This commit is contained in:
Deborah Servili 2020-09-16 10:22:38 +02:00
commit 0fe525a9db
9 changed files with 8814 additions and 101 deletions

View file

@ -1157,7 +1157,19 @@
},
"uuid": "809d100b-d46d-40f4-b498-5371f46bb9d6",
"value": "AESDDoS"
},
{
"description": "A set of DDoS botnet.",
"meta": {
"synonyms": [
"Katura",
"MyraV",
"myra"
]
},
"uuid": "e23d0f90-6dc5-46a5-b38d-06f176b7c601",
"value": "Arceus"
}
],
"version": 20
"version": 21
}

File diff suppressed because it is too large Load diff

View file

@ -6,7 +6,8 @@
"Andrea Garavaglia",
"Andras Iklody",
"Daniel Plohmann",
"Christophe Vandeplas"
"Christophe Vandeplas",
"Rmkml"
],
"category": "tool",
"description": "Malware galaxy cluster based on Malpedia.",
@ -18826,7 +18827,34 @@
},
"uuid": "10c03b2e-5e53-11ea-ac08-00163cdbc7b4",
"value": "Raccoon"
},
{
"description": "According to Bleeping Computer, the ransomware is used in targeted attacks against unpatched Citrix servers. It excludes Russian and Chinese targets using the system's Language ID for filtering. It also tries to disable Windows Defender and has a number of UNIX filepath references in its strings. Encryption method is AES using a dynamically generated key, then bundling this key up via RSA.",
"meta": {
"refs": [
"https://www.bleepingcomputer.com/news/security/ragnarok-ransomware-targets-citrix-adc-disables-windows-defender/",
"https://news.sophos.com/en-us/2020/05/21/asnarok2/",
"https://github.com/k-vitali/Malware-Misc-RE/blob/master/2020-01-26-ragnarok-cfg-vk.notes.raw"
],
"synonyms": [],
"type": []
},
"uuid": "10c03b2f-5e52-01ea-bc08-00153cdbc7b3",
"value": "Ragnarok"
},
{
"description": "Conti is a new family of ransomware observed in the wild by the Carbon Black Threat Analysis Unit (TAU). Unlike most ransomware, Conti contains unique features that separate it in terms of performance and focus on network-based targets.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.conti",
"https://www.carbonblack.com/blog/tau-threat-discovery-conti-ransomware/"
],
"synonyms": [],
"type": []
},
"uuid": "10c03b2e-5f52-01fa-ac08-00253cdbc6b3",
"value": "Conti"
}
],
"version": 2562
"version": 2564
}

2774
clusters/sod-matrix.json Normal file

File diff suppressed because it is too large Load diff

View file

@ -175,18 +175,6 @@
"uuid": "9e71024e-817f-45b0-92a0-d886c30bc929",
"value": "Dust Storm"
},
{
"description": "Adversary targeting dissident groups in China and its surroundings.",
"meta": {
"attribution-confidence": "50",
"country": "CN",
"refs": [
"https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf"
]
},
"uuid": "06e659ff-ece8-4e6c-a110-d9692ac6d8ee",
"value": "Karma Panda"
},
{
"meta": {
"attribution-confidence": "50",
@ -606,13 +594,6 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "8e28dbee-4e9e-4491-9a6c-ee9c9ec4b28b",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "9a683d9c-8f7d-43df-bba2-ad0ca71e277c",
@ -982,15 +963,11 @@
"http://www.crowdstrike.com/blog/cyber-deterrence-in-action-a-story-of-one-long-hurricane-panda-campaign/",
"https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/",
"https://www.crowdstrike.com/blog/storm-chasing/",
"https://www.crowdstrike.com/blog/cyber-deterrence-in-action-a-story-of-one-long-hurricane-panda-campaign/",
"https://go.recordedfuture.com/hubfs/reports/cta-2019-0206.pdf"
"https://www.crowdstrike.com/blog/cyber-deterrence-in-action-a-story-of-one-long-hurricane-panda-campaign/"
],
"synonyms": [
"Black Vine",
"TEMP.Avengers",
"Zirconium",
"APT 31",
"APT31"
"TEMP.Avengers"
]
},
"related": [
@ -1555,16 +1532,11 @@
"cfr-type-of-incident": "Espionage",
"country": "CN",
"refs": [
"http://www.crowdstrike.com/blog/whois-samurai-panda/",
"https://www.cfr.org/interactive/cyber-operations/sykipot",
"https://www.secureworks.com/research/threat-profiles/bronze-edison"
"http://www.crowdstrike.com/blog/whois-samurai-panda/"
],
"synonyms": [
"PLA Navy",
"APT4",
"APT 4",
"Wisp Team",
"BRONZE EDISON"
"Wisp Team"
]
},
"related": [
@ -1581,13 +1553,6 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "8e28dbee-4e9e-4491-9a6c-ee9c9ec4b28b",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "2fb07fa4-0d7f-43c7-8ff4-b28404313fe7",
@ -2013,7 +1978,8 @@
"https://blog.trendmicro.com/trendlabs-security-intelligence/more-than-a-dozen-obfuscated-apt33-botnets-used-for-extreme-narrow-targeting/",
"https://www.brighttalk.com/webcast/10703/275683",
"https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage",
"https://www.secureworks.com/research/threat-profiles/cobalt-trinity"
"https://www.secureworks.com/research/threat-profiles/cobalt-trinity",
"https://threatconnect.com/blog/research-roundup-activity-on-previously-identified-apt33-domains/"
],
"synonyms": [
"APT 33",
@ -2323,7 +2289,7 @@
"meta": {
"attribution-confidence": "50",
"country": "TN",
"motive": "Hacktivism-Nationalist",
"motive": "Hacktivists-Nationalists",
"synonyms": [
"FallagaTeam"
]
@ -2390,7 +2356,7 @@
"https://www.apnews.com/4d174e45ef5843a0ba82e804f080988f",
"https://www.voanews.com/a/iaaf-hack-fancy-bears/3793874.html",
"https://securelist.com/a-slice-of-2017-sofacy-activity/83930/",
"http://www.dw.com/en/hackers-lurking-parliamentarians-told/a-19564630",
"https://www.dw.com/en/hackers-lurking-parliamentarians-told/a-19564630",
"https://unit42.paloaltonetworks.com/unit42-sofacys-komplex-os-x-trojan/",
"https://unit42.paloaltonetworks.com/dear-joohn-sofacy-groups-global-campaign/",
"https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html",
@ -2410,13 +2376,13 @@
"https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/",
"https://www.bleepingcomputer.com/news/security/apt28-uses-lojax-first-uefi-rootkit-seen-in-the-wild/",
"https://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-targets-mh17-investigation-team/",
"http://researchcenter.paloaltonetworks.com/2016/06/unit42-new-sofacy-attacks-against-us-government-agency/",
"http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-pawn-storm.pdf",
"https://researchcenter.paloaltonetworks.com/2016/06/unit42-new-sofacy-attacks-against-us-government-agency/",
"https://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-pawn-storm.pdf",
"https://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-flash-zero-day-used-in-pawn-storm-campaign/",
"https://blogs.microsoft.com/on-the-issues/2018/08/20/we-are-taking-new-steps-against-broadening-threats-to-democracy/",
"http://www.lse.co.uk/AllNews.asp?code=kwdwehme&headline=Russian_Hackers_Suspected_In_Cyberattack_On_German_Parliament",
"https://www.lse.co.uk/AllNews.asp?code=kwdwehme&headline=Russian_Hackers_Suspected_In_Cyberattack_On_German_Parliament",
"https://www.volkskrant.nl/cultuur-media/russen-faalden-bij-hackpogingen-ambtenaren-op-nederlandse-ministeries~b77ff391/",
"http://www.ibtimes.co.uk/russian-hackers-fancy-bear-likely-breached-olympic-drug-testing-agency-dnc-experts-say-1577508",
"https://www.ibtimes.co.uk/russian-hackers-fancy-bear-likely-breached-olympic-drug-testing-agency-dnc-experts-say-1577508",
"https://www.bleepingcomputer.com/news/security/microsoft-disrupts-apt28-hacking-campaign-aimed-at-us-midterm-elections/",
"https://www.justice.gov/opa/pr/justice-department-announces-actions-disrupt-advanced-persistent-threat-28-botnet-infected",
"https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf",
@ -2426,7 +2392,8 @@
"https://www.washingtonpost.com/technology/2019/02/20/microsoft-says-it-has-found-another-russian-operation-targeting-prominent-think-tanks/?utm_term=.870ff11468ae",
"https://www.handelsblatt.com/today/politics/election-risks-russia-linked-hackers-target-german-political-foundations/23569188.html?ticket=ST-2696734-GRHgtQukDIEXeSOwksXO-ap1",
"https://www.accenture.com/t20190213T141124Z__w__/us-en/_acnmedia/PDF-94/Accenture-SNAKEMACKEREL-Threat-Campaign-Likely-Targeting-NATO-Members-Defense-and-Military-Outlets.pdf",
"https://marcoramilli.com/2019/12/05/apt28-attacks-evolution/"
"https://marcoramilli.com/2019/12/05/apt28-attacks-evolution/",
"https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/"
],
"synonyms": [
"APT 28",
@ -2590,7 +2557,7 @@
"https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/waterbug-attack-group-16-en.pdf",
"https://www.theguardian.com/technology/2014/aug/07/turla-hackers-spying-governments-researcher-kaspersky-symantec",
"https://www.bleepingcomputer.com/news/security/turla-outlook-backdoor-uses-clever-tactics-for-stealth-and-persistence/",
"http://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf",
"https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf",
"https://www.melani.admin.ch/melani/en/home/dokumentation/reports/technical-reports/technical-report_apt_case_ruag.html",
"https://unit42.paloaltonetworks.com/unit42-kazuar-multiplatform-espionage-backdoor-api-access/",
"https://www.engadget.com/2017/06/07/russian-malware-hidden-britney-spears-instagram/",
@ -2598,6 +2565,7 @@
"https://www.trendmicro.com/vinfo/vn/security/news/cyber-attacks/cyberespionage-group-turla-deploys-backdoor-ahead-of-g20-summit",
"https://www.zdnet.com/article/this-hacking-gang-just-updated-the-malware-it-uses-against-uk-targets/",
"https://attack.mitre.org/groups/G0010/",
"https://www.telsy.com/turla-venomous-bear-updates-its-arsenal-newpass-appears-on-the-apt-threat-scene/",
"https://www.secureworks.com/research/threat-profiles/iron-hunter"
],
"synonyms": [
@ -2845,14 +2813,16 @@
"https://threatpost.com/fileless-malware-campaigns-tied-to-same-attacker/124369/",
"https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html",
"https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html",
"http://blog.morphisec.com/fin7-attacks-restaurant-industry",
"https://blog.morphisec.com/fin7-attacks-restaurant-industry",
"https://www.flashpoint-intel.com/blog/fin7-revisited-inside-astra-panel-and-sqlrat-malware/",
"http://blog.morphisec.com/fin7-attack-modifications-revealed",
"http://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign",
"https://blog.morphisec.com/fin7-attack-modifications-revealed",
"https://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign",
"https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/",
"https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html",
"https://attack.mitre.org/groups/G0046/",
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
"https://threatintel.blog/OPBlueRaven-Part1/",
"https://threatintel.blog/OPBlueRaven-Part2/",
"https://www.secureworks.com/research/threat-profiles/gold-niagara"
],
"synonyms": [
@ -3111,6 +3081,7 @@
"https://threatpost.com/banco-de-chile-wiper-attack-just-a-cover-for-10m-swift-heist/132796/",
"https://www.darkreading.com/attacks-breaches/north-korean-hacking-group-steals-$135-million-from-indian-bank-/d/d-id/1332678",
"https://www.zdnet.com/article/north-korean-hackers-infiltrate-chiles-atm-network-after-skype-job-interview/",
"https://blogs.jpcert.or.jp/en/2020/08/Lazarus-malware.html",
"https://www.secureworks.com/research/threat-profiles/nickel-gladstone"
],
"synonyms": [
@ -3850,8 +3821,7 @@
"cfr-type-of-incident": "Espionage",
"country": "IR",
"refs": [
"http://www.clearskysec.com/oilrig/",
"http://blog.morphisec.com/iranian-fileless-cyberattack-on-israel-word-vulnerability",
"https://blog.morphisec.com/iranian-fileless-cyberattack-on-israel-word-vulnerability",
"https://unit42.paloaltonetworks.com/unit42-striking-oil-closer-look-adversary-infrastructure/",
"https://unit42.paloaltonetworks.com/unit42-introducing-the-adversary-playbook-first-up-oilrig/",
"https://unit42.paloaltonetworks.com/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/",
@ -3878,6 +3848,7 @@
"https://www.clearskysec.com/oilrig/",
"https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/shamoon-attackers-employ-new-tool-kit-to-wipe-infected-systems/",
"https://attack.mitre.org/groups/G0049/",
"https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/",
"https://www.secureworks.com/research/threat-profiles/cobalt-gypsy"
],
"synonyms": [
@ -4803,10 +4774,29 @@
{
"meta": {
"attribution-confidence": "50",
"cfr-suspected-state-sponsor": "China",
"cfr-suspected-victims": [
"Eastern Europe",
"Japan",
"South Korea",
"Taiwan",
"US"
],
"cfr-target-category": [
"Military",
"Government",
"Private sector"
],
"country": "CN",
"refs": [
"https://www.wsj.com/articles/chinas-secret-weapon-in-south-korea-missile-fight-hackers-1492766403?emailToken=JRrydPtyYnqTg9EyZsw31FwuZ7JNEOKCXF7LaW/HM1DLsjnUp6e6wLgph560pnmiTAN/5ssf7moyADPQj2p2Gc+YkL1yi0zhIiUM9M6aj1HTYQ==",
"https://arstechnica.com/information-technology/2017/04/researchers-claim-china-trying-to-hack-south-korea-missile-defense-efforts/"
"https://arstechnica.com/information-technology/2017/04/researchers-claim-china-trying-to-hack-south-korea-missile-defense-efforts/",
"https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf",
"https://securelist.com/cactuspete-apt-groups-updated-bisonal-backdoor/97962/",
"https://www.wsj.com/articles/chinas-secret-weapon-in-south-korea-missile-fight-hackers-1492766403"
],
"synonyms": [
"CactusPete",
"Karma Panda"
]
},
"uuid": "0ab7c8de-fc23-4793-99aa-7ee336199e26",
@ -5151,36 +5141,17 @@
"https://www.alienvault.com/open-threat-exchange/blog/new-sykipot-developments",
"http://blog.trendmicro.com/trendlabs-security-intelligence/sykipot-now-targeting-us-civil-aviation-sector-information/",
"https://www.sans.org/reading-room/whitepapers/malicious/detailed-analysis-sykipot-smartcard-proxy-variant-33919",
"https://www.cfr.org/interactive/cyber-operations/sykipot"
"https://www.cfr.org/interactive/cyber-operations/sykipot",
"https://www.secureworks.com/research/threat-profiles/bronze-edison"
],
"synonyms": [
"PLA Navy",
"APT4",
"APT 4",
"BRONZE EDISON",
"Sykipot"
]
},
"related": [
{
"dest-uuid": "38fd6a28-3353-4f2b-bb2b-459fecd5c648",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "9a683d9c-8f7d-43df-bba2-ad0ca71e277c",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "2fb07fa4-0d7f-43c7-8ff4-b28404313fe7",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "8e28dbee-4e9e-4491-9a6c-ee9c9ec4b28b",
"value": "Maverick Panda"
},
@ -5700,7 +5671,13 @@
"meta": {
"refs": [
"https://securelist.com/a-simple-example-of-a-complex-cyberattack/82636/",
"https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07170759/Microcin_Technical_4PDF_eng_final_s.pdf"
"https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07170759/Microcin_Technical_4PDF_eng_final_s.pdf",
"https://securelist.com/apt-trends-report-q2-2019/91897/",
"https://www.welivesecurity.com/2020/05/14/mikroceen-spying-backdoor-high-profile-networks-central-asia/",
"https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia/"
],
"synonyms": [
"SixLittleMonkeys"
]
},
"uuid": "0a6b31cd-54cd-4f82-9b87-aab780604632",
@ -5805,7 +5782,16 @@
"United States",
"Hong Kong",
"The Philippines",
"Asia Pacific Economic Cooperation"
"Asia Pacific Economic Cooperation",
"Cambodia",
"Belgium",
"Germany",
"Philippines",
"Malaysia",
"Norway",
"Saudi Arabia",
"Switzerland",
"United Kingdom"
],
"cfr-target-category": [
"Government",
@ -5828,7 +5814,9 @@
"https://intrusiontruth.wordpress.com/2020/01/13/who-else-works-for-this-cover-company-network",
"https://intrusiontruth.wordpress.com/2020/01/14/who-is-mr-ding",
"https://intrusiontruth.wordpress.com/2020/01/15/hainan-xiandun-technology-company-is-apt40",
"https://www.secureworks.com/research/threat-profiles/bronze-mohawk"
"https://www.secureworks.com/research/threat-profiles/bronze-mohawk",
"https://www.mycert.org.my/portal/advisory?id=MA-774.022020",
"https://www.elastic.co/blog/advanced-techniques-used-in-malaysian-focused-apt-campaign"
],
"synonyms": [
"TEMP.Periscope",
@ -7073,6 +7061,7 @@
"https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/",
"https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-february-mummy-spider/",
"https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta542-banker-malware-distribution-service",
"https://www.proofpoint.com/us/blog/threat-insight/comprehensive-look-emotets-summer-2020-return",
"https://www.secureworks.com/research/threat-profiles/gold-crestwood"
],
"synonyms": [
@ -7220,17 +7209,6 @@
"uuid": "7e37be6b-5a94-45f3-bdeb-f494c520eee3",
"value": "Salty Spider"
},
{
"description": "This adversary is suspected of continuing to target upstream providers (e.g., law firms and managed service providers) to support additional intrusions against high-profile assets. In 2018, CrowdStrike observed this adversary using spear-phishing, URL 'web bugs' and scheduled tasks to automate credential harvesting.",
"meta": {
"refs": [
"https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/",
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
]
},
"uuid": "d7a41ada-6687-4a6b-8b5c-396808cdd758",
"value": "Judgment Panda"
},
{
"description": "In the first quarter of 2018, CrowdStrike Intelligence identified NOMAD PANDA activity targeting Central Asian nations with exploit documents built with the 8.t tool.",
"meta": {
@ -7422,21 +7400,25 @@
"value": "Silent Librarian"
},
{
"description": "FireEye characterizes APT31 as an actor specialized on intellectual property theft, focusing on data and projects that make a particular organization competetive in its field. Based on available data (April 2016), FireEye assesses that APT31 conducts network operations at the behest of the Chinese Government.",
"description": "FireEye characterizes APT31 as an actor specialized on intellectual property theft, focusing on data and projects that make a particular organization competetive in its field. Based on available data (April 2016), FireEye assesses that APT31 conducts network operations at the behest of the Chinese Government. Also according to Crowdstrike, this adversary is suspected of continuing to target upstream providers (e.g., law firms and managed service providers) to support additional intrusions against high-profile assets. In 2018, CrowdStrike observed this adversary using spear-phishing, URL “web bugs” and scheduled tasks to automate credential harvesting.",
"meta": {
"country": "CN",
"refs": [
"https://www.microsoft.com/security/blog/2017/03/27/detecting-and-mitigating-elevation-of-privilege-exploit-for-cve-2017-0005/",
"https://duo.com/decipher/apt-groups-moving-down-the-supply-chain",
"https://go.recordedfuture.com/hubfs/reports/cta-2019-0206.pdf",
"https://redalert.nshc.net/2019/12/03/threat-actor-targeting-hong-kong-activists",
"https://twitter.com/bkMSFT/status/1201876664667582466",
"https://www.secureworks.com/research/bronz-vinewood-uses-hanaloader-to-target-government-supply-chain",
"https://www.secureworks.com/research/bronze-vinewood-targets-supply-chains",
"https://www.secureworks.com/research/threat-profiles/bronze-vinewood"
"https://www.secureworks.com/research/threat-profiles/bronze-vinewood",
"https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report",
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
],
"synonyms": [
"APT 31",
"ZIRCONIUM",
"JUDGMENT PANDA",
"BRONZE VINEWOOD"
]
},
@ -8030,7 +8012,7 @@
"value": "SideWinder"
},
{
"description": "Operation Wocao (我操, “Wǒ co”, used as “shit” or “damn”) is the name that Fox-IT uses to describe the hacking activities of a Chinese based hacking group.\nThis report details the profile of a publicly underreported threat actor that Fox-IT has dealt with over the past two years. Fox-IT assesses with high confidence that the actor is a Chinese group and that they are likely working to support the interests of the Chinese government and are tasked with obtaining information for espionage purposes. With medium confidence, Fox-IT assesses that the tools, techniques and procedures are those of the actor referred to as APT20 by industry partners. We have identified victims of this actor in more than 10 countries, in government entities, managed service providers and across a wide variety of industries, including Energy, Health Care and High-Tech.",
"description": "Operation Wocao (我操, “Wǒ cāo”, used as “shit” or “damn”) is the name that Fox-IT uses to describe the hacking activities of a Chinese based hacking group.\nThis report details the profile of a publicly underreported threat actor that Fox-IT has dealt with over the past two years. Fox-IT assesses with high confidence that the actor is a Chinese group and that they are likely working to support the interests of the Chinese government and are tasked with obtaining information for espionage purposes. With medium confidence, Fox-IT assesses that the tools, techniques and procedures are those of the actor referred to as APT20 by industry partners. We have identified victims of this actor in more than 10 countries, in government entities, managed service providers and across a wide variety of industries, including Energy, Health Care and High-Tech.",
"meta": {
"refs": [
"https://www.fox-it.com/nl/actueel/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/"
@ -8370,7 +8352,32 @@
],
"uuid": "e400b6c5-77cf-453d-ba0f-44575583ac6c",
"value": "GALLIUM"
},
{
"description": "Proofpoint researchers observed a phishing campaign impersonating the World Health Organizations (WHO) guidance on COVID-19 critical preparedness to deliver a new malware family that researchers have dubbed Sepulcher. This campaign targeted European diplomatic and legislative bodies, non-profit policy research organizations, and global organizations dealing with economic affairs. Additionally, a sender email identified in this campaign has been linked to historic Chinese APT targeting of the international Tibetan community using payloads linked to LuckyCat malware. Subsequently, a phishing campaign from July 2020 targeting Tibetan dissidents was identified delivering the same strain of Sepulcher malware. Operator email accounts identified in this campaign have been publicly linked to historic Chinese APT campaigns targeting the Tibetan community delivering ExileRAT malware. Based on the use of publicly known sender addresses associated with Tibetan dissident targeting and the delivery of Sepulcher malware payloads, Proofpoint researchers have attributed both campaigns to the APT actor TA413, which has previously been documented in association with ExileRAT. The usage of publicly known Tibetan-themed sender accounts to deliver Sepulcher malware demonstrates a short-term realignment of TA413s targets of interest. While best known for their campaigns against the Tibetan diaspora, this APT group associated with the Chinese state interest prioritized intelligence collection around Western economies reeling from COVID-19 in March 2020 before resuming more conventional targeting later this year.",
"meta": {
"country": "CN",
"refs": [
"https://www.proofpoint.com/us/blog/threat-insight/chinese-apt-ta413-resumes-targeting-tibet-following-covid-19-themed-economic"
]
},
"uuid": "cbf94f8d-20f2-45a0-b78b-54715b6b4e18",
"value": "TA413"
},
{
"description": "ESET has analyzed the operations of Evilnum, the APT group behind the Evilnum malware previously seen in attacks against financial technology companies. While said malware has been seen in the wild since at least 2018 and documented previously, little has been published about the group behind it and how it operates. The groups targets remain fintech companies, but its toolset and infrastructure have evolved and now consist of a mix of custom, homemade malware combined with tools purchased from Golden Chickens, a Malware-as-a-Service (MaaS) provider whose infamous customers include FIN6 and Cobalt Group.",
"meta": {
"refs": [
"https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/",
"https://securelist.com/deathstalker-mercenary-triumvirate/98177/"
],
"synonyms": [
"DeathStalker"
]
},
"uuid": "b6f3150f-2240-4c57-9dda-5144c5077058",
"value": "Evilnum"
}
],
"version": 168
"version": 178
}

View file

@ -8093,7 +8093,56 @@
"related": [],
"uuid": "e83d1296-027a-4f30-98e0-19622967d5c4",
"value": "CrackMapExec"
},
{
"description": "Wellmess is a Remote Access Trojan written in Golang and also have a .NET version",
"meta": {
"refs": [
"https://www.lac.co.jp/lacwatch/pdf/20180614_cecreport_vol3.pdf",
"https://blogs.jpcert.or.jp/en/2018/07/malware-wellmes-9b78.html",
"https://www.botconf.eu/wp-content/uploads/2018/12/2018-Y-Ishikawa-S-Nagano-Lets-go-with-a-Go-RAT-_final.pdf",
"https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development.pdf"
],
"synonyms": [],
"type": [
"RAT"
]
},
"related": [],
"uuid": "4fe80228-1142-4e70-9df8-c8f1f3356cfb",
"value": "WellMess"
},
{
"description": "WellMail is a lightweight tool designed to run commands or scripts with the results being sent to a hardcoded Command and Control (C2) server.",
"meta": {
"refs": [
"https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development.pdf"
],
"synonyms": [],
"type": [
"RAT"
]
},
"related": [],
"uuid": "59266c02-e3c8-47a6-b00c-bbb50c8975e9",
"value": "WellMail"
},
{
"description": "Drovorub is a Linux malware toolset consisting of an implant coupled with a kernel module rootkit, a file transfer and port forwarding tool, and a Command and Control (C2) server.",
"meta": {
"refs": [
"https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF"
],
"synonyms": [],
"type": [
"Backdoor",
"Rootkit"
]
},
"related": [],
"uuid": "a0a46c1b-e774-410e-a84b-020b2558d851",
"value": "Drovorub"
}
],
"version": 136
"version": 138
}

View file

@ -0,0 +1,9 @@
{
"description": "China Defence Universities",
"icon": "globe",
"name": "China Defence Universities Tracker",
"namespace": "misp",
"type": "china-defence-universities",
"uuid": "c51c59e9-f213-4ad4-9913-09a43d78dff5",
"version": 1
}

29
galaxies/sod-matrix.json Normal file
View file

@ -0,0 +1,29 @@
{
"description": "SoD Matrix",
"icon": "map",
"kill_chain_order": {
"during-incident-crime": [
"CSIRT",
"LEA",
"Judiciary",
"Prosecutors"
],
"post-incident-crime": [
"CSIRT",
"LEA",
"Judiciary",
"Prosecutors"
],
"prior-to-incident-crime": [
"CSIRT",
"LEA",
"Judiciary",
"Prosecutors"
]
},
"name": "SoD Matrix",
"namespace": "sod-matrix",
"type": "sod-matrix",
"uuid": "50104ead-7315-457c-b596-b4471cabf28b",
"version": 1
}

View file

@ -0,0 +1,295 @@
#!/usr/bin/python3
import requests
import json
from bs4 import BeautifulSoup
import bs4
import uuid
# This tool is part of the MISP core project and released under the GNU Affero
# General Public License v3.0
#
# Copyright (C) 2020 Cormac Doherty
# Copyright (C) 2020 Roger Johnston
#
#
# version 0.1 - initial
# version 0.2 - fixed typo ( _curRef NOT curRef)
def _buildArticleSection(nxtSibling):
_sectionParagraphs = []
_nxtsib = nxtSibling
# Headings and their content are at the same hierarchical
# level in the html - just a sequence. This loop is bounded on
# the next element being a <p>
while ((_nxtsib is not None) and (_nxtsib.name == 'p')):
# Almost every sentence, if not clause, in parapgraph
# text is referenced/cited/footnoted.
#
# The following iterates through the sequence of 'tokens'
# in the current <p>, building 'statements' composed of a
# statement and a reference.
#
# so-called "clauses" and "references" are accumulated over
# loop iterations i.e. a clause is appended to previous clauses
# if a reference has yet to be accumulated. (implicitly -
# references come after statements.)
#
# Once a 'clause' AND a 'statement' are accumulated, an encapsulating
# 'statement' is appended to the section's list of paragraphs and
# are reset.
#
_curClause = None
_curRef = None
for token in _nxtsib.contents:
# References (links) are interleved within text blocks as <spans>.
# The following control structure parses 'the next token' as
# - <spans> containing a link
# - disposable 'junk' if its <em>phasised and contains "Last update"
# - as relevant paragraph text to be accumulated.
if (token.name == 'span'):
_anchors = token.find_all('a', recursive=True)
_anch = None
if (len(_anchors) != 0):
_anch = _anchors[0]
if (_anch is not None):
_curRef = _anch['href']
else:
_curRef = None
elif ((token.name != 'em') or (not ("Last updated" in token.text))): # ignore the "last updated footer
if (_curClause is not None):
if (isinstance(token, bs4.element.NavigableString)):
_curClause = _curClause + token
else:
_curClause = _curClause + token.text
else:
# anomalous html handling
# - <strong> and
# - (useless) <a> tags
# appear in a few places
if ((token.name != 'strong') and
(token.name != 'em') and
(token.name != 'br') and
(token.name != 'sup') and
(token.name != 'a')):
_curClause = token # this quashes them
# Once a 'clause' AND a 'statement' are accumulated, an encapsulating
# 'statement' is appended to the section's list of paragraphs and
# are reset.
if ((_curRef is not None) and (_curClause is not None)):
statement = {}
statement["clause"] = _curClause
statement["ref"] = _curRef
_sectionParagraphs.append(statement)
_curClause = None
_curRef = None
# If a sequence of 'clauses' have been accumulated without finding a reference
# create a reference-LESS statement.
if ((_curClause is not None) and (not "Last updated" in _curClause)):
statement = {}
statement["clause"] = _curClause
_sectionParagraphs.append(statement)
_nxtsib = _nxtsib.find_next_sibling()
return _sectionParagraphs
def _buildListSection(listContent):
laboratories = []
for lab in listContent.find_all('li', recursive="False"):
_lab = {}
_lab['name'] = lab.contents[0].replace(u'\xa0', '')
ref = lab.find('a')
if (ref is not None):
_lab['ref'] = ref['href']
else:
_lab['ref'] = None
laboratories.append(_lab)
return laboratories
def _fetchArticle(url):
response = requests.get(url)
soup = BeautifulSoup(response.content, 'html5lib')
_article = soup.body.find_all('article')[0]
article = {}
article['url'] = url
article['name'] = _article.h1.text.replace('\n', '').strip()
article['_name'] = _article.h2.contents[0]
_artbody = _article.find('div', {"class": "article__copy"})
# Risk Statement
article['risk statement'] = _artbody.find('p').text
article['intro'] = _buildArticleSection(_artbody.find('p').find_next_sibling())
# Article body
sections = []
for _heading in _artbody.findChildren('h2'):
_nxtSibling = _heading.find_next_sibling()
section = {}
section['title'] = _heading.text
if (_nxtSibling.name == 'ul'):
section['body'] = _buildListSection(_nxtSibling)
else:
section['body'] = _buildArticleSection(_nxtSibling)
sections.append(section)
article['sections'] = sections
# # Logo
# logo = _article.div[0].aside[0].find("div", {"class": "aside__logo"})
_panel = _article.find("div", {"class": "aside__groups cf"})
_paneldivs = _panel.find_all('div')
for _paneldiv in _panel.find_all('div'):
_title = _paneldiv.find('h3').text
_items = []
for _item in _paneldiv.find_all('li'):
_anch = _item.find('a')
if (_anch is not None):
if ("Location" in _title): # locations
_loc = {}
_loc['name'] = _anch.contents[0].replace('\n', '').strip()
_loc['ref'] = _anch['href']
_latlong = _anch['href'].split("=")[1]
_loc['lat'] = _latlong.split(",")[0]
_loc['long'] = _latlong.split(",")[1]
_items.append(_loc)
else:
_items.append(_anch.text)
else:
_items.append(_item.text.replace('\n', '').strip())
article[_title.lower()] = _items
return article
def _gen_galaxy(scrape):
base = {
"authors": [
"Australian Strategic Policy Institute"
],
"category": "academic-institution",
"description": "The China Defence Universities Tracker is a database of Chinese institutions engaged in military or security-related science and technology research. It was created by ASPIs International Cyber Policy Centre.",
"name": "China Defence Universities Tracker",
"source": "ASPI International Cyber Policy Centre",
"type": "china-defence-universities",
"uuid": "d985d2eb-d6ad-4b44-9c69-44eb90095e23",
"values": [
],
"version": 1
}
for uni in scrape:
new_template = template = {
"description": "",
"meta": {
"refs": []
},
"uuid": "",
"value": ""
}
new_template["uuid"] = str(uuid.uuid4())
new_template["meta"]["refs"].append(uni["url"])
new_template["value"] = uni["name"] + f" ({uni['_name']})"
def _append_meta(key, meta):
if uni.get(meta):
values = []
for value in uni[meta]:
if value != "":
values.append(value)
if values:
new_template["meta"][key] = values
if uni.get("intro"):
for intro in uni["intro"]:
new_template["description"] += intro["clause"]
if new_template["description"] == "":
new_template["description"] += uni["name"] + f" ({uni['_name']})"
else:
new_template["description"] += uni["name"] + f" ({uni['_name']})"
if uni.get("risk"):
if uni.get("risk") != "":
new_template["meta"]["risk"] = uni["risk statement"]
_append_meta("aliases", "aliases")
_append_meta("supervising agencies", "supervising agencies")
_append_meta("subsidiaries", "subsidiaries")
_append_meta("topics", "topics")
_append_meta("categories", "categories")
if uni.get("sections"):
labs = []
for section in uni["sections"]:
if section["title"] == "Major defence laboratories":
for lab in section["body"]:
if lab.get("name"):
if lab["name"] != "":
labs.append(lab["name"])
if labs:
new_template["meta"]["major defence laboratories"] = labs
if uni.get("location"):
if uni.get(uni["location"][0]["name"]) != "":
new_template["meta"]["address"] = uni["location"][0]["name"]
if uni.get(uni["location"][0]["lat"]) != "":
new_template["meta"]["lat"] = uni["location"][0]["lat"]
if uni.get(uni["location"][0]["long"]) != "":
new_template["meta"]["long"] = uni["location"][0]["long"]
base["values"].append(new_template)
return base
def main():
url = "https://unitracker.aspi.org.au"
response = requests.get(url)
soup = BeautifulSoup(response.content, 'html5lib')
table = soup.find_all('table')[0] # Grab the first table
head = None
articles = []
for row in table.find_all('tr'):
if head is not None:
colOne = row.find_all('td')[0].find_all('a')[0]['href']
article = _fetchArticle(url + colOne)
print("Processing: {}".format(url + colOne))
articles.append(article)
else:
head = "bloop"
galaxy = _gen_galaxy(articles)
print(galaxy)
with open("china-defence-universities.json", "w") as g:
g.write(json.dumps(galaxy, indent=4, sort_keys=True))
if __name__ == "__main__":
main()