chg: [threat-actor] add exotic lily, ta578, ta579

This commit is contained in:
Rony 2022-05-14 20:52:15 +05:30 committed by GitHub
parent 9777f40b58
commit 2721522e82
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


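--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -9285,7 +9285,41 @@
 },
 "uuid": "64930954-db40-4d97-8fc4-76079d239e15",
 "value": "Elephant Beetle"
+},
+{
+"description": "EXOTIC LILY is a resourceful, financially motivated group whose activities appear to be closely linked with data exfiltration and deployment of human-operated ransomware such as Conti and Diavol. In early September 2021, the group has been obeserved exploiting a 0day in Microsoft MSHTML (CVE-2021-40444). Investigation lead researchers to believe that they are an Initial Access Broker (IAB) who appear to be working with the Russian cyber crime gang known as FIN12 (Mandiant, FireEye) / WIZARD SPIDER (CrowdStrike). This threat actor deploys tactics, techniques and procedures (TTPs) that are traditionally associated with more targeted attacks, like spoofing companies and employees as a means of gaining trust of a targeted organization through email campaigns that are believed to be sent by real human operators using little-to-no automation. Additionally and rather uniquely, they leverage legitimate file-sharing services like WeTransfer, TransferNow and OneDrive to deliver the payload, namely BUMBLEEBEE and BAZARLOADER, further evading detection mechanisms. This level of human-interaction is rather unusual for cyber crime groups focused on mass scale operations.",
+"meta": {
+"refs": [
+"https://www.microsoft.com/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability",
+"https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti"
+],
+"synonyms": [
+"DEV-0413"
+]
+},
+"uuid": "3ce2a9e0-c435-402a-a7f3-d48b64d1ab9d",
+"value": "EXOTIC LILY"
+},
+{
+"description": "TA578, a threat actor that Proofpoint researchers have been tracking since May of 2020. TA578 has previously been observed in email-based campaigns delivering Ursnif, IcedID, KPOT Stealer, Buer Loader, BazaLoader, and Cobalt Strike.",
+"meta": {
+"refs": [
+"https://www.proofpoint.com/us/blog/threat-insight/bumblebee-is-still-transforming"
+]
+},
+"uuid": "d1a8626a-06a5-4ecc-9519-e17fc6724f15",
+"value": "TA578"
+},
+{
+"description": "TA579, a threat actor that Proofpoint researchers have been tracking since August 2021. This actor frequently delivered BazaLoader and IcedID in past campaigns.",
+"meta": {
+"refs": [
+"https://www.proofpoint.com/us/blog/threat-insight/bumblebee-is-still-transforming"
+]
+},
+"uuid": "7ab283ac-b78f-42db-b564-0550b9637b0b",
+"value": "TA579"
 }
 ],
-"version": 226
+"version": 227
 }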
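Review bot: The new EXOTIC LILY description string carries typos that every consumer of this galaxy will display verbatim: `obeserved` should be `observed`, `Investigation lead researchers` should be `Investigation led researchers`, and `BUMBLEEBEE` appears to be a misspelling of the BUMBLEBEE loader named in the cited Google TAG post. The TA578 and TA579 descriptions open with sentence fragments; `"TA578 is a threat actor that Proofpoint researchers have been tracking since May 2020."` (and the same shape for TA579) reads as a complete statement. The prose asserts overlaps with FIN12 / WIZARD SPIDER and with Conti, Diavol, BazaLoader and IcedID, but the entries carry no machine-readable links to those clusters; if the galaxy already has entries for them, expressing the overlap as cluster relations rather than prose alone would let analysts pivot on it, though whether those clusters exist is not visible from this hunk.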