From 3379a0777b8f00494bcc4d4edaa6483e1ce5c9e3 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 5 Feb 2024 09:20:10 -0800
Subject: [PATCH 01/11] [threat-actors] Add Karkadann
---
 clusters/threat-actor.json | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 2501bef..16d729c 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -14789,6 +14789,20 @@
 },
 "uuid": "33bfb09d-c6f4-4403-b434-1d4d4733ec52",
 "value": "TA2719"
+ },
+ {
+ "description": "Karkadann is a threat actor that has been active since at least October 2020, targeting government bodies and news outlets in the Middle East. They have been involved in watering hole attacks, compromising high-profile websites to inject malicious JavaScript code. The group has been linked to another commercial spyware company called Candiru, suggesting they may utilize multiple spyware technologies. There are similarities in the infrastructure and tactics used by Karkadann in their campaigns.",
+ "meta": {
+ "refs": [
+ "https://securelist.com/apt-trends-report-q2-2022/106995/",
+ "https://www.welivesecurity.com/2021/11/16/strategic-web-compromises-middle-east-pinch-candiru/"
+ ],
+ "synonyms": [
+ "Piwiks"
+ ]
+ },
+ "uuid": "8146ba06-cef2-4a94-b26e-1a4041e04c7d",
+ "value": "Karkadann"
 }
 ],
 "version": 299
From bffb0ef644880a4c8e687a576c32aa78c8231474 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 5 Feb 2024 09:20:10 -0800
Subject: [PATCH 02/11] [threat-actors] Add Tomiris
---
 clusters/threat-actor.json | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 16d729c..503f328 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
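Review bot: `"version": 299` is left as unchanged context at the end of this hunk and of every other entry-adding hunk in the series (patches 02 through 09 and 11), so eleven new cluster values land without the cluster version moving. If this repository's convention is to bump the version whenever values change, the final patch should replace `"version": 299` with the next number (exact value to be confirmed against the current file). Separately, the Karkadann description's phrase `another commercial spyware company called Candiru` presupposes an earlier company that this entry never names; `the commercial spyware company Candiru` reads cleanly on its own.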
@@ -14803,6 +14803,16 @@
 },
 "uuid": "8146ba06-cef2-4a94-b26e-1a4041e04c7d",
 "value": "Karkadann"
+ },
+ {
+ "description": "Tomiris is a threat actor that has been active since at least 2019. They primarily target government and diplomatic entities in the Commonwealth of Independent States region, with occasional victims in other regions being foreign representations of CIS countries. Tomiris uses a wide variety of malware implants, including downloaders, backdoors, and file stealers, developed in different programming languages. They employ various attack vectors such as spear-phishing, DNS hijacking, and exploitation of vulnerabilities. There are potential ties between Tomiris and Turla, but they are considered separate threat actors with distinct targeting and tradecraft by Kaspersky.",
+ "meta": {
+ "refs": [
+ "https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/"
+ ]
+ },
+ "uuid": "2f854548-1af0-4f55-acab-4f85ce9f162c",
+ "value": "Tomiris"
 }
 ],
 "version": 299
From dd01813e51b0b9b45b3d085939dcc1733eb7c745 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 5 Feb 2024 09:20:10 -0800
Subject: [PATCH 03/11] [threat-actors] Add ShaggyPanther
---
 clusters/threat-actor.json | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 503f328..63b2352 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
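Review bot: The description states potential ties between Tomiris and Turla, but the entry carries no machine-readable link, so the relationship is only discoverable by reading prose. If the galaxy already has a Turla value, a `"related": [{"dest-uuid": "<uuid of the existing Turla entry>", "type": "similar"}]` block on this entry would let tooling surface the overlap; the uuid must be copied from the existing file, not invented. If the file's other entries record targeting in meta keys as well as in the description, the CIS government and diplomatic targeting stated here should be mirrored there for consistency.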
@@ -14813,6 +14813,19 @@
 },
 "uuid": "2f854548-1af0-4f55-acab-4f85ce9f162c",
 "value": "Tomiris"
+ },
+ {
+ "description": "ShaggyPanther is a threat actor that primarily targets government entities in Taiwan and Malaysia. They have been active since 2008 and utilize hidden encrypted payloads in registry keys. Their activities have been detected in various locations, including Indonesia and Syria.",
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "https://securelist.com/ksb-2019-review-of-the-year/95394/",
+ "https://securelist.com/apt-trends-report-q3-2019/94530/",
+ "https://securelist.com/apt-review-of-the-year/89117/"
+ ]
+ },
+ "uuid": "07791d89-64b6-46df-9f67-ccde8c2cbb20",
+ "value": "ShaggyPanther"
 }
 ],
 "version": 299
From 40becc0ee992b47a593dcb9aef993502ff507b85 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 5 Feb 2024 09:20:10 -0800
Subject: [PATCH 04/11] [threat-actors] Add Fishing Elephant
---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 63b2352..1f93174 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
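Review bot: `"country": "CN"` is asserted in meta, but nothing in the description states the attribution, so a reader cannot tell from the entry whether it is sourced from the three Securelist refs or inferred. The same pattern recurs for GhostEmperor (patch 06), CardinalLizard (patch 09) and Ferocious Kitten (patch 11). If this file's other entries carry `"attribution-confidence"`, add it next to `country` in each of these, e.g. `"attribution-confidence": "50",`, with the value chosen to reflect how firmly the cited sources support the attribution.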
@@ -14826,6 +14826,17 @@
 },
 "uuid": "07791d89-64b6-46df-9f67-ccde8c2cbb20",
 "value": "ShaggyPanther"
+ },
+ {
+ "description": "Fishing Elephant is a threat actor that primarily targets victims in Bangladesh and Pakistan. They rely on consistent TTPs, including payload and communication patterns, while occasionally incorporating new techniques such as geo-fencing and hiding executables within certificate files. Their tool of choice is AresRAT, which they deliver through platforms like Heroku and Dropbox. Recently, they have shifted their focus to government and diplomatic entities in Turkey, Pakistan, Bangladesh, Ukraine, and China.",
+ "meta": {
+ "refs": [
+ "https://securelist.com/apt-trends-report-q1-2020/96826/",
+ "https://securelist.com/apt-trends-report-q1-2022/106351/"
+ ]
+ },
+ "uuid": "0df34184-4ccf-4357-8e8e-e990058d2992",
+ "value": "Fishing Elephant"
 }
 ],
 "version": 299
From cff0da0b3a287389e47b4cda14cf8429ffb94d64 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 5 Feb 2024 09:20:10 -0800
Subject: [PATCH 05/11] [threat-actors] Add RevengeHotels
---
 clusters/threat-actor.json | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 1f93174..862d9b2 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
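Review bot: `Recently, they have shifted their focus …` in the description is a relative time reference that will be stale by the time the entry is read; judging by the ref URLs the sources are the Q1 2020 and Q1 2022 APT trend reports, so the shift should be anchored to a period. Something like `By 2022 they had shifted their focus to government and diplomatic entities in …` keeps the claim verifiable against the cited report; the exact period should be confirmed from that source.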
@@ -14837,6 +14837,16 @@
 },
 "uuid": "0df34184-4ccf-4357-8e8e-e990058d2992",
 "value": "Fishing Elephant"
+ },
+ {
+ "description": "RevengeHotels is a targeted cybercrime campaign that has been active since 2015, primarily targeting hotels, hostels, and tourism companies. The threat actor uses remote access Trojan malware to infiltrate hotel front desks and steal credit card data from guests and travelers. The campaign has impacted hotels in multiple countries, including Brazil, Argentina, Chile, and Mexico. The threat actor employs social engineering techniques and sells credentials from infected systems to other cybercriminals for remote access.",
+ "meta": {
+ "refs": [
+ "https://securelist.com/revengehotels/95229/"
+ ]
+ },
+ "uuid": "083acee6-6969-4c74-80c2-5d442936aa97",
+ "value": "RevengeHotels"
 }
 ],
 "version": 299
From c97fc15d59a9b13f43445810b4693dc03f15d3ff Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 5 Feb 2024 09:20:11 -0800
Subject: [PATCH 06/11] [threat-actors] Add GhostEmperor
---
 clusters/threat-actor.json | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 862d9b2..e3ec656 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
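Review bot: The entry's own description opens with `RevengeHotels is a targeted cybercrime campaign`, yet the value is added to the threat-actor cluster; the same applies to Operation Triangulation (patch 07), whose description opens with `an ongoing APT campaign targeting iOS devices`. Mixing campaign names and actor names in one cluster weakens the semantics of any lookup against it, since a consumer cannot tell whether a hit names an operator or one of its operations. If the repository has a campaign-oriented cluster, these belong there; otherwise make the framing explicit in the first sentence, e.g. `RevengeHotels is the name given to the threat actor behind a targeted cybercrime campaign active since 2015 …`.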
@@ -14847,6 +14847,18 @@
 },
 "uuid": "083acee6-6969-4c74-80c2-5d442936aa97",
 "value": "RevengeHotels"
+ },
+ {
+ "description": "GhostEmperor is a Chinese-speaking threat actor that targets government entities and telecom companies in Southeast Asia. They employ a Windows kernel-mode rootkit called Demodex to gain remote control over their targeted servers. The actor demonstrates a high level of sophistication and uses various anti-forensic and anti-analysis techniques to evade detection. They have been active for a significant period of time and continue to pose a threat to their targets.",
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "https://www.mandiant.com/resources/blog/unc4841-post-barracuda-zero-day-remediation",
+ "https://securelist.com/ghostemperor-from-proxylogon-to-kernel-mode/104407/"
+ ]
+ },
+ "uuid": "3c3ca8f3-c6ab-4c5d-9bd0-be6677d6cdeb",
+ "value": "GhostEmperor"
 }
 ],
 "version": 299
From 3a15a275849dd1a8faa93a90090aff00ea5a312c Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 5 Feb 2024 09:20:11 -0800
Subject: [PATCH 07/11] [threat-actors] Add Operation Triangulation
---
 clusters/threat-actor.json | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index e3ec656..ae7b07b 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
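Review bot: The first ref, `https://www.mandiant.com/resources/blog/unc4841-post-barracuda-zero-day-remediation`, is a Mandiant post whose URL names UNC4841 and the Barracuda zero-day, while the description concerns only GhostEmperor and the Demodex rootkit; nothing in the entry explains the connection. Either the link was pasted into the wrong entry or it discusses a GhostEmperor overlap that the description omits. Please confirm which, and in the latter case add one sentence to the description stating the overlap so the ref does not look stray; in the former, drop it and leave the Securelist article as the sole ref.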
@@ -14859,6 +14859,19 @@
 },
 "uuid": "3c3ca8f3-c6ab-4c5d-9bd0-be6677d6cdeb",
 "value": "GhostEmperor"
+ },
+ {
+ "description": "Operation Triangulation is an ongoing APT campaign targeting iOS devices with zero-click iMessage exploits. The threat actor behind the campaign has been active since at least 2019 and continues to operate. The attack chain involves the delivery of a malicious iMessage attachment that launches a series of exploits, ultimately leading to the deployment of the TriangleDB implant. Kaspersky researchers have discovered and reported multiple vulnerabilities used in the campaign, with patches released by Apple.",
+ "meta": {
+ "refs": [
+ "https://securelist.com/operation-triangulation-the-last-hardware-mystery/111669/",
+ "https://securelist.com/operation-triangulation-catching-wild-triangle/110916/",
+ "https://securelist.com/triangulation-validators-modules/110847/",
+ "https://securelist.com/operation-triangulation/109842/"
+ ]
+ },
+ "uuid": "220001c6-c976-4cad-a356-4d8c2dd2b1c1",
+ "value": "Operation Triangulation"
 }
 ],
 "version": 299
From 045ec7071fd567d5c2e4dfc606679c79549c8423 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 5 Feb 2024 09:20:11 -0800
Subject: [PATCH 08/11] [threat-actors] Add Operation Ghoul
---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index ae7b07b..371eb47 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -14872,6 +14872,17 @@
 },
 "uuid": "220001c6-c976-4cad-a356-4d8c2dd2b1c1",
 "value": "Operation Triangulation"
+ },
+ {
+ "description": "Operation Ghoul is a profit-driven threat actor that targeted over 130 organizations in 30 countries, primarily in the industrial and engineering sectors. They employed high-quality social engineering techniques, such as spear-phishing emails disguised as payment advice from a UAE bank, to distribute malware. The group's main motivation is financial gain through the sale of stolen intellectual property and business intelligence, as well as attacks on banking accounts. Their attacks were effective, particularly against companies that were unprepared to detect them.",
+ "meta": {
+ "refs": [
+ "https://securelist.com/kaspersky-security-bulletin-2016-executive-summary/76858/",
+ "https://securelist.com/operation-ghoul-targeted-attacks-on-industrial-and-engineering-organizations/75718/"
+ ]
+ },
+ "uuid": "624cc006-1131-4e53-a53c-3958cfbe233f",
+ "value": "Operation Ghoul"
 }
 ],
 "version": 299
From d2586524e397f0991517095188584ce638ac75ca Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 5 Feb 2024 09:20:11 -0800
Subject: [PATCH 09/11] [threat-actors] Add CardinalLizard
---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 371eb47..c1b0261 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -14883,6 +14883,17 @@
 },
 "uuid": "624cc006-1131-4e53-a53c-3958cfbe233f",
 "value": "Operation Ghoul"
+ },
+ {
+ "description": "CardinalLizard, a cyber threat actor linked to China, has targeted entities in Asia since 2018. Their methods include spear-phishing, custom malware with anti-detection features, and potentially shared infrastructure with other actors.",
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "https://securelist.com/apt-review-of-the-year/89117/"
+ ]
+ },
+ "uuid": "97f40858-1582-4a59-a990-866813982830",
+ "value": "CardinalLizard"
 }
 ],
 "version": 299
From 3a44200a0c8343442626463c39be5cf7f6da2bc1 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 5 Feb 2024 09:20:11 -0800
Subject: [PATCH 10/11] [threat-actors] Add APT5 aliases
---
 clusters/threat-actor.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index c1b0261..885f83e 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -5225,7 +5225,8 @@
 "MANGANESE",
 "BRONZE FLEETWOOD",
 "TEMP.Bottle",
- "Mulberry Typhoon"
+ "Mulberry Typhoon",
+ "Poisoned Flight"
 ],
 "targeted-sector": [
 "Electronic",
From 957e848a6f8b8e5332f7ad0cc1d2a38740489e69 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 5 Feb 2024 09:20:11 -0800
Subject: [PATCH 11/11] [threat-actors] Add Ferocious Kitten
---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 885f83e..ebe47ef 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -14895,6 +14895,17 @@
 },
 "uuid": "97f40858-1582-4a59-a990-866813982830",
 "value": "CardinalLizard"
+ },
+ {
+ "description": "Ferocious Kitten is an APT group that has been active against Persian-speaking individuals since 2015 and appears to be based in Iran. Although it has been active over a large timespan, the group has mostly operated under the radar until a lure document was uploaded to VirusTotal and was brought to public knowledge by researchers on Twitter. Subsequently, one of its implants was analyzed by a Chinese intelligence firm. Kaspersky then expanded some of the findings on the group and provided insights on additional variants. The malware dropped from the aforementioned document is dubbed MarkiRAT and is used to record keystrokes and clipboard content, provide file download and upload capabilities as well as the ability to execute arbitrary commands on the victims machine. Kaspersky were able to trace the implant back to at least 2015, along with variants intended to hijack the execution of the Telegram and Chrome applications as a persistence method. Interestingly, some of the TTPs used by this threat actor are reminiscent of other groups operating in the domain of dissident surveillance. For example, it used the same C2 domains across its implants for years, which was witnessed in the activity of Domestic Kitten. In the same vein, the Telegram execution hijacking technique observed in this campaign by Ferocious Kitten was also observed being used by Rampant Kitten, as covered by Check Point.",
+ "meta": {
+ "country": "IR",
+ "refs": [
+ "https://securelist.com/ferocious-kitten-6-years-of-covert-surveillance-in-iran/102806/"
+ ]
+ },
+ "uuid": "f34962a4-a792-4f23-af23-a8bf0f053fcf",
+ "value": "Ferocious Kitten"
 }
 ],
 "version": 299
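Review bot: `victims machine` in the description should be `victim's machine`, and `Kaspersky were able` is the only place in the series where the vendor takes a plural verb; every other entry treats it as singular. The closing sentence cites Check Point's coverage of Rampant Kitten, but the refs list holds only the Securelist article, so that claim is unsourced within the entry; adding the Check Point report URL (looked up, not guessed) would close the gap. The paragraph is also several times longer than the other descriptions added in this series and reads as if lifted from the source write-up; trimming it to an actor summary would match the register of the surrounding entries.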