From e787efce72f00d136c972e6917f4697dec8f94b1 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Fri, 22 Dec 2017 10:05:52 +0100
Subject: [PATCH 1/4] add SedKit
---
 clusters/tool.json | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index e3c9edf..ea250fe 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -10,7 +10,7 @@
 ],
 "description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.",
 "uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f",
- "version": 44,
+ "version": 45,
 "values": [
 {
 "meta": {
@@ -3227,6 +3227,16 @@
 "http://blog.trendmicro.com/trendlabs-security-intelligence/ratankba-watering-holes-against-enterprises/"
 ]
 }
+ },
+ {
+ "value": "Sedkit",
+ "description": "Sedkit was an exploit kit used exclusively by the Sednit group. During its lifetime, Sednit leveraged vulnerabilities in various persistently vulnerable applications, but mostly Adobe Flash and Internet Explorer. When Sedkit was first discovered, potential victims were redirected to its landing page through a watering-hole scheme. Following that campaign, their preferred method consisted of malicious links embedded in emails sent to Sednit’s targets. Sedkit’s workflow is illustrated below.",
+ "meta": {
+ "refs": [
+ "https://www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/",
+ "https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/"
+ ]
+ }
 }
 ]
 }
From f737b7fe0a8a04cd9cdcdaf53d8c1f63df0cc249 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Fri, 22 Dec 2017 10:08:54 +0100
Subject: [PATCH 2/4] modify SedKit description
---
 clusters/tool.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index ea250fe..19fb3a3 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -3230,7 +3230,7 @@
 },
 {
 "value": "Sedkit",
- "description": "Sedkit was an exploit kit used exclusively by the Sednit group. During its lifetime, Sednit leveraged vulnerabilities in various persistently vulnerable applications, but mostly Adobe Flash and Internet Explorer. When Sedkit was first discovered, potential victims were redirected to its landing page through a watering-hole scheme. Following that campaign, their preferred method consisted of malicious links embedded in emails sent to Sednit’s targets. Sedkit’s workflow is illustrated below.",
+ "description": "Sedkit is the Sednit exploit-kit; it’s used only for targeted attacks, starting with targeted phishing emails with URLs that spoof legitimate URLs. October 2016 is the last time we’re aware that Sedkit was used.",
 "meta": {
 "refs": [
 "https://www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/",
From d6b16b2177de11fb8404c18d5b074967718149da Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Fri, 22 Dec 2017 10:46:18 +0100
Subject: [PATCH 3/4] update Sofacy tools
---
 clusters/exploit-kit.json | 8 ++++++--
 clusters/tool.json | 21 +++++++++++++++------
 2 files changed, 21 insertions(+), 8 deletions(-)
diff --git a/clusters/exploit-kit.json b/clusters/exploit-kit.json
index ae32539..187b2fd 100644
--- a/clusters/exploit-kit.json
+++ b/clusters/exploit-kit.json
@@ -37,11 +37,12 @@
 },
 {
 "value": "DealersChoice",
- "description": "DealersChoice is a Flash Player Exploit platform triggered by RTF",
+ "description": "DealersChoice is a Flash Player Exploit platform triggered by RTF.\n\nDealersChoice is a platform that generates malicious documents containing embedded Adobe Flash files. Palo Alto Network researchers analyzed two variants — variant A, which is a standalone variant including Flash exploit code packaged with a payload, and variant B, which is a modular variant that loads exploit code on demand. This new component appeared in 2016 and is still in use.",
 "meta": {
 "refs": [
 "http://researchcenter.paloaltonetworks.com/2016/10/unit42-dealerschoice-sofacys-flash-player-exploit-platform/",
- "http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-ramps-up-spear-phishing-before-zero-days-get-patched/"
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-ramps-up-spear-phishing-before-zero-days-get-patched/",
+ "https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/"
 ],
 "synonyms": [
 "Sednit RTF EK"
@@ -142,6 +143,9 @@
 "http://www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/",
 "http://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-flash-zero-day-used-in-pawn-storm-campaign/"
 ],
+ "synonyms":[
+ "SedKit"
+ ],
 "status": "Active"
 }
 },
diff --git a/clusters/tool.json b/clusters/tool.json
index 19fb3a3..fc9f543 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -677,7 +677,7 @@
 "NETUI"
 ]
 },
- "description": "backdoor used by apt28",
+ "description": "backdoor used by apt28\n\nSedreco serves as a spying backdoor; its functionalities can be extended with dynamically loaded plugins. It is made up of two distinct components: a dropper and the persistent payload installed by this dropper. We have not seen this component since April 2016.",
 "value": "EVILTOSS"
 },
 {
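Review bot: Neither exploit-kit.json hunk (-37 here and -142 below) bumps the cluster-level `version`, whereas patch 1 bumped tool.json from 44 to 45 for a comparable change. As far as I know MISP decides whether to re-import a galaxy cluster from that field, so the DealersChoice description, the added welivesecurity reference and the new SedKit synonym would not reach installs that already hold the current version; patch 4 touches the same file and does not bump it either. The version line sits in the file header outside both hunks, so the change is `"version": <current + 1>,` with the value taken from the file. Separately, the synonym added at -142 is spelled `"SedKit"` while the ESET text quoted in patch 1 and the tool.json entry this series removes spell it `"Sedkit"`; pick one spelling so tooling that string-matches on synonyms behaves consistently.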
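Review bot: The text appended to the EVILTOSS description at -677 is first-person vendor prose ("We have not seen this component since April 2016") and introduces the name Sedreco, yet unlike the DealersChoice and X-Agent hunks this one adds no reference for it. The entry's refs array is above the hunk, so it may already cite the ESET update; if it does not, add `"https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/"` to it, and consider listing `"Sedreco"` under the synonyms array that closes at the top of the hunk if it is not already there, so the name used in the description is searchable. Replacing "We" with "ESET" in the description would also keep the provenance attached to the claim once the text is read apart from the refs.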
@@ -1213,10 +1213,11 @@
 ],
 "refs": [
 "http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/",
- "https://app.box.com/s/l7n781ig6n8wlf1aff5hgwbh4qoi5jqq"
+ "https://app.box.com/s/l7n781ig6n8wlf1aff5hgwbh4qoi5jqq",
+ "https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/"
 ]
 },
- "description": "This backdoor component is known to have a modular structure featuring various espionage functionalities, such as key-logging, screen grabbing and file exfiltration. This component is available for Osx, Windows, Linux and iOS operating systems.",
+ "description": "This backdoor component is known to have a modular structure featuring various espionage functionalities, such as key-logging, screen grabbing and file exfiltration. This component is available for Osx, Windows, Linux and iOS operating systems.\n\nXagent is a modular backdoor with spying functionalities such as keystroke logging and file exfiltration. Xagent is the group’s flagship backdoor and heavily used in their operations. Early versions for Linux and Windows were seen years ago, then in 2015 an iOS version came out. One year later, an Android version was discovered and finally, in the beginning of 2017, an Xagent sample for OS X was described.",
 "value": "X-Agent"
 },
 {
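Review bot: The paragraph appended to the X-Agent description restates the sentence that is already there (modular backdoor, keystroke logging, file exfiltration) before adding the new platform timeline, so the entry now says the same thing twice in slightly different words. Keeping only the new information would read better, e.g. end the first paragraph with `...iOS operating systems.\n\nXagent is the group’s flagship backdoor and heavily used in their operations. Early versions for Linux and Windows were seen years ago, then in 2015 an iOS version came out. One year later, an Android version was discovered and finally, in the beginning of 2017, an Xagent sample for OS X was described."`. While here, the platform list in the first paragraph says "Osx" and the new text says "OS X"; using one spelling keeps the entry consistent.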
@@ -3229,11 +3230,19 @@
 }
 },
 {
- "value": "Sedkit",
- "description": "Sedkit is the Sednit exploit-kit; it’s used only for targeted attacks, starting with targeted phishing emails with URLs that spoof legitimate URLs. October 2016 is the last time we’re aware that Sedkit was used.",
+ "value": "USBStealer",
+ "description": "USBStealer serves as a network tool that extracts sensitive information from air-gapped networks. We have not seen this component since mid 2015.",
+ "meta": {
+ "refs": [
+ "https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/"
+ ]
+ }
+ },
+ {
+ "value": "Downdelph",
+ "description": "Downdelph is a lightweight downloader developed in the Delphi programming language. As we already mentioned in our white paper, its period of activity was from November 2013 to September 2015 and there have been no new variants seen since.",
 "meta": {
 "refs": [
- "https://www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/",
 "https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/"
 ]
 }
From 9b23956c3739d0a4c2bd4b8e14fd82cac46e11c8 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Fri, 22 Dec 2017 10:47:06 +0100
Subject: [PATCH 4/4] jqallthethings
---
 clusters/exploit-kit.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/clusters/exploit-kit.json b/clusters/exploit-kit.json
index 187b2fd..15b7fab 100644
--- a/clusters/exploit-kit.json
+++ b/clusters/exploit-kit.json
@@ -143,7 +143,7 @@
 "http://www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/",
 "http://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-flash-zero-day-used-in-pawn-storm-campaign/"
 ],
- "synonyms":[
+ "synonyms": [
 "SedKit"
 ],
 "status": "Active"
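Review bot: The new Downdelph description says "As we already mentioned in our white paper", but the only ref the entry carries is the 2017 welivesecurity update, so the white paper it points at is not cited and the clause dangles for anyone reading the galaxy. Either add the white paper to refs (`"<white-paper-url>"`, placeholder to be taken from the cited ESET post) or drop the clause, e.g. `"description": "Downdelph is a lightweight downloader developed in the Delphi programming language. Its period of activity was from November 2013 to September 2015 and there have been no new variants seen since."`. The USBStealer text has the same first-person "We have not seen" wording; naming ESET in-line keeps the provenance with the claim once the description is displayed apart from its refs. The 2014 welivesecurity ref dropped with the Sedkit entry is still present on the exploit-kit.json entry that gained the SedKit synonym in this same patch, so no reference is lost by the move.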