Merge pull request #743 from danielplohmann/patch-23

more aliases from Unit 42
This commit is contained in:
Alexandre Dulaunoy 2022-07-27 10:14:54 +02:00 committed by GitHub
commit 6134853219
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23

View file

@ -5850,7 +5850,8 @@
"https://securelist.com/cve-2016-4171-adobe-flash-zero-day-used-in-targeted-attacks/75082/",
"https://securelist.com/operation-daybreak/75100/",
"https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/",
"https://threatpost.com/scarcruft-apt-group-used-latest-flash-zero-day-in-two-dozen-attacks/118642/"
"https://threatpost.com/scarcruft-apt-group-used-latest-flash-zero-day-in-two-dozen-attacks/118642/",
"https://unit42.paloaltonetworks.com/atoms/moldypisces/"
],
"synonyms": [
"APT 37",
@ -5866,7 +5867,8 @@
"ScarCruft",
"Venus 121",
"ATK4",
"G0067"
"G0067",
"Moldy Pisces"
]
},
"related": [
@ -10020,7 +10022,46 @@
},
"uuid": "c73c8a76-1e44-44d6-b955-79f3a73582a1",
"value": "Red Nue"
},
{
"description": "Prying Libra, also known as Pickaxe, is a threat actor active since at least August 2017, and continues to remain active to this day. The adversary's goal is to install and maintain a popular cryptocurrency miner on the victim's machine. The miner in question is an open-source tool named XMRig that generates the Monero cryptocurrency. Malware is delivered via downloads through the popular Adfly advertisement platform. Users are often mislead into clicking on a malicious advertisement that results in the payload being delivered to the victim. Once installed, the malware leverages VBS scripts and redirection services, such as bitly, to ultimately download and execute XMRig. Over 15 million confirmed victims have been discovered to be infected in recent campaigns, with actual numbers likely to be between 30-45 million victims. The victims are found across the globe, with high concentrations in Thailand, Vietnam, Egypt, Indonesia, and Turkey.",
"meta": {
"refs": [
"https://unit42.paloaltonetworks.com/atoms/pryinglibra/"
],
"synonyms": [
"Prying Libra"
]
},
"uuid": "1bfd16ae-fd98-4a96-9397-d1651548bda2",
"value": "Pickaxe"
},
{
"description": "Thief Libra is a cloud-focused threat group that has a history of cryptojacking operations as well as cloud service platform credential scraping. They were first known to operate on January 27, 2019. They use a variety of custom build Go Scripts as well as repurposed cryptojacking scripts from other groups including TeamTNT. They are currently considered to be an opportunistic threat group that targets exposed cloud instances and applications.",
"meta": {
"refs": [
"https://unit42.paloaltonetworks.com/atoms/thieflibra/"
],
"synonyms": [
"Thief Libra"
]
},
"uuid": "4b4b4717-d31e-4be6-a3ba-b13edb42decd",
"value": "Watchdog"
},
{
"description": "Returned Libra, also known as 8220 Mining Group, is a cloud threat actor group that has been active since at least 2017. Tools commonly employed during their operations are PwnRig or DBUsed which are customized variants of the XMRig Monero mining software. The Returned Libra mining group is believed to have originated from a GitHub fork of the Rocke group's software. Returned Libra has elevated its mining operations with the use of cloud service platform credential scrapping.",
"meta": {
"refs": [
"https://unit42.paloaltonetworks.com/atoms/returnedlibra/"
],
"synonyms": [
"8220 Mining Group"
]
},
"uuid": "7831d56e-5913-44ca-8835-f42017aeb0cd",
"value": "Returned Libra"
}
],
"version": 236
"version": 237
}