From 3dc460e795b90a6792f9374dbbcd2cde16f680a4 Mon Sep 17 00:00:00 2001
From: "pnx@pyrite"
Date: Wed, 4 Mar 2020 13:36:34 +0100
Subject: [PATCH 1/3] adding new/updated threat actor names from CrowdStrike 2020 report
---
 clusters/threat-actor.json | 170 +++++++++++++++++++++++++++++++++----
 1 file changed, 153 insertions(+), 17 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 439c2b6..5c7ad12 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -1673,7 +1673,8 @@
 "country": "CN",
 "refs": [
 "https://blog.rapid7.com/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india/",
- "http://www.crowdstrike.com/blog/rhetoric-foreshadows-cyber-activity-in-the-south-china-sea/"
+ "http://www.crowdstrike.com/blog/rhetoric-foreshadows-cyber-activity-in-the-south-china-sea/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
 ],
 "synonyms": [
 "APT23",
@@ -1897,7 +1898,8 @@
 "https://www.justice.gov/opa/pr/former-us-counterintelligence-agent-charged-espionage-behalf-iran-four-iranians-charged-cyber",
 "https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/",
 "https://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf",
- "https://attack.mitre.org/groups/G0058/"
+ "https://attack.mitre.org/groups/G0058/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
 ],
 "synonyms": [
 "Newscaster",
@@ -2827,7 +2829,8 @@
 "http://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign",
 "https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/",
 "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html",
- "https://attack.mitre.org/groups/G0046/"
+ "https://attack.mitre.org/groups/G0046/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
 ],
 "synonyms": [
 "Carbanak",
@@ -2908,7 +2911,8 @@
 "https://www.symantec.com/connect/blogs/russian-bank-employees-received-fake-job-offers-targeted-email-attack",
 "https://www.forcepoint.com/blog/security-labs/highly-evasive-code-injection-awaits-user-interaction-delivering-malware",
 "https://www.kaspersky.com/blog/financial-trojans-2019/25690/",
- "https://www.welivesecurity.com/2015/04/09/operation-buhtrap/"
+ "https://www.welivesecurity.com/2015/04/09/operation-buhtrap/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
 ]
 },
 "uuid": "b737c51f-b579-49d5-a907-743b2e6d03cb",
@@ -4272,7 +4276,11 @@
 "https://www.lookingglasscyber.com/wp-content/uploads/2015/08/Operation_Armageddon_Final.pdf",
 "https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution/",
 "https://attack.mitre.org/groups/G0047/",
- "https://github.com/StrangerealIntel/CyberThreatIntel/tree/master/Russia/APT/Gamaredon"
+ "https://github.com/StrangerealIntel/CyberThreatIntel/tree/master/Russia/APT/Gamaredon",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
+ ],
+ "synonyms": [
+ "Primitive Bear"
 ]
 },
 "related": [
@@ -4760,6 +4768,7 @@
 "uuid": "4d9f68ba-cb2b-40bf-ba4b-6a5a9f2e1cf8",
 "value": "Cyber Berkut"
 },
+ {
 {
 "meta": {
 "attribution-confidence": "50",
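Review bot: The synonym added in the hunk at -4272, `"Primitive Bear"`, is written in mixed case while every other CrowdStrike name this commit adds as a synonym (`"LOTUS PANDA"` at 6497, `"GRACEFUL SPIDER"` at 6926, `"WHISPER SPIDER"` at 7015, `"REMIX KITTEN"` at 7030, `"CIRCUIT PANDA"` at 7370) is upper case. Galaxy consumers that match names against `synonyms` presumably compare strings literally, so a single spelling per vendor convention avoids a miss on the one lower-cased entry. Suggested line: `"PRIMITIVE BEAR"`. The enclosing Gamaredon cluster object starts before the hunk.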
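Review bot: The single line added in the hunk at -4760, `+ {`, sits directly above the existing `{` that opens the next cluster, so after this commit the file contains `{ {` and no longer parses as JSON. PATCH 2/3 in this series removes the same line again, which shows it is an editing slip rather than intended content; the removal should be squashed into this commit so that no revision of clusters/threat-actor.json is left unparseable (schema validation in CI and bisecting both depend on every revision loading). The object the stray brace precedes continues past the end of the hunk.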
@@ -6476,7 +6485,8 @@
 "country": "CN",
 "refs": [
 "https://www.cfr.org/interactive/cyber-operations/mustang-panda",
- "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/"
+ "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
 ]
 },
 "uuid": "78bf726c-a9e6-11e8-9e43-77249a2f7339",
@@ -6497,7 +6507,11 @@
 "refs": [
 "https://www.cfr.org/interactive/cyber-operations/thrip",
 "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets",
- "https://attack.mitre.org/groups/G0076/"
+ "https://attack.mitre.org/groups/G0076/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
+ ],
+ "synonyms": [
+ "LOTUS PANDA"
 ]
 },
 "uuid": "98be4300-a9ef-11e8-9a95-bb9221083cfc",
@@ -6926,7 +6940,8 @@
 "https://threatrecon.nshc.net/2019/08/29/sectorj04-groups-increased-activity-in-2019/"
 ],
 "synonyms": [
- "SectorJ04 Group"
+ "SectorJ04 Group",
+ "GRACEFUL SPIDER"
 ]
 },
 "uuid": "03c80674-35f8-4fe0-be2b-226ed0fcd69f",
@@ -7015,7 +7030,8 @@
 ],
 "synonyms": [
 "Silence",
- "Silence APT group"
+ "Silence APT group",
+ "WHISPER SPIDER"
 ]
 },
 "uuid": "0d5e17fd-7a71-47fd-b4bc-867cdb833726",
@@ -7030,11 +7046,13 @@
 "https://unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/",
 "https://securelist.com/chafer-used-remexi-malware/89538/",
 "https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets",
- "https://attack.mitre.org/groups/G0087/"
+ "https://attack.mitre.org/groups/G0087/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
 ],
 "synonyms": [
 "APT 39",
- "Chafer"
+ "Chafer",
+ "REMIX KITTEN"
 ]
 },
 "uuid": "c2c64bd3-a325-446f-91a8-b4c0f173a30b",
@@ -7075,7 +7093,8 @@
 "meta": {
 "refs": [
 "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/",
- "https://www.crowdstrike.com/blog/pinchy-spider-adopts-big-game-hunting/"
+ "https://www.crowdstrike.com/blog/pinchy-spider-adopts-big-game-hunting/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
 ]
 },
 "uuid": "80f07c15-cad3-44a2-a8a4-dd14490b5117",
@@ -7095,7 +7114,8 @@
 "description": "Beginning in January 2018 and persisting through the first half of the year, CrowdStrike Intelligence observed SALTY SPIDER, developer and operator of the long-running Sality botnet, distribute malware designed to target cryptocurrency users.",
 "meta": {
 "refs": [
- "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/"
+ "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
 ]
 },
 "uuid": "7e37be6b-5a94-45f3-bdeb-f494c520eee3",
@@ -7105,7 +7125,8 @@
 "description": "This adversary is suspected of continuing to target upstream providers (e.g., law firms and managed service providers) to support additional intrusions against high-profile assets. In 2018, CrowdStrike observed this adversary using spear-phishing, URL 'web bugs' and scheduled tasks to automate credential harvesting.",
 "meta": {
 "refs": [
- "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/"
+ "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
 ]
 },
 "uuid": "d7a41ada-6687-4a6b-8b5c-396808cdd758",
@@ -7115,7 +7136,8 @@
 "description": "One of the first observed adopters of the 8.t exploit document builder in late 2017, further KRYPTONITE PANDA activity was limited in 2018. Last known activity for this adversary occurred in June 2018 and involved suspected targeting of Cambodia.",
 "meta": {
 "refs": [
- "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/"
+ "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
 ]
 },
 "uuid": "393ebaad-4f05-4b35-bd31-45ac4ae7472d",
@@ -7370,7 +7392,11 @@
 "refs": [
 "https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/",
 "https://www.welivesecurity.com/2018/07/09/certificates-stolen-taiwanese-tech-companies-plead-malware-campaign/",
- "https://www.welivesecurity.com/2019/05/14/plead-malware-mitm-asus-webstorage/"
+ "https://www.welivesecurity.com/2019/05/14/plead-malware-mitm-asus-webstorage/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
+ ],
+ "synonyms": [
+ "CIRCUIT PANDA"
 ]
 },
 "uuid": "320c42f7-eab7-4ef9-b09a-74396caa6c3e",
@@ -7965,7 +7991,117 @@
 },
 "uuid": "87af83a4-ced4-4e7c-96a6-86612dc095b1",
 "value": "InvisiMole"
+ },
+ {
+ "description": "Publicly known as 'EmpireMonkey', ANTHROPOID SPIDER conducted phishing campaigns in February and March 2019, spoofing French, Norwegian and Belizean financial regulators and institutions. These campaigns used macro-enabled Microsoft documents to deliver the PowerShell Empire post-exploitation framework. ANTHROPOID SPIDER likely enabled a breach that allegedly involved fraudulent transfers over the SWIFT network.",
+ "meta": {
+ "refs": [
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
+ "https://www.kaspersky.com/about/press-releases/2019_fin7-hacking-group-targets-more-than-130-companies-after-leaders-arrest",
+ "https://fortiguard.com/encyclopedia/botnet/7630456"
+ ],
+ "synonyms": [
+ "Empire Monkey",
+ "CobaltGoblin"
+ ]
+ },
+ "uuid": "559a64d8-8657-4a93-9208-060d52efdec4",
+ "value": "ANTHROPOID SPIDER"
+ },
+ {
+ "description": "Opportunistic actor that installs custom root certificate on victim to support man-in-the-middle network monitoring.",
+ "meta": {
+ "refs": [
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
+ "https://na.eventscloud.com/file_uploads/6568237bca6dc156e5c5557c5989e97c_CrowdStrikeFal.Con2019_ThroughEyesOfAdversary_J.Ayers.pdf"
+ ]
+ },
+ "uuid": "2d2f3b53-c544-4823-a65f-da53ff8f594e",
+ "value": "CLOCKWORD SPIDER"
+ },
+ {
+ "description": "In June 2019, CrowdStrike Intelligence observed a source code fork of BitPaymer and began tracking the new ransomware strain as DoppelPaymer. Further technical analysis revealed an increasing divergence between two versions of Dridex, with the new version dubbed DoppelDridex. Based on this evidence, CrowdStrike Intelligence assessed with high confidence that a new group split off from INDRIK SPIDER to form the adversary DOPPEL SPIDER. Following DOPPEL SPIDER’s inception, CrowdStrike Intelligence observed multiple BGH incidents attributed to the group, with the largest known ransomware demand being 250 BTC. Other demands were not nearly as high, suggesting that the group conducts network reconnaissance to determine the value of the victim organization.",
+ "meta": {
+ "refs": [
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
+ ]
+ },
+ "uuid": "2154b183-c5c5-418f-8e47-f6e999b64e30",
+ "value": "DOPPEL SPIDER"
+ },
+ {
+ "description": "IMPERIAL KITTEN has maintained a consistent operational tempo since Q2 2019. Its operations primarily utilize recruitment- and job-themed infrastructure to deliver custom tooling.",
+ "meta": {
+ "refs": [
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
+ ]
+ },
+ "uuid": "937e1bc2-e1ab-4e5b-a697-0415c6070f46",
+ "value": "IMPERIAL KITTEN"
+ },
+ {
+ "description": "Spambots continued to decline in 2019, with MONTY SPIDER’s CraP2P spambot falling silent in April.",
+ "meta": {
+ "refs": [
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
+ ]
+ },
+ "uuid": "168a9e38-70e3-4542-b78f-afa2414436bb",
+ "value": "MONTY SPIDER"
+ },
+ {
+ "description": "NARWHAL SPIDER’s operation of Cutwail v2 was limited to country-specific spam campaigns, although late in 2019 there appeared to be an effort to expand by bringing in INDRIK SPIDER as a customer.",
+ "meta": {
+ "refs": [
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
+ ]
+ },
+ "uuid": "fda9cdea-0017-495e-879d-0f348db2aa07",
+ "value": "NARWHAL SPIDER"
+ },
+ {
+ "description": "Mentioned as MaaS operator in CrowdStrike's 2020 Report.",
+ "meta": {
+ "refs": [
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
+ ]
+ },
+ "uuid": "c042c592-25f6-4887-8a1b-6b8e3bfdcf0c",
+ "value": "NOCTURNAL SPIDER"
+ },
+ {
+ "description": "Mentioned as operator of DanaBot in CrowdStrike's 2020 Report.",
+ "meta": {
+ "refs": [
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
+ ]
+ },
+ "uuid": "7fb1662e-0257-4606-b3a2-bf294c64c098",
+ "value": "SCULLY SPIDER"
+ },
+ {
+ "description": "Mentioned as operator of SmokeLoader in CrowdStrike's 2020 Report.",
+ "meta": {
+ "refs": [
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
+ ]
+ },
+ "uuid": "e27796eb-624a-4e41-aa40-52d47c764b07",
+ "value": "SMOKY SPIDER"
+ },
+ {
+ "description": "VENOM SPIDER is the developer of a large toolset that includes SKID, VenomKit and Taurus Loader. Under the moniker 'badbullzvenom', the adversary has been an active member of Russian underground forums since at least 2012, specializing in the identification of vulnerabilities and the subsequent development of tools for exploitation, as well as for gaining and maintaining access to victim machines and carding services. Recent advertisements for the malware indicate that VENOM SPIDER limits the sale and use of its tools, selling modules only to trusted affiliates. This preference can be seen in the fact that adversaries observed using the tools include the targeted criminal adversary COBALT SPIDER and BGH adversaries WIZARD SPIDER and PINCHY SPIDER.",
+ "meta": {
+ "refs": [
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
+ ],
+ "synonyms": [
+ "badbullzvenom"
+ ]
+ },
+ "uuid": "86b4e2f3-8bbf-48fd-9d27-034d3ac3b187",
+ "value": "VENOM SPIDER"
 }
 ],
- "version": 155
+ "version": 156
 }
From 184f193342f04ec32b1905bcd1c044ca218bb722 Mon Sep 17 00:00:00 2001
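Review bot: The new cluster value `"CLOCKWORD SPIDER"` in the hunk at -7965 looks like a misspelling of the CrowdStrike name CLOCKWORK SPIDER; a mistyped `value` is awkward to correct once consumers key on it, so it should be checked against the cited report before merge. Three of the other new objects (`NOCTURNAL SPIDER`, `SCULLY SPIDER`, `SMOKY SPIDER`) carry only a one-line `"Mentioned as … in CrowdStrike's 2020 Report."` description, and none of the ten new objects sets `"country"` or `"attribution-confidence"`, which the existing clusters touched by this commit do; where the report states an assessed origin those fields could be filled from the same source rather than deferred. All ten `refs` lists cite the same Marketo-hosted PDF (go.crowdstrike.com/rs/…), a link style that tends to rot, so a second, stable reference per entry (vendor blog or MITRE group page where one exists) would keep the provenance reachable. The hunk also adds an `IMPERIAL KITTEN` object that PATCH 2/3 folds into Tortoiseshell, so that duplicate is not raised here.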
From: "Daniel Plohmann (jupiter)"
Date: Wed, 4 Mar 2020 19:39:14 +0100
Subject: [PATCH 2/3] IMPERIAL KITTEN as alias for Tortoiseshell
---
 clusters/threat-actor.json | 17 +++++------------
 1 file changed, 5 insertions(+), 12 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 5c7ad12..79b13cc 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -4768,7 +4768,6 @@
 "uuid": "4d9f68ba-cb2b-40bf-ba4b-6a5a9f2e1cf8",
 "value": "Cyber Berkut"
 },
- {
 {
 "meta": {
 "attribution-confidence": "50",
@@ -7761,7 +7760,11 @@
 "description": "A previously undocumented attack group is using both custom and off-the-shelf malware to target IT providers in Saudi Arabia in what appear to be supply chain attacks with the end goal of compromising the IT providers’ customers.\nThe group, which we are calling Tortoiseshell, has been active since at least July 2018. Symantec has identified a total of 11 organizations hit by the group, the majority of which are based in Saudi Arabia. In at least two organizations, evidence suggests that the attackers gained domain admin-level access.",
 "meta": {
 "refs": [
- "https://www.symantec.com/blogs/threat-intelligence/tortoiseshell-apt-supply-chain"
+ "https://www.symantec.com/blogs/threat-intelligence/tortoiseshell-apt-supply-chain",
+ "https://www.darkreading.com/threat-intelligence/iranian-government-hackers-target-us-veterans/d/d-id/1335897"
+ ],
+ "synonyms": [
+ "IMPERIAL KITTEN"
 ]
 },
 "uuid": "5f108484-db7f-11e9-aaa4-fb0176425734",
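Review bot: The `refs` list in the hunk at -7761 gains the Dark Reading article but not `"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"`, which was the only source cited by the IMPERIAL KITTEN object this commit removes and is therefore the provenance of the synonym the hunk adds; without it a reader cannot trace where the alias came from. Adding that URL after the Dark Reading line keeps the evidence next to the claim. The merge also drops uuid `937e1bc2-e1ab-4e5b-a697-0415c6070f46`; as far as this series shows it was introduced only in PATCH 1/3 and never published, so nothing external should reference it, but that is worth confirming. The Tortoiseshell object begins before the hunk.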
@@ -8029,16 +8032,6 @@
 "uuid": "2154b183-c5c5-418f-8e47-f6e999b64e30",
 "value": "DOPPEL SPIDER"
 },
- {
- "description": "IMPERIAL KITTEN has maintained a consistent operational tempo since Q2 2019. Its operations primarily utilize recruitment- and job-themed infrastructure to deliver custom tooling.",
- "meta": {
- "refs": [
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
- ]
- },
- "uuid": "937e1bc2-e1ab-4e5b-a697-0415c6070f46",
- "value": "IMPERIAL KITTEN"
- },
 {
 "description": "Spambots continued to decline in 2019, with MONTY SPIDER’s CraP2P spambot falling silent in April.",
 "meta": {
From 0c2b0b76eb06398be1f1ba88e0a46ede05b015ae Mon Sep 17 00:00:00 2001
From: "Daniel Plohmann (jupiter)"
Date: Wed, 4 Mar 2020 21:09:06 +0100
Subject: [PATCH 3/3] while we are at it, we can also do Longhorn = APT-C-39
---
 clusters/threat-actor.json | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 79b13cc..c079d45 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -4425,11 +4425,13 @@
 "refs": [
 "https://www.symantec.com/connect/blogs/longhorn-tools-used-cyberespionage-group-linked-vault-7",
 "https://www.bleepingcomputer.com/news/security/longhorn-cyber-espionage-group-is-actually-the-cia/",
- "https://www.cfr.org/interactive/cyber-operations/longhorn"
+ "https://www.cfr.org/interactive/cyber-operations/longhorn",
+ "http://blogs.360.cn/post/APT-C-39_CIA_EN.html"
 ],
 "synonyms": [
 "Lamberts",
- "the Lamberts"
+ "the Lamberts",
+ "APT-C-39"
 ]
 },
 "related": [