[threat-actors] Add TunnelSnake

2024-11-26 08:47:18 +00:00 · 2023-12-01 16:21:53 -08:00 · 2023-12-01 16:21:53 -08:00 · 6c2cb8979f
commit 6c2cb8979f
parent dbbb075b1c
1 changed files with 12 additions and 0 deletions
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@ -13602,6 +13602,18 @@
      },
      "uuid": "89f5a5cb-514f-46db-8959-6bb9aa991e9f",
      "value": "WildPressure"
+    },
+    {
+      "description": "The TunnelSnake campaign demonstrates the activity of a sophisticated actor that invests significant resources in designing an evasive toolset and infiltrating networks of high-profile organizations. By leveraging Windows drivers, covert communications channels and proprietary malware, the group behind it maintains a considerable level of stealth. That said, some of its TTPs, like the usage of a commodity webshell and open-source legacy code for loading unsigned drivers, may get detected and in fact were flagged by Kaspersky's product, giving them visibility into the group’s operation.",
+      "meta": {
+        "country": "CN",
+        "refs": [
+          "https://www.redpacketsecurity.com/operation-tunnelsnake/",
+          "https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831/"
+        ]
+      },
+      "uuid": "f0bb3d3a-c012-4d12-b621-51192977f190",
+      "value": "TunnelSnake"
    }
  ],
  "version": 295