From 89a3f986baed15dd548928b83655cb9bd4e9a4bb Mon Sep 17 00:00:00 2001
From: Thomas Dupuy
Date: Tue, 24 Aug 2021 16:29:34 +0200
Subject: [PATCH 1/2] Add InkySquid synonym.

---
 clusters/threat-actor.json | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 53760d1..cd0af95 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -5660,6 +5660,7 @@
 ],
 "country": "KP",
 "refs": [
+ "https://www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits/",
 "https://www.fireeye.com/blog/threat-research/2018/02/apt37-overlooked-north-korean-actor.html",
 "https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf",
 "http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html",
@@ -5678,13 +5679,14 @@
 "APT 37",
 "Group 123",
 "Group123",
- "ScarCruft",
- "Reaper",
- "Reaper Group",
- "Red Eyes",
- "Ricochet Chollima",
+ "InkySquid",
 "Operation Daybreak",
 "Operation Erebus",
+ "Reaper Group",
+ "Reaper",
+ "Red Eyes",
+ "Ricochet Chollima",
+ "ScarCruft",
 "Venus 121"
 ]
 },
@@ -8862,5 +8864,5 @@
 "value": "BelialDemon"
 }
 ],
- "version": 205
+ "version": 206
 }

From 1985de4d44b14712cc4c7328970d731c83ce589c Mon Sep 17 00:00:00 2001
From: Thomas Dupuy
Date: Fri, 27 Aug 2021 10:28:06 +0200
Subject: [PATCH 2/2] Add BLUELIGHT tool.

---
 clusters/tool.json | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/clusters/tool.json b/clusters/tool.json
index b81a6d5..f9540ed 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
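Review bot: The second hunk (`@@ -5678,13 +5679,14 @@`) reorders the five existing synonyms in addition to inserting `"InkySquid"`, which the subject `Add InkySquid synonym.` does not mention, and if the intent is alphabetical order, `"Reaper Group"` now sits before `"Reaper"`, where a plain string sort puts `"Reaper"` first. Either keep this commit to the one-line insertion or swap the two lines so they read `"Reaper",` then `"Reaper Group",`, matching the order the rest of the list follows. The first hunk (new Volexity ref) and the version bump need nothing further.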
@@ -8426,7 +8426,20 @@
 },
 "uuid": "2214b113-6942-494f-94b7-576e74fccdb5",
 "value": "Matanbuchus"
+ },
+ {
+ "description": "It is likely that BLUELIGHT is used as a secondary payload following successful delivery of Cobalt Strike.",
+ "meta": {
+ "refs": [
+ "https://www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits/"
+ ],
+ "type": [
+ "backdoor"
+ ]
+ },
+ "uuid": "b1c4f468-1c55-40aa-bce4-c3772ef83d0c",
+ "value": "BLUELIGHT"
 }
 ],
- "version": 146
+ "version": 147
 }
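Review bot: The new BLUELIGHT entry carries no `related` link to the threat actor it belongs with, even though its only ref is the InkySquid write-up and the first patch of this series adds `"InkySquid"` as a synonym of the APT37 entry in threat-actor.json. MISP galaxy tool entries usually express that with a `"related"` array next to `"meta"`, e.g. `"related": [{"dest-uuid": "<APT37 threat-actor uuid from threat-actor.json>", "type": "used-by"}]`; the APT37 uuid is not visible in this patch, so it has to be taken from the cluster file. The same link could point at the Cobalt Strike entry the description names as the first stage, if one exists in tool.json. The description only states the delivery context; opening it with what the tool is (the `type` array says backdoor) would make the entry self-describing for consumers that show `description` without `meta`.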