From 26f6a33695604947e290885c1441cd4d258d0e5b Mon Sep 17 00:00:00 2001
From: Daniel Plohmann
Date: Tue, 26 Jul 2022 11:09:33 +0200
Subject: [PATCH] more aliases from Unit 42

---
 clusters/threat-actor.json | 47 +++++++++++++++++++++++++++++++++++---
 1 file changed, 44 insertions(+), 3 deletions(-)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 8728466..2551b0d 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -5850,7 +5850,8 @@
 "https://securelist.com/cve-2016-4171-adobe-flash-zero-day-used-in-targeted-attacks/75082/",
 "https://securelist.com/operation-daybreak/75100/",
 "https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/",
- "https://threatpost.com/scarcruft-apt-group-used-latest-flash-zero-day-in-two-dozen-attacks/118642/"
+ "https://threatpost.com/scarcruft-apt-group-used-latest-flash-zero-day-in-two-dozen-attacks/118642/",
+ "https://unit42.paloaltonetworks.com/atoms/moldypisces/"
 ],
 "synonyms": [
 "APT 37",
@@ -5866,7 +5867,8 @@
 "ScarCruft",
 "Venus 121",
 "ATK4",
- "G0067"
+ "G0067",
+ "Moldy Pisces"
 ]
 },
 "related": [
@@ -10020,7 +10022,46 @@
 },
 "uuid": "c73c8a76-1e44-44d6-b955-79f3a73582a1",
 "value": "Red Nue"
+ },
+ {
+ "description": "Prying Libra, also known as Pickaxe, is a threat actor active since at least August 2017, and continues to remain active to this day. The adversary's goal is to install and maintain a popular cryptocurrency miner on the victim's machine. The miner in question is an open-source tool named XMRig that generates the Monero cryptocurrency. Malware is delivered via downloads through the popular Adfly advertisement platform. Users are often mislead into clicking on a malicious advertisement that results in the payload being delivered to the victim. Once installed, the malware leverages VBS scripts and redirection services, such as bitly, to ultimately download and execute XMRig. Over 15 million confirmed victims have been discovered to be infected in recent campaigns, with actual numbers likely to be between 30-45 million victims. The victims are found across the globe, with high concentrations in Thailand, Vietnam, Egypt, Indonesia, and Turkey.",
+ "meta": {
+ "refs": [
+ "https://unit42.paloaltonetworks.com/atoms/pryinglibra/"
+ ],
+ "synonyms": [
+ "Prying Libra"
+ ]
+ },
+ "uuid": "1bfd16ae-fd98-4a96-9397-d1651548bda2",
+ "value": "Pickaxe"
+ },
+ {
+ "description": "Thief Libra is a cloud-focused threat group that has a history of cryptojacking operations as well as cloud service platform credential scraping. They were first known to operate on January 27, 2019. They use a variety of custom build Go Scripts as well as repurposed cryptojacking scripts from other groups including TeamTNT. They are currently considered to be an opportunistic threat group that targets exposed cloud instances and applications.",
+ "meta": {
+ "refs": [
+ "https://unit42.paloaltonetworks.com/atoms/thieflibra/"
+ ],
+ "synonyms": [
+ "Thief Libra"
+ ]
+ },
+ "uuid": "4b4b4717-d31e-4be6-a3ba-b13edb42decd",
+ "value": "Watchdog"
+ },
+ {
+ "description": "Returned Libra, also known as 8220 Mining Group, is a cloud threat actor group that has been active since at least 2017. Tools commonly employed during their operations are PwnRig or DBUsed which are customized variants of the XMRig Monero mining software. The Returned Libra mining group is believed to have originated from a GitHub fork of the Rocke group's software. Returned Libra has elevated its mining operations with the use of cloud service platform credential scrapping.",
+ "meta": {
+ "refs": [
+ "https://unit42.paloaltonetworks.com/atoms/returnedlibra/"
+ ],
+ "synonyms": [
+ "8220 Mining Group"
+ ]
+ },
+ "uuid": "7831d56e-5913-44ca-8835-f42017aeb0cd",
+ "value": "Returned Libra"
 }
 ],
- "version": 236
+ "version": 237
 }
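Review bot: The three new clusters at the end of this hunk should be checked against the rest of this ~10k-line file for entries that already describe the same group under another name before they are added with fresh UUIDs — in particular `"value": "Returned Libra"` with synonym `"8220 Mining Group"`, since its own description ties it to the Rocke group's tooling and a Rocke or 8220 cluster may already exist; if so, the Unit 42 name belongs as an alias on that entry (as the first two hunks do for Moldy Pisces) rather than in a duplicate that the galaxy's uniqueness checks will not catch. Naming is also inconsistent within the hunk: Pickaxe and Watchdog put the community name in `value` and the Unit 42 constellation name in `synonyms`, while the third entry does the reverse. The description strings carry typos that will be displayed by every MISP instance that pulls this galaxy: `mislead` → `misled`, `custom build Go Scripts` → `custom-built Go scripts`, `credential scrapping` → `credential scraping`. Phrasing such as "continues to remain active to this day" and "currently considered" is time-relative and will silently go stale in a static dataset; anchoring it to the Unit 42 publication date would be more durable. The descriptions appear to be copied near-verbatim from the Unit 42 atom pages, so their licence compatibility with the galaxy's licence is worth confirming.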