From f53a92065c55486f292144bf685e0421cb5ccd58 Mon Sep 17 00:00:00 2001
From: StefanKelm
Date: Thu, 16 Jan 2020 16:46:38 +0100
Subject: [PATCH 01/10] Update ransomware.json 5ss5c
---
 clusters/ransomware.json | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index 0cfdb14..c591c68 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -13619,7 +13619,22 @@
 },
 "uuid": "21b349c3-ede2-4e11-abda-1444eb272eff",
 "value": "Clop"
+ },
+ {
+ "description": "The cybercrime group that brought us Satan, DBGer and Lucky ransomware and perhaps Iron ransomware, has now come up with a new version or rebranding named 5ss5c. [...] It will however only encrypt files with the following extensions: 7z, bak, cer, csv, db, dbf, dmp, docx, eps, ldf, mdb, mdf, myd, myi, ora, pdf, pem, pfx, ppt, pptx, psd, rar, rtf, sql, tar, txt, vdi, vmdk, vmx, xls, xlsx, zip",
+ "ransomnotes-filenames": [
+ "_如何解密我的文件_.txt"
+ ],
+ "ransomnotes-refs": [
+ "https://1.bp.blogspot.com/-T0B4txHlNHs/Xh4-raVFVtI/AAAAAAAACTE/R-YoW8QHFLsuD140AF9vD-_rOifULExUgCLcBGAsYHQ/s1600/note.PNG"
+ ],
+ "refs": [
+ "https://bartblaze.blogspot.com/2020/01/satan-ransomware-rebrands-as-5ss5c.html"
+ ]
+ },
+ "uuid": "8ac9fc73-05db-4be8-8f46-33bbd6b3502b",
+ "value": "5ss5c Ransomware"
 }
 ],
- "version": 76
+ "version": 77
 }
From 027d94e68a44b556b335bd43c3360b2da2d53617 Mon Sep 17 00:00:00 2001
From: StefanKelm
Date: Thu, 16 Jan 2020 16:59:22 +0100
Subject: [PATCH 02/10] Update ransomware.json
---
 clusters/ransomware.json | 1 +
 1 file changed, 1 insertion(+)
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index c591c68..a5098b1 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
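Review bot: The 5ss5c cluster as added here is not well-formed JSON: `ransomnotes-filenames`, `ransomnotes-refs` and `refs` are placed directly on the cluster object instead of inside a `meta` object, so the `},` that follows the `refs` array closes the cluster early and leaves `"uuid"` and `"value"` dangling in the enclosing array. The next commit in this series inserts the missing `"meta": {` line, which restores the brace balance, but running the file through a strict parser (for example `jq . clusters/ransomware.json`) before committing would have caught this at the first commit. The `ransomnotes-refs` entry is a Blogspot image URL rather than the note text; keeping the filename in `ransomnotes-filenames` is fine, but a screenshot link is a weak reference for the note content and will rot with the hosting account.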
@@ -13622,6 +13622,7 @@
 },
 {
 "description": "The cybercrime group that brought us Satan, DBGer and Lucky ransomware and perhaps Iron ransomware, has now come up with a new version or rebranding named 5ss5c. [...] It will however only encrypt files with the following extensions: 7z, bak, cer, csv, db, dbf, dmp, docx, eps, ldf, mdb, mdf, myd, myi, ora, pdf, pem, pfx, ppt, pptx, psd, rar, rtf, sql, tar, txt, vdi, vmdk, vmx, xls, xlsx, zip",
+ "meta": {
 "ransomnotes-filenames": [
 "_如何解密我的文件_.txt"
 ],
From 8eeceafc515814d2214862e6f95a6a5c42e3f2cb Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Sat, 18 Jan 2020 17:02:44 +0100
Subject: [PATCH 03/10] chg: [threat-actor] Budminer APT added based on document from "Soesanto, Stefan"
Ref: https://www.research-collection.ethz.ch/bitstream/handle/20.500.11850/389371/1/Cyber-Reports-2020-01-A-one-sided-Affair.pdf
Ref: https://www.symantec.com/connect/blogs/taiwan-targeted-new-cyberespionage-back-door-trojan
---
 clusters/threat-actor.json | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 415303e..b2e3342 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -7872,7 +7872,19 @@
 },
 "uuid": "c4ce1174-9462-47e9-8038-794f40a184b3",
 "value": "SideWinder"
+ },
+ {
+ "description": "Based on the evidence we have presented Symantec attributed the activity involving theDripion malware to the Budminer advanced threat group. While we have not seen newcampaigns using Taidoor malware since 2014, we believe the Budminer group has changedtactics to avoid detection after being outed publicly in security white papers and blogs over thepast few years.",
+ "value": "Budminer",
+ "meta": [
+ "https://www.symantec.com/connect/blogs/taiwan-targeted-new-cyberespionage-back-door-trojan",
+ "https://app.box.com/s/xqh458fe1url7mgl072hhd0yxqw3x0jm",
+ "https://www.research-collection.ethz.ch/bitstream/handle/20.500.11850/389371/1/Cyber-Reports-2020-01-A-one-sided-Affair.pdf"
+ ],
+ "synonyms": "Budminer cyberespionage group",
+ "suspected-victims": "Taiwan",
+ "country": "CN"
 }
 ],
- "version": 149
+ "version": 150
 }
From 34c5c6627947a2383daecf3738135773ff93f564 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Sat, 18 Jan 2020 17:08:32 +0100
Subject: [PATCH 04/10] chg: [threat-actor] fix order
---
 clusters/threat-actor.json | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index b2e3342..55dc4c5 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
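Review bot: The Budminer description carries PDF copy-paste artefacts — `theDripion`, `newcampaigns`, `changedtactics` and `thepast` have lost their word breaks — and none of the follow-up commits in this series (patches 04, 05 and 06 rework the same object) touch that line, so the garbled text is what ships. Suggested replacement for the description value: `"Based on the evidence we have presented Symantec attributed the activity involving the Dripion malware to the Budminer advanced threat group. While we have not seen new campaigns using Taidoor malware since 2014, we believe the Budminer group has changed tactics to avoid detection after being outed publicly in security white papers and blogs over the past few years."`. The text is a verbatim quote from the Symantec post rather than the curator's own summary, so marking it as a quotation or attributing it inline would make the provenance clear. The structural problems in this hunk (`meta` as a bare array of URLs, scalar `synonyms`, missing `uuid`, `country` outside `meta`) are fixed by the later commits and are not repeated here.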
@@ -7874,16 +7874,17 @@
 "value": "SideWinder"
 },
 {
+ "country": "CN",
 "description": "Based on the evidence we have presented Symantec attributed the activity involving theDripion malware to the Budminer advanced threat group. While we have not seen newcampaigns using Taidoor malware since 2014, we believe the Budminer group has changedtactics to avoid detection after being outed publicly in security white papers and blogs over thepast few years.",
- "value": "Budminer",
 "meta": [
 "https://www.symantec.com/connect/blogs/taiwan-targeted-new-cyberespionage-back-door-trojan",
 "https://app.box.com/s/xqh458fe1url7mgl072hhd0yxqw3x0jm",
 "https://www.research-collection.ethz.ch/bitstream/handle/20.500.11850/389371/1/Cyber-Reports-2020-01-A-one-sided-Affair.pdf"
 ],
- "synonyms": "Budminer cyberespionage group",
 "suspected-victims": "Taiwan",
- "country": "CN"
+ "synonyms": "Budminer cyberespionage group",
+ "uuid": "2eb0dc7a-cef6-4744-92ac-2fe269dacb95",
+ "value": "Budminer"
 }
 ],
 "version": 150
From 564f27c5cae849973e3b7bd2f3776ed23669dadf Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Sat, 18 Jan 2020 17:26:45 +0100
Subject: [PATCH 05/10] chg: [threat-actor] format fixed
---
 clusters/threat-actor.json | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 55dc4c5..aee9134 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -7874,15 +7874,17 @@
 "value": "SideWinder"
 },
 {
- "country": "CN",
 "description": "Based on the evidence we have presented Symantec attributed the activity involving theDripion malware to the Budminer advanced threat group. While we have not seen newcampaigns using Taidoor malware since 2014, we believe the Budminer group has changedtactics to avoid detection after being outed publicly in security white papers and blogs over thepast few years.",
- "meta": [
- "https://www.symantec.com/connect/blogs/taiwan-targeted-new-cyberespionage-back-door-trojan",
- "https://app.box.com/s/xqh458fe1url7mgl072hhd0yxqw3x0jm",
- "https://www.research-collection.ethz.ch/bitstream/handle/20.500.11850/389371/1/Cyber-Reports-2020-01-A-one-sided-Affair.pdf"
- ],
- "suspected-victims": "Taiwan",
- "synonyms": "Budminer cyberespionage group",
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "https://www.symantec.com/connect/blogs/taiwan-targeted-new-cyberespionage-back-door-trojan",
+ "https://app.box.com/s/xqh458fe1url7mgl072hhd0yxqw3x0jm",
+ "https://www.research-collection.ethz.ch/bitstream/handle/20.500.11850/389371/1/Cyber-Reports-2020-01-A-one-sided-Affair.pdf"
+ ],
+ "suspected-victims": "Taiwan",
+ "synonyms": "Budminer cyberespionage group"
+ },
 "uuid": "2eb0dc7a-cef6-4744-92ac-2fe269dacb95",
 "value": "Budminer"
 }
From dbaab413b6b4680ae458a7d7a8ac6e1917fcc357 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Sat, 18 Jan 2020 17:30:27 +0100
Subject: [PATCH 06/10] chg: [threat-actor] typo fixed
---
 clusters/threat-actor.json | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index aee9134..10d1de8 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -7883,7 +7883,9 @@
 "https://www.research-collection.ethz.ch/bitstream/handle/20.500.11850/389371/1/Cyber-Reports-2020-01-A-one-sided-Affair.pdf"
 ],
 "suspected-victims": "Taiwan",
- "synonyms": "Budminer cyberespionage group"
+ "synonyms": [
+ "Budminer cyberespionage group"
+ ]
 },
 "uuid": "2eb0dc7a-cef6-4744-92ac-2fe269dacb95",
 "value": "Budminer"
From 29a128da6fb179ed59b4126f363890ad6d9c3b4e Mon Sep 17 00:00:00 2001
From: Daniel Plohmann
Date: Wed, 22 Jan 2020 15:42:01 +0100
Subject: [PATCH 07/10] adding references and TEMP.MixMaster as alias for WIZARD SPIDER with kudos to @tbarabosch
---
 clusters/threat-actor.json | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 10d1de8..fdca75f 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
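Review bot: `suspected-victims` is left as the scalar `"Taiwan"` on the context line directly above the changed lines, while `synonyms` is converted from a scalar to an array in the same object. The key name is plural and the other list-valued keys in these files are arrays, so if the galaxy schema treats `suspected-victims` as a list as well, it should become `"suspected-victims": [ "Taiwan" ]` in this same change so the entry validates; please confirm against the schema. The enclosing Budminer object starts outside this hunk.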
@@ -6959,9 +6959,16 @@
 "description": "Wizard Spider is reportedly associated with Grim Spider and Lunar Spider.\nThe WIZARD SPIDER threat group is the Russia-based operator of the TrickBot banking malware. This group represents a growing criminal enterprise of which GRIM SPIDER appears to be a subset. The LUNAR SPIDER threat group is the Eastern European-based operator and developer of the commodity banking malware called BokBot (aka IcedID), which was first observed in April 2017. The BokBot malware provides LUNAR SPIDER affiliates with a variety of capabilities to enable credential theft and wire fraud, through the use of webinjects and a malware distribution function.\nGRIM SPIDER is a sophisticated eCrime group that has been operating the Ryuk ransomware since August 2018, targeting large organizations for a high-ransom return. This methodology, known as “big game hunting,” signals a shift in operations for WIZARD SPIDER, a criminal enterprise of which GRIM SPIDER appears to be a cell. 
The WIZARD SPIDER threat group, known as the Russia-based operator of the TrickBot banking malware, had focused primarily on wire fraud in the past.",
 "meta": {
 "refs": [
+ "https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/",
 "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/",
 "https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/",
- "https://www.crowdstrike.com/blog/wizard-spider-lunar-spider-shared-proxy-module/"
+ "https://www.crowdstrike.com/blog/wizard-spider-lunar-spider-shared-proxy-module/",
+ "https://www.crowdstrike.com/blog/wizard-spider-adds-new-feature-to-ryuk-ransomware/",
+ "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware",
+ "https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html"
+ ],
+ "synonyms": [
+ "TEMP.MixMaster"
 ]
 },
 "uuid": "bdf4fe4f-af8a-495f-a719-cf175cecda1f",
@@ -7891,5 +7898,5 @@
 "value": "Budminer"
 }
 ],
- "version": 150
+ "version": 151
 }
From ccfe5ee1305ee7383d1033c1620b0af44be2816d Mon Sep 17 00:00:00 2001
From: Daniel Plohmann
Date: Thu, 23 Jan 2020 11:14:20 +0100
Subject: [PATCH 08/10] removing and fixing deadlinks in the best possible way
Hi! While migrating Malpedia to our new reference data format, we noticed a few potentially dead/moved references in your cluster. This pull request should fix most of them, for some I was not able to find an appropriate replacement.
---
 clusters/threat-actor.json | 60 ++++++++++++++++----------------
 1 file changed, 25 insertions(+), 35 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index fdca75f..0f354e6 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -216,7 +216,7 @@
 "attribution-confidence": "50",
 "country": "CN",
 "refs": [
- "https://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM.pdf"
+ "https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1492182276.pdf"
 ]
 },
 "uuid": "41c15f08-a646-49f7-a644-1bebbf7a4dcd",
@@ -506,7 +506,7 @@
 "http://www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html",
 "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/hidden_lynx.pdf",
 "https://www.cfr.org/interactive/cyber-operations/apt-17",
- "https://blog.bit9.com/2013/02/08/bit9-and-our-customers-security/",
+ "https://www.carbonblack.com/2013/02/08/bit9-and-our-customers-security/",
 "https://www.symantec.com/connect/blogs/security-vendors-take-action-against-hidden-lynx-malware",
 "https://www.symantec.com/connect/blogs/hidden-lynx-professional-hackers-hire",
 "https://www.recordedfuture.com/hidden-lynx-analysis/"
@@ -659,7 +659,7 @@
 "https://www.microsoft.com/security/blog/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/",
 "https://www.cfr.org/interactive/cyber-operations/axiom",
 "https://securelist.com/games-are-over/70991/",
- "https://blog.vsec.com.vn/apt/initial-winnti-analysis-against-vietnam-game-company.html",
+ "https://vsec.com.vn/en/blogen/initial-winnti-analysis-against-vietnam-game-company.html",
 "https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a",
 "https://www.dw.com/en/thyssenkrupp-victim-of-cyber-attack/a-36695341",
 "https://www.bleepingcomputer.com/news/security/teamviewer-confirms-undisclosed-breach-from-2016/",
@@ -834,7 +834,7 @@
 "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/bkdr_rarstone-new-rat-to-watch-out-for/",
 "https://securelist.com/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back/69567/",
- "https://threatconnect.com/tag/naikon/",
+ "https://threatconnect.com/blog/tag/naikon/",
 "https://attack.mitre.org/groups/G0019/"
 ],
 "synonyms": [
@@ -2070,7 +2070,7 @@
 "https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-woolen-goldfish-when-kittens-go-phishing",
 "https://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-the-spy-kittens-are-back.pdf",
 "http://www.clearskysec.com/thamar-reservoir/",
- "https://citizenlab.org/2015/08/iran_two_factor_phishing/",
+ "https://citizenlab.ca/2015/08/iran_two_factor_phishing/",
 "https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf",
 "https://www.symantec.com/connect/blogs/shamoon-multi-staged-destructive-attacks-limited-specific-targets",
 "https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/",
@@ -2380,10 +2380,9 @@
 "https://www.wired.com/story/russian-fancy-bears-hackers-release-apparent-ioc-emails/",
 "https://www.symantec.com/blogs/election-security/apt28-espionage-military-government",
 "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/",
- "https://labsblog.f-secure.com/2015/09/08/sofacy-recycles-carberp-and-metasploit-code/",
 "https://unit42.paloaltonetworks.com/unit42-sofacy-attacks-multiple-government-entities/",
 "https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/",
- "https://www.msn.com/en-au/news/world/russia-tried-to-hack-mh17-inquiry-system/ar-BBmmuuT",
+ "https://www.msn.com/en-nz/news/world/russian-hackers-accused-of-targeting-un-chemical-weapons-watchdog-mh17-files/ar-BBNV2ny",
 "https://unit42.paloaltonetworks.com/unit42-new-sofacy-attacks-against-us-government-agency/",
 "https://unit42.paloaltonetworks.com/unit42-let-ride-sofacy-groups-dealerschoice-attacks-continue/",
 "https://www.welivesecurity.com/2018/09/27/lojax-first-uefi-rootkit-found-wild-courtesy-sednit-group/",
@@ -2647,7 +2646,6 @@
 "http://www.netresec.com/?page=Blog&month=2014-10&post=Full-Disclosure-of-Havex-Trojans",
 "https://threatpost.com/energy-watering-hole-attack-used-lightsout-exploit-kit/104772/",
 "https://www.cfr.org/interactive/cyber-operations/crouching-yeti",
- "https://ssu.gov.ua/sbu/control/uk/publish/article?art_id=170951&cat_i=39574",
 "https://www.reuters.com/article/us-ukraine-cyber-attack-energy-idUSKBN1521BA",
 "https://dragos.com/wp-content/uploads/CrashOverride-01.pdf",
 "https://www.independent.ie/irish-news/statesponsored-hackers-targeted-eirgrid-electricity-network-in-devious-attack-36005921.html",
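Review bot: Dead references are dropped outright in this hunk (the F-Secure Sofacy/Carberp post and the `ssu.gov.ua` article in `@@ -2647`) and likewise in `@@ -2811`, `@@ -3270`, `@@ -3998`, `@@ -4964`, `@@ -5439`, `@@ -5638` and `@@ -7237`, which removes the only trace of where those attribution claims came from. The same commit already uses a `https://web.archive.org/web/<timestamp>/<url>` form for the CrowdStrike Tunisian post in `@@ -3181`; applying that to each deleted link where a snapshot exists keeps the provenance while fixing the 404. Where no snapshot exists, listing the dropped sources in the commit message would let later curators re-find them instead of silently thinning the evidence behind the cluster. The MSN replacement in this hunk is also a different article (OPCW/MH17 files, 2018) than the one removed (MH17 inquiry hack, 2015), so it should be checked that it still supports the claim the original was cited for.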
@@ -2811,10 +2809,9 @@
 "motive": "Cybercrime",
 "refs": [
 "https://en.wikipedia.org/wiki/Carbanak",
- "https://securelist.com/files/2015/02/Carbanak_APT_eng.pdf",
+ "https://app.box.com/s/p7qzcury97tuwk26694uutujwqmwqyhe",
 "http://2014.zeronights.ru/assets/files/slides/ivanovb-zeronights.pdf",
 "https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks",
- "https://blog.cyber4sight.com/2017/04/similarities-between-carbanak-and-fin7-malware-suggest-actors-are-closely-related/",
 "https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor",
 "https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns",
 "https://www.crowdstrike.com/blog/arrests-put-new-focus-on-carbon-spider-adversary-group/",
@@ -3181,7 +3178,7 @@
 "attribution-confidence": "50",
 "country": "TN",
 "refs": [
- "https://www.crowdstrike.com/blog/regional-conflict-and-cyber-blowback/"
+ "https://web.archive.org/web/20160315044507/https://www.crowdstrike.com/blog/regional-conflict-and-cyber-blowback/"
 ],
 "synonyms": [
 "TunisianCyberArmy"
@@ -3270,7 +3267,6 @@
 "https://unit42.paloaltonetworks.com/unit42-projectm-link-found-between-pakistani-actor-and-operation-transparent-tribe",
 "https://mkd-cirt.mk/wp-content/uploads/2018/08/20181009_3_1_M-Trends2018-May-2018-compressed.pdf",
 "https://nciipc.gov.in/documents/NCIIPC_Newsletter_July18.pdf",
- "https://aisa.org.au//PDF/AISA%20Sydney%20-%20Dec2016.pdf",
 "https://cysinfo.com/cyber-attack-targeting-cbi-and-possibly-indian-army-officials",
 "https://s.tencent.com/research/report/669.html",
 "https://www.fireeye.com/blog/threat-research/2016/06/apt_group_sends_spea.html"
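Review bot: The Kaspersky Carbanak PDF is replaced with an `app.box.com/s/…` share link, as is the ASERT Seven-Pointed-Dagger brief in `@@ -5385`; the RSA Conference deck in `@@ -5345` goes to `docs.huihoo.com` and the iSIGHT round-up in `@@ -5539` to `en.hackdig.com`. These are third-party re-hosts whose owner and file integrity cannot be judged from the URL, and Box share links are revocable by the uploader, so as provenance they are weaker than the dead original; prefer the publisher's current location or a `web.archive.org` snapshot of the original URL, as this same commit does for the CrowdStrike link in `@@ -3181`. The same concern applies to the `app.box.com` link added for Budminer in patch 03 of this series. Note also that the identical dead iSIGHT URL is replaced by a 2018 FireEye Adobe zero-day post in `@@ -4937` but by hackdig in `@@ -5539`; the FireEye post covers a different event than a 2016 media round-up, so its relevance to that cluster should be confirmed before it stands in for the original.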
@@ -3312,7 +3308,7 @@
 "cfr-type-of-incident": "Espionage",
 "country": "AE",
 "refs": [
- "https://citizenlab.org/2016/05/stealth-falcon/",
+ "https://citizenlab.ca/2016/05/stealth-falcon/",
 "https://www.cfr.org/interactive/cyber-operations/stealth-falcon",
 "https://securelist.com/cve-2019-0797-zero-day-vulnerability/89885/",
 "https://attack.mitre.org/groups/G0038/"
@@ -3396,7 +3392,7 @@
 "country": "IN",
 "refs": [
 "http://www.symantec.com/connect/blogs/patchwork-cyberespionage-group-expands-targets-governments-wide-range-industries",
- "https://blogs.forcepoint.com/security-labs/monsoon-analysis-apt-campaign",
+ "https://www.forcepoint.com/blog/x-labs/monsoon-analysis-apt-campaign",
 "https://www.cymmetria.com/patchwork-targeted-attack/",
 "https://s3-us-west-2.amazonaws.com/cymmetria-blog/public/Unveiling_Patchwork.pdf",
 "https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/",
@@ -3495,7 +3491,7 @@
 "refs": [
 "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf",
 "https://attack.mitre.org/wiki/Groups",
- "https://blogs.forcepoint.com/security-labs/trojanized-adobe-installer-used-install-dragonok%E2%80%99s-new-custom-backdoor",
+ "https://www.forcepoint.com/de/blog/x-labs/trojanized-adobe-installer-used-install-dragonok-s-new-custom-backdoor",
 "http://www.morphick.com/resources/news/deep-dive-dragonok-rambo-backdoor",
 "https://www.cfr.org/interactive/cyber-operations/moafee",
 "https://unit42.paloaltonetworks.com/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/",
@@ -3836,7 +3832,7 @@
 "https://pan-unit42.github.io/playbook_viewer/",
 "https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html",
 "https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html",
- "https://cert.gov.il/Updates/Alerts/SiteAssets/CERT-IL-ALERT-W-120.pdf",
+ "https://www.gov.il/BlobFolder/reports/attack_il/he/CERT-IL-ALERT-W-120.pdf",
 "https://www.forbes.com/sites/thomasbrewster/2017/02/15/oilrig-iran-hackers-cyberespionage-us-turkey-saudi-arabia/#56749aa2468a",
 "https://raw.githubusercontent.com/pan-unit42/playbook_viewer/master/playbook_json/oilrig.json",
 "https://www.cfr.org/interactive/cyber-operations/oilrig",
@@ -3944,7 +3940,7 @@
 "description": "Beginning in late 2012, a carefully orchestrated attack campaign we call Volatile Cedar has been targeting individuals, companies and institutions worldwide. This campaign, led by a persistent attacker group, has successfully penetrated a large number of targets using various attack techniques, and specifically, a custom-made malware implant codenamed Explosive .",
 "meta": {
 "refs": [
- "https://www.checkpoint.com/downloads/volatile-cedar-technical-report.pdf",
+ "https://blog.checkpoint.com/2015/03/31/volatilecedar/",
 "https://blog.checkpoint.com/2015/06/09/new-data-volatile-cedar/",
 "https://securelist.com/sinkholing-volatile-cedar-dga-infrastructure/69421/"
 ],
@@ -3998,11 +3994,10 @@
 "https://middle-east-online.com/en/cyber-war-gaza-hackers-deface-israel-fire-service-website",
 "https://www.fireeye.com/blog/threat-research/2014/06/molerats-here-for-spring.html",
 "https://pwc.blogs.com/cyber_security_updates/2015/04/attacks-against-israeli-palestinian-interests.html",
- "https://blog.vectra.ai/blog/moonlight-middle-east-targeted-attacks",
+ "https://www.vectra.ai/blogpost/moonlight-middle-east-targeted-attacks",
 "https://securelist.com/gaza-cybergang-wheres-your-ir-team/72283/",
 "https://www.clearskysec.com/wp-content/uploads/2016/01/Operation%20DustySky_TLP_WHITE.pdf",
 "https://www.clearskysec.com/wp-content/uploads/2016/06/Operation-DustySky2_-6.2016_TLP_White.pdf",
- "https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/26000/PD26760/en_US/McAfee_Labs_Threat_Advisory_GazaCybergang.pdf",
 "https://securelist.com/gaza-cybergang-updated-2017-activity/82765/",
 "https://www.kaspersky.com/blog/gaza-cybergang/26363/",
 "https://attack.mitre.org/groups/G0021/"
@@ -4092,7 +4087,7 @@
 "description": "A threat group that has been active for at least seven years has used malware, phishing and disinformation tactics to target activists, journalists, politicians and public figures in various Latin American countries. The threat actor, dubbed Packrat based on its preference for remote access Trojans (RATs) and because it has used the same infrastructure for several years, has been analyzed by Citizen Lab researchers John Scott-Railton, Morgan Marquis-Boire, and Claudio Guarnieri, and Cyphort researcher Marion Marschalek, best known for her extensive analysis of state-sponsored threats.",
 "meta": {
 "refs": [
- "https://citizenlab.org/2015/12/packrat-report/"
+ "https://citizenlab.ca/2015/12/packrat-report/"
 ]
 },
 "uuid": "fe344665-d153-4d31-a32a-1509efde1ca7",
@@ -4937,7 +4932,7 @@
 "attribution-confidence": "50",
 "country": "KP",
 "refs": [
- "https://www.isightpartners.com/2016/02/threatscape-media-highlights-update-week-of-february-17th/"
+ "https://www.fireeye.com/blog/threat-research/2018/02/attacks-leveraging-adobe-zero-day.html"
 ]
 },
 "uuid": "73c636ae-e55c-4167-bf40-315789698adb",
@@ -4964,7 +4959,6 @@
 "country": "CN",
 "refs": [
 "https://blog.fox-it.com/2016/06/15/mofang-a-politically-motivated-information-stealing-adversary/",
- "https://www.threatconnect.com/china-superman-apt/",
 "https://www.cfr.org/interactive/cyber-operations/mofang",
 "https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf"
 ],
@@ -4995,7 +4989,7 @@
 "country": "IR",
 "refs": [
 "https://s3-eu-west-1.amazonaws.com/minervaresearchpublic/CopyKittens/CopyKittens.pdf",
- "https://blog.domaintools.com/2017/03/hunt-case-study-hunting-campaign-indicators-on-privacy-protected-attack-infrastructure/",
+ "https://www.domaintools.com/resources/blog/case-study-hunting-campaign-indicators-on-privacy-protected-attack-infrastr",
 "http://www.clearskysec.com/copykitten-jpost/",
 "http://www.clearskysec.com/tulip/",
 "https://www.cfr.org/interactive/cyber-operations/copykittens",
@@ -5345,7 +5339,7 @@
 {
 "meta": {
 "refs": [
- "https://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf"
+ "https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf"
 ]
 },
 "uuid": "e85ab78c-5e86-403c-b444-9cdcc167fb77",
@@ -5385,7 +5379,7 @@
 "attribution-confidence": "50",
 "country": "CN",
 "refs": [
- "https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-2015-08-Uncovering-the-Seven-Pointed-Dagger.pdf",
+ "https://app.box.com/s/z1uanuv1vn3vw5iket1r6bqrmlra0gpn",
 "https://news.softpedia.com/news/trochilus-rat-evades-antivirus-detection-used-for-cyber-espionage-in-south-east-asia-498776.shtml",
 "https://unit42.paloaltonetworks.com/unit42-trochilus-rat-new-moonwind-rat-used-attack-thai-utility-organizations/"
 ]
@@ -5439,11 +5433,9 @@
 "http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf",
 "http://securityaffairs.co/wordpress/33785/cyber-crime/arid-viper-israel-sex-video.html",
 "https://securelist.com/blog/research/68817/the-desert-falcons-targeted-attacks/",
- "https://ti.360.com/upload/report/file/APTSWXLVJ8fnjoxck.pdf",
 "https://blog.lookout.com/blog/2017/02/16/viperrat-mobile-apt/",
 "https://securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/",
 "https://www.proofpoint.com/us/threat-insight/post/Operation-Arid-Viper-Slithers-Back-Into-View",
- "https://www.ci-project.org/blog/2017/3/4/arid-viper",
 "http://blog.talosintelligence.com/2017/06/palestine-delphi.html",
 "https://www.threatconnect.com/blog/kasperagent-malware-campaign/",
 "https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/sexually-explicit-material-used-as-lures-in-cyber-attacks?linkId=12425812",
@@ -5514,7 +5506,7 @@
 "country": "RU",
 "refs": [
 "https://securelist.com/introducing-whitebear/81638/",
- "https://www.cfr.org/interactive/cyber-operations/whitebears"
+ "https://www.cfr.org/interactive/cyber-operations/whitebear"
 ],
 "synonyms": [
 "Skipper Turla"
@@ -5539,7 +5531,7 @@
 "attribution-confidence": "50",
 "country": "CN",
 "refs": [
- "https://www.isightpartners.com/2016/02/threatscape-media-highlights-update-week-of-february-17th/"
+ "http://en.hackdig.com/02/39538.htm"
 ]
 },
 "uuid": "110792e8-38d2-4df2-9ea3-08b60321e994",
@@ -5638,7 +5630,6 @@
 "meta": {
 "refs": [
 "https://www.bleepingcomputer.com/news/security/moneytaker-hacker-group-steals-millions-from-us-and-russian-banks/",
- "https://www.group-ib.com/resources/reports/money-taker.html",
 "https://www.group-ib.com/blog/moneytaker"
 ]
 },
@@ -5650,7 +5641,7 @@
 "meta": {
 "refs": [
 "https://securelist.com/a-simple-example-of-a-complex-cyberattack/82636/",
- "https://cdn.securelist.com/files/2017/09/Microcin_Technical_4PDF_eng_final_s.pdf"
+ "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07170759/Microcin_Technical_4PDF_eng_final_s.pdf"
 ]
 },
 "uuid": "0a6b31cd-54cd-4f82-9b87-aab780604632",
@@ -5766,7 +5757,7 @@
 "refs": [
 "https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets",
 "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html",
- "https://www.cfr.org/interactive/cyber-operations/leviathan",
+ "https://www.cfr.org/interactive/cyber-operations/apt-40",
 "https://www.fireeye.com/blog/threat-research/2019/03/apt40-examining-a-china-nexus-espionage-actor.html",
 "https://www.recordedfuture.com/chinese-threat-actor-tempperiscope/",
 "https://www.fireeye.com/blog/threat-research/2018/07/chinese-espionage-group-targets-cambodia-ahead-of-elections.html",
@@ -6134,7 +6125,7 @@
 "description": "ZooPark is a cyberespionage operation that has been focusing on Middle Eastern targets since at least June 2015. The threat actors behind ZooPark infect Android devices using several generations of malware we label from v1-v4, with v4 being the most recent version deployed in 2017.",
 "meta": {
 "refs": [
- "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/03095519/ZooPark_for_public_final.pdf"
+ "https://securelist.com/whos-who-in-the-zoo/85394/"
 ]
 },
 "uuid": "4defbf2e-4f73-11e8-807f-578d61da7568",
@@ -6420,7 +6411,7 @@
 "refs": [
 "https://www.cfr.org/interactive/cyber-operations/inception-framework",
 "https://www.symantec.com/connect/blogs/blue-coat-exposes-inception-framework-very-sophisticated-layered-malware-attack-targeted-milit",
- "https://securelist.com/red-october-diplomatic-cyber-attacks-investigation/36740/%238",
+ "https://securelist.com/red-october-diplomatic-cyber-attacks-investigation/36740/",
 "https://www.symantec.com/blogs/threat-intelligence/inception-framework-hiding-behind-proxies",
 "https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/",
 "https://www.akamai.com/uk/en/multimedia/documents/white-paper/upnproxy-blackhat-proxies-via-nat-injections-white-paper.pdf"
@@ -7237,7 +7228,6 @@
 "attribution-confidence": "10",
 "country": "IR",
 "refs": [
- "https://resecurity.com/blog/parliament_races/",
 "https://www.nbcnews.com/politics/national-security/iranian-backed-hackers-stole-data-major-u-s-government-contractor-n980986",
 "https://threatpost.com/ranian-apt-6tb-data-citrix/142688/",
 "https://hub.packtpub.com/resecurity-reports-iriduim-behind-citrix-data-breach-200-government-agencies-oil-and-gas-companies-and-technology-companies-also-targeted/"
From edc51963736a66bba3892dd477de9de0fb65bdbe Mon Sep 17 00:00:00 2001
From: Thomas Dupuy
Date: Thu, 23 Jan 2020 11:27:00 -0500
Subject: [PATCH 09/10] Add Attor and DePriMon
---
 clusters/threat-actor.json | 32 +++++++++++++++++++++++++++++++-
 1 file changed, 31 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 0f354e6..828b3bb 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -7886,7 +7886,37 @@
 },
 "uuid": "2eb0dc7a-cef6-4744-92ac-2fe269dacb95",
 "value": "Budminer"
+ },
+ {
+ "description": "Adversary group targeting diplomatic missions and governmental organisations.",
+ "meta": {
+ "cfr-target-category": [
+ "Private sector",
+ "Government"
+ ],
+ "cfr-type-of-incident": "Espionage",
+ "refs": [
+ "https://www.welivesecurity.com/2019/10/10/eset-discovers-attor-spy-platform"
+ ]
+ },
+ "uuid": "947a450a-df6c-4c2e-807b-0da8ecea1d26",
+ "value": "Attor"
+ },
+ {
+ "description": "DePriMon is an unusually advanced downloader whose developers have put extra effort into setting up the architecture and crafting the critical components.",
+ "meta": {
+ "cfr-target-category": [
+ "Private sector",
+ "Finance"
+ ],
+ "cfr-type-of-incident": "Espionage",
+ "refs": [
+ "https://www.welivesecurity.com/2019/11/21/deprimon-default-print-monitor-malicious-downloader"
+ ]
+ },
+ "uuid": "443faf38-ad93-4421-8a53-47ad84b195fa",
+ "value": "DePriMon"
 }
 ],
- "version": 151
+ "version": 152
 }
From 6d078a88dd9f715ba90ccda10365fab585ec9c0f Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Fri, 24 Jan 2020 09:04:38 +0100
Subject: [PATCH 10/10] chg: [ransomware] Nodera ransomware added
---
 clusters/ransomware.json | 22 ++++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index a5098b1..935e809 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
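Review bot: Both new entries describe tooling rather than an adversary, yet they are added to `clusters/threat-actor.json` as actors: the only Attor reference is ESET's "eset-discovers-attor-spy-platform" post, and the DePriMon description itself says `DePriMon is an unusually advanced downloader`; the Attor description (`Adversary group targeting diplomatic missions and governmental organisations.`) does not match what its cited title says it is. If ESET attributes an operator, the `value` and description should name that group with the platform mentioned in the text or under `synonyms`; otherwise these belong in a malware or tool galaxy, and a consumer correlating on threat-actor names will otherwise treat a downloader family as a group. The `cfr-target-category` and `cfr-type-of-incident` keys mirror the CFR cyber-operations tracker fields used elsewhere in this file, which there sit next to a `cfr.org` reference; neither entry here cites a CFR source, so those values look curator-assigned rather than sourced and should either be backed by a reference or dropped.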
@@ -1,7 +1,8 @@
 {
 "authors": [
 "https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml",
- "http://pastebin.com/raw/GHgpWjar"
+ "http://pastebin.com/raw/GHgpWjar",
+ "MISP Project"
 ],
 "category": "tool",
 "description": "Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml and http://pastebin.com/raw/GHgpWjar",
@@ -13635,7 +13636,24 @@
 },
 "uuid": "8ac9fc73-05db-4be8-8f46-33bbd6b3502b",
 "value": "5ss5c Ransomware"
+ },
+ {
+ "description": "Nodera is a ransomware family that uses the Node.js framework and was discovered by Quick Heal researchers. The infection chain starts with a VBS script embedded with multiple JavaScript files. Upon execution, a directory is created and both the main node.exe program and several required NodeJS files are downloaded into the directory. Additionally, a malicious JavaScript payload that performs the encryption process is saved in this directory. After checking that it has admin privileges and setting applicable variables, the malicious JavaScript file enumerates the drives to create a list of targets. Processes associated with common user file types are stopped and volume shadow copies are deleted. Finally, all user-specific files on the C: drive and all files on other drives are encrypted and are appended with a .encrypted extension. The ransom note containing instructions on paying the Bitcoin ransom are provided along with a batch script to be used for decryption after obtaining the private key. Some mistakes in the ransom note identified by the researchers include the fact that it mentions a 2048-bit RSA public key instead of 4096-bit (the size that was actually used), a hard-coded private key destruction time dating back almost 2 years ago, and a lack of instructions for how the private key will be obtained after the ransom is paid. These are signs that the ransomware may be in the development phase and was likely written by an amateur. 
For more information, see the QuickHeal blog post in the Reference section below.",
+ "meta": {
+ "extensions": [
+ ".encrypted"
+ ],
+ "refs": [
+ "https://exchange.xforce.ibmcloud.com/collection/6f18908ce6d9cf4efb551911e00d9ec4",
+ "https://blogs.quickheal.com/first-node-js-based-ransomware-nodera/"
+ ],
+ "synonyms": [
+ "Nodera"
+ ]
+ },
+ "uuid": "0529c53a-afe7-4549-899e-3f8735467f96",
+ "value": "Nodera Ransomware"
 }
 ],
- "version": 77
+ "version": 78
 }
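Review bot: The Nodera description is pasted verbatim from the X-Force collection and ends with `For more information, see the QuickHeal blog post in the Reference section below.`, which points at a section that does not exist in a galaxy cluster; drop that sentence, since the Quick Heal post is already listed in `refs`. The break before that sentence also looks like a raw newline inside the JSON string value — if it is really in the file rather than an artefact of how the patch is rendered here, it is an unescaped control character that RFC 8259 forbids and should become `\n` or be removed. Because the text is quoted from a third party rather than written by the curator, marking it as a quotation or naming the source inline would make the provenance of claims such as the shadow-copy deletion clear to consumers of the galaxy.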