From 5994fa4160a03eba5bc1ac5da0d19d7c673b9c6c Mon Sep 17 00:00:00 2001 From: Mathieu Beligon Date: Thu, 29 Sep 2022 14:39:42 -0700 Subject: [PATCH] [threat-actors] Fix Volatile Cedar and Dancing Salome conflicts --- clusters/threat-actor.json | 36 ++++++++++++++++++++++++++---------- 1 file changed, 26 insertions(+), 10 deletions(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 37727b0..25663df 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -3604,34 +3604,50 @@ "value": "OilRig" }, { - "description": "Beginning in late 2012, a carefully orchestrated attack campaign we call Volatile Cedar has been targeting individuals, companies and institutions worldwide. This campaign, led by a persistent attacker group, has successfully penetrated a large number of targets using various attack techniques, and specifically, a custom-made malware implant codenamed Explosive .", + "description": "Beginning in late 2012, a carefully orchestrated attack campaign we call Volatile Cedar has been targeting individuals, companies and institutions worldwide. This campaign, led by a persistent attacker group, has successfully penetrated a large number of targets using various attack techniques, and specifically, a custom-made malware implant codenamed Explosive.", "meta": { + "country": "LB", "refs": [ "https://blog.checkpoint.com/2015/03/31/volatilecedar/", "https://blog.checkpoint.com/2015/06/09/new-data-volatile-cedar/", "https://securelist.com/sinkholing-volatile-cedar-dga-infrastructure/69421/", - "https://www.clearskysec.com/wp-content/uploads/2021/01/Lebanese-Cedar-APT.pdf" + "https://www.clearskysec.com/wp-content/uploads/2021/01/Lebanese-Cedar-APT.pdf", + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2015/03/20082004/volatile-cedar-technical-report.pdf" + ], + "suspected-victims": [ + "Middle East", + "Israel", + "Lebanon", + "Saudi Arabia" ], "synonyms": [ - "Reuse team", - "Malware reusers", - "Dancing Salome", "Lebanese Cedar" ] }, + "related": [ + { + "dest-uuid": "0155c3b1-8c7c-4176-aeda-68678dd99992", + "tags": [ + "estimative-language:likelihood-probability=\"very-likely\"" + ], + "type": "uses" + } + ], "uuid": "cf421ce6-ddfe-419a-bc65-6a9fc953232a", "value": "Volatile Cedar" }, { - "description": "Threat Group conducting cyber espionage while re-using tools from other teams; like those of Hacking Team, and vmprotect to obfuscate.", + "description": "Dancing Salome is the Kaspersky codename for an APT actor with a primary focus on ministries of foreign affairs, think tanks, and Ukraine. What makes Dancing Salome interesting and relevant is the attacker’s penchant for leveraging HackingTeam RCS implants compiled after the public breach.", "meta": { - "synonyms": [ - "Reuse team", - "Dancing Salome" + "refs": [ + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07170728/Guerrero-Saade-Raiu-VB2017.pdf" + ], + "suspected-victims": [ + "Ukraine" ] }, "uuid": "3d5192f2-f235-46fd-aa68-dd00cc17d632", - "value": "Malware reusers" + "value": "Dancing Salome" }, { "description": "Microsoft Threat Intelligence identified similarities between this recent attack and previous 2012 attacks against tens of thousands of computers belonging to organizations in the energy sector. Microsoft Threat Intelligence refers to the activity group behind these attacks as TERBIUM, following our internal practice of assigning rogue actors chemical element names.",