diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 55ed7ed..fd67d7c 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -9285,7 +9285,41 @@ }, "uuid": "64930954-db40-4d97-8fc4-76079d239e15", "value": "Elephant Beetle" + }, + { + "description": "EXOTIC LILY is a resourceful, financially motivated group whose activities appear to be closely linked with data exfiltration and deployment of human-operated ransomware such as Conti and Diavol. In early September 2021, the group has been obeserved exploiting a 0day in Microsoft MSHTML (CVE-2021-40444). Investigation lead researchers to believe that they are an Initial Access Broker (IAB) who appear to be working with the Russian cyber crime gang known as FIN12 (Mandiant, FireEye) / WIZARD SPIDER (CrowdStrike). This threat actor deploys tactics, techniques and procedures (TTPs) that are traditionally associated with more targeted attacks, like spoofing companies and employees as a means of gaining trust of a targeted organization through email campaigns that are believed to be sent by real human operators using little-to-no automation. Additionally and rather uniquely, they leverage legitimate file-sharing services like WeTransfer, TransferNow and OneDrive to deliver the payload, namely BUMBLEEBEE and BAZARLOADER, further evading detection mechanisms. This level of human-interaction is rather unusual for cyber crime groups focused on mass scale operations.", + "meta": { + "refs": [ + "https://www.microsoft.com/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability", + "https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti" + ], + "synonyms": [ + "DEV-0413" + ] + }, + "uuid": "3ce2a9e0-c435-402a-a7f3-d48b64d1ab9d", + "value": "EXOTIC LILY" + }, + { + "description": "TA578, a threat actor that Proofpoint researchers have been tracking since May of 2020. TA578 has previously been observed in email-based campaigns delivering Ursnif, IcedID, KPOT Stealer, Buer Loader, BazaLoader, and Cobalt Strike.", + "meta": { + "refs": [ + "https://www.proofpoint.com/us/blog/threat-insight/bumblebee-is-still-transforming" + ] + }, + "uuid": "d1a8626a-06a5-4ecc-9519-e17fc6724f15", + "value": "TA578" + }, + { + "description": "TA579, a threat actor that Proofpoint researchers have been tracking since August 2021. This actor frequently delivered BazaLoader and IcedID in past campaigns.", + "meta": { + "refs": [ + "https://www.proofpoint.com/us/blog/threat-insight/bumblebee-is-still-transforming" + ] + }, + "uuid": "7ab283ac-b78f-42db-b564-0550b9637b0b", + "value": "TA579" } ], - "version": 226 + "version": 227 }