From cddfd5fcd18e410eee7fc6bdea405af656e68ab6 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Fri, 11 Jan 2019 09:53:08 +0100
Subject: [PATCH 1/2] TA505 threat actorand affiliates malwares
---
 clusters/backdoor.json | 12 +++++++++++-
 clusters/rat.json | 12 +++++++++++-
 clusters/threat-actor.json | 13 ++++++++++++-
 3 files changed, 34 insertions(+), 3 deletions(-)
diff --git a/clusters/backdoor.json b/clusters/backdoor.json
index 8518a70..b1deff9 100644
--- a/clusters/backdoor.json
+++ b/clusters/backdoor.json
@@ -41,7 +41,17 @@
 },
 "uuid": "2bb165dc-9f93-11e8-ae64-d3dbab0dd786",
 "value": "Rosenbridge"
+ },
+ {
+ "description": "The purpose of the macro was to download and execute a variant of ServHelper that set up reverse SSH tunnels that enabled access to the infected host through the Remote Desktop Protocol (RDP) port 3389.\n\n\"Once ServHelper establishes remote desktop access, the malware contains functionality for the threat actor to “hijack” legitimate user accounts or their web browser profiles and use them as they see fit,\" researchers from Proofpoint explain in an analysis released today.\n\nThe other ServHelper variant does not include the tunneling and hijacking capabilities and functions only as a downloader for the FlawedGrace RAT.",
+ "meta": {
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/new-servhelper-backdoor-and-flawedgrace-rat-pushed-by-necurs-botnet/"
+ ]
+ },
+ "uuid": "8b50360c-4d16-4f52-be75-e74c27f533df",
+ "value": "ServHelper"
 }
 ],
- "version": 3
+ "version": 4
 }
diff --git a/clusters/rat.json b/clusters/rat.json
index d641060..92bc2dc 100644
--- a/clusters/rat.json
+++ b/clusters/rat.json
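Review bot: The new ServHelper `description` is pasted news copy rather than a cluster summary — `researchers from Proofpoint explain in an analysis released today` is dated relative to the article, not to the entry, and the embedded quotation reads as reportage. Rewrite it as a standalone statement of the observable behaviour the text already supports (a downloader/backdoor with a variant that opens reverse SSH tunnels exposing RDP on TCP/3389 and can take over logged-in accounts and browser profiles, and a downloader-only variant that fetches FlawedGrace), and add the Proofpoint analysis the article quotes to `refs` so the primary source, not only the BleepingComputer summary, is recorded. Since the commit title frames ServHelper as TA505 tooling, consider making that machine-readable — if this galaxy's cluster schema supports it — with a `related` array pointing at the FlawedGrace (`428c8288-6f65-453f-bfa2-4b519d08f8e9`) and TA505 (`03c80674-35f8-4fe0-be2b-226ed0fcd69f`) uuids added in this same commit; as written the three entries are unlinked.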
@@ -3298,7 +3298,17 @@
 },
 "uuid": "ef9f1592-0186-4f5d-a8ea-6c10450d2219",
 "value": "BONDUPDATER"
+ },
+ {
+ "description": "Proofpoint also point out that FlawedGrace is a full-featured RAT written in C++ and that it is a very large program that \"extensive use of object-oriented and multithreaded programming techniques. \"As a consequence, getting familiar with its internal structure takes a lot of time and is far from a simple task.",
+ "meta": {
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/new-servhelper-backdoor-and-flawedgrace-rat-pushed-by-necurs-botnet/"
+ ]
+ },
+ "uuid": "428c8288-6f65-453f-bfa2-4b519d08f8e9",
+ "value": "FlawedGrace"
 }
 ],
- "version": 23
+ "version": 24
 }
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 3508411..7e5b280 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -6126,7 +6126,18 @@
 },
 "uuid": "b06c3af1-0243-4428-88da-b3451c345e1e",
 "value": "Operation Sharpshooter"
+ },
+ {
+ "description": "TA505, the name given by Proofpoint, has been in the cybercrime business for at least four years. This is the group behind the infamous Dridex banking trojan and Locky ransomware, delivered through malicious email campaigns via Necurs botnet. Other malware associated with TA505 include Philadelphia and GlobeImposter ransomware families.",
+ "meta": {
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/ta505-group-adopts-new-servhelper-backdoor-and-flawedgrace-rat/",
+ "https://www.proofpoint.com/sites/default/files/ta505_timeline_final4_0.png"
+ ]
+ },
+ "uuid": "03c80674-35f8-4fe0-be2b-226ed0fcd69f",
+ "value": "TA505"
 }
 ],
- "version": 84
+ "version": 85
 }
From 90d2bf7bc128e5fd3fb97258186c14a9e8cee0fe Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Fri, 11 Jan 2019 10:17:07 +0100
Subject: [PATCH 2/2] add drakhydrus ref
---
 clusters/threat-actor.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
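Review bot: The quotation inside the FlawedGrace `description` is garbled — `a very large program that \"extensive use of object-oriented and multithreaded programming techniques. \"As a consequence` is missing the verb before `extensive` and has a stray opening quote before `As`, so the sentence does not parse for a reader. Either quote the Proofpoint wording exactly with balanced quotes, or paraphrase it, presumably `... a very large program that makes extensive use of object-oriented and multithreaded programming techniques; as a consequence, getting familiar with its internal structure takes a lot of time.` The entry also records nothing about what the RAT does or how it arrives; the backdoor.json entry in this same commit states that the downloader-only ServHelper variant fetches FlawedGrace, so repeating that delivery path here and adding a `related` link to the ServHelper uuid `8b50360c-4d16-4f52-be75-e74c27f533df` (if the schema supports it) would let analysts pivot between the two. Add the primary Proofpoint analysis to `refs` as well — the only reference is a news summary.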
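Review bot: `has been in the cybercrime business for at least four years` in the TA505 `description` is relative to the January 2019 article and will be wrong in every later year; anchor it to a date, e.g. `active since at least 2014`, taking the year from whatever the referenced Proofpoint timeline actually shows rather than from the article's arithmetic. The second `refs` entry is a bare PNG in Proofpoint's upload directory (`ta505_timeline_final4_0.png`) — it is not searchable, carries no context, and such paths are routinely moved; prefer the Proofpoint blog post that embeds the image, keeping the PNG only alongside it. Dridex, Locky, Philadelphia and GlobeImposter are named in prose but not linked; if this galaxy's other clusters carry entries for them, a `related` array with their `dest-uuid`s (and a `synonyms` list for the actor) would let MISP correlate on the actor, which is the purpose of adding an actor entry. The ServHelper and FlawedGrace entries created in this same commit should likewise appear in that `related` list so the "TA505 and affiliated malware" grouping the commit title describes exists in the data, not only in the subject line.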
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 7e5b280..9e443cf 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -5547,7 +5547,8 @@
 "description": "In July 2018, Unit 42 analyzed a targeted attack using a novel file type against at least one government agency in the Middle East. It was carried out by a previously unpublished threat group we track as DarkHydrus. Based on our telemetry, we were able to uncover additional artifacts leading us to believe this adversary group has been in operation with their current playbook since early 2016. This attack diverged from previous attacks we observed from this group as it involved spear-phishing emails sent to targeted organizations with password protected RAR archive attachments that contained malicious Excel Web Query files (.iqy).",
 "meta": {
 "refs": [
- "https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/"
+ "https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/",
+ "https://mobile.twitter.com/360TIC/status/1083289987339042817"
 ]
 },
 "uuid": "ce2c2dfd-2445-4fbc-a747-9e7092e383f9",
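Review bot: The added reference uses the `mobile.twitter.com` host, which is only a redirect; store the canonical form `https://twitter.com/360TIC/status/1083289987339042817` so the entry does not depend on that redirect surviving. A tweet is also a fragile source — it can be deleted or the account renamed at any time — and here it is the sole support for whatever new DarkHydrus finding is being attributed, so pair it with an archive capture (e.g. a web.archive.org snapshot of the same status URL) in `refs`. Nothing in the hunk records what the 360TIC tweet contributes: the `description` is unchanged, so the next reader cannot tell why the reference was added; a short, hedged sentence in the description ("360 Threat Intelligence Center reported ... in January 2019") would make the reference self-explaining. The enclosing DarkHydrus object continues past the hunk (its `value` line is not shown).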