威胁情报中心对 APT 组织的命名规则我们将该组织命名为盲眼鹰APT-C-36",
"meta": {
"country": "namerica",
"refs": [
"https://apt.360.net/report/apts/83.html"
],
"synonyms": []
"suspected-victims": [
"厄瓜多尔",
"西班牙",
"哥伦比亚",
"巴拿马"
],
"synonyms": [],
"target-category": [
"通信运营商",
"医疗",
"制造",
"金融"
]
},
"uuid": "c111ae65-f889-56b0-b266-f54342977da5",
"value": "盲眼鹰 - APT-C-36"
},
{
"description": "2018年11月25日360高级威胁应对团队就在全球范围内第一时间发现了一起针对俄罗斯的APT攻击行动攻击目标则指向俄罗斯总统办公室所属的医疗机构此次攻击行动使用了Flash 0day漏洞cve-2018-15982和Hacking Team的RCS后门程序结合被攻击目标医疗机构的职能特色360将此次APT攻击命名为“毒针”行动。",
"description": "2018年11月25日360高级威胁应对团队就在全球范围内第一时间发现了一起针对俄罗斯的APT攻击行动攻击目标则指向俄罗斯总统办公室所属的医疗机构此次攻击行动使用了Flash 0day漏洞CVE-2018-15982和Hacking Team的RCS后门程序结合被攻击目标医疗机构的职能特色360将此次APT攻击命名为“毒针”行动。",
"meta": {
"country": "kaz",
"refs": [
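Review bot: the 盲眼鹰 (APT-C-36) description says the group is 疑似来自南美洲 and the new suspected-victims are 厄瓜多尔, 西班牙, 哥伦比亚 and 巴拿马, yet the unchanged context line still reads "country": "namerica"; this is a pre-existing mismatch that should be corrected while the entry is being touched. The CVE-2018-15982 capitalisation fix in the 毒针 entry is correct.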
@ -168,7 +208,8 @@
],
"synonyms": [],
"target-category": [
"政府"
"政府",
"医疗"
]
},
"uuid": "5ae4eb64-5431-5b5c-987b-891e7ab5858c",
@ -184,16 +225,13 @@
"suspected-victims": [
"伊朗"
],
"synonyms": [],
"target-category": [
"政府"
]
"synonyms": []
},
"uuid": "e66dfa3d-3295-503c-bdea-64d88e2b310d",
"value": "ArmaRat - APT-C-33"
},
{
"description": "从2015年7月起至今军刀狮组织APT-C-38在中东地区展开了有组织、有计划、针对性的不间断攻击其攻击平台为Windows和Android。由于军刀狮组织的攻击目标有一个主要的特色目标是西亚中东某国的库尔德人另Windows端RAT包含的PDB路径下出现多次的“Saber”而亚洲狮为该中东国家的代表动物结合该组织的一些其它特点以及360对 APT 组织的命名规则我们将该组织命名为军刀狮APT-C-38。",
"description": "从2015年7月起至今军刀狮组织APT-C-38在中东地区展开了有组织、有计划、针对性的不间断攻击其攻击平台为Windows和Android。由于军刀狮组织的攻击目标有一个主要的特色目标是西亚中东某国的库尔德人另Windows端RAT包含的PDB路径下出现多次的“Saber”而亚洲狮为该中东国家的代表动物结合该组织的一些其它特点以及360对 APT 组织的命名规则我们将该组织命名为军刀狮APT-C-38。",
"meta": {
"country": "mideast",
"refs": [
@ -202,10 +240,7 @@
"suspected-victims": [
"中东地区"
],
"synonyms": [],
"target-category": [
"政府"
]
"synonyms": []
},
"uuid": "671197ae-ba70-5a81-90a5-1ba5e2ad6f76",
"value": "军刀狮 - APT-C-38"
@ -215,15 +250,16 @@
"meta": {
"country": "mideast",
"refs": [
"https://apt.360.net/report/apts/103.html",
"https://apt.360.net/report/apts/28.html"
"https://apt.360.net/report/apts/28.html",
"https://apt.360.net/report/apts/103.html"
],
"suspected-victims": [
"ISIS"
"巴勒斯坦",
"叙利亚",
"以色列"
],
"synonyms": [],
"target-category": [
"军事",
"政府"
]
},
@ -231,7 +267,7 @@
"value": "拍拍熊 - APT-C-37"
},
{
"description": "APT-C-15是一个来自于中东地区的境外APT组织。 APT-C-15组织主要针对埃及,以色列等中东地区进行网络间谍活动,以窃取敏感信息为主。 活跃时间主要集中在2014年6月到2015年11月期间相关攻击活动最早可以追溯到2011年12月。主要采用利用社交网络进行水坑攻击。",
"description": "人面狮行动是活跃在中东地区的网络间谍活动,主要目标可能涉及到埃及和以色列等国家的不同组织,目的是窃取目标敏感数据信息。活跃时间主要集中在2014年6月到2015年11月期间相关攻击活动最早可以追溯到2011年12月。主要利用社交网络进行水坑攻击截止到目前总共捕获到恶意代码样本314个C&C域名7个。",
"meta": {
"country": "mideast",
"refs": [
@ -243,33 +279,38 @@
],
"synonyms": [],
"target-category": [
"政府"
"国防军工"
]
},
"uuid": "55177506-57bf-503e-8a24-9ed06bd28f16",
"value": "人面狮 - APT-C-15"
},
{
"description": "美人鱼组织APT-C-07来自于中东的境外APT组织已持续活跃了9年。 主要针对政府机构进行网络间谍活动,以窃取敏感信息为目的,已经证实有针对丹麦外交部的攻击。",
"description": "美人鱼组织APT-C-07来自于中东的境外APT组织已持续活跃了9年。 主要针对政府机构进行网络间谍活动,以窃取敏感信息为目的,已经证实有针对丹麦外交部的攻击。",
"meta": {
"country": "mideast",
"refs": [
"https://apt.360.net/report/apts/4.html"
],
"suspected-victims": [
"丹麦"
"丹麦",
"印度",
"澳大利亚",
"罗马尼亚",
"美国"
],
"synonyms": [],
"target-category": [
"政府",
"外交"
"外交",
"制造"
]
},
"uuid": "51954972-101b-5213-971c-b335ceb810ea",
"value": "美人鱼 - APT-C-07"
},
{
"description": "2016年1月起至今双尾蝎组织对巴勒斯坦教育机构、军事机构等重要领域展开了有组织、有计划、有针对性的长时间不间断攻击。攻击平台包括 Windows 与 Android攻击范围主要为中东地区",
"description": "2016年5月起至今双尾蝎组织APT-C-23对巴勒斯坦教育机构、军事机构等重要领域展开了有组织、有计划、有针对性的长时间不间断攻击。攻击平台包括Windows与Android攻击范围主要为中东地区截至目前我们一共捕获了Android样本24个Windows样本19个涉及的C&C域名29个。将APT-C-23组织命名为双尾蝎主要是考虑了以下几方面的因素一是该组织同时攻击了巴勒斯坦和以色列这两个存在一定敌对关系的国家这种情况在以往并不多见二是该组织同时在Windows和Android两种平台上发动攻击。虽然以往我们截获的APT组织中也有一些进行多平台攻击的例子如海莲花但绝大多数APT组织攻击的重心仍然是Windows平台。而同时注重两种平台并且在Android平台上攻击如此活跃的APT组织在以往并不多见。第三个原因就是蝎子在巴以地区是一种比较有代表性的动物。",
"meta": {
"country": "mideast",
"refs": [
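Review bot: the start of 双尾蝎 (APT-C-23) activity moves from 2016年1月 to 2016年5月, but the entry's refs array is not touched by this diff, so there is no new source for the revised date; cite or add the 360 report that supports it. The new description also embeds sample counts (24 Android samples, 19 Windows samples, 29 C&C domains) that will go stale.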
@ -277,14 +318,18 @@
],
"suspected-victims": [
"巴勒斯坦",
"中国等驻外大使馆"
"中国等驻外大使馆",
"约旦",
"利比亚",
"加拿大"
],
"synonyms": [],
"target-category": [
"政府",
"IT",
"军事",
"教育"
"教育",
"信息技术",
"通信运营商"
]
},
"uuid": "ce0bcfbd-9924-5c82-9ad3-845db745e7f7",
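Review bot: 军事 is removed from the target-category of 双尾蝎 (APT-C-23) even though the entry's description still names 军事机构 as a primary target; either keep 军事 (or its new equivalent 国防军工) or adjust the description so the two fields agree.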
@ -305,15 +350,16 @@
],
"target-category": [
"政府",
"航空航天、教育",
"军事"
"国防军工",
"科研",
"金融"
]
},
"uuid": "7094494b-a91b-532f-9968-082fa683bfc4",
"value": "蓝宝菇 - APT-C-12"
},
{
"description": "从2007年开始至今360追日团队发现毒云藤组织对中国国防、政府、科技、教育以及海事机构等重点单位和部门进行了长达数十年的网络间谍活动。该组织主要关注军工、中美关系、两岸关系和海洋相关领域。",
"description": "APT-C-01又名毒云藤是一个长期针对中国境内的APT组织至少从2007年开始活跃。曾对中国国防、政府、科技、教育以及海事机构等重点单位和部门进行了长达11年的网络间谍活动主要关注军工、中美关系、两岸关系和海洋相关领域旨在窃取重大决策及敏感信息。APT-C-01由360威胁情报中心首次披露结合该组织关联地区常见的蔓藤植物因此将其命名为“毒云藤”。",
"meta": {
"country": "taiwan",
"refs": [
@ -330,20 +376,20 @@
"target-category": [
"政府",
"科研",
"国防",
"海事机构等重要机构"
"教育",
"国防军工"
]
},
"uuid": "98df38d1-f83c-5c28-ad11-75aa6b493fe7",
"value": "毒云藤 - APT-C-01"
},
{
"description": "DarkhotelAPT-C-06组织是一个长期针对企业高管、国防工业、电子工业等重要机构实施网络间谍攻击活动的APT组织。2014年11月卡巴斯基实验室的安全专家首次发现了Darkhotel APT组织并声明该组织至少从2010年就已经开始活跃目标基本锁定在韩国、中国、俄罗斯和日本。",
"description": "DarkhotelAPT-C-06是一个长期针对企业高管、国防工业、电子工业等重要机构实施网络间谍攻击活动的APT组织。2014年11月卡巴斯基实验室的安全专家首次发现了Darkhotel APT组织并声明该组织至少从2010年就已经开始活跃目标基本锁定在韩国、中国、俄罗斯和日本。卡巴斯基将该组织命名为Darkhotel暗黑客栈是因为他们的一次攻击行动被曝光主要是利用酒店的无线网络有针对性的瞄准生产制造、国防、投资资本、私人股权投资、汽车等行业的精英管理者。",
"meta": {
"country": "southKorea",
"refs": [
"https://apt.360.net/report/apts/3.html",
"https://apt.360.net/report/apts/97.html"
"https://apt.360.net/report/apts/97.html",
"https://apt.360.net/report/apts/3.html"
],
"suspected-victims": [
"中国",
@ -359,17 +405,21 @@
"SIG25"
],
"target-category": [
"军事",
"外贸外交",
"工业能源",
"科研等重要机构"
"信息技术",
"科研",
"医疗",
"能源",
"国防军工",
"制造",
"金融",
"服务业"
]
},
"uuid": "f52ab8b8-71f2-5a88-946f-853dc3441efe",
"value": "Darkhotel - APT-C-06"
},
{
"description": "APT28(APT-C-20)又称Pawn Storm、Sofacy、Sednit、Fancy Bear和Strontium。APT28组织被怀疑幕后和俄罗斯政府有关该组织相关攻击时间最早可以追溯到2007年。其主要目标包括国防工业、军队、政府组织和媒体",
"description": "APT28(APT-C-20)又称Pawn Storm、Sofacy、Sednit、Fancy Bear和Strontium。APT28组织被怀疑幕后和俄罗斯政府有关该组织相关攻击时间最早可以追溯到2004年。其主要目标包括国防工业、军队、政府组织和媒体。期间使用了大量0day漏洞相关恶意代码除了针对windows、Linux等PC操作系统还会针对苹果IOS等移动设备操作系统。早前也曾被怀疑与北大西洋公约组织网络攻击事件有关。APT28组织在2015年第一季度有大量的活动用于攻击NATO成员国和欧洲、亚洲、中东政府。目前有许多安全厂商怀疑其与俄罗斯政府有关而早前也曾被怀疑秘密调查MH17事件。从2016年开始该组织最新的目标瞄准了土耳其高级官员。",
"meta": {
"country": "russia",
"refs": [
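Review bot: the earliest activity of APT28 (APT-C-20) changes from 2007年 to 2004年 with no change to the entry's refs, so cite the source for the earlier date. Minor: the new description writes "windows" and "IOS" where "Windows" and "iOS" are meant.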
@ -382,6 +432,7 @@
"乌克兰"
],
"synonyms": [
"APT28",
"Pawn Storm",
"Sofacy Group",
"Sednit",
@ -399,12 +450,12 @@
"value": "奇幻熊 - APT-C-20"
},
{
"description": "沙虫组织的主要目标领域有:政府、教育、能源机构和电信运营商进一步主要针对欧美国家政府、北约以及乌克兰政府展开间谍活动其攻击在2018年呈上升趋势。该组织经常利用鱼叉式网络钓鱼方法。",
"description": "沙虫组织的主要目标领域有:政府、教育、能源机构和电信运营商。进一步主要针对欧美国家政府、北约以及乌克兰政府展开间谍活动。该组织曾使用0day漏洞(CVE-2014-4114)针对乌克兰政府发起了一次钓鱼攻击。而在威尔士举行的讨论乌克兰危机的北约峰会针对美国也进行了攻击。该组织还使用了BlackEnergy恶意软件。而且沙虫组织不仅仅只进行常规的网络间谍活动还针对SCADA系统进行了攻击研究者认为相关活动是为了之后的网络攻击进行侦查跟踪。另外有少量证据表明针对乌克兰电力系统等工业领域的网络攻击中涉及到了BlackEnergy恶意软件。如果此次攻击的确使用了BlackEnergy恶意软件的话那有可能幕后会关联到沙虫组织。",
"meta": {
"country": "russia",
"refs": [
"https://apt.360.net/report/apts/69.html",
"https://apt.360.net/report/apts/87.html"
"https://apt.360.net/report/apts/87.html",
"https://apt.360.net/report/apts/69.html"
],
"suspected-victims": [
"欧美国家",
@ -425,7 +476,7 @@
"value": "沙虫 - APT-C-13"
},
{
"description": "肚脑虫组织APT-C-35是一个来自于印度的境外APT组织该组织已持续活跃了3年。 肚脑虫组织主要针对巴基斯坦,南亚等国家地区进行网络间谍活动,以窃取敏感信息为主。 相关攻击活动最早可以追溯到2016年至今还非常活跃。",
"description": "APT-C-35肚脑虫组织又称Donot是一个针对克什米尔地区相关国家的政府机构等领域进行网络间谍活动以窃取敏感信息为主的攻击组织。该组织于2017年3月由360追日团队首次曝光随后有数个国内外安全团队持续追踪并披露该组织的最新攻击活动。攻击活动最早始于2016年4月至今活跃攻击方式主要采用鱼叉邮件进行攻击。",
"meta": {
"country": "india",
"refs": [
@ -436,10 +487,12 @@
"巴基斯坦等南亚国家"
],
"synonyms": [
"donot"
"Donot"
],
"target-category": [
"政府"
"政府",
"外交",
"国防"
]
},
"uuid": "7592ce56-59df-5cbc-9251-6928ff23e6a5",
@ -477,16 +530,17 @@
"中国",
"俄罗斯",
"比利时",
"瑞典"
"伊朗"
],
"synonyms": [
"Sauron",
"Strider"
],
"target-category": [
"军事",
"教育",
"信息和通信",
"外交",
"政府等重要机构"
"科学研究与技术服务"
]
},
"uuid": "24ce266c-1860-5e04-a107-48d1d39f8ebf",
@ -514,28 +568,32 @@
"value": "潜行者 - APT-C-30"
},
{
"description": "“响尾蛇”APT组织又名T-APT-04疑似来自印度其最早活跃时间可追溯到2012年主要针对巴基斯坦等南亚国家的军事目标进行定向攻击。",
"description": "APT-C-24又名Sidewinder、Rattlesnake等是具有印度背景的APT组织。该组织通常以巴基斯坦、中国、尼泊尔等在内的南亚及周边地区的国家为目标主要攻击该国家/地区的政府、军事、外交等领域最常见的感染媒介之一就是使用带有漏洞的恶意文档。2020年初该组织还使用与COVID-19相关的诱饵文件对孟加拉国、中国和巴基斯坦发起了网络攻击通过近年来对该组织的追踪发现Sidewinder越来越倾向于利用诸如COVID-19之类的趋势话题或各种政治问题作为一种社会工程技术来攻击其目标因此需要更加地警惕小心。",
"meta": {
"country": "india",
"refs": [
"https://apt.360.net/report/apts/92.html"
],
"suspected-victims": [
"巴基斯坦"
"巴基斯坦",
"斯里兰卡",
"孟加拉国"
],
"synonyms": [
"SideWinder"
],
"target-category": [
"政府",
"军事"
"军事",
"教育",
"信息通信"
]
},
"uuid": "3dada716-34c3-506e-aa3a-1889bd975b4b",
"value": "响尾蛇 - APT-C-24"
},
{
"description": "APT-C-28组织又名ScarCruft、APT37 Reaper、Group123是一个来自于东北亚地区的境外APT组织其相关攻击活动最早可追溯到2012年且至今依然保持活跃状态。APT-C-28组织主要针对韩国等亚洲国家进行网络间谍活动其中以窃取战略军事、政治、经济利益相关的情报和敏感数据为主。",
"description": "APT-C-28组织又名ScarCruft、APT37 Reaper、Group123是一个来自于东北亚地区的境外APT组织其相关攻击活动最早可追溯到2012年且至今依然保持活跃状态。APT-C-28组织主要针对韩国等亚洲国家进行网络间谍活动其中以窃取战略军事、政治、经济利益相关的情报和敏感数据为主。APT-C-28组织最早由卡巴斯基公司于2016年6月曝光随后各个安全厂商对其进行了持续追踪并不断曝光该组织的最新攻击活动。",
"meta": {
"country": "korea",
"refs": [
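Review bot: the old 响尾蛇 description named the alias T-APT-04 and the new one adds Rattlesnake, but the synonyms array still holds only "SideWinder", so both aliases are lost for matching; add "T-APT-04" and "Rattlesnake" to synonyms instead of keeping them in free text.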
@ -551,19 +609,24 @@
],
"target-category": [
"政府",
"媒体"
"教育",
"金融",
"国防军工",
"信息技术",
"医疗",
"社会组织"
]
},
"uuid": "96c3508e-f5f9-52b4-9d1e-b246d68f643d",
"value": "ScarCruft - APT-C-28"
},
{
"description": "Turla组织的主要目标有外交、政治、私企,攻击目标遍布全球,其中以欧洲地区为主,国内也有中招用户。在攻击手法上是俄罗斯网军中技术实力很强的主力部队,曾经有过攻击卫星的历史。",
"description": "Turla Group又名Waterbug、Venomous Bear、Group 88等是具有俄罗斯背景的APT组织至少从1996年就开始活跃2015年以后攻击活动更加频繁。Turla组织的攻击目标遍及全球多个国家攻击对象涉及政府、外交、军事、教育、研究和医疗等多个领域因开展水坑攻击和鱼叉式网络钓鱼攻击以及利用定制化的恶意软件而闻名。",
"meta": {
"country": "russia",
"refs": [
"https://apt.360.net/report/apts/88.html",
"https://apt.360.net/report/apts/81.html"
"https://apt.360.net/report/apts/81.html",
"https://apt.360.net/report/apts/88.html"
],
"suspected-victims": [
"中国",
@ -571,12 +634,14 @@
"驻欧美国家外交机关"
],
"synonyms": [
"uroburos"
"Turla, Waterbug, Venomous Bear, Group 88"
],
"target-category": [
"外交",
"金融",
"工业"
"政府",
"军事",
"教育",
"医疗"
]
},
"uuid": "1972273e-2152-558c-b575-222c6d2f3e10",
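Review bot: the replacement synonym for Turla is a single string "Turla, Waterbug, Venomous Bear, Group 88", which MISP will treat as one alias that matches nothing; split it into four array entries, and keep "uroburos" (or the usual spelling "Uroburos"), which this hunk removes.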
@ -585,7 +650,7 @@
{
"description": "Carbanak(即Anunak)攻击组织是一个跨国网络犯罪团伙。2013年起该犯罪团伙总计向全球约30个国家和地区的100家银行、电子支付系统和其他金融机构发动了攻击目前相关攻击活动还很活跃。",
"meta": {
"country": "russia",
"country": "Ukraine",
"refs": [
"https://apt.360.net/report/apts/68.html"
],
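Review bot: the Carbanak country changes from "russia" to "Ukraine" while the single ref (apts/68.html) is unchanged, so the re-attribution needs a source; the new value is also capitalised where most entries in this file use lowercase keys such as "russia", "india" and "mideast", so settle on one convention.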
@ -597,14 +662,15 @@
],
"target-category": [
"外贸",
"金融"
"金融",
"能源"
]
},
"uuid": "a4aba29f-fb91-50d9-bdf9-2b184922a200",
"value": "Carbanak - APT-C-11"
},
{
"description": "“飞鲨”行动相关攻击行动最早可以追溯到2013年1月持续活跃到2014年3月主要针对中国航空航天领域目的是窃取目标用户敏感数据信息近期暂无监控到相关攻击事件。",
"description": "APT-C-17是360发现的一起APT攻击我们将此次攻击行动命名为“飞鲨”行动相关攻击行动最早可以追溯到2013年1月持续活跃到2014年3月主要针对中国航空航天领域目的是窃取目标用户敏感数据信息近期暂无监控到相关攻击事件。",
"meta": {
"country": "india",
"refs": [
@ -615,10 +681,6 @@
],
"synonyms": [],
"target-category": [
"基础设施",
"IT",
"教育",
"科研",
"航空航天"
]
},
@ -626,7 +688,7 @@
"value": "飞鲨 - APT-C-17"
},
{
"description": "APT-C-40(方程式)是史上最强网络犯罪组织。该团伙已活跃近20年并且在攻击复杂性和攻击技巧方面超越了历史上所有的网络攻击组织并被认为是著名的震网Stuxnet和火焰Flame病毒幕后的操纵者。",
"description": "APT-C-40(方程式)是史上最强APT组织。该团伙已活跃近20年并且在攻击复杂性和攻击技巧方面超越了历史上所有的网络攻击组织并被认为是著名的震网Stuxnet和火焰Flame病毒幕后的操纵者。",
"meta": {
"country": "america",
"refs": [
@ -640,22 +702,23 @@
],
"synonyms": [],
"target-category": [
"关键制",
"工业科研",
"航空航天",
"政府军事等重要机构"
"信息和通信产业",
"科学研究与技术服务",
"政府机构"
]
},
"uuid": "54034021-1998-5ddf-93e7-f1f56d172f99",
"value": "方程式 - APT-C-40"
},
{
"description": "透明部落Transparent Tribe别名APT36、ProjectM、C-Major是一个具有南亚背景的APT组织其长期针对周边国家和地区特别是印度的政治、军事进行定向攻击活动其开发有自己的专属木马CrimsonRAT还曾被发现广泛传播USB蠕虫。TransparentTribe也曾经对Donot的恶意文档宏代码进行模仿两者高度相似。之前透明部落也曾经模仿响尾蛇组织进行攻击。其一直针对印度的政府、公共部门、各行各业包括但不限于医疗、电力、金融、制造业等进行攻击和信息窥探。",
"description": "Operation_C-Major又名Transparent Tribe、APT36、Mythic Leopard等是具有巴基斯坦背景的APT组织攻击活动影响范围较广但主要攻击目标为印度国家的政府、军方等组织此外为保障国家利益巴基斯坦境内的民间团体或政治家也是其主要攻击对象。该组织于2013年被首次发现近年来一直处于活跃状态。2020年初利用有关印巴两国边境争端的诱饵文档向印度政府组织、国防人员发起了鱼叉式网络攻击也就是Honey Trap行动以此来窃取国家机密及敏感数据。",
"meta": {
"country": "southeast",
"refs": [],
"suspected-victims": [
"印度"
"印度",
"欧洲"
],
"synonyms": [
"APT36",
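Review bot: the new 透明部落 (APT-C-56) description introduces the aliases Operation C-Major and Mythic Leopard, but the visible portion of synonyms shows only "APT36"; make sure those aliases are in the array. Adding "欧洲" to suspected-victims mixes a region into a list of countries; the file's existing convention for regions is a form like "巴基斯坦等南亚国家".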
@ -664,14 +727,15 @@
],
"target-category": [
"政府",
"军事"
"军事",
"教育"
]
},
"uuid": "084517bc-b8e7-5c86-a218-3f19e1379f3e",
"value": "透明部落 - APT-C-56"
},
{
"description": "在2020年起我们发现南亚地区中新的境外APT组织活动最早活跃可追溯到2020年1月至今还很活跃。该APT组织的攻击活动主要针对巴基斯坦、孟加拉等国家的国家机构、军工、科研、国防等重要领域进行攻击。与南亚地区中活跃的蔓灵花、响尾蛇等APT组织暂无关联属于新的攻击组织。\n该APT组织通过鱼叉邮件配合社会工程学手段进行渗透,向目标设备传播恶意程序,暗中控制目标设备,持续窃取设备上的敏感文件。由于其使用的C2、载荷下发、窃取的数据存储等均依赖于云服务且使用的木马为python语言编写所以我们将其命名为腾云蛇编号为APT-C-61。",
"description": "APT-C-61又名腾云蛇最早活跃可追溯到2020年1月至今还很活跃主要攻击目标为巴基斯坦、孟加拉等国家的国家机构、军工、科研、国防等重要领域攻击时通过鱼叉邮件配合社会工程学手段进行渗透,向目标设备传播恶意程序,暗中控制目标设备,持续窃取设备上的敏感文件。其使用的C2、载荷下发、窃取的数据存储等均依赖于云服务且使用的木马为python语言编写而得名。",
"meta": {
"country": "southeast",
"refs": [],
@ -696,21 +760,28 @@
"country": "korea",
"refs": [],
"suspected-victims": [
"韩国"
"韩国",
"美国",
"朝鲜",
"俄罗斯",
"中国",
"日本"
],
"synonyms": [],
"target-category": [
"政府",
"教育",
"外交",
"媒体"
"媒体",
"金融",
"国防军工"
]
},
"uuid": "84e18657-3995-5837-88f1-f823520382a8",
"value": "Kimsuky - APT-C-55"
},
{
"description": "2019年初国外安全厂商披露了一起疑似卢甘斯克背景的APT组织针对乌克兰政府的定向攻击活动根据相关报告分析该组织的攻击活动至少可以追溯到2014年曾大量通过网络钓鱼、水坑攻击等方式针对乌克兰政府机构进行攻击。",
"description": "2019年初国外安全厂商披露了一起疑似卢甘斯克背景的APT组织针对乌克兰政府的定向攻击活动根据相关报告分析该组织的攻击活动至少可以追溯到2014年曾大量通过网络钓鱼、水坑攻击等方式针对乌克兰政府机构进行攻击在其过去的攻击活动中曾使用过开源Quasar RAT和VERMIN等恶意软件捕获目标的音频和视频窃取密码获取机密文件等等。",
"meta": {
"country": "Ukraine",
"refs": [
@ -730,28 +801,24 @@
"value": "卢甘斯克组织 - APT-C-46"
},
{
"description": "360 安全大脑检测到多起 ClickOnce 恶意程序的攻击活动,通过 360 高级威胁研究院的深入研判分析,发现这是一起来自半岛地区未被披露 APT 组织的攻击行动,该组织的攻击活动最早可以追溯到 2018 年。目前没有任何安全厂商公开披露该组织的攻击活动,360根据用ClickOnce 攻击技术的谐音,将其命名为“旺刺”组织。",
"description": "近期,360安全大脑检测到多起ClickOnce恶意程序的攻击活动通过360高级威胁研究院的深入研判分析发现这是一起来自半岛地区未被披露APT组织的攻击行动攻击目标涉及与半岛地区有关联的实体机构和个人根据360安全大脑的数据分析显示该组织的攻击活动最早可以追溯到2018年。目前没有任何安全厂商公开披露该组织的攻击活动,也没有安全厂商公开披露利用该技术的真实APT攻击事件。由于此次攻击活动属于360全球首次捕获披露我们根据该组织擅长攻击技术的谐音,将其命名为“旺刺”组织并为其分配了新编号APT-C-47。",
"meta": {
"country": "korea",
"country": "southKorea",
"refs": [
"https://apt.360.net/report/apts/168.html"
],
"suspected-victims": [
"中国",
"朝鲜半岛"
"中国"
],
"synonyms": [
"APT-C-47"
],
"target-category": [
"商贸机构"
]
},
"uuid": "0660d5e2-f8cf-5d5e-95c8-e5af7115979e",
"value": "旺刺组织 - APT-C-47"
},
{
"description": "Domestic Kitten组织APT-C-50最早被国外安全厂商披露自2016年以来一直在进行广泛而有针对性的攻击攻击目标包括伊朗内部持不同政见者和反对派力量以及ISIS的拥护者和主要定居在伊朗西部的库尔德少数民族。值得注意的是所有攻击目标都是伊朗公民。伊斯兰革命卫队IRGC、情报部、内政部等伊朗政府机构可能为该组织提供支持",
"description": "Domestic Kitten(Check Point)别名APT-C-50。最早被国外安全厂商披露自2016年以来一直在进行广泛而有针对性的攻击攻击目标包括中东某国内部持不同政见者和反对派力量以及ISIS的拥护者和主要定居在中东某国西部的库尔德少数民族。值得注意的是所有攻击目标都是中东某国公民。伊斯兰革命卫队IRGC、情报部、内政部等中东某国政府机构可能为该组织提供支持。",
"meta": {
"country": "Iran",
"refs": [
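Review bot: two attribution-level edits in this hunk need justification. The 旺刺 (APT-C-47) country moves from "korea" to "southKorea" while the description still only says 半岛地区, and 朝鲜半岛 is dropped from suspected-victims. In the Domestic Kitten entry every 伊朗 in the description is replaced with 中东某国, yet the context line still reads "country": "Iran", so the anonymisation is inconsistent; either keep the country named in the description or change the field as well.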
@ -767,24 +834,33 @@
"APT-C-50"
],
"target-category": [
"政府"
"国防军工",
"社会组织"
]
},
"uuid": "a6636926-ffe4-5974-9be0-34ab5dcbd59f",
"value": "DomesticKitten - APT-C-50"
},
{
"description": "APT-C-32",
"description": "SandCat由卡巴斯基在2018年首次发现该组织一直在使用FinFisher/ FinSpy间谍软件和CHAINSHOT攻击框架,并有使用0 Day漏洞的能力曾经使用过CVE-2018-8589和CVE-2018-8611。主要攻击中东、非洲和东欧等地区的目标。",
"meta": {
"country": "Israel",
"refs": [],
"synonyms": []
"suspected-victims": [
"中国",
"乌兹别克斯坦",
"沙特阿拉伯"
],
"synonyms": [],
"target-category": [
"社会组织"
]
},
"uuid": "bf77827a-e0f1-504f-815c-4bccfe72b644",
"value": "SandCat - APT-C-32"
},
{
"description": "APT-C-48",
"description": "该组织于2019年发现,因为样本的pdb路径中有cnc_client字符所以暂时叫做CNC组织。该组织定向攻击我国教育、航天、军工和医疗等行业窃取情报。在攻击过程中会尝试使用Nday并且有能够开发GO语言木马的开发人员。",
"meta": {
"country": "india",
"refs": [],
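Review bot: the SandCat (APT-C-32) entry keeps "country": "Israel" while the new suspected-victims include 乌兹别克斯坦, and refs is still an empty array even though the description now cites Kaspersky, two CVEs (CVE-2018-8589, CVE-2018-8611), FinFisher/FinSpy and CHAINSHOT; add the Kaspersky reference so both the attribution and the description can be checked. Minor: "FinFisher/ FinSpy" and "0 Day" should read "FinFisher/FinSpy" and "0-day".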
@ -794,14 +870,16 @@
"synonyms": [],
"target-category": [
"教育",
"军事"
"军事",
"航天",
"医疗"
]
},
"uuid": "34d75138-389f-5555-85e9-f3ca5a9cce8f",
"value": "APT_CNC - APT-C-48"
"value": "CNC - APT-C-48"
},
{
"description": "蓝色魔眼APT-C-41又被称为Promethium、StrongPity该APT组织最早的攻击活动可以追溯到2012年。该组织主要针对意大利、土耳其、比利时、叙利亚、欧洲等地区和国家进行攻击活动。360安全大脑监测到该组织在2020年1月首次针对中国进行了攻击活动并捕获到了该组织最新V4版本的攻击组件。经过360高级威胁研究院的深入分析研判此次攻击的针对性极强是该组织罕见地针对我国相关重要机构发起的首起定向攻击行动。由于是首次捕获和披露该组织对我国的攻击我们为其分配了新的编号APT-C-41并根据该组织活跃地区的文化特色将其命名为“蓝色魔眼”。",
"description": "APT-C-41,是一个具有土耳其背景的APT小组该APT组织最早的攻击活动可以追溯到2012年。该组织主要针对意大利、土耳其、比利时、叙利亚、欧洲等地区和国家进行攻击活动。2020年360发现了该组织针对我国相关单位的攻击并将其命名为APT-C-41。",
"meta": {
"country": "trq",
"refs": [
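Review bot: renaming the cluster `value` from `"APT_CNC - APT-C-48"` to `"CNC - APT-C-48"` without recording the old name breaks lookups for events already tagged with the previous value, since `"synonyms": []` stays empty; the uuid is unchanged, which is good, but please add `"APT_CNC"` to `synonyms` so existing tags still resolve. The description itself says the CNC name is provisional (暂时叫做CNC组织), which is another reason to keep the alias.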
@ -812,69 +890,107 @@
"意大利",
"土耳其",
"比利时",
"叙利亚"
],
"synonyms": [
"StrongPity"
"叙利亚",
"中国"
],
"synonyms": [],
"target-category": [
"基础设施"
"教育",
"金融",
"政府",
"制造"
]
},
"uuid": "75122408-5db4-5ac2-a156-88a8f149e738",
"value": "蓝色魔眼 - APT-C-41"
},
{
"description": "Machete",
"description": "El Machete由卡巴斯基首次发现最早的攻击可以追溯至2014年主要针对拉丁美洲。360白泽实验室发现了一款Python语言编写的新型后门病毒Pyark通过对该后门的深入挖掘和溯源分析我们发现了一系列从2019年起便一直活跃的高级威胁行动攻击者通过入侵委内瑞拉的多处军事机构部署后门病毒不间断的监控和窃取最新的军事机密。",
"meta": {
"country": "namerica",
"refs": [
"https://apt.360.net/report/apts/159.html"
],
"suspected-victims": [
"东南亚",
"南美",
"欧洲"
],
"synonyms": [
"Machete"
],
"target-category": [
"教育",
"通信运营商",
"外交",
"政府",
"国防军工",
"金融"
]
},
"uuid": "d0b9840d-efe2-5200-89d1-2f1a37737e30",
"value": "Machete - APT-C-43"
},
{
"description": "APT-C-53",
"description": "Gamaredon又名Primitive Bear、Winterflounder、BlueAlpha至少从2013年就开始活跃是由俄罗斯政府赞助的APT组织。Gamaredon组织主要针对乌克兰的政府、国防、外交、新闻媒体等发起网络间谍活动。近年来该组成员也不断升级其技战术开发定制化的恶意软件这也加大了安全人员对其进行捕获与追踪的难度。",
"meta": {
"country": "russia",
"refs": [],
"synonyms": []
"suspected-victims": [
"乌克兰等东欧国家"
],
"synonyms": [],
"target-category": [
"政府",
"国防",
"外交",
"新闻媒体"
]
},
"uuid": "ca52d879-f02b-531e-89ff-817ffc23ce35",
"value": "Gamaredon - APT-C-53"
},
{
"description": "360烽火实验室联合360高级威胁研究院发现一起针对阿拉伯语地区的长达三年的多次网络攻击活动。该攻击活动自2017年10月开始至今攻击平台主要为Windows和Android。通过分析我们发现此次攻击活动来自阿尔及利亚主要利用钓鱼网站和第三方文件托管网站进行载荷投递并且使用社交媒体进行传播受害者主要分布在阿拉伯语地区其中包含疑似具有军事背景的相关人员。根据此次攻击活动的伪装对象和攻击目标我们认为该组织目的是为了获取情报先机。根据该组织所属国家的地理位置以及其他特点我们将其命名为北非狐APT-C-44。",
"description": "北非狐组织APT-C-44是一个来自阿尔及利亚的境外APT组织该组织已持续活跃了3年。北非狐组织主要针对中东地区进行网络间谍活动以窃取敏感信息为主。相关攻击活动最早可以追溯到2017年11月至今仍活跃着。",
"meta": {
"country": "algeria",
"refs": [
"https://apt.360.net/report/apts/157.html"
],
"synonyms": []
"suspected-victims": [
"阿尔及利亚",
"约旦"
],
"synonyms": [],
"target-category": [
"国防军工"
]
},
"uuid": "367bfb72-da65-5886-a333-389299470722",
"value": "北非狐 - APT-C-44"
},
{
"description": "WellMess组织是一个一直未被业界认定的APT组织多方面数据显示该组织在2017至2019年间的攻击活动开始频繁活跃其中日本互联网应急响应中心于2018年曾报道过该组织的相关攻击活动但并未将其归属为APT组织。\n\n在2019年360高级威胁研究院捕获发现了WellMess组织一系列的APT攻击活动这一系列的攻击活动最早开始于2017年12月一直持续到2019年12月。在对WellMess组织的攻击研判过程中我们确定这是一个具备自身独特攻击特点和精密攻击技战术的APT组织为其分配了APT-C-42的专属APT组织编号。",
"description": "WELLMESS组织是一个较新的俄语系境外APT组织最早发现于2017年并持续至今。该组织主要针对亚洲地区进行间谍攻击并且曾进行过超两年的供应链攻击同时拥有漏洞利用能力。该组织的目标主要是政府、IT、科研等单位以窃取文件为主。",
"meta": {
"country": "russia",
"refs": [
"https://apt.360.net/report/apts/136.html"
],
"suspected-victims": [
"美国",
"中国",
"加拿大",
"日本"
],
"synonyms": [],
"target-category": [
"IT通信行业"
"政府",
"科研"
]
},
"uuid": "6560f0cf-bbbd-5bb7-8dad-b4c8ea23704f",
"value": "WellMess - APT-C-42"
}
],
"version": 1
"version": 2
}
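Review bot: the APT-C-41 entry drops `"StrongPity"` from `synonyms` (and the description no longer mentions Promethium/StrongPity at all), which removes the only name by which this cluster can be matched against the StrongPity/Promethium entries in other galaxies; keep `"StrongPity"` and `"Promethium"` as synonyms even if 360 prefers its own numbering. Two smaller consistency points in the same hunk: Gamaredon's `suspected-victims` contains the phrase `"乌克兰等东欧国家"` rather than country names, and Machete keeps `"country": "namerica"` although the description places its activity in Latin America and Venezuela.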

clusters/first-dns.json Normal file

@ -0,0 +1,228 @@
{
"authors": [
"FIRST.org",
"Andrey Meshkov (AdGuard)",
"Ángel González (INCIBE-CERT)",
"Angela Matlapeng (bwCSIRT)",
"Benedict Addis (Shadowserver)",
"Brett Carr (Nominet)",
"Carlos Alvarez (ICANN; founding member)",
"David Ruefenacht (Infoguard)",
"Gabriel Andrews (FBI)",
"John Todd (Quad9; current co-chair of DNS Abuse SIG)",
"Jonathan Matkowsky (RiskIQ / Microsoft; former co-chair)",
"Jonathan Spring (CISA; current co-chair of DNS Abuse SIG)",
"Mark Henderson (IRS)",
"Mark Svancarek (Microsoft)",
"Merike Kaeo (Double Shot Security)",
"Michael Hausding (SWITCH-CERT; former co-chair, current FIRST board member)",
"Peter Lowe (DNSFilter; current co-chair of DNS Abuse SIG)",
"Shoko Nakai (JPCERT/CC)",
"Swapneel Patnekar (Shreshta IT)",
"Trey Darley (FIRST board; founding member)"
],
"category": "first-dns",
"description": "The Domain Name System (DNS) is a critical part of the Internet, including mapping domain names to IP addresses. Malicious threat actors use domain names, their corresponding technical resources, and other parts of the DNS infrastructure, including its protocols, for their malicious cyber operations. CERTs are confronted with reported DNS abuse on a continuous basis, and rely heavily on DNS analysis and infrastructure to protect their constituencies. Understanding the international customary norms applicable for detecting and mitigating DNS abuse from the perspective of the global incident response community is critical for the open Internets stability, security and resiliency. See also https://www.first.org/global/sigs/dns/ for more information.",
"name": "FIRST DNS Abuse Techniques Matrix",
"source": "https://www.first.org/global/sigs/dns/",
"type": "first-dns",
"uuid": "67d44607-ae1d-4b01-a419-c311e68fb28a",
"values": [
{
"description": "DGAs - Domain Generation Algorithm",
"meta": {
"refs": [
"https://attack.mitre.org/techniques/T1568/002/"
]
},
"related": [
{
"dest-uuid": "7bd9c723-2f78-4309-82c5-47cad406572b",
"type": "related-to"
}
],
"uuid": "bbb63c10-548a-5ddc-8c6d-c5d8712df26d",
"value": "DGAs"
},
{
"description": "The wrongfully taking control of a domain name from the rightful name holder. Compromised domains can be used for different kinds of malicious activity like sending spam or phishing, for distributing malware or as botnet command and control.",
"meta": {
"refs": [
"https://www.icann.org/groups/ssac/documents/sac-007-en"
]
},
"uuid": "1c46402d-ca07-5cd7-a49c-477a4e868d12",
"value": "Domain name compromise"
},
{
"description": "Lame delegations occur as a result of expired nameserver domains allowing attackers to take control of the domain resolution by re-registering this expired nameserver domain.",
"meta": {
"refs": [
"https://blog.apnic.net/2021/03/16/the-prevalence-persistence-perils-of-lame-nameservers/"
]
},
"uuid": "8f013ccd-6697-566d-8b83-9cbfdc802342",
"value": "Lame delegations"
},
{
"description": "DNS cache poisoning - also known as DNS spoofing, is a type of cyber attack in which an attacker corrupts a DNS resolver's cache by injecting false DNS records, causing the resolver to records controlled by the attacker.",
"meta": {
"refs": [
"https://capec.mitre.org/data/definitions/142.html"
]
},
"uuid": "3b236fe5-83c2-563b-8744-bf11e414a6ad",
"value": "DNS cache poisoning"
},
{
"description": "DNS rebinding - a type of attack where a malicious website directs a client to a local network address, allowing the attacker to bypass the same-origin policy and gain access to the victim's local resources.",
"meta": {
"refs": [
"https://capec.mitre.org/data/definitions/275.html"
]
},
"uuid": "8c30074b-e718-5262-86fe-b7a6493cf731",
"value": "DNS rebinding"
},
{
"description": "Attacker gains administrative privileges on an open recursive DNS server, authoritative DNS server, organizational recursive DNS server, or ISP-operated recursive DNS server.",
"uuid": "094f218e-51fe-5f3b-a202-1cc9b016dedc",
"value": "DNS server compromise"
},
{
"description": "The attacker compromises the Operating System of a computer or a phone with malicious code that intercepts and responds to DNS queries with rogue or malicious responses.",
"uuid": "9bbd1e65-d11b-5e29-adf2-f0a997c51547",
"value": "Stub resolver hijacking"
},
{
"description": "Consumer Premise Equipment (CPE), such as home routers, often provide DNS recursion on the local network. If the CPE device is compromised, the attacker can change the recursive resolver behavior; for example, by changing responses.",
"uuid": "ec27edc4-7908-5100-9fc7-4159c283691d",
"value": "Local recursive resolver hijacking"
},
{
"description": "Attackers intercept communication between a user and a DNS server and provide different destination IP addresses pointing to malicious sites.",
"meta": {
"refs": [
"https://www.imperva.com/learn/application-security/dns-hijacking-redirection/"
]
},
"uuid": "dea01e07-c348-56ef-b22f-312a64717431",
"value": "On-path DNS attack"
},
{
"description": "Multiple systems sending malicious traffic to a target at the same time.",
"uuid": "7cbb69c3-1cf1-5219-97e8-c908cdbedde6",
"value": "DoS against the DNS"
},
{
"description": "Adversaries may attempt to cause a denial of service by reflecting a high-volume of network traffic to a target. This type of Network DoS takes advantage of a third-party server intermediary that hosts and will respond to a given spoofed source IP address. This third-party server is commonly termed a reflector. An adversary accomplishes a reflection attack by sending packets to reflectors with the spoofed address of the victim. Two prominent protocols that have enabled Reflection Amplification Floods are DNS and NTP through the use of several others in the wild have been documented. These Reflection and Amplification Floods can be directed against components of the DNS, like authoritative nameservers, rendering them unresponsive.",
"meta": {
"refs": [
"https://attack.mitre.org/techniques/T1498/002/"
]
},
"related": [
{
"dest-uuid": "d74c4a7e-ffbf-432f-9365-7ebf1f787cab",
"type": "related-to"
}
],
"uuid": "735b95e1-bd17-5375-a318-f5bf5ee014e6",
"value": "DNS as a vector for DoS"
},
{
"description": "Dynamic DNS resolution (as obfuscation technique) - Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. These calculations can be used to dynamically adjust parameters such as the domain name IP address or port number the malware uses for command and control.",
"meta": {
"refs": [
"https://attack.mitre.org/techniques/T1568/"
]
},
"related": [
{
"dest-uuid": "7bd9c723-2f78-4309-82c5-47cad406572b",
"type": "related-to"
}
],
"uuid": "3664fb70-5179-5004-828a-1d090b78fa7a",
"value": "Dynamic DNS resolution"
},
{
"description": "Dynamic DNS resolution: Fast flux (as obfuscation technique) - Adversaries may use Fast Flux DNS to hide a command and control channel behind an array of rapidly changing IP addresses linked to a single domain resolution. This technique uses a fully qualified domain name with multiple IP addresses assigned to it which are swapped with high frequency using a combination of round robin IP addressing and short Time-To-Live (TTL) for a DNS resource record.",
"meta": {
"refs": [
"https://attack.mitre.org/techniques/T1568/001/"
]
},
"related": [
{
"dest-uuid": "29ba5a15-3b7b-4732-b817-65ea8f6468e6",
"type": "related-to"
}
],
"uuid": "5a99f82a-48c8-5f89-836f-78901e764677",
"value": "Dynamic DNS resolution: Fast flux"
},
{
"description": "Exfiltration via the DNS requires a delegated domain or, if the domain does not exist in the public DNS, the operation of a resolver preloaded with that domain's zone file information and configured to receive and respond to the queries sent by the compromised devices.",
"uuid": "9e98500e-4a22-578a-9839-69c169079a68",
"value": "Infiltration and exfiltration via the DNS"
},
{
"description": "For example, before attacking a victim, adversaries purchase or register domains from an ICANN-accredited registrar that can be used during targeting. See also CAPEC-630.",
"meta": {
"refs": [
"https://capec.mitre.org/data/definitions/630.html"
]
},
"uuid": "a53e05a5-0931-5975-b16a-2434a0f2356a",
"value": "Malicious registration of (effective) second level domains"
},
{
"description": "Before attacking a victim, adversaries purchase or create domains from an entity other than a registrar or registry that provides subdomains under domains they own and control. S",
"meta": {
"refs": [
"https://en.wikipedia.org/wiki/Dynamic_DNS"
]
},
"uuid": "ed6477e2-426f-5c55-a740-0b6ba4547b77",
"value": "Creation of malicious subdomains under dynamic DNS providers"
},
{
"description": " - Internet attack infrastructure is a broad category, and this covers any non-DNS server. Many compromised servers, such as web servers or mail servers, interact with the DNS or may be instrumental in conducting DNS abuse. For example, compromised mail servers are one technique that may be used to send phishing emails.",
"uuid": "e4115a11-6975-57f9-aa27-89351e18a402",
"value": "Compromise of a non-DNS server to conduct abuse"
},
{
"description": "In a context where a domain name is expected (such as the From header in mail or a URL in a web page or message body), supplying a domain name not controlled by the attacker and that is not controlled by or registered to a legitimate registrant.",
"uuid": "bc197790-2b89-56e7-b019-871bdc36323a",
"value": "Spoofing or otherwise using unregistered domain names"
},
{
"description": "In a context where a domain name is expected (such as the From header in mail or a URL in a web page or message body), supplying a domain name not controlled by the attacker and that is in fact controlled by or registered to a legitimate registrant.",
"uuid": "88d804bc-f3e0-5b33-9c07-d05dfb1806df",
"value": "Spoofing of a registered domain"
},
{
"description": "DNS tunneling - tunneling another protocol over DNS - The DNS protocol serves an administrative function in computer networking and thus may be very common in environments. DNS traffic may also be allowed even before network authentication is completed. DNS packets contain many fields and headers in which data can be concealed. Often known as DNS tunneling, adversaries may abuse DNS to communicate with systems under their control within a victim network while also mimicking normal expected traffic.",
"meta": {
"refs": [
"https://attack.mitre.org/techniques/T1071/004/"
]
},
"related": [
{
"dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72",
"type": "related-to"
}
],
"uuid": "b1b60f03-a603-506f-870b-7ea4da0cbeaa",
"value": "DNS tunneling"
},
{
"description": "DNS beacons - C2 communication - Successive or periodic DNS queries to a command & control server, either to exfiltrate data or await further commands from the C2.",
"uuid": "23f785fa-902f-563a-959f-67d2053cb25a",
"value": "DNS beacons - C2 communication"
}
],
"version": 2
}
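Review bot: several descriptions in this new cluster contain defects that MISP will display verbatim: the DNS cache poisoning text reads "causing the resolver to records controlled by the attacker" and is missing a verb (presumably "to return records"); the "Creation of malicious subdomains under dynamic DNS providers" description ends with a stray "S"; the "Compromise of a non-DNS server to conduct abuse" description starts with " - "; the reflection/amplification text says "through the use of several others in the wild have been documented" where the cited MITRE page reads "though"; and the top-level description has "Internets" for "Internet's". The `"DGAs"` entry would also benefit from a real description rather than only the expanded acronym, since the other entries explain the technique.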

File diff suppressed because it is too large

galaxies/first-dns.json Normal file

@ -0,0 +1,9 @@
{
"description": "The Domain Name System (DNS) is a critical part of the Internet, including mapping domain names to IP addresses. Malicious threat actors use domain names, their corresponding technical resources, and other parts of the DNS infrastructure, including its protocols, for their malicious cyber operations. CERTs are confronted with reported DNS abuse on a continuous basis, and rely heavily on DNS analysis and infrastructure to protect their constituencies. Understanding the international customary norms applicable for detecting and mitigating DNS abuse from the perspective of the global incident response community is critical for the open Internets stability, security and resiliency. See also https://www.first.org/global/sigs/dns/ for more information.",
"icon": "database",
"name": "FIRST DNS Abuse Techniques Matrix",
"namespace": "first-dns",
"type": "first-dns",
"uuid": "67d44607-ae1d-4b01-a419-c311e68fb28a",
"version": 1
}
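Review bot: the galaxy description copies the cluster description verbatim, including the "Internets" typo ("Internet's"); fix it in both files so the two stay identical.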


@ -67,24 +67,17 @@ json_galaxy = {
'uuid': "20de4abf-f000-48ec-a929-3cdc5c2f3c23",
'version': 1
}
with open(os.path.join('..', 'clusters', '360net.json'), 'r') as f:
json_cluster = json.load(f)
json_cluster = {
'authors': ["360.net"],
'category': 'actor',
'name': "360.net Threat Actors",
'description': "Known or estimated adversary groups as identified by 360.net.",
'source': 'https://apt.360.net/aptlist',
'type': "360net-threat-actor",
'uuid': "20de4abf-f000-48ec-a929-3cdc5c2f3c23",
'values': clusters,
'version': 1
}
json_cluster['values'] = clusters
json_cluster['version'] += 1
# save the Galaxy and Cluster file
with open(os.path.join('..', 'galaxies', '360net.json'), 'w') as f:
json.dump(json_galaxy, f, indent=2)
json.dump(json_galaxy, f, indent=2, sort_keys=True, ensure_ascii=False)
with open(os.path.join('..', 'clusters', '360net.json'), 'w') as f:
json.dump(json_cluster, f, indent=2)
json.dump(json_cluster, f, indent=2, sort_keys=True, ensure_ascii=False)
print("All done, please don't forget to ./jq_all_the_things.sh, commit, and then ./validate_all.sh.")
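Review bot: `json_galaxy` still hard-codes `'version': 1` (visible at the top of this hunk) and is rewritten on every run, while `json_cluster['version']` is now loaded from disk and incremented, so the galaxy file is reset to version 1 each time the cluster version grows; either load and bump the galaxy the same way or stop rewriting it. Also note the new `open(os.path.join('..', 'clusters', '360net.json'), 'r')` turns a fresh checkout without that file into a `FileNotFoundError` where the script previously created it; a short fallback to the initial dictionary (or a clear error message) would keep the bootstrap case working. Switching the dumps to `ensure_ascii=False` is the right call given the Chinese descriptions.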


@ -15,6 +15,8 @@ misp_dir = '../'
domains = ['enterprise-attack', 'mobile-attack', 'pre-attack']
types = ['attack-pattern', 'course-of-action', 'intrusion-set', 'malware', 'tool']
mitre_sources = ['mitre-attack', 'mitre-ics-attack', 'mitre-pre-attack', 'mitre-mobile-attack']
all_data = {} # variable that will contain everything
# read in the non-MITRE data
@ -105,8 +107,13 @@ for domain in domains:
for reference in item['external_references']:
if 'url' in reference and reference['url'] not in value['meta']['refs']:
value['meta']['refs'].append(reference['url'])
if 'external_id' in reference:
# Find Mitre external IDs from allowed sources
if 'external_id' in reference and reference.get("source_name", None) in mitre_sources:
value['meta']['external_id'] = reference['external_id']
if not value['meta'].get('external_id', None):
exit("Entry is missing an external ID, please update mitre_sources. Available references: {}".format(
json.dumps(item['external_references'])
))
if 'kill_chain_phases' in item: # many (but not all) attack-patterns have this
value['meta']['kill_chain'] = []
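Review bot: `exit(...)` is the `site` module convenience, not guaranteed in every interpreter setup; use `sys.exit(...)` (with `import sys`) for the failure path. The error message dumps `item['external_references']` but not which entry failed, so when a bundle has hundreds of items the operator has to search for the matching references; include the item's name in the message. Also, because the `mitre_sources` check runs per reference, an item with two references from allowed sources silently keeps the last `external_id`; if that should never happen, a warning there would make it visible.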