Merge pull request #412 from Delta-Sierra/master

update threat actors and tools
Alexandre Dulaunoy 2019-06-04 09:56:47 +02:00 committed by GitHub
commit 3948cc24c1
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 122 additions and 15 deletions


@ -3362,7 +3362,17 @@
}, },
"uuid": "1b6a066c-50ba-4aa6-a49b-823e94e110fe", "uuid": "1b6a066c-50ba-4aa6-a49b-823e94e110fe",
"value": "Caesar RAT" "value": "Caesar RAT"
},
{
"description": "During the month of October, Check Point researchers discovered a widespread malware campaign spreading a remote access trojan (dubbed “FlawedAmmy”) that allows attackers to take over victims computers and data. The campaign was the latest and most widespread delivering the FlawedAmmyy RAT, following a number of campaigns that have spread this malware in recent months. The Trojan allows attackers to gain full access to the machines camera and microphone, collect screen grabs, steal credentials and sensitive files, and intrusively monitor the victims actions. As a result, FlawedAmmy is the first RAT to enter the Global Threat Indexs top 10 ranking. ",
"meta": {
"refs": [
"https://www.helpnetsecurity.com/2018/11/14/flawedammy-most-wanted-malware-list/"
]
},
"uuid": "4b9b99f0-9c2d-4db5-aaff-09de88509c04",
"value": "FlawedAmmy"
} }
], ],
"version": 28 "version": 29
} }
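Review bot: The new RAT entry has no `synonyms` although its own description spells the family two ways, `FlawedAmmy` in the value and `FlawedAmmyy` in "delivering the FlawedAmmyy RAT", so a consumer matching on the value will miss the other spelling; adding `"synonyms": ["FlawedAmmyy"]` under `meta` next to `refs` would cover both. The description also has its apostrophes stripped in the paste ("victims computers", "machines camera", "victims actions", "Threat Indexs") and ends with a trailing space before the closing quote, which is worth tidying while the entry is fresh. The URL in `refs` is a news summary rather than the Check Point report it cites; if the primary source is available it would be the better reference. The enclosing `values` array and file start outside the hunk.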


@ -1760,14 +1760,25 @@
"https://securelist.com/files/2017/03/Report_Shamoon_StoneDrill_final.pdf", "https://securelist.com/files/2017/03/Report_Shamoon_StoneDrill_final.pdf",
"https://securelist.com/blog/software/74503/freezer-paper-around-free-meat/", "https://securelist.com/blog/software/74503/freezer-paper-around-free-meat/",
"https://www.verfassungsschutz.de/download/broschuere-2016-10-bfv-cyber-brief-2016-04.pdf", "https://www.verfassungsschutz.de/download/broschuere-2016-10-bfv-cyber-brief-2016-04.pdf",
"https://www.cfr.org/interactive/cyber-operations/newscaster" "https://www.cfr.org/interactive/cyber-operations/newscaster",
"https://www.washingtontimes.com/news/2014/may/29/iranian-hackers-sucker-punch-us-defense-heads-crea/",
"https://securelist.com/freezer-paper-around-free-meat/74503/",
"https://www.scmagazine.com/home/security-news/cybercrime/hbo-breach-accomplished-with-hard-work-by-hacker-poor-security-practices-by-victim/",
"http://www.arabnews.com/node/1195681/media",
"https://cyware.com/news/iranian-apt-charming-kitten-impersonates-clearsky-the-security-firm-that-uncovered-its-campaigns-7fea0b4f",
"https://blog.certfa.com/posts/the-return-of-the-charming-kitten/",
"https://www.justice.gov/opa/pr/former-us-counterintelligence-agent-charged-espionage-behalf-iran-four-iranians-charged-cyber",
"https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/",
"https://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf",
"https://attack.mitre.org/groups/G0058/"
], ],
"synonyms": [ "synonyms": [
"Newscaster", "Newscaster",
"Parastoo", "Parastoo",
"iKittens", "iKittens",
"Group 83", "Group 83",
"Newsbeef" "Newsbeef",
"NewsBeef"
] ]
}, },
"related": [ "related": [
@ -2579,7 +2590,12 @@
"https://blog.cyber4sight.com/2017/04/similarities-between-carbanak-and-fin7-malware-suggest-actors-are-closely-related/", "https://blog.cyber4sight.com/2017/04/similarities-between-carbanak-and-fin7-malware-suggest-actors-are-closely-related/",
"https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor", "https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor",
"https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns", "https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns",
"https://www.crowdstrike.com/blog/arrests-put-new-focus-on-carbon-spider-adversary-group/" "https://www.crowdstrike.com/blog/arrests-put-new-focus-on-carbon-spider-adversary-group/",
"https://www.europol.europa.eu/newsroom/news/mastermind-behind-eur-1-billion-cyber-bank-robbery-arrested-in-spain",
"https://www.computerweekly.com/news/252446153/Three-Carbanak-cyber-heist-gang-members-arrested",
"https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064518/Carbanak_APT_eng.pdf",
"https://www.group-ib.com/resources/threat-research/Anunak_APT_against_financial_institutions.pdf",
"https://attack.mitre.org/groups/G0008/"
], ],
"synonyms": [ "synonyms": [
"Carbanak", "Carbanak",
@ -2644,11 +2660,17 @@
"value": "TeamSpy Crew" "value": "TeamSpy Crew"
}, },
{ {
"description": "Buhtrap has been active since 2014, however their first attacks against financial institutions were only detected in August 2015. Earlier, the group had only focused on targeting banking clients. At the moment, the group is known to target Russian and Ukrainian banks.\nFrom August 2015 to February 2016 Buhtrap managed to conduct 13 successful attacks against Russian banks for a total amount of 1.8 billion rubles ($25.7 mln). The number of successful attacks against Ukrainian banks has not been identified.\nBuhtrap is the first hacker group using a network worm to infect the overall bank infrastructure that significantly increases the difficulty of removing all malicious functions from the network. As a result, banks have to shut down the whole infrastructure which provokes delay in servicing customers and additional losses.\nMalicious programs intentionally scan for machines with an automated Bank-Customer system of the Central Bank of Russia (further referred to as BCS CBR). We have not identified incidents of attacks involving online money transfer systems, ATM machines or payment gates which are known to be of interest for other criminal groups.",
"meta": { "meta": {
"attribution-confidence": "50", "attribution-confidence": "50",
"country": "RU", "country": "RU",
"refs": [ "refs": [
"https://www.welivesecurity.com/2015/11/11/operation-buhtrap-malware-distributed-via-ammyy-com/" "https://www.welivesecurity.com/2015/11/11/operation-buhtrap-malware-distributed-via-ammyy-com/",
"https://www.group-ib.com/brochures/gib-buhtrap-report.pdf",
"https://www.symantec.com/connect/blogs/russian-bank-employees-received-fake-job-offers-targeted-email-attack",
"https://www.forcepoint.com/blog/security-labs/highly-evasive-code-injection-awaits-user-interaction-delivering-malware",
"https://www.kaspersky.com/blog/financial-trojans-2019/25690/",
"https://www.welivesecurity.com/2015/04/09/operation-buhtrap/"
] ]
}, },
"uuid": "b737c51f-b579-49d5-a907-743b2e6d03cb", "uuid": "b737c51f-b579-49d5-a907-743b2e6d03cb",
@ -4302,11 +4324,24 @@
"https://www.helpnetsecurity.com/2016/11/22/cobalt-hackers-synchronized-atm-heists/", "https://www.helpnetsecurity.com/2016/11/22/cobalt-hackers-synchronized-atm-heists/",
"https://www.bleepingcomputer.com/news/security/cobalt-hacking-group-tests-banks-in-russia-and-romania/", "https://www.bleepingcomputer.com/news/security/cobalt-hacking-group-tests-banks-in-russia-and-romania/",
"https://www.secureworks.com/blog/cybercriminals-increasingly-trying-to-ensnare-the-big-financial-fish", "https://www.secureworks.com/blog/cybercriminals-increasingly-trying-to-ensnare-the-big-financial-fish",
"https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-september-cobalt-spider/" "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-september-cobalt-spider/",
"https://www.group-ib.com/blog/cobalt",
"https://www.reuters.com/article/us-taiwan-cyber-atms/taiwan-atm-heist-linked-to-european-hacking-spree-security-firm-idUSKBN14P0CX",
"https://www.proofpoint.com/us/threat-insight/post/microsoft-word-intruder-integrates-cve-2017-0199-utilized-cobalt-group-target",
"https://blog.trendmicro.com/trendlabs-security-intelligence/cobalt-spam-runs-use-macros-cve-2017-8759-exploit/",
"https://www.riskiq.com/blog/labs/cobalt-strike/",
"https://www.riskiq.com/blog/labs/cobalt-group-spear-phishing-russian-banks/",
"https://unit42.paloaltonetworks.com/unit42-new-techniques-uncover-attribute-cobalt-gang-commodity-builders-infrastructure-revealed/",
"https://www.europol.europa.eu/newsroom/news/mastermind-behind-eur-1-billion-cyber-bank-robbery-arrested-in-spain",
"https://www.computerweekly.com/news/252446153/Three-Carbanak-cyber-heist-gang-members-arrested",
"https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Cobalt-2017-eng.pdf",
"https://attack.mitre.org/groups/G0080/"
], ],
"synonyms": [ "synonyms": [
"Cobalt group", "Cobalt group",
"Cobalt Group",
"Cobalt gang", "Cobalt gang",
"Cobalt Gang",
"GOLD KINGSWOOD", "GOLD KINGSWOOD",
"Cobalt Spider" "Cobalt Spider"
] ]
@ -4412,7 +4447,10 @@
"https://www.secureworks.jp/resources/rp-bronze-butler", "https://www.secureworks.jp/resources/rp-bronze-butler",
"https://researchcenter.paloaltonetworks.com/2017/07/unit42-tick-group-continues-attacks/", "https://researchcenter.paloaltonetworks.com/2017/07/unit42-tick-group-continues-attacks/",
"http://blog.jpcert.or.jp/2017/08/detecting-datper-malware-from-proxy-logs.html", "http://blog.jpcert.or.jp/2017/08/detecting-datper-malware-from-proxy-logs.html",
"https://www.cfr.org/interactive/cyber-operations/bronze-butler" "https://www.cfr.org/interactive/cyber-operations/bronze-butler",
"https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses",
"https://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/",
"https://attack.mitre.org/groups/G0060/"
], ],
"synonyms": [ "synonyms": [
"Bronze Butler", "Bronze Butler",
@ -4744,7 +4782,7 @@
"value": "Snake Wine" "value": "Snake Wine"
}, },
{ {
"description": "This threat actor targets governments, diplomatic missions, private companies in the energy sector, and academics for espionage purposes.", "description": "This threat actor targets governments, diplomatic missions, private companies in the energy sector, and academics for espionage purposes.\nThe Mask is an advanced threat actor that has been involved in cyber-espionage operations since at least 2007. The name \"Mask\" comes from the Spanish slang word \"Careto\" (\"Ugly Face\" or “Mask”) which the authors included in some of the malware modules.\n More than 380 unique victims in 31 countries have been observed to date.What makes “The Mask” special is the complexity of the toolset used by the attackers. This includes an extremely sophisticated malware, a rootkit, a bootkit, 32-and 64-bit Windows versions, Mac OS X and Linux versions and possibly versions for Android and iPad/iPhone (Apple iOS).",
"meta": { "meta": {
"attribution-confidence": "50", "attribution-confidence": "50",
"cfr-suspected-state-sponsor": "Spain", "cfr-suspected-state-sponsor": "Spain",
@ -4771,8 +4809,9 @@
"cfr-type-of-incident": "Espionage", "cfr-type-of-incident": "Espionage",
"country": "ES", "country": "ES",
"refs": [ "refs": [
"https://securelist.com/blog/research/58254/the-caretomask-apt-frequently-asked-questions/", "https://securelist.com/the-caretomask-apt-frequently-asked-questions/58254/",
"https://www.cfr.org/interactive/cyber-operations/careto" "https://www.cfr.org/interactive/cyber-operations/careto",
"https://d2538mqrb7brka.cloudfront.net/wp-content/uploads/sites/43/2018/03/20133638/unveilingthemask_v1.0.pdf"
], ],
"synonyms": [ "synonyms": [
"The Mask", "The Mask",
@ -5584,6 +5623,7 @@
], ],
"since": "2016", "since": "2016",
"synonyms": [ "synonyms": [
"Dragonfly 2.0",
"Dragonfly2", "Dragonfly2",
"Berserker Bear" "Berserker Bear"
], ],
@ -6486,10 +6526,16 @@
"description": "APT39 was created to bring together previous activities and methods used by this actor, and its activities largely align with a group publicly referred to as \"Chafer.\" However, there are differences in what has been publicly reported due to the variances in how organizations track activity. APT39 primarily leverages the SEAWEED and CACHEMONEY backdoors along with a specific variant of the POWBAT backdoor. While APT39's targeting scope is global, its activities are concentrated in the Middle East. APT39 has prioritized the telecommunications sector, with additional targeting of the travel industry and IT firms that support it and the high-tech industry.", "description": "APT39 was created to bring together previous activities and methods used by this actor, and its activities largely align with a group publicly referred to as \"Chafer.\" However, there are differences in what has been publicly reported due to the variances in how organizations track activity. APT39 primarily leverages the SEAWEED and CACHEMONEY backdoors along with a specific variant of the POWBAT backdoor. While APT39's targeting scope is global, its activities are concentrated in the Middle East. APT39 has prioritized the telecommunications sector, with additional targeting of the travel industry and IT firms that support it and the high-tech industry.",
"meta": { "meta": {
"refs": [ "refs": [
"https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html" "https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html",
"https://www.symantec.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions",
"https://unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/",
"https://securelist.com/chafer-used-remexi-malware/89538/",
"https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets",
"https://attack.mitre.org/groups/G0087/"
], ],
"synonyms": [ "synonyms": [
"APT 39" "APT 39",
"Chafer"
] ]
}, },
"uuid": "c2c64bd3-a325-446f-91a8-b4c0f173a30b", "uuid": "c2c64bd3-a325-446f-91a8-b4c0f173a30b",
@ -6777,7 +6823,47 @@
}, },
"uuid": "6bf7e6b6-5917-45a6-9567-f0baba79768c", "uuid": "6bf7e6b6-5917-45a6-9567-f0baba79768c",
"value": "APT31" "value": "APT31"
},
{
"description": "BLACKGEAR is an espionage campaign which has targeted users in Taiwan for many years. Multiple papers and talks have been released covering this campaign, which used the ELIRKS backdoor when it was first discovered in 2012. It is known for using blogs and microblogging services to hide the location of its actual command-and-control (C&C) servers. This allows an attacker to change the C&C server used quickly by changing the information in these posts.\nLike most campaigns, BLACKGEAR has evolved over time. Our research indicates that it has started targeting Japanese users. Two things led us to this conclusion: first, the fake documents that are used as part of its infection routines are now in Japanese. Secondly, it is now using blogging sites and microblogging services based in Japan for its C&C activity.",
"meta": {
"refs": [
"https://blog.trendmicro.com/trendlabs-security-intelligence/blackgear-espionage-campaign-evolves-adds-japan-target-list/",
"https://blog.trendmicro.com/trendlabs-security-intelligence/blackgear-cyberespionage-campaign-resurfaces-abuses-social-media-for-cc-communication/"
],
"synonyms": [
"Topgear",
"Comnie",
"BLACKGEAR"
]
},
"uuid": "8b62b20a-5b1c-48af-8424-e8220cd2fbd7",
"value": "Blackgear"
},
{
"description": "BlackOasis is a Middle Eastern threat group that is believed to be a customer of Gamma Group. The group has shown interest in prominent figures in the United Nations, as well as opposition bloggers, activists, regional news correspondents, and think tanks. A group known by Microsoft as NEODYMIUM is reportedly associated closely with BlackOasis operations, but evidence that the group names are aliases has not been identified.",
"meta": {
"refs": [
"https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/",
"https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html",
"https://attack.mitre.org/groups/G0063/"
]
},
"uuid": "8fbd195f-5e03-4e85-8ca5-4f1dff300bec",
"value": "BlackOasis"
},
{
"description": "BlackTech is a cyber espionage group operating against targets in East Asia, particularly Taiwan, and occasionally, Japan and Hong Kong. Based on the mutexes and domain names of some of their C&C servers, BlackTechs campaigns are likely designed to steal their targets technology.\nFollowing their activities and evolving tactics and techniques helped us uncover the proverbial red string of fate that connected three seemingly disparate campaigns: PLEAD, Shrouded Crossbow, and of late, Waterbear.\nPLEAD is an information theft campaign with a penchant for confidential documents. Active since 2012, it has so far targeted Taiwanese government agencies and private organizations. PLEADs toolset includes the self-named PLEAD backdoor and the DRIGO exfiltration tool. PLEAD uses spear-phishing emails to deliver and install their backdoor, either as an attachment or through links to cloud storage services. Some of the cloud storage accounts used to deliver PLEAD are also used as drop off points for exfiltrated documents stolen by DRIGO.\nPLEAD actors use a router scanner tool to scan for vulnerable routers, after which the attackers will enable the routers VPN feature then register a machine as virtual server. This virtual server will be used either as a C&C server or an HTTP server that delivers PLEAD malware to their targets.",
"meta": {
"refs": [
"https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/",
"https://www.welivesecurity.com/2018/07/09/certificates-stolen-taiwanese-tech-companies-plead-malware-campaign/",
"https://www.welivesecurity.com/2019/05/14/plead-malware-mitm-asus-webstorage/"
]
},
"uuid": "320c42f7-eab7-4ef9-b09a-74396caa6c3e",
"value": "BlackTech"
} }
], ],
"version": 110 "version": 111
} }
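Review bot: The Charming Kitten `refs` now contain the same Securelist post twice, the existing `https://securelist.com/blog/software/74503/freezer-paper-around-free-meat/` and the added `https://securelist.com/freezer-paper-around-free-meat/74503/`, whereas the Careto hunk handles the same URL migration by replacing the old form with the new one; dropping the old-form line here keeps the two entries consistent. The synonym lists also gain case-only variants (`"Newsbeef"` / `"NewsBeef"`, `"Cobalt group"` / `"Cobalt Group"`, `"Cobalt gang"` / `"Cobalt Gang"`) and the new Blackgear entry lists `"BLACKGEAR"` as a synonym of its own value `"Blackgear"`; if lookups against this galaxy are case-insensitive these are dead duplicates, and if they are case-sensitive it would help to say so in the PR description so later contributors know the variants are deliberate. The new Blackgear, BlackTech and Mask descriptions are pasted vendor prose with first-person wording ("Our research indicates", "helped us uncover") and stripped apostrophes ("BlackTechs campaigns", "routers VPN feature"), and the Mask text mixes escaped straight quotes with curly quotes around the same word; rewording to third person and normalising the quotes would make them read as cluster descriptions rather than quotations. Each hunk cuts into the middle of a `values` element, so the surrounding objects are not visible here.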


@ -7787,7 +7787,18 @@
], ],
"uuid": "80365d3a-6d46-4195-a772-364749a6dc06", "uuid": "80365d3a-6d46-4195-a772-364749a6dc06",
"value": "SunOrcal" "value": "SunOrcal"
},
{
"description": "Threat actors have delivered Bookworm as a payload in attacks on targets in Thailand. Readers who are interested in this campaign should start with our first blog that lays out the overall functionality of the malware and introduces its many components.\n Unit 42 does not have detailed targeting information for all known Bookworm samples, but we are aware of attempted attacks on at least two branches of government in Thailand. We speculate that other attacks delivering Bookworm were also targeting organizations in Thailand based on the contents of the associated decoys documents, as well as several of the dynamic DNS domain names used to host C2 servers that contain the words “Thai” or “Thailand”. Analysis of compromised systems seen communicating with Bookworm C2 servers also confirms our speculation on targeting with a majority of systems existing within Thailand.",
"meta": {
"refs": [
"https://unit42.paloaltonetworks.com/attack-campaign-on-the-government-of-thailand-delivers-bookworm-trojan/",
"https://unit42.paloaltonetworks.com/bookworm-trojan-a-model-of-modular-architecture/"
]
},
"uuid": "9ff6e087-6755-447a-b537-8f06c7aa4a85",
"value": "Bookworm"
} }
], ],
"version": 121 "version": 122
} }
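Review bot: The Bookworm description is first-person Unit 42 prose ("our first blog", "Unit 42 does not have", "We speculate") and refers to "our first blog" without saying which of the two `refs` that is; rewording it to third person, e.g. "Palo Alto Unit 42 reports attempted attacks on at least two branches of government in Thailand", and pointing at the overview post explicitly would make the entry self-contained. There is also a stray leading space after the `\n` and "decoys documents" should read "decoy documents". The entry has no `synonyms` or `type` under `meta` unlike many tool entries in this cluster, which is fine if none are known but worth a second look. The enclosing `values` array starts outside the hunk.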