From d6ade514bc86e4dca450e936b766a8402ae2f564 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Mon, 7 Oct 2024 03:58:02 -0700 Subject: [PATCH 1/6] [threat-actors] Add SkidSec --- clusters/threat-actor.json | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 34844ed..dab0b0e 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -16918,6 +16918,20 @@ }, "uuid": "80a874d5-0645-4245-aeb6-9b33a8689928", "value": "UNC1860" + }, + { + "description": "SkidSec is a threat group that has engaged in operations targeting exposed printers in South Korea to disseminate North Korean propaganda, utilizing techniques such as printer exploitation and social engineering for evidence collection. The group has also experienced a leadership change following the loss of their leader, Govadmin, while continuing to mobilize their followers for various missions. They have humorously solicited financial support for their activities, framing it as a means to support their cause. Additionally, they have been noted for their potential to leak sensitive information from compromised devices.", + "meta": { + "refs": [ + "https://socradar.io/dark-peep-7-shadows-of-betrayal-and-leadership-in-flux/", + "https://medium.com/@criminalip/skidsec-hacker-group-announces-plans-to-spread-north-korean-propaganda-through-hacked-printers-in-fdd314178dc4" + ], + "synonyms": [ + "SkidSec Leaks" + ] + }, + "uuid": "afca4b9c-2bdb-47ef-becc-1d5683d3d2fb", + "value": "SkidSec" } ], "version": 316 From dfe6e6dfabc46068929494c23c02105ace990cdc Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Mon, 7 Oct 2024 03:58:02 -0700 Subject: [PATCH 2/6] [threat-actors] Add Awaken Likho --- clusters/threat-actor.json | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index dab0b0e..78ed7f8 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -16932,6 +16932,20 @@ }, "uuid": "afca4b9c-2bdb-47ef-becc-1d5683d3d2fb", "value": "SkidSec" + }, + { + "description": "Awaken Likho is an APT group that has targeted Russian government agencies and industrial enterprises, employing techniques such as information gathering via search engines and using MeshCentral for remote access. The group has been active since at least December 2021 and has ramped up its activities following the Russo-Ukrainian conflict. Recent reports indicate that they are focusing on espionage against critical infrastructure in the defense and energy sectors. Analysis of their malware reveals a new version that is still in development, suggesting ongoing operational capabilities.", + "meta": { + "refs": [ + "https://securelist.com/awaken-likho-apt-new-implant-campaign/114101/", + "https://bi.zone/eng/expertise/blog/core-werewolf-protiv-opk-i-kriticheskoy-infrastruktury/" + ], + "synonyms": [ + "Core Werewolf" + ] + }, + "uuid": "b3a4c34f-0ad6-4083-938a-958deb34b6c7", + "value": "Awaken Likho" } ], "version": 316 From 182102f73899b7345d623d8d50359c282ffc5e67 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Mon, 7 Oct 2024 03:58:02 -0700 Subject: [PATCH 3/6] [threat-actors] Add CeranaKeeper --- clusters/threat-actor.json | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 78ed7f8..4e3e522 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -16946,6 +16946,17 @@ }, "uuid": "b3a4c34f-0ad6-4083-938a-958deb34b6c7", "value": "Awaken Likho" + }, + { + "description": "CeranaKeeper is a China-aligned APT that has been active since at least early 2022, primarily targeting governmental institutions in Asian countries. The group employs custom backdoors like TONESHELL and OneDoor, leveraging cloud services such as Dropbox and OneDrive for data exfiltration. CeranaKeeper utilizes techniques like side-loading, brute-force attacks, and the deployment of BAT scripts to extend its reach within compromised networks. Their operations are characterized by a relentless pursuit of sensitive data, adapting their toolset and methods to evade detection.", + "meta": { + "country": "CN", + "refs": [ + "https://www.welivesecurity.com/en/eset-research/separating-bee-panda-ceranakeeper-making-beeline-thailand/" + ] + }, + "uuid": "a798eb63-b0b2-4da5-8a9e-d6e821f775eb", + "value": "CeranaKeeper" } ], "version": 316 From 2137a86586816edac3a9362b749f63276553231b Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Mon, 7 Oct 2024 03:58:02 -0700 Subject: [PATCH 4/6] [threat-actors] Add SongXY --- clusters/threat-actor.json | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 4e3e522..db5c3d8 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -16957,6 +16957,17 @@ }, "uuid": "a798eb63-b0b2-4da5-8a9e-d6e821f775eb", "value": "CeranaKeeper" + }, + { + "description": "SongXY is a Chinese APT group that employs phishing tactics to initiate cyberespionage campaigns. They utilize the Royal Road RTF builder, exploiting the CVE-2018-0798 vulnerability in Microsoft Equation Editor. In one instance, they sent a document containing a link to an attacker-controlled server, which automatically triggered upon opening, allowing them to gather information about the target's system configuration.", + "meta": { + "refs": [ + "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/covid-19-and-new-year-greetings-the-higaisa-group/", + "http://www.ptsecurity.com/upload/corporate/ww-en/analytics/APT-Attacks-eng.pdf" + ] + }, + "uuid": "439a65b0-c4b4-4a09-a9c9-2c70476574ab", + "value": "SongXY" } ], "version": 316 From 8c9ee3b293adafa1b0ed45afeba5ebc36bd17523 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Mon, 7 Oct 2024 03:58:02 -0700 Subject: [PATCH 5/6] [threat-actors] Add TaskMasters --- clusters/threat-actor.json | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index db5c3d8..40c3e41 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -16968,6 +16968,21 @@ }, "uuid": "439a65b0-c4b4-4a09-a9c9-2c70476574ab", "value": "SongXY" + }, + { + "description": "TaskMasters is a state-sponsored Chinese APT that has been active since at least 2010, primarily targeting industrial, energy, and government sectors in Russia and the CIS. The group has been linked to the Webdav-O Trojan, which employs techniques to bypass network defenses by connecting to legitimate services. Investigations suggest that TaskMasters may have been involved in attacks against Russian federal executive authorities in 2020, potentially alongside another Chinese group, TA428. Additionally, the group has been associated with the BackDoor.RemShell.24 malware, indicating a diverse toolkit in their operations.", + "meta": { + "country": "CN", + "refs": [ + "https://www.group-ib.com/blog/task/", + "https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/?utm_source=rss&utm_medium=rss&utm_campaign=apt-group-targeting-governmental-agencies-in-east-asia" + ], + "synonyms": [ + "BlueTraveller" + ] + }, + "uuid": "f6134b6c-56f1-4eda-be0f-79411d627f19", + "value": "TaskMasters" } ], "version": 316 From 3ac6bb3080c3ca42f23ea32ead3a262d01738ca4 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Mon, 7 Oct 2024 03:58:03 -0700 Subject: [PATCH 6/6] [threat actors] Update README --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index bea1cde..1e1075d 100644 --- a/README.md +++ b/README.md @@ -599,7 +599,7 @@ Category: *tea-matrix* - source: ** - total: *7* elements [Threat Actor](https://www.misp-galaxy.org/threat-actor) - Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. threat-actor-classification meta can be used to clarify the understanding of the threat-actor if also considered as operation, campaign or activity group. -Category: *actor* - source: *MISP Project* - total: *746* elements +Category: *actor* - source: *MISP Project* - total: *751* elements [[HTML](https://www.misp-galaxy.org/threat-actor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/threat-actor.json)]