From 79c84d3768eca7f1bfa29483e95e8575ef14c2bb Mon Sep 17 00:00:00 2001
From: Rony
Date: Tue, 19 Jul 2022 22:42:50 +0530
Subject: [PATCH] add Earth Berberoka, Earth Lusca and Earth Wendigo
---
 clusters/threat-actor.json | 105 ++++++++++++++++++++++++++++++++++++-
 1 file changed, 103 insertions(+), 2 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 2c66884..9032680 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -9651,7 +9651,108 @@
 },
 "uuid": "e665ac2f-87b4-4c2e-bef7-78bf0a8af87b",
 "value": "Predatory Sparrow"
+ },
+ {
+ "description": "According to TrendMicro, Earth Berberoka is a threat group originating from China that mainly focuses on targeting gambling websites. This group's campaign uses multiple malware families that target the Windows, Linux, and macOS platforms that have been attributed to Chinese-speaking actors. Aside from using tried-and-tested malware families that have been upgraded, such as PlugX and Gh0st RAT, Earth Berberoka has also developed a brand-new complex, multistage malware family, which has been dubbed PuppetLoader.",
+ "meta": {
+ "cfr-suspected-victims": [
+ "China",
+ "United States",
+ "Hong Kong",
+ "Malaysia",
+ "Taiwan"
+ ],
+ "cfr-target-category": [
+ "Gambling Websites",
+ "Information technology",
+ "Electronics Manufacturers",
+ "Education"
+ ],
+ "country": "CN",
+ "refs": [
+ "https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-berberoka.pdf",
+ "https://www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html",
+ "https://documents.trendmicro.com/assets/txt/earth-berberoka-windows-iocs-2.txt",
+ "https://documents.trendmicro.com/assets/txt/earth-berberoka-linux-iocs-2.txt",
+ "https://documents.trendmicro.com/assets/txt/earth-berberoka-macos-iocs-2.txt",
+ "https://documents.trendmicro.com/assets/txt/earth-berberoka-domains-2.txt",
+ "https://www.youtube.com/watch?v=QXGO4RJaUPQ",
+ "https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf"
+ ]
+ },
+ "uuid": "9d82077b-7e95-4b22-8762-3224797ff5f0",
+ "value": "Earth Berberoka"
+ },
+ {
+ "description": "Earth Lusca is a threat actor from China that targets organizations of interest to the Chinese government, including academic institutions, telecommunication companies, religious organizations, and other civil society groups. 
Earth Lusca's tools closely resemble those used by Winnti Umbrella, but the group appears to operate separately from Winnti. Earth Lusca has also been observed targeting cryptocurrency payment platforms and cryptocurrency exchanges in what are likely financially motivated attacks.",
+ "meta": {
+ "cfr-suspected-victims": [
+ "Australia",
+ "China",
+ "France",
+ "Germany",
+ "Hong Kong",
+ "Japan",
+ "Mongolia",
+ "Nepal",
+ "Nigeria",
+ "Philippines",
+ "Taiwan",
+ "Thailand",
+ "United Arab Emirates",
+ "United States",
+ "Vietnam"
+ ],
+ "cfr-target-category": [
+ "Gambling companies",
+ "Government Institutions",
+ "Education",
+ "Media and Entertainment",
+ "Pro-democracy and human rights political organizations",
+ "Telecommunications",
+ "Religious organization",
+ "Cryptocurrency",
+ "Medical",
+ "Covid-19 research organizations"
+ ],
+ "country": "CN",
+ "refs": [
+ "https://hello.global.ntt/-/media/ntt/global/insights/white-papers/the-operations-of-winnti-group.pdf",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf",
+ "https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan",
+ "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWMFIi",
+ "https://media-exp1.licdn.com/dms/document/C561FAQHhWFRcWmdCPw/feedshare-document-pdf-analyzed/0/1639591145314?e=1658966400&v=beta&t=_uCcyEVg6b_VDiBTvWQIXtBOdQ1GQAAydqGyq62KA3E",
+ "https://www.sentinelone.com/wp-content/uploads/2021/08/SentinelOne_-SentinelLabs_ShadowPad_WP_V2.pdf"
+ ],
+ "synonyms": [
+ "CHROMIUM",
+ "ControlX",
+ "TAG-22",
+ "FISHMONGER"
+ ]
+ },
+ "uuid": "39150b30-61af-4d9c-9682-1595e145f3c1",
+ "value": "Earth Lusca"
+ },
+ {
+ "description": "Earth Wendigo is a threat actor from China that has been targeting several organizations — including government organizations, research 
institutions, and universities in Taiwan — since May 2019, aiming to exfiltrate emails from targeted organizations via the injection of JavaScript backdoors to a webmail system that is widely used in Taiwan. The threat actor also sent spear-phishing emails embedded with malicious links to multiple individuals, including politicians and activists, who support movements in Tibet, the Uyghur region, or Hong Kong.",
+ "meta": {
+ "cfr-suspected-victims": [
+ "Hong Kong",
+ "Taiwan"
+ ],
+ "cfr-target-category": [
+ "Government",
+ "Education"
+ ],
+ "country": "CN",
+ "refs": [
+ "https://www.trendmicro.com/en_us/research/21/a/earth-wendigo-injects-javascript-backdoor-to-service-worker-for-.html"
+ ]
+ },
+ "uuid": "c96e1329-cf7e-44ac-a3db-9e251dc98ec5",
+ "value": "Earth Wendigo"
 }
 ],
- "version": 232
-}
+ "version": 233
+}
\ No newline at end of file
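Review bot: The fifth `refs` entry for Earth Lusca (`https://media-exp1.licdn.com/dms/document/...?e=1658966400&v=beta&t=...`) looks like a time-limited signed CDN URL rather than a stable reference: the `e=1658966400` parameter appears to be an expiry timestamp (epoch 1658966400 is 2022-07-28, nine days after the commit date), so the link will most likely be dead by the time consumers pull this galaxy. Replace it with the canonical publisher or LinkedIn post URL for that document, or an archived copy, so the attribution evidence remains checkable. The new `+}` at the end of the hunk carries `\ No newline at end of file` while the removed `-}` did not, which suggests the file was edited by hand; regenerating it through the project's usual JSON formatting/validation step restores the trailing newline and avoids a spurious diff on the next contribution. The `cfr-target-category` vocabulary is also inconsistent across the three new entries (`Gambling Websites` vs `Gambling companies`, `Government Institutions` vs `Government`, singular `Religious organization` beside plural categories), which weakens filtering across actors; aligning them with the values already used elsewhere in this cluster would help.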