From 6fe19ac915e575e9a93e70d433f100e66737939c Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Tue, 21 May 2024 06:56:41 -0700
Subject: [PATCH 1/6] [threat-actors] Add PhantomCore

---
 clusters/threat-actor.json | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 2d5e637..7785cbd 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -15945,6 +15945,16 @@
 },
 "uuid": "19ddf2b0-9cfb-430f-8919-49205cbec863",
 "value": "Water Orthrus"
+ },
+ {
+ "description": "PhantomCore is a threat actor group known for using a remote access malware called PhantomRAT. They have been observed executing malicious code through specially crafted RAR archives, different from previous attacks exploiting vulnerabilities. The attribution of their campaign to Ukraine is uncertain due to limited visibility inside Russian networks. PhantomCore's use of RAR archives in their attack chain has been previously observed in other threat actor groups like Forest Blizzard.",
+ "meta": {
+ "refs": [
+ "https://therecord.media/russian-researchers-winrar-bug-ukraine-espionage"
+ ]
+ },
+ "uuid": "485947c7-edb6-4a07-9276-2114dc767551",
+ "value": "PhantomCore"
 }
 ],
 "version": 308

From 754a9b08f891d13de0ff4bb1d90f774fa8122068 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Tue, 21 May 2024 06:56:41 -0700
Subject: [PATCH 2/6] [threat-actors] Add CiberInteligenciaSV

---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 7785cbd..70ae18d 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
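Review bot: The new PhantomCore description is ambiguous about the delivery mechanism: it states the crafted RAR archives are "different from previous attacks exploiting vulnerabilities", while the only reference's slug (`russian-researchers-winrar-bug-ukraine-espionage`) points at a WinRAR bug, so a reader cannot tell whether the archives exploit an archiver flaw or simply rely on the victim opening them. Rewrite that sentence to say only what the source supports, e.g. `They have been observed delivering PhantomRAT through specially crafted RAR archives.`, and add a separate sentence on the WinRAR angle only if the reference confirms it. The comparison with Forest Blizzard would be more useful to consumers as a `related` entry pointing at the existing Forest Blizzard cluster's uuid than as free text, and leaving `country` unset is consistent with the description calling attribution uncertain. Please also confirm the new uuid does not collide with an existing cluster entry, since uuids are the only stable key MISP instances correlate on.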
@@ -15955,6 +15955,17 @@
 },
 "uuid": "485947c7-edb6-4a07-9276-2114dc767551",
 "value": "PhantomCore"
+ },
+ {
+ "description": "CiberInteligenciaSV is a threat actor that leaked 5.1 million Salvadoran records on Breach Forums. They have also compromised El Salvador's state Bitcoin wallet, Chivo, leaking its source code and VPN credentials. The group aims to obscure their involvement by associating with the Guacamaya group and its proxies.",
+ "meta": {
+ "refs": [
+ "https://securityaffairs.com/162790/data-breach/el-salvador-massive-leak-biometric-data.html",
+ "https://www.cysecurity.news/2024/04/cryptocurrency-chaos-el-salvadors.html"
+ ]
+ },
+ "uuid": "0558bc64-21d9-43e4-8b12-18172d9b5c7d",
+ "value": "CiberInteligenciaSV"
 }
 ],
 "version": 308

From e17f2eda0c7e7bf84e4b84ab3f94633299f646a0 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Tue, 21 May 2024 06:56:41 -0700
Subject: [PATCH 3/6] [threat-actors] Add Void Manticore

---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 70ae18d..b6062de 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
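Review bot: The trailing context line shows the galaxy's `"version": 308` left untouched while a new cluster entry is added, and the same is true of the other two addition hunks in this series; MISP instances decide whether to re-import a galaxy from that field, so unless a later commit bumps it, the new actors will not propagate to installations that already hold version 308. Bump it once for the series, e.g. `"version": 309`. Separately, the last sentence of the description (`The group aims to obscure their involvement by associating with the Guacamaya group and its proxies.`) is stated as fact although it is an inference about intent; hedging it to `reportedly attempts to obscure ...` keeps the cluster text defensible against the cited reporting.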
@@ -15966,6 +15966,17 @@
 },
 "uuid": "0558bc64-21d9-43e4-8b12-18172d9b5c7d",
 "value": "CiberInteligenciaSV"
+ },
+ {
+ "description": "Void Manticore is an Iranian APT group affiliated with MOIS, known for conducting destructive wiping attacks and influence operations. They collaborate with Scarred Manticore, sharing targets and conducting disruptive operations using custom wipers. Void Manticore's TTPs involve manual file deletion, lateral movement via RDP, and the deployment of custom wipers like the BiBi wiper. The group utilizes online personas like 'Karma' and 'Homeland Justice' to leak information and amplify the impact of their attacks.",
+ "meta": {
+ "country": "IR",
+ "refs": [
+ "https://research.checkpoint.com/2024/bad-karma-no-justice-void-manticore-destructive-activities-in-israel/"
+ ]
+ },
+ "uuid": "53ac2695-35ba-4ab2-a5cd-48ca533f1b72",
+ "value": "Void Manticore"
 }
 ],
 "version": 308

From d172320fad5de3fd5f567243796c1d5c3a9b369b Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Tue, 21 May 2024 06:56:42 -0700
Subject: [PATCH 4/6] [threat-actors] Add Kimsuky aliases

---
 clusters/threat-actor.json | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index b6062de..278e80a 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
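Review bot: The description names three other tracked entities — Scarred Manticore as a collaborator and 'Karma' / 'Homeland Justice' as the personas used for leaks — but the entry carries no `related` links and no `synonyms`, so a search or correlation on "Homeland Justice" will not reach this cluster. If those names already exist as clusters in this galaxy, add `related` entries with their uuids and a `dest-uuid`/`type` of the usual `similar` form; if they do not, listing the personas under `"synonyms": ["Karma", "Homeland Justice"]` is the minimum that makes the entry discoverable by the names the activity is publicly reported under. Setting `"country": "IR"` is consistent with the description's MOIS affiliation, so no change there.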
@@ -5675,7 +5675,8 @@
 "https://asec.ahnlab.com/en/61082/",
 "https://www.rewterz.com/rewterz-news/rewterz-threat-alert-north-korean-apt-kimsuky-aka-black-banshee-active-iocs-29/",
 "https://www.sentinelone.com/labs/a-glimpse-into-future-scarcruft-campaigns-attackers-gather-strategic-intelligence-and-target-cybersecurity-professionals/",
- "https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html"
+ "https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html",
+ "https://ctoatncsc.substack.com/p/cto-at-ncsc-summary-week-ending-may-16b"
 ],
 "synonyms": [
 "Velvet Chollima",
@@ -5685,7 +5686,8 @@
 "G0086",
 "APT43",
 "Emerald Sleet",
- "THALLIUM"
+ "THALLIUM",
+ "Springtail"
 ],
 "targeted-sector": [
 "Research - Innovation",

From e97ecd46b0810fdbf7b19c98008a22f615ee14cd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mathieu=20B=C3=A9ligon?=
Date: Tue, 21 May 2024 19:23:04 +0200
Subject: [PATCH 5/6] Add phantomcore reference

Co-authored-by: Rony <49360849+r0ny123@users.noreply.github.com>
---
 clusters/threat-actor.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 278e80a..cd41dc9 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -15952,7 +15952,8 @@
 "description": "PhantomCore is a threat actor group known for using a remote access malware called PhantomRAT. They have been observed executing malicious code through specially crafted RAR archives, different from previous attacks exploiting vulnerabilities. The attribution of their campaign to Ukraine is uncertain due to limited visibility inside Russian networks. PhantomCore's use of RAR archives in their attack chain has been previously observed in other threat actor groups like Forest Blizzard.",
 "meta": {
 "refs": [
- "https://therecord.media/russian-researchers-winrar-bug-ukraine-espionage"
+ "https://therecord.media/russian-researchers-winrar-bug-ukraine-espionage",
+ "https://www.facct.ru/blog/phantomdl-loader"
 ]
 },
 "uuid": "485947c7-edb6-4a07-9276-2114dc767551",

From 32b9051873ca5dc32885d75bfe4f55f96032e45d Mon Sep 17 00:00:00 2001
From: Mathieu Beligon
Date: Tue, 21 May 2024 19:29:26 +0200
Subject: [PATCH 6/6] [threat actors] fix merge

---
 clusters/threat-actor.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 401c2db..a2ba1b3 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -5676,7 +5676,7 @@
 "https://www.rewterz.com/rewterz-news/rewterz-threat-alert-north-korean-apt-kimsuky-aka-black-banshee-active-iocs-29/",
 "https://www.sentinelone.com/labs/a-glimpse-into-future-scarcruft-campaigns-attackers-gather-strategic-intelligence-and-target-cybersecurity-professionals/",
 "https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html",
- "https://ctoatncsc.substack.com/p/cto-at-ncsc-summary-week-ending-may-16b"
+ "https://ctoatncsc.substack.com/p/cto-at-ncsc-summary-week-ending-may-16b",
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/springtail-kimsuky-backdoor-espionage"
 ],
 "synonyms": [
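Review bot: The added reference's slug (`facct.ru/blog/phantomdl-loader`) points to vendor reporting on a loader component, yet the unchanged description line in this hunk still only mentions PhantomRAT and crafted RAR archives; if the F.A.C.C.T. write-up is the primary source for this actor, the description should reflect what it documents rather than just gaining a link. Once checked against that post, a sentence such as `The intrusion chain is reported to start with a loader tracked as PhantomDL that retrieves PhantomRAT.` would make the ref and the text agree — I am inferring the loader's role from the slug only, so confirm before wording it. The enclosing cluster entry starts before this hunk.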
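Review bot: The removed line shows that the merge left `"...week-ending-may-16b"` without a trailing comma directly before the `symantec-enterprise-blogs...` element, i.e. `clusters/threat-actor.json` was invalid JSON at the previous commit and only this follow-up restores it; every MISP instance pulling the galaxy in between would have failed to load the whole threat-actor cluster, not just the Kimsuky entry. A syntax gate before merge would have caught this: a pre-commit or CI step running `jq empty clusters/threat-actor.json` (or `python -m json.tool` on the file) fails on exactly this error. The fix itself is correct as far as the hunk shows; the enclosing Kimsuky `refs`/`synonyms` arrays continue outside it, so the duplicate-ref check for the two Kimsuky hunks in this series has to be done against the full entry.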