From df5301eab526fb3e17f03dae0699c337d575937f Mon Sep 17 00:00:00 2001
From: Daniel Plohmann
Date: Tue, 9 Apr 2019 08:38:44 +0200
Subject: [PATCH 01/19] adding FireEye's TMP.Lapis / APT36
---
 clusters/threat-actor.json | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index b40a7fe..2aab5fe 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -6655,7 +6655,21 @@
 },
 "uuid": "401c30c7-4317-458a-9b0a-379a44d63457",
 "value": "Operation ShadowHammer"
+ },
+ {
+ "description": "FireEye details APT36 as a Pakistani espionage group that supports Pakistani military and diplomatic interests, targeting Indian military and government. Operations have been also observed in the US, Europe, and Central Asia. Uses social engineering emails, multiple open-source, and custom malware tools.",
+ "meta": {
+ "refs": [
+ "https://mkd-cirt.mk/wp-content/uploads/2018/08/20181009_3_1_M-Trends2018-May-2018-compressed.pdf"
+ ],
+ "synonyms": [
+ "APT 36",
+ "TMP.Lapis"
+ ]
+ },
+ "uuid": "80fad97c-df3a-44ea-a127-cf29833b4946",
+ "value": "APT36"
 }
 ],
- "version": 105
+ "version": 106
 }
From 6467fe5849c87687627c2170439ae0be3c232815 Mon Sep 17 00:00:00 2001
From: rmkml
Date: Tue, 9 Apr 2019 22:27:28 +0200
Subject: [PATCH 02/19] Add Parasite HTTP RAT
---
 clusters/rat.json | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/clusters/rat.json b/clusters/rat.json
index 30450da..71e6b7f 100644
--- a/clusters/rat.json
+++ b/clusters/rat.json
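Review bot: The sole ref for the new APT36 cluster is a third-party re-host of the FireEye M-Trends 2018 PDF (mkd-cirt.mk), although the description attributes the assessment to FireEye; cite the publisher's own copy of the report so the attribution stays verifiable if that mirror disappears. The description should also say which name FireEye used and why two appear — the subject line and the `TMP.Lapis` synonym suggest a rename, but nothing in the entry explains it — e.g. append `Also tracked by FireEye under the interim name TMP.Lapis.` after checking the wording against the report.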
@@ -3328,7 +3328,17 @@
 },
 "uuid": "1b6a067b-50b9-4aa7-a49b-823e94e210fe",
 "value": "H-worm"
+ },
+ {
+ "description": "The RAT, dubbed Parasite HTTP, is especially notable for the extensive array of techniques it incorporates for sandbox detection, anti-debugging, anti-emulation, and other protections. The malware is also modular in nature, allowing actors to add new capabilities as they become available or download additional modules post infection.",
+ "meta": {
+ "refs": [
+ "https://www.proofpoint.com/us/threat-insight/post/parasite-http-rat-cooks-stew-stealthy-tricks"
+ ]
+ },
+ "uuid": "1b6a067c-50ba-4aa7-a59b-824e94e210fe",
+ "value": "Parasite-HTTP-RAT"
 }
 ],
- "version": 26
+ "version": 27
 }
From eb90e99dafa94521ca3538bafd41277c66ce2c16 Mon Sep 17 00:00:00 2001
From: rmkml
Date: Wed, 10 Apr 2019 22:37:54 +0200
Subject: [PATCH 03/19] Add Globe Imposter Ransomware
---
 clusters/ransomware.json | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index 6ab28c0..f61e664 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
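Review bot: The new entry's `value` is `Parasite-HTTP-RAT`, but the Proofpoint write-up in `refs` (and the description itself) calls the family `Parasite HTTP`; hyphenating it here makes the value a different string from what reports and other galaxies use, so value-based matching will miss it. Use `"value": "Parasite HTTP"` and keep the variants in `"synonyms": ["Parasite HTTP RAT", "Parasite-HTTP-RAT"]`. Separately, the `uuid` `1b6a067c-50ba-4aa7-a59b-824e94e210fe` differs from the preceding H-worm entry's `1b6a067b-50b9-4aa7-a49b-823e94e210fe` only by single incremented digits, which looks hand-edited rather than generated; galaxy UUIDs must be unique across every galaxy, so generate them with `uuidgen` or `python3 -c 'import uuid; print(uuid.uuid4())'`.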
@@ -13062,7 +13062,19 @@
 },
 "uuid": "8cfa694b-3e6b-410a-828f-037d981870b2",
 "value": "Jokeroo"
+ },
+ {
+ "description": "During December 2017, a new variant of the GlobeImposter Ransomware was detected for the first time and reported on malware-traffic-analysis. At first sight this ransomware looks very similar to other ransomware samples and uses common techniques such as process hollowing. However, deeper inspection showed that like LockPoS, which was analyzed by CyberBit, GlobeImposter too bypasses user-mode hooks by directly invoking system calls. Given this evasion technique is being leveraged by new malware samples may indicate that this is a beginning of a trend aiming to bypass user-mode security products.",
+ "meta": {
+ "payment-method": "Bitcoin",
+ "price": "0.35",
+ "refs": [
+ "https://www.fortinet.com/blog/threat-research/analysis-of-new-globeimposter-ransomware-variant.html"
+ ]
+ },
+ "uuid": "8cfa694c-2e6b-310a-728f-027d981870b2",
+ "value": "GlobeImposter"
 }
 ],
- "version": 54
+ "version": 55
 }
From 60e4a486a7719c89c1f82dcd17423f2a64c91c78 Mon Sep 17 00:00:00 2001
From: Rony <49360849+r0ny123@users.noreply.github.com>
Date: Thu, 11 Apr 2019 23:55:51 +0530
Subject: [PATCH 04/19] adding additional resources for APT36
---
 clusters/threat-actor.json | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 2aab5fe..01ecbff 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -6661,6 +6661,8 @@
 "meta": {
 "refs": [
 "https://mkd-cirt.mk/wp-content/uploads/2018/08/20181009_3_1_M-Trends2018-May-2018-compressed.pdf"
+ "https://nciipc.gov.in/documents/NCIIPC_Newsletter_July18.pdf"
+ "https://aisa.org.au//PDF/AISA%20Sydney%20-%20Dec2016.pdf"
 ],
 "synonyms": [
 "APT 36",
From 2fc914b2f94bc4ad3804bd15923b8c04fdf840f1 Mon Sep 17 00:00:00 2001
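Review bot: The `uuid` `8cfa694c-2e6b-310a-728f-027d981870b2` is not a valid RFC 4122 version-4 UUID — its version nibble is `3` and its variant nibble `7` — and it is visibly the Jokeroo UUID above with digits decremented; replace it with a generated value (`uuidgen`). `"price": "0.35"` carries no unit, while the BlackWorm entry added later in this series writes `"200 $"`; since `payment-method` is Bitcoin, write it in whatever form the rest of ransomware.json already uses (e.g. `"0.35 BTC"`) so the field stays machine-readable. The description reads as quoted from a CyberBit analysis (it refers to CyberBit's own LockPoS write-up in the first person of that vendor), yet the only ref is a Fortinet post — add the source the text is taken from or paraphrase it. Also confirm no GlobeImposter cluster already exists further up in this file before adding a second UUID for the family.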
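Review bot: The two added ref strings have no trailing commas, and the mkd-cirt.mk line above them keeps none either, so this commit leaves `clusters/threat-actor.json` unparseable (`"...compressed.pdf" "https://nciipc.gov.in/..."` is not valid JSON); run `jq . clusters/threat-actor.json` or the repository's validation script before committing. The AISA URL also carries a doubled slash after the host, `https://aisa.org.au//PDF/AISA%20Sydney%20-%20Dec2016.pdf`, which should be `https://aisa.org.au/PDF/AISA%20Sydney%20-%20Dec2016.pdf`.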
From: Rony <49360849+r0ny123@users.noreply.github.com>
Date: Fri, 12 Apr 2019 01:06:50 +0530
Subject: [PATCH 05/19] Update threat-actor.json
---
 clusters/threat-actor.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 01ecbff..db3d03b 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -6660,8 +6660,8 @@
 "description": "FireEye details APT36 as a Pakistani espionage group that supports Pakistani military and diplomatic interests, targeting Indian military and government. Operations have been also observed in the US, Europe, and Central Asia. Uses social engineering emails, multiple open-source, and custom malware tools.",
 "meta": {
 "refs": [
- "https://mkd-cirt.mk/wp-content/uploads/2018/08/20181009_3_1_M-Trends2018-May-2018-compressed.pdf"
- "https://nciipc.gov.in/documents/NCIIPC_Newsletter_July18.pdf"
+ "https://mkd-cirt.mk/wp-content/uploads/2018/08/20181009_3_1_M-Trends2018-May-2018-compressed.pdf",
+ "https://nciipc.gov.in/documents/NCIIPC_Newsletter_July18.pdf",
 "https://aisa.org.au//PDF/AISA%20Sydney%20-%20Dec2016.pdf"
 ],
 "synonyms": [
From 7987c8f023acbb079a6ffe81a9a3aa8f1b2abf32 Mon Sep 17 00:00:00 2001
From: Rony <49360849+r0ny123@users.noreply.github.com>
Date: Fri, 12 Apr 2019 01:56:12 +0530
Subject: [PATCH 06/19] Update threat-actor.json
---
 clusters/threat-actor.json | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index db3d03b..e0c5fe8 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
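Review bot: The third ref still has a doubled path separator after the host, `https://aisa.org.au//PDF/AISA%20Sydney%20-%20Dec2016.pdf`, which this comma fix leaves in place; change it to `https://aisa.org.au/PDF/AISA%20Sydney%20-%20Dec2016.pdf` while touching these lines. Since the preceding commit in the series committed an unparseable file, consider squashing the two so no revision in history fails galaxy validation.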
@@ -2887,12 +2887,14 @@
 "http://documents.trendmicro.com/assets/pdf/Indian-military-personnel-targeted-by-information-theft-campaign-cmajor.pdf",
 "https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf",
 "https://www.amnesty.org/en/documents/asa33/8366/2018/en/",
- "https://www.crowdstrike.com/blog/adversary-of-the-month-for-may/"
+ "https://www.crowdstrike.com/blog/adversary-of-the-month-for-may/",
+ "https://unit42.paloaltonetworks.com/unit42-projectm-link-found-between-pakistani-actor-and-operation-transparent-tribe"
 ],
 "synonyms": [
 "C-Major",
 "Transparent Tribe",
- "Mythic Leopard"
+ "Mythic Leopard",
+ "ProjectM"
 ]
 },
 "related": [
From 159225b6cf62a1c6478fd1a970317e21037b5388 Mon Sep 17 00:00:00 2001
From: Daniel Plohmann
Date: Thu, 11 Apr 2019 22:29:49 +0200
Subject: [PATCH 07/19] Based on additional research, APT36 can actually be merged into Mythic Leopard
---
 clusters/threat-actor.json | 28 +++++++++------------------
 1 file changed, 9 insertions(+), 19 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index db3d03b..1d4dd3e 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
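Review bot: Adding `ProjectM` to `synonyms` asserts it is another name for the same actor, but the Unit42 post cited in the same hunk — judging from its slug, `projectm-link-found-between-pakistani-actor-and-operation-transparent-tribe` — reports an overlap between two activity sets, which is not the same as identity. If the intent is only to record that overlap, keep the ref and express it through the cluster's `related` array (which starts right after this hunk) with a similarity-type relationship, so that matching tools do not collapse the two names. If the authors do consider ProjectM the same actor, say so in the description and name the source for that judgement.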
@@ -2887,12 +2887,18 @@
 "http://documents.trendmicro.com/assets/pdf/Indian-military-personnel-targeted-by-information-theft-campaign-cmajor.pdf",
 "https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf",
 "https://www.amnesty.org/en/documents/asa33/8366/2018/en/",
- "https://www.crowdstrike.com/blog/adversary-of-the-month-for-may/"
+ "https://www.crowdstrike.com/blog/adversary-of-the-month-for-may/",
+ "https://mkd-cirt.mk/wp-content/uploads/2018/08/20181009_3_1_M-Trends2018-May-2018-compressed.pdf",
+ "https://nciipc.gov.in/documents/NCIIPC_Newsletter_July18.pdf",
+ "https://aisa.org.au//PDF/AISA%20Sydney%20-%20Dec2016.pdf"
 ],
 "synonyms": [
 "C-Major",
 "Transparent Tribe",
- "Mythic Leopard"
+ "Mythic Leopard",
+ "APT36",
+ "APT 36",
+ "TMP.Lapis"
 ]
 },
 "related": [
@@ -6655,23 +6661,7 @@
 },
 "uuid": "401c30c7-4317-458a-9b0a-379a44d63457",
 "value": "Operation ShadowHammer"
- },
- {
- "description": "FireEye details APT36 as a Pakistani espionage group that supports Pakistani military and diplomatic interests, targeting Indian military and government. Operations have been also observed in the US, Europe, and Central Asia. Uses social engineering emails, multiple open-source, and custom malware tools.",
- "meta": {
- "refs": [
- "https://mkd-cirt.mk/wp-content/uploads/2018/08/20181009_3_1_M-Trends2018-May-2018-compressed.pdf",
- "https://nciipc.gov.in/documents/NCIIPC_Newsletter_July18.pdf",
- "https://aisa.org.au//PDF/AISA%20Sydney%20-%20Dec2016.pdf"
- ],
- "synonyms": [
- "APT 36",
- "TMP.Lapis"
- ]
- },
- "uuid": "80fad97c-df3a-44ea-a127-cf29833b4946",
- "value": "APT36"
 }
 ],
- "version": 106
+ "version": 107
 }
From 25597c24f79a470a56c38debe36247cbe79218ba Mon Sep 17 00:00:00 2001
From: rmkml
Date: Fri, 12 Apr 2019 21:29:13 +0200
Subject: [PATCH 08/19] Add BlackWorm Ransomware
---
 clusters/ransomware.json | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
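Review bot: The second hunk deletes the cluster with uuid `80fad97c-df3a-44ea-a127-cf29833b4946` that patch 01 of this series introduced at version 106; if that version was never published the removal is harmless, but if it was, any consumer that already imported the UUID loses the object silently, so it is safer to keep the old UUID in the file (or record it on the merged cluster) rather than drop it. This patch's `index db3d03b..1d4dd3e` also shows it was written against the same parent as patch 06 (`index db3d03b..e0c5fe8`), so the refs/synonyms block at line 2887 is edited by both commits and will conflict on merge; after resolving, confirm the merged cluster keeps both the Unit42 ref with `ProjectM` and the three APT36 refs with `APT36`/`APT 36`/`TMP.Lapis`. The FireEye characterization in the removed description (targeting, tooling, the TMP.Lapis naming) is lost entirely by the merge; fold one sentence of it into the Transparent Tribe description so the source of the APT36 name is preserved.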
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index f61e664..90f8fe8 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -13074,7 +13074,19 @@
 },
 "uuid": "8cfa694c-2e6b-310a-728f-027d981870b2",
 "value": "GlobeImposter"
+ },
+ {
+ "description": "BlackWorm Ransomware is a malicious computer infection that encrypts your files, and then does everything it can to prevent you from restoring them. It needs you to pay $200 for the decryption key, but there is no guarantee that the people behind this infection would really issue the decryption tool for you.",
+ "meta": {
+ "payment-method": "Bitcoin",
+ "price": "200 $",
+ "refs": [
+ "https://spyware-techie.com/blackworm-ransomware-removal-guide"
+ ]
+ },
+ "uuid": "8cfa694a-2e5b-300a-727f-027d881870b2",
+ "value": "BlackWorm"
 }
 ],
- "version": 55
+ "version": 56
 }
From 3256cca9e053ced12ce97113b9eb2618e5efdaf2 Mon Sep 17 00:00:00 2001
From: Bart
Date: Fri, 12 Apr 2019 21:12:16 +0100
Subject: [PATCH 09/19] Add DoNot team references
---
 clusters/threat-actor.json | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index a9c864d..2be228e 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
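Review bot: The only ref for BlackWorm is a removal-guide page (spyware-techie.com) and the description is lifted from it in second person (`encrypts your files`, `It needs you to pay`); galaxy entries are consumed as threat intelligence, so the description should be neutral third person and the ref a researcher or vendor analysis, or at least a sample reference such as a Malpedia entry. `"price": "200 $"` also uses a different format from the `"0.35"` of the GlobeImposter entry just above it; pick one representation (e.g. `"200 USD"` / `"0.35 BTC"`) and apply it to both. The `uuid` `8cfa694a-2e5b-300a-727f-027d881870b2` is again the neighbouring entry's UUID with digits decremented and has version nibble `3` / variant `7`, so it is not a valid v4 UUID and should be generated instead.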
@@ -5764,7 +5764,9 @@
 "description": "In March 2017, the 360 Chasing Team found a sample of targeted attacks that confirmed the previously unknown sample of APT's attack actions, which the organization can now trace back at least in April 2016. The chasing team named the attack organization APT-C-35. In June 2017, the 360 Threat Intelligence Center discovered the organization’s new attack activity, confirmed and exposed the gang’s targeted attacks against Pakistan, and analyzed in detail. The unique EHDevel malicious code framework used by the organization",
 "meta": {
 "refs": [
- "https://ti.360.net/blog/articles/latest-activity-of-apt-c-35/"
+ "https://ti.360.net/blog/articles/latest-activity-of-apt-c-35/",
+ "https://www.netscout.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia",
+ "https://ti.360.net/blog/articles/donot-group-is-targeting-pakistani-businessman-working-in-china-en/"
 ],
 "synonyms": [
 "DoNot Team"
From 54cd80ee2da667dc2cdcb5186cf9cd3dcac16ad7 Mon Sep 17 00:00:00 2001
From: rmkml
Date: Fri, 12 Apr 2019 22:42:57 +0200
Subject: [PATCH 10/19] Add Brushaloader Malware
---
 clusters/tool.json | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index d3b494c..17a5a7c 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -7620,7 +7620,17 @@
 ],
 "uuid": "e1ca79eb-5629-4267-bb37-3992c7126ef4",
 "value": "EVILNUM"
+ },
+ {
+ "description": "Brushaloader also leverages a combination of VBScript and PowerShell to create a Remote Access Trojan (RAT) that allows persistent command execution on infected systems.",
+ "meta": {
+ "refs": [
+ "https://blog.talosintelligence.com/2019/02/combing-through-brushaloader.html"
+ ]
+ },
+ "uuid": "e1ca79ea-5628-4266-bb36-3892c7126ef4",
+ "value": "Brushaloader"
 }
 ],
- "version": 115
+ "version": 116
 }
From f94e138b2706e978688682d831f000e37fa2d439 Mon Sep 17 00:00:00 2001
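Review bot: The description starts mid-paragraph (`Brushaloader also leverages ...`) with nothing for `also` to refer to, so it does not stand on its own; rewrite it as a complete statement grounded in the Talos post in `refs`, e.g. `Brushaloader is a loader that combines VBScript and PowerShell to establish a RAT-like channel for persistent command execution on infected systems.`, checking the first half against the source since only the tail is visible here. The text also calls the result a Remote Access Trojan while the entry is added to `clusters/tool.json` rather than `clusters/rat.json`, which this same series extends; either state in the description why it is classified as a tool/loader or move it. The `uuid` `e1ca79ea-5628-4266-bb36-3892c7126ef4` is the EVILNUM UUID above with each group decremented by one, which suggests hand editing rather than generation — use `uuidgen`.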
From: rmkml
Date: Fri, 12 Apr 2019 23:31:30 +0200
Subject: [PATCH 11/19] Add Vidar Stealer
---
 clusters/stealer.json | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/clusters/stealer.json b/clusters/stealer.json
index d262160..7511a0b 100644
--- a/clusters/stealer.json
+++ b/clusters/stealer.json
@@ -54,7 +54,18 @@
 },
 "uuid": "a646edab-5c6f-4a79-8a6c-153535259e16",
 "value": "AZORult"
+ },
+ {
+ "description": "Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.",
+ "meta": {
+ "date": "Dec 2018.",
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar"
+ ]
+ },
+ "uuid": "a646edaa-4c6f-3a79-7a6c-143535259e15",
+ "value": "Vidar"
 }
 ],
- "version": 4
+ "version": 5
 }
From 86323ca9488f591448ee73c614d9a9137ab7d7a6 Mon Sep 17 00:00:00 2001
From: rmkml
Date: Sat, 13 Apr 2019 16:38:46 +0200
Subject: [PATCH 12/19] Add Tellyouthepass Ransomware
---
 clusters/ransomware.json | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index 90f8fe8..4cddd47 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -13086,7 +13086,19 @@
 },
 "uuid": "8cfa694a-2e5b-300a-727f-027d881870b2",
 "value": "BlackWorm"
+ },
+ {
+ "description": "Tellyouthepass is a ransomware that alters system files, registry entries and encodes personal photos, documents, and servers or archives. Army-grade encryption algorithms get used to change the original code of the file and make the data useless.",
+ "meta": {
+ "payment-method": "Bitcoin",
+ "price": "0.2",
+ "refs": [
+ "https://malware.wikia.org/wiki/Tellyouthepass"
+ ]
+ },
+ "uuid": "7cfa694a-1e5b-300a-627f-027d881870b1",
+ "value": "Tellyouthepass"
 }
 ],
- "version": 56
+ "version": 57
 }
From 9aa6244ed909d58e016898350f661deae29feb76 Mon Sep 17 00:00:00 2001
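Review bot: `"date": "Dec 2018."` carries a trailing period and a free-text month, which neither sorts nor parses; write it as `"2018-12"` (or whatever form existing stealer.json entries already use for `date`) so the field stays consistent. The `uuid` `a646edaa-4c6f-3a79-7a6c-143535259e15` has version nibble `3` and variant nibble `7` and is the AZORult UUID above with digits decremented, so it is not a valid v4 UUID — generate a fresh one. Since the description says Vidar is a fork of Arkei, link the two clusters through `related` if an Arkei entry exists rather than leaving the lineage in prose only.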
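Review bot: The sole ref is a fan-wiki page (malware.wikia.org) and the description repeats its marketing phrasing (`Army-grade encryption algorithms`, `encodes personal photos`), which is not a verifiable technical claim; replace it with a neutral statement of what is actually documented (extension appended, ransom-note name, cipher if analysed) and cite an analysis or a sample reference. `"price": "0.2"` again lacks a unit, as in the GlobeImposter entry earlier in this series; add `BTC` or the unit form the file already uses. The `uuid` `7cfa694a-1e5b-300a-627f-027d881870b1` has version nibble `3` and variant `6`, so it is not RFC 4122-valid and should be a generated v4 value.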
From: rmkml
Date: Sat, 13 Apr 2019 17:01:31 +0200
Subject: [PATCH 13/19] Add Ave Maria Stealer
---
 clusters/stealer.json | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/clusters/stealer.json b/clusters/stealer.json
index 7511a0b..105639f 100644
--- a/clusters/stealer.json
+++ b/clusters/stealer.json
@@ -65,7 +65,18 @@
 },
 "uuid": "a646edaa-4c6f-3a79-7a6c-143535259e15",
 "value": "Vidar"
+ },
+ {
+ "description": "Information stealer which uses AutoIT for wrapping.",
+ "meta": {
+ "date": "Jan 2019.",
+ "refs": [
+ "https://blog.yoroi.company/research/the-ave_maria-malware/"
+ ]
+ },
+ "uuid": "a546edaa-4c6f-2a79-7a6c-133535249e14",
+ "value": "Ave Maria"
 }
 ],
- "version": 5
+ "version": 6
 }
From 747dd3f90d018a02168c1a5c9747f5ddc9978a91 Mon Sep 17 00:00:00 2001
From: rmkml
Date: Sat, 13 Apr 2019 21:47:24 +0200
Subject: [PATCH 14/19] Add Caesar RAT
---
 clusters/rat.json | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/clusters/rat.json b/clusters/rat.json
index 71e6b7f..d32547a 100644
--- a/clusters/rat.json
+++ b/clusters/rat.json
@@ -3338,7 +3338,17 @@
 },
 "uuid": "1b6a067c-50ba-4aa7-a59b-824e94e210fe",
 "value": "Parasite-HTTP-RAT"
+ },
+ {
+ "description": "Caesar is an HTTP-based RAT that allows you to remotely control devices directly from your browser.",
+ "meta": {
+ "refs": [
+ "https://securityonline.info/caesarrat-http-based-rat/"
+ ]
+ },
+ "uuid": "1b6a066c-50ba-4aa6-a49b-823e94e110fe",
+ "value": "Caesar RAT"
 }
 ],
- "version": 27
+ "version": 28
 }
From 356c485459faf2b986aadbc58c6f7f65bd0ed76f Mon Sep 17 00:00:00 2001
From: rmkml
Date: Sat, 13 Apr 2019 22:06:53 +0200
Subject: [PATCH 15/19] Add BigBobRoss Ransomware
---
 clusters/ransomware.json | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index 4cddd47..8ba04c7 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
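Review bot: `"date": "Jan 2019."` has the same trailing period and free-text form as the Vidar entry directly above; write it as `"2019-01"` or whatever format stealer.json already uses. The description, `Information stealer which uses AutoIT for wrapping.`, says nothing about what is stolen or how the malware is delivered, so a reader cannot distinguish it from any other AutoIT-packed stealer; add one or two sentences summarising the Yoroi analysis in `refs`. The `uuid` `a546edaa-4c6f-2a79-7a6c-133535249e14` has version nibble `2` and variant nibble `7` and is the Vidar UUID with digits decremented, so it is not a valid v4 UUID and must be generated.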
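Review bot: The description is second-person product copy (`allows you to remotely control devices directly from your browser`); a galaxy entry should describe the tool neutrally, e.g. `Caesar is an HTTP-based RAT whose control panel runs in a web browser.` The ref, securityonline.info, is an aggregator that republishes tool announcements; if Caesar is a publicly hosted project, as the phrasing suggests, cite the project's own repository or an original analysis instead so the entry points at something reviewable. The `uuid` `1b6a066c-50ba-4aa6-a49b-823e94e110fe` is the Parasite HTTP UUID above with digits decremented; use a generated UUID.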
@@ -13098,7 +13098,18 @@
 },
 "uuid": "7cfa694a-1e5b-300a-627f-027d881870b1",
 "value": "Tellyouthepass"
+ },
+ {
+ "description": "BigBobRoss ransomware is the cryptovirus that requires a ransom in Bitcoin to return encrypted files marked with .obfuscated appendix.",
+ "meta": {
+ "payment-method": "Bitcoin",
+ "refs": [
+ "https://www.2-spyware.com/remove-bigbobross-ransomware.html"
+ ]
+ },
+ "uuid": "8cfa684a-1e4b-309a-617f-026d881870b1",
+ "value": "BigBobRoss"
 }
 ],
- "version": 57
+ "version": 58
 }
From 55f6d2838897e2d0ce493c5b9dd633cf3b8a1582 Mon Sep 17 00:00:00 2001
From: rmkml
Date: Sat, 13 Apr 2019 22:41:37 +0200
Subject: [PATCH 16/19] Add Planetary Ransomware
---
 clusters/ransomware.json | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index 8ba04c7..1455660 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -13109,7 +13109,18 @@
 },
 "uuid": "8cfa684a-1e4b-309a-617f-026d881870b1",
 "value": "BigBobRoss"
+ },
+ {
+ "description": "First discovered by malware security analyst, Lawrence Abrams, PLANETARY is an updated variant of another high-risk ransomware called HC7.",
+ "meta": {
+ "payment-method": "Bitcoin",
+ "refs": [
+ "https://www.pcrisk.com/removal-guides/12121-planetary-ransomware"
+ ]
+ },
+ "uuid": "6cfa664a-1e2b-329a-607f-026d781870b1",
+ "value": "Planetary"
 }
 ],
- "version": 58
+ "version": 59
 }
From 271143519d35be94215f5ece4c14b84e2759c286 Mon Sep 17 00:00:00 2001
From: rmkml
Date: Sat, 13 Apr 2019 23:04:25 +0200
Subject: [PATCH 17/19] Add SpelevoEK
---
 clusters/exploit-kit.json | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/clusters/exploit-kit.json b/clusters/exploit-kit.json
index c6489c3..cec4cf2 100644
--- a/clusters/exploit-kit.json
+++ b/clusters/exploit-kit.json
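Review bot: `marked with .obfuscated appendix` should read `.obfuscated extension`, and the extension is more useful in a structured meta field than in prose if ransomware.json has one for it — check the neighbouring entries for an extensions-style key before adding. No `price` is recorded although the description says a Bitcoin ransom is demanded; either add the amount from the source or state that it is not fixed. The ref is a removal-guide site (2-spyware.com), so a researcher analysis or decryptor announcement would be a stronger source, and the `uuid` `8cfa684a-1e4b-309a-617f-026d881870b1` (version nibble `3`, variant `6`) should be replaced by a generated v4 value.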
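Review bot: The description credits the discovery to Lawrence Abrams, but the only ref is a pcrisk.com removal guide; cite the original write-up that credit refers to. It also states Planetary is an updated variant of HC7 — if an HC7 cluster exists in this file, link it through `related` rather than leaving the relationship in prose only. `value` is `Planetary` while the description spells it `PLANETARY`; pick one casing and put the other in `synonyms` only if both appear in reporting. The `uuid` `6cfa664a-1e2b-329a-607f-026d781870b1` has version nibble `3` and variant `6`, so generate a proper v4 UUID instead of deriving one from the entry above.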
@@ -749,7 +749,17 @@
 },
 "uuid": "00815961-3249-4e2e-9421-bb57feb73bb2",
 "value": "Unknown"
+ },
+ {
+ "description": "The Spelevo exploit kit seems to have similarities to SPL EK, which is a different exploit kit.",
+ "meta": {
+ "refs": [
+ "https://cyberwarzone.com/what-is-the-spelevo-exploit-kit/"
+ ]
+ },
+ "uuid": "00715961-2249-3e2e-8420-bb47feb73bb2",
+ "value": "SpelevoEK"
 }
 ],
- "version": 13
+ "version": 14
 }
From d16cc2e184186003e37aad1288e2f8aea52bc162 Mon Sep 17 00:00:00 2001
From: rmkml
Date: Sun, 14 Apr 2019 20:49:36 +0200
Subject: [PATCH 18/19] Add Cr1ptt0r Ransomware
---
 clusters/ransomware.json | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index 1455660..beef9af 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -13120,7 +13120,24 @@
 },
 "uuid": "6cfa664a-1e2b-329a-607f-026d781870b1",
 "value": "Planetary"
+ },
+ {
+ "description": "Cr1ptT0r Ransomware Targets NAS Devices with Old Firmware.",
+ "meta": {
+ "payment-method": "Bitcoin",
+ "refs": [
+ "https://www.coveware.com/blog/2019/3/13/cr1ptt0r-ransomware-targets-nas-devices-with-old-firmware",
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.cr1ptt0r"
+ ],
+ "synonyms": [
+ "Criptt0r",
+ "Cr1pt0r",
+ "Cripttor"
+ ]
+ },
+ "uuid": "8cfa554a-1e1b-328a-606f-026d771870b1",
+ "value": "Cr1ptT0r"
 }
 ],
- "version": 59
+ "version": 60
 }
From d98aefa18640094c269421de2b3b0f5ae7ad4ea2 Mon Sep 17 00:00:00 2001
From: Rony <49360849+r0ny123@users.noreply.github.com>
Date: Wed, 17 Apr 2019 09:17:23 +0530
Subject: [PATCH 19/19] fixed the broken link
---
 clusters/threat-actor.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 2be228e..8ec4896 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
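Review bot: `"value": "SpelevoEK"` fuses the family name and the "EK" suffix into one token, while the description itself calls it `the Spelevo exploit kit`; `"value": "Spelevo"` with `"synonyms": ["Spelevo EK", "SpelevoEK"]` will match reports and other galaxies better — check how the neighbouring exploit-kit.json entries are named. The description only says it `seems to have similarities to SPL EK`, which tells a reader nothing about what it delivers or exploits; summarise the cited source or state explicitly that technical details are not yet public. The `uuid` `00715961-2249-3e2e-8420-bb47feb73bb2` is the preceding `Unknown` entry's UUID with digits decremented and has version nibble `3`; generate one instead.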
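Review bot: The description is just the title of the Coveware post with a period appended; the Malpedia slug in `refs`, `elf.cr1ptt0r`, indicates an ELF (Linux) payload, which is the most useful fact for detection and should be stated, e.g. `Cr1ptT0r is a Linux/ELF ransomware observed encrypting network-attached storage devices running outdated firmware.` — verify the device details against the Coveware source before committing. `payment-method` is set to Bitcoin but there is no `price`; if the amount is not fixed, say so in the description. The `uuid` `8cfa554a-1e1b-328a-606f-026d771870b1` (version nibble `3`, variant `6`) follows the same hand-derived pattern as the other entries in this series and should be a generated v4 UUID.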
@@ -757,7 +757,7 @@
 "country": "CN",
 "refs": [
 "https://securelist.com/analysis/publications/69953/the-naikon-apt/",
- "http://www.fireeye.com/blog/technical/malware-research/2014/03/spear-phishing-the-news-cycle-apt-actors-leverage-interest-in-the-disappearance-of-malaysian-flight-mh-370.html",
+ "https://www.fireeye.com/blog/threat-research/2014/03/spear-phishing-the-news-cycle-apt-actors-leverage-interest-in-the-disappearance-of-malaysian-flight-mh-370.html",
 "https://www.cfr.org/interactive/cyber-operations/apt-30"
 ],
 "synonyms": [