From e41f6aec42c789bbbdb4848a95d1a61f80f779a5 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Fri, 15 Nov 2024 03:42:17 -0800
Subject: [PATCH 1/7] [threat-actors] Add WageMole aliases
---
 clusters/threat-actor.json | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 0298ce3..be80cd7 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -17354,7 +17354,16 @@
 "country": "KP",
 "refs": [
 "https://unit42.paloaltonetworks.com/two-campaigns-by-north-korea-bad-actors-target-job-hunters/",
- "https://www.zscaler.com/blogs/security-research/pyongyang-your-payroll-rise-north-korean-remote-workers-west"
+ "https://www.zscaler.com/blogs/security-research/pyongyang-your-payroll-rise-north-korean-remote-workers-west",
+ "https://unit42.paloaltonetworks.com/fake-north-korean-it-worker-activity-cluster/"
+ ],
+ "synonyms": [
+ "Famous Chollima",
+ "UNC5267",
+ "Wagemole",
+ "Nickel Tapestry",
+ "Contagious Interview",
+ "Storm-1877"
 ]
 },
 "uuid": "09aa3edb-e956-43f0-9fcb-a3154b47d202",
From 7ad7d3605a0146859b0f1cb55945c5cb4332acfe Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Fri, 15 Nov 2024 03:42:18 -0800
Subject: [PATCH 2/7] [threat-actors] Add UAC-0194
---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index be80cd7..ee382e9 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
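Review bot: The new `synonyms` array merges names that the entry's own first reference keeps apart: that Unit 42 ref is titled "two campaigns by North Korea bad actors", so listing `"Contagious Interview"` as a synonym of the WageMole cluster conflates two campaigns and makes any correlation on either name match both. If they are meant to stay distinct, drop `"Contagious Interview"` here and give it its own cluster linked through `related`; the README hunk in this same series notes that `threat-actor-classification` exists precisely to mark an entry as a campaign rather than a group, which fits both names. `"Wagemole"` appears to differ from the cluster's value only by case (the `value` line sits below this hunk, so I cannot confirm it), in which case it adds nothing and may trip a case-insensitive duplicate check. Also confirm that none of `Famous Chollima`, `UNC5267`, `Nickel Tapestry` and `Storm-1877` already exists as another cluster's `value` in this file, since a name that is simultaneously a value and a synonym is ambiguous for consumers.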
@@ -17389,6 +17389,17 @@
 },
 "uuid": "84bf7b38-e120-44c9-bfdd-82740593a6c6",
 "value": "APT73"
+ },
+ {
+ "description": "UAC-0194 is a Russian threat actor linked to the exploitation of the Windows zero-day CVE-2024-43451, which was used in attacks against Ukrainian organizations. The group delivered phishing emails containing .url files that, when interacted with, exploited the vulnerability to facilitate the installation of additional payloads, including the SparkRAT trojan. They also exploited the Server Message Block protocol for NTLM hash exfiltration. CERT-UA has associated UAC-0194's activities with social engineering tactics to convince victims to execute malicious files.",
+ "meta": {
+ "country": "RU",
+ "refs": [
+ "https://www.clearskysec.com/0d-vulnerability-exploited-in-the_wild/"
+ ]
+ },
+ "uuid": "714f76b2-a8fd-49b0-8605-0eb1c9703140",
+ "value": "UAC-0194"
 }
 ],
 "version": 320
From 8aeb150619d35bba39f66d03c9266959ca0280fd Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Fri, 15 Nov 2024 03:42:18 -0800
Subject: [PATCH 3/7] [threat-actors] Add TAG-112
---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index ee382e9..082a628 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
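Review bot: The context line `"version": 320` is left untouched here and in every later hunk of this series, so five new clusters land without a galaxy version bump; MISP instances that already hold version 320 will not pick up the update unless a later commit bumps it. Change it once for the series, e.g. `"version": 321`. In the description, `They also exploited the Server Message Block protocol for NTLM hash exfiltration` is imprecise next to the preceding sentence — the .url file presumably forces an outbound SMB authentication that leaks the user's NTLM hash rather than "exploiting SMB"; something like `The .url files also triggered outbound SMB connections to attacker-controlled hosts, leaking NTLM hashes` is closer, to be confirmed against the ClearSky write-up. The text attributes the analysis to CERT-UA but only a ClearSky URL is listed under `refs`; adding the CERT-UA advisory would make the `UAC-` designation traceable to the organisation that issued it.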
@@ -17400,6 +17400,17 @@
 },
 "uuid": "714f76b2-a8fd-49b0-8605-0eb1c9703140",
 "value": "UAC-0194"
+ },
+ {
+ "description": "TAG-112 is a Chinese state-sponsored APT that compromised Tibetan websites, including Tibet Post and Gyudmed Tantric University, to deliver Cobalt Strike malware. The group exploited vulnerabilities in the Joomla CMS to embed malicious JavaScript that spoofed a TLS certificate error, tricking users into downloading a compromised security certificate. TAG-112's infrastructure, concealed using Cloudflare, shows notable overlap with TAG-102, but it employs less sophisticated tactics, relying on Cobalt Strike rather than custom malware. The campaign reflects ongoing cyber-espionage efforts targeting Tibetan entities, likely for information collection and surveillance.",
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "https://www.recordedfuture.com/research/china-nexus-tag-112-compromises-tibetan-websites"
+ ]
+ },
+ "uuid": "9eeb11a0-3fcf-4036-844a-2500c72f8b69",
+ "value": "TAG-112"
 }
 ],
 "version": 320
From 74323acdfeaa681935328343e4200bfa5647fd38 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Fri, 15 Nov 2024 03:42:18 -0800
Subject: [PATCH 4/7] [threat-actors] Add SilkSpecter
---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 082a628..23541cd 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
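Review bot: The description opens with `Chinese state-sponsored APT`, a stronger attribution than the only listed reference appears to make (its slug reads `china-nexus-tag-112`); unless the report itself asserts sponsorship, align the wording, e.g. `TAG-112 is a China-nexus cyber-espionage group`. `downloading a compromised security certificate` obscures what was actually delivered — from the rest of the sentence it is presumably the Cobalt Strike payload disguised as a certificate file, so `downloading a malicious executable disguised as a security certificate` would say what a defender needs (confirm against the Recorded Future report). The overlap with TAG-102 is stated only in prose; if a TAG-102 cluster exists in this file, add a `related` entry pointing at its uuid with a `similar` relation so the link survives tooling that ignores description text.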
@@ -17411,6 +17411,17 @@
 },
 "uuid": "9eeb11a0-3fcf-4036-844a-2500c72f8b69",
 "value": "TAG-112"
+ },
+ {
+ "description": "SilkSpecter is a Chinese financially motivated threat actor that orchestrates phishing campaigns targeting e-commerce shoppers, particularly during peak shopping seasons. They exploit legitimate payment processors like Stripe to exfiltrate Cardholder Data and Personally Identifiable Information through convincing fake e-commerce sites created using the oemapps SaaS platform. Their phishing infrastructure relies on Chinese-hosted CDN servers and utilizes deceptive elements such as the \"trusttollsvg\" icon and a \"/homeapi/collect\" endpoint to track victim interactions. Analysts have linked SilkSpecter to over 89 IP addresses and more than 4,000 domain names associated with phishing activities, predominantly using .top, .shop, .store, and .vip TLDs.",
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "https://blog.eclecticiq.com/inside-intelligence-center-financially-motivated-chinese-threat-actor-silkspecter-targeting-black-friday-shoppers"
+ ]
+ },
+ "uuid": "0f4c942f-9491-4844-b782-4ee65033c7e0",
+ "value": "SilkSpecter"
 }
 ],
 "version": 320
From 56a2a330d1165d623b94cd2a330305f5a1049ccb Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Fri, 15 Nov 2024 03:42:18 -0800
Subject: [PATCH 5/7] [threat-actors] Add TA455
---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 23541cd..5ba3c61 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
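Review bot: `They exploit legitimate payment processors like Stripe` reads as if Stripe itself were compromised, while the rest of the sentence describes fake shops that use a real processor as a checkout front while harvesting card data; `They abuse legitimate payment processors such as Stripe as a checkout front to harvest Cardholder Data` is accurate and avoids a false claim about the processor. The `\"/homeapi/collect\"` path and `\"trusttollsvg\"` icon are the concrete hunting pivots in this entry, but the description does not say whether they are requests made by the victim's browser or server-side assets; a clause like `a tracking request from the victim's browser to a \"/homeapi/collect\" endpoint on the phishing site` would let defenders turn it into a proxy-log rule (confirm the direction against the EclecticIQ report). The TLD list and the IP/domain counts go stale as soon as the campaign rotates infrastructure, so consider anchoring them to the reporting date (`as of November 2024, ...`).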
@@ -17422,6 +17422,17 @@
 },
 "uuid": "0f4c942f-9491-4844-b782-4ee65033c7e0",
 "value": "SilkSpecter"
+ },
+ {
+ "description": "TA455 is an Iranian APT group targeting the aerospace industry through a campaign known as the “Iranian Dream Job Campaign,” utilizing deceptive job offers to lure victims. They employ spearphishing tactics with malicious ZIP files containing the executable “secur32[.]dll” and disguise their C2 communications within the traffic of reputable services like Cloudflare and GitHub. The group intentionally mimics the TTPs of the North Korean Lazarus group to mislead investigators and complicate attribution. Their multi-stage infection strategy enhances the likelihood of success while evading detection.",
+ "meta": {
+ "country": "IR",
+ "refs": [
+ "https://informationsecuritybuzz.com/iranian-dream-job-aerospace/"
+ ]
+ },
+ "uuid": "c2f1f2e3-9573-49be-b01e-6ffff9a9571b",
+ "value": "TA455"
 }
 ],
 "version": 320
From dea8f8dd0b8e2b846f26151b7855c6870f1d75d3 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Fri, 15 Nov 2024 03:42:18 -0800
Subject: [PATCH 6/7] [threat-actors] Add Kairos
---
 clusters/threat-actor.json | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 5ba3c61..6d423b6 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
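Review bot: `“secur32[.]dll”` defangs a local filename as if it were a domain and uses typographic quotes where the SilkSpecter entry earlier in this series uses escaped ASCII quotes (`\"trusttollsvg\"`); the bracket breaks exact-match searches for the real filename, and `secur32.dll` is also the name of a legitimate Windows library, so the masquerade is the fact worth stating. Suggest `containing a malicious \"secur32.dll\" that masquerades as the legitimate Windows library`, adjusted to whatever the source actually says about how the file is used. The sole reference is a news aggregator (informationsecuritybuzz.com); cite the primary vendor research it summarises so claims such as the deliberate Lazarus TTP mimicry are traceable. Check as well whether this actor already exists in the file under another vendor's name, in which case `TA455` belongs in that cluster's `synonyms` rather than under a new uuid.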
@@ -17433,6 +17433,16 @@
 },
 "uuid": "c2f1f2e3-9573-49be-b01e-6ffff9a9571b",
 "value": "TA455"
+ },
+ {
+ "description": "Kairos is an extortion group that emerged with a data-leak site on 13 November 2024, claiming attacks against six organizations, primarily in the US healthcare sector. The group is financially motivated, demanding Bitcoin payments for the secure deletion of stolen files and threatening to leak data if victims do not comply. While no specific TTPs are publicly known, common techniques among extortion groups include phishing and scanning for exposed internet-facing devices. There is a potential link to a user on a Russian-language cybercriminal forum who shares a post-exploitation script, but attribution remains uncertain.",
+ "meta": {
+ "refs": [
+ "https://www.cyjax.com/resources/blog/an-elephant-in-kairos-data-leak-site-emerges-for-new-extortion-group/"
+ ]
+ },
+ "uuid": "4d3c9666-6e08-4186-854c-cc0f8c28f5b6",
+ "value": "Kairos"
 }
 ],
 "version": 320
From 5a408ad95579cf910b3ea92e4fb462990cf02342 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Fri, 15 Nov 2024 03:42:23 -0800
Subject: [PATCH 7/7] [threat actors] Update README
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 2d7844d..5c2bd9f 100644
--- a/README.md
+++ b/README.md
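Review bot: The sentence `While no specific TTPs are publicly known, common techniques among extortion groups include phishing and scanning for exposed internet-facing devices` describes extortion groups in general, not Kairos, and inside a threat-actor cluster it will be read as attributed tradecraft; keep only `No specific TTPs are publicly known.` and drop the generic remainder. Leaving `country` out of `meta` is the right call given the description's own statement that attribution is uncertain. The leak-site date (`13 November 2024`) is the one hard, dated fact in the entry; if this file already uses a first-seen style meta field on other clusters, record it there too so it is machine-readable rather than prose-only.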
@@ -599,7 +599,7 @@ Category: *tea-matrix* - source: ** - total: *7* elements [Threat Actor](https://www.misp-galaxy.org/threat-actor) - Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. threat-actor-classification meta can be used to clarify the understanding of the threat-actor if also considered as operation, campaign or activity group. -Category: *actor* - source: *MISP Project* - total: *774* elements +Category: *actor* - source: *MISP Project* - total: *779* elements [[HTML](https://www.misp-galaxy.org/threat-actor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/threat-actor.json)]