mirror of
https://github.com/MISP/misp-galaxy.git
synced 2024-11-26 16:57:18 +00:00
chg: [threat-actor] add exotic lily, ta578, ta579
This commit is contained in:
parent
9777f40b58
commit
2721522e82
1 changed files with 35 additions and 1 deletions
|
@ -9285,7 +9285,41 @@
|
|||
},
|
||||
"uuid": "64930954-db40-4d97-8fc4-76079d239e15",
|
||||
"value": "Elephant Beetle"
|
||||
},
|
||||
{
|
||||
"description": "EXOTIC LILY is a resourceful, financially motivated group whose activities appear to be closely linked with data exfiltration and deployment of human-operated ransomware such as Conti and Diavol. In early September 2021, the group has been obeserved exploiting a 0day in Microsoft MSHTML (CVE-2021-40444). Investigation lead researchers to believe that they are an Initial Access Broker (IAB) who appear to be working with the Russian cyber crime gang known as FIN12 (Mandiant, FireEye) / WIZARD SPIDER (CrowdStrike). This threat actor deploys tactics, techniques and procedures (TTPs) that are traditionally associated with more targeted attacks, like spoofing companies and employees as a means of gaining trust of a targeted organization through email campaigns that are believed to be sent by real human operators using little-to-no automation. Additionally and rather uniquely, they leverage legitimate file-sharing services like WeTransfer, TransferNow and OneDrive to deliver the payload, namely BUMBLEEBEE and BAZARLOADER, further evading detection mechanisms. This level of human-interaction is rather unusual for cyber crime groups focused on mass scale operations.",
|
||||
"meta": {
|
||||
"refs": [
|
||||
"https://www.microsoft.com/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability",
|
||||
"https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti"
|
||||
],
|
||||
"synonyms": [
|
||||
"DEV-0413"
|
||||
]
|
||||
},
|
||||
"uuid": "3ce2a9e0-c435-402a-a7f3-d48b64d1ab9d",
|
||||
"value": "EXOTIC LILY"
|
||||
},
|
||||
{
|
||||
"description": "TA578, a threat actor that Proofpoint researchers have been tracking since May of 2020. TA578 has previously been observed in email-based campaigns delivering Ursnif, IcedID, KPOT Stealer, Buer Loader, BazaLoader, and Cobalt Strike.",
|
||||
"meta": {
|
||||
"refs": [
|
||||
"https://www.proofpoint.com/us/blog/threat-insight/bumblebee-is-still-transforming"
|
||||
]
|
||||
},
|
||||
"uuid": "d1a8626a-06a5-4ecc-9519-e17fc6724f15",
|
||||
"value": "TA578"
|
||||
},
|
||||
{
|
||||
"description": "TA579, a threat actor that Proofpoint researchers have been tracking since August 2021. This actor frequently delivered BazaLoader and IcedID in past campaigns.",
|
||||
"meta": {
|
||||
"refs": [
|
||||
"https://www.proofpoint.com/us/blog/threat-insight/bumblebee-is-still-transforming"
|
||||
]
|
||||
},
|
||||
"uuid": "7ab283ac-b78f-42db-b564-0550b9637b0b",
|
||||
"value": "TA579"
|
||||
}
|
||||
],
|
||||
"version": 226
|
||||
"version": 227
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue