MISP/misp-galaxy
6
0
Fork 0
mirror of https://github.com/MISP/misp-galaxy.git synced 2024-11-26 16:57:18 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge pull request #249 from Delta-Sierra/master

Browse source 
Update and add threat actors
This commit is contained in:
Alexandre Dulaunoy 2018-08-25 17:14:33 +02:00 committed by GitHub
commit 7b07b513b3
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 223 additions and 12 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
clusters/microsoft-activity-group.json
View file

@ -86,7 +86,9 @@
"refs": [ "refs": [
"https://blogs.technet.microsoft.com/mmpc/2016/11/01/our-commitment-to-our-customers-security/", "https://blogs.technet.microsoft.com/mmpc/2016/11/01/our-commitment-to-our-customers-security/",
"http://download.microsoft.com/download/4/4/C/44CDEF0E-7924-4787-A56A-16261691ACE3/Microsoft_Security_Intelligence_Report_Volume_19_A_Profile_Of_A_Persistent_Adversary_English.pdf", "http://download.microsoft.com/download/4/4/C/44CDEF0E-7924-4787-A56A-16261691ACE3/Microsoft_Security_Intelligence_Report_Volume_19_A_Profile_Of_A_Persistent_Adversary_English.pdf",
"https://blogs.technet.microsoft.com/mmpc/2015/11/16/microsoft-security-intelligence-report-strontium/" "https://blogs.technet.microsoft.com/mmpc/2015/11/16/microsoft-security-intelligence-report-strontium/",
"https://blogs.microsoft.com/on-the-issues/2018/08/20/we-are-taking-new-steps-against-broadening-threats-to-democracy/",
"https://www.bleepingcomputer.com/news/security/microsoft-disrupts-apt28-hacking-campaign-aimed-at-us-midterm-elections/"
], ],
"synonyms": [ "synonyms": [
"APT 28", "APT 28",

34
clusters/ransomware.json
View file

@ -3202,19 +3202,36 @@
"extensions": [ "extensions": [
".dharma", ".dharma",
".wallet", ".wallet",
".zzzzz" ".zzzzz",
".cmb",
".id-BCBEF350.[paymentbtc@firemail.cc].cmb"
], ],
"ransomnotes": [ "ransomnotes": [
"README.txt", "README.txt",
"README.jpg", "README.jpg",
"Info.hta" "Info.hta",
"FILES ENCRYPTED.txt",
"INFO.hta",
"https://www.bleepstatic.com/images/news/ransomware/d/dharma/cmb/hta-ransom-note.jpg",
"all your data has been locked us\nYou want to return?\nwrite email paymentbtc@firemail.cc",
"All your files have been encrypted!\nAll your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail paymentbtc@firemail.cc\nWrite this ID in the title of your message ACBFF130\nIn case of no answer in 24 hours write us to theese e-mails:paymentbtc@firemail.cc\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.\nFree decryption as guarantee\nBefore paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)\nHow to obtain Bitcoins\nThe easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.\nhttps://localbitcoins.com/buy_bitcoins\nAlso you can find other places to buy Bitcoins and beginners guide here:\nhttp://www.coindesk.com/information/how-can-i-buy-bitcoins/\nAttention!\nDo not rename encrypted files.\nDo not try to decrypt your data using third party software, it may cause permanent data loss.\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam."
], ],
"refs": [ "refs": [
"https://id-ransomware.blogspot.co.il/2016/11/dharma-ransomware.html", "https://id-ransomware.blogspot.co.il/2016/11/dharma-ransomware.html",
"https://www.bleepingcomputer.com/news/security/kaspersky-releases-decryptor-for-the-dharma-ransomware/" "https://www.bleepingcomputer.com/news/security/kaspersky-releases-decryptor-for-the-dharma-ransomware/",
"https://www.bleepingcomputer.com/news/security/new-cmb-dharma-ransomware-variant-released/"
] ]
}, },
"uuid": "2b365b2c-4a9a-4b66-804d-3b2d2814fe7b", "uuid": "2b365b2c-4a9a-4b66-804d-3b2d2814fe7b",
"related": [
{
"dest-uuid": "15a30d84-4f5f-4b75-a162-e36107d30215",
"type": "similar",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
]
}
],
"value": "Dharma Ransomware" "value": "Dharma Ransomware"
}, },
{ {
@ -9025,6 +9042,15 @@
] ]
}, },
"uuid": "15a30d84-4f5f-4b75-a162-e36107d30215", "uuid": "15a30d84-4f5f-4b75-a162-e36107d30215",
"related": [
{
"dest-uuid": "2b365b2c-4a9a-4b66-804d-3b2d2814fe7b",
"type": "similar",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
]
}
],
"value": "Virus-Encoder" "value": "Virus-Encoder"
}, },
{ {
@ -10341,5 +10367,5 @@
"uuid": "c76c4d24-9f99-11e8-808d-a7f1c66a53c5" "uuid": "c76c4d24-9f99-11e8-808d-a7f1c66a53c5"
} }
], ],
"version": 29 "version": 30
} }

197
clusters/threat-actor.json
View file

@ -473,6 +473,13 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "9cebfaa8-a797-11e8-99e0-3ffa312b9a10",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
} }
], ],
"uuid": "99e30d89-9361-4b73-a999-9e5ff9320bcb", "uuid": "99e30d89-9361-4b73-a999-9e5ff9320bcb",
@ -620,6 +627,13 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "9cebfaa8-a797-11e8-99e0-3ffa312b9a10",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
} }
], ],
"uuid": "24110866-cb22-4c85-a7d2-0413e126694b", "uuid": "24110866-cb22-4c85-a7d2-0413e126694b",
@ -1097,7 +1111,16 @@
] ]
}, },
"uuid": "3501fbf2-098f-47e7-be6a-6b0ff5742ce8", "uuid": "3501fbf2-098f-47e7-be6a-6b0ff5742ce8",
"value": "Mirage" "value": "Mirage",
"related": [
{
"dest-uuid": "9cebfaa8-a797-11e8-99e0-3ffa312b9a10",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
]
}, },
{ {
"description": "PLA Navy", "description": "PLA Navy",
@ -2034,7 +2057,9 @@
"https://www2.fireeye.com/rs/848-DID-242/images/wp-mandiant-matryoshka-mining.pdf", "https://www2.fireeye.com/rs/848-DID-242/images/wp-mandiant-matryoshka-mining.pdf",
"https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/", "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/",
"http://researchcenter.paloaltonetworks.com/2016/06/unit42-new-sofacy-attacks-against-us-government-agency/", "http://researchcenter.paloaltonetworks.com/2016/06/unit42-new-sofacy-attacks-against-us-government-agency/",
"https://www.cfr.org/interactive/cyber-operations/apt-28" "https://www.cfr.org/interactive/cyber-operations/apt-28",
"https://blogs.microsoft.com/on-the-issues/2018/08/20/we-are-taking-new-steps-against-broadening-threats-to-democracy/",
"https://www.bleepingcomputer.com/news/security/microsoft-disrupts-apt28-hacking-campaign-aimed-at-us-midterm-elections/"
], ],
"synonyms": [ "synonyms": [
"APT 28", "APT 28",
@ -2525,10 +2550,24 @@
"South Korea", "South Korea",
"Bangladesh Bank", "Bangladesh Bank",
"Sony Pictures Entertainment", "Sony Pictures Entertainment",
"United States" "United States",
"Thailand",
"France",
"China",
"Hong Kong",
"United Kingdom",
"Guatemala",
"Canada",
"Bangladesh",
"Japan",
"India",
"Germany",
"Brazil",
"Thailand",
"Australia"
], ],
"cfr-target-category": [ "cfr-target-category": [
" Government", "Government",
"Private sector" "Private sector"
], ],
"cfr-type-of-incident": "Espionage", "cfr-type-of-incident": "Espionage",
@ -2542,7 +2581,8 @@
"https://www.us-cert.gov/ncas/alerts/TA17-318A", "https://www.us-cert.gov/ncas/alerts/TA17-318A",
"https://www.us-cert.gov/ncas/alerts/TA17-318B", "https://www.us-cert.gov/ncas/alerts/TA17-318B",
"https://www.bleepingcomputer.com/news/security/north-korean-hackers-are-up-to-no-good-again/", "https://www.bleepingcomputer.com/news/security/north-korean-hackers-are-up-to-no-good-again/",
"https://www.cfr.org/interactive/cyber-operations/lazarus-group" "https://www.cfr.org/interactive/cyber-operations/lazarus-group",
"https://www.cfr.org/interactive/cyber-operations/operation-ghostsecret"
], ],
"synonyms": [ "synonyms": [
"Operation DarkSeoul", "Operation DarkSeoul",
@ -5305,10 +5345,21 @@
"description": "The Rancor groups attacks use two primary malware families which are naming DDKONG and PLAINTEE. DDKONG is used throughout the campaign and PLAINTEE appears to be new addition to these attackers toolkit. Countries Unit 42 has identified as targeted by Rancor with these malware families include, but are not limited to Singapore and Cambodia.", "description": "The Rancor groups attacks use two primary malware families which are naming DDKONG and PLAINTEE. DDKONG is used throughout the campaign and PLAINTEE appears to be new addition to these attackers toolkit. Countries Unit 42 has identified as targeted by Rancor with these malware families include, but are not limited to Singapore and Cambodia.",
"meta": { "meta": {
"refs": [ "refs": [
"https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/" "https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/",
"https://www.cfr.org/interactive/cyber-operations/rancor"
], ],
"synonyms": [ "synonyms": [
"Rancor group" "Rancor group"
],
"cfr-suspected-victims": [
"Singapore",
"Cambodia"
],
"cfr-suspected-state-sponsor": "China",
"cfr-type-of-incident": "Espionage",
"cfr-target-category": [
"Government",
"Civil society"
] ]
}, },
"uuid": "79c7c7e0-79d5-11e8-9b9c-1ff96be20c0b", "uuid": "79c7c7e0-79d5-11e8-9b9c-1ff96be20c0b",
@ -5378,7 +5429,139 @@
"DoNot Team" "DoNot Team"
] ]
} }
},
{
"value": "TempTick",
"description": "This threat actor targets organizations in the finance, defense, aerospace, technology, health-care, and automotive sectors and media organizations in East Asia for the purpose of espionage. Believed to be responsible for the targeting of South Korean actors prior to the meeting of Donald J. Trump and Kim Jong-un",
"meta": {
"refs": [
"https://www.cfr.org/interactive/cyber-operations/temptick"
],
"cfr-suspected-victims": [
"South Korea",
"Japan"
],
"cfr-suspected-state-sponsor": "China",
"cfr-target-category": [
"Government",
"Private sector"
]
},
"uuid": "3f3ff6de-a6a7-11e8-92b4-3743eb1c7762"
},
{
"value": "Operation Parliament",
"description": "This threat actor uses spear-phishing techniques to target parliaments, government ministries, academics, and media organizations, primarily in the Middle East, for the purpose of espionage.",
"meta": {
"refs": [
"https://www.cfr.org/interactive/cyber-operations/operation-parliament"
],
"cfr-suspected-victims": [
"Palestine",
"United Arab Emirates",
"Qatar",
"Somalia",
"Syria",
"Canada",
"Germany",
"Serbia",
"Kuwait",
"Egypt",
"Saudi Arabia",
"Chile",
"Iraq",
"India",
"United States",
"Israel",
"Russia",
"South Korea",
"Jordan",
"Djibouti",
"Lebonon",
"Morocco",
"Iran",
"United Kingdom",
"Afghanistan",
"Oman",
"Denmark"
],
"cfr-suspected-state-sponsor": "Unknown",
"cfr-type-of-incident": "Espionage",
"cfr-target-category": [
"Government",
"Civil society"
]
},
"uuid": "e20e8eb8-a6b4-11e8-8a92-6ba6e7540c6d"
},
{
"value": "Inception Framework",
"description": "This threat actor uses spear-phishing techniques to target private-sector energy, defense, aerospace, research, and media organizations and embassies in Africa, Europe, and the Middle East, for the purpose of espionage.",
"meta": {
"refs": [
"https://www.cfr.org/interactive/cyber-operations/inception-framework"
],
"cfr-suspected-victims": [
"South Africa",
"Malaysia",
"Kenya",
"Suriname",
"United Kingdom"
],
"cfr-suspected-state-sponsor": "Unknown",
"cfr-type-of-incident": "Espionage",
"cfr-target-category": [
"Government",
"Private sector"
]
},
"uuid": "71ef51ca-a791-11e8-a026-07980ca910ca"
},
{
"value": "Winnti Umbrella",
"description": "This threat actor targets software companies and political organizations in the United States, China, Japan, and South Korea. It primarily acts to support cyber operations conducted by other threat actors affiliated with Chinese intelligence services.\nBelieved to be associated with the Axiom, APT 17, and Mirage threat actors. Believed to share the same tools and infrastructure as the threat actors that carried out Operation Aurora, the 2015 targeting of video game companies, the 2015 targeting of the Thai government, and the 2017 targeting of Chinese-language news websites",
"meta": {
"refs": [
"https://www.cfr.org/interactive/cyber-operations/winnti-umbrella"
],
"cfr-suspected-victims": [
"United States",
"South Korea",
"United Kingdom",
"China",
"Japan"
],
"cfr-suspected-state-sponsor": "China",
"cfr-type-of-incident": "Espionage",
"cfr-target-category": [
"Private sector"
]
},
"uuid": "9cebfaa8-a797-11e8-99e0-3ffa312b9a10",
"related": [
{
"dest-uuid": "24110866-cb22-4c85-a7d2-0413e126694b",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "99e30d89-9361-4b73-a999-9e5ff9320bcb",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "3501fbf2-098f-47e7-be6a-6b0ff5742ce8",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
]
} }
], ],
"version": 53 "version": 54
} }