Merge pull request #537 from danielplohmann/patch-28

Adding Nazar APT as described by JAGS in his OPCDE talk yesterday.
2024-11-22 23:07:19 +00:00 · 2020-04-24 15:33:47 +02:00 · 2020-04-24 15:33:47 +02:00 · 4234d44052
commit 4234d44052
parent cac034064a 858621ebdc
1 changed files with 14 additions and 1 deletions
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@ -8116,7 +8116,20 @@
      },
      "uuid": "d0b900fa-84b4-11ea-bc55-0242ac130003",
      "value": "ItaDuke"
+    },
+    {
+      "description": "This actor was identified by Juan Andres Guerrero-Saade from the SIG37 cluster as published in the ShadowBrokers' 'Lost in Translation' leak. Earliest known sighting potentially dates back to as far as 2008 with a confirmed center of activity around 2010-2013. The actor name is derived from a PDB debug string fragment: 'khzer'. Victimology indicates targeting of Iran, assessed with low confidence based on VT file submission locations. Nazar employs a modular toolkit where a main dropper silently registers multiple DLLs as OLE controls in the Windows registry. Functionality includes keylogging, sound and screen grabbing, as well as traffic capture using the MicroOlap Packet Sniffer library.",
+      "meta": {
+        "refs": [
+          "https://www.epicturla.com/blog/the-lost-nazar"
+        ],
+        "synonyms": [
+          "SIG37"
+        ]
+      },
+      "uuid": "169187c5-9fbe-42df-ae92-6e35846db021",
+      "value": "Nazar"
    }
  ],
-  "version": 157
+  "version": 158
 }