Merge pull request #778 from Mathieu4141/threat-actors/fix-malware-reuser-duplicate

[threat-actors] Fix Volatile Cedar and Dancing Salome conflicts
This commit is contained in:
Alexandre Dulaunoy 2022-09-30 06:37:15 +02:00 committed by GitHub
commit 800006e6ab
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23

View file

@ -3606,32 +3606,48 @@
{
"description": "Beginning in late 2012, a carefully orchestrated attack campaign we call Volatile Cedar has been targeting individuals, companies and institutions worldwide. This campaign, led by a persistent attacker group, has successfully penetrated a large number of targets using various attack techniques, and specifically, a custom-made malware implant codenamed Explosive.",
"meta": {
"country": "LB",
"refs": [
"https://blog.checkpoint.com/2015/03/31/volatilecedar/",
"https://blog.checkpoint.com/2015/06/09/new-data-volatile-cedar/",
"https://securelist.com/sinkholing-volatile-cedar-dga-infrastructure/69421/",
"https://www.clearskysec.com/wp-content/uploads/2021/01/Lebanese-Cedar-APT.pdf"
"https://www.clearskysec.com/wp-content/uploads/2021/01/Lebanese-Cedar-APT.pdf",
"https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2015/03/20082004/volatile-cedar-technical-report.pdf"
],
"suspected-victims": [
"Middle East",
"Israel",
"Lebanon",
"Saudi Arabia"
],
"synonyms": [
"Reuse team",
"Malware reusers",
"Dancing Salome",
"Lebanese Cedar"
]
},
"related": [
{
"dest-uuid": "0155c3b1-8c7c-4176-aeda-68678dd99992",
"tags": [
"estimative-language:likelihood-probability=\"very-likely\""
],
"type": "uses"
}
],
"uuid": "cf421ce6-ddfe-419a-bc65-6a9fc953232a",
"value": "Volatile Cedar"
},
{
"description": "Threat Group conducting cyber espionage while re-using tools from other teams; like those of Hacking Team, and vmprotect to obfuscate.",
"description": "Dancing Salome is the Kaspersky codename for an APT actor with a primary focus on ministries of foreign affairs, think tanks, and Ukraine. What makes Dancing Salome interesting and relevant is the attackers penchant for leveraging HackingTeam RCS implants compiled after the public breach.",
"meta": {
"synonyms": [
"Reuse team",
"Dancing Salome"
"refs": [
"https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07170728/Guerrero-Saade-Raiu-VB2017.pdf"
],
"suspected-victims": [
"Ukraine"
]
},
"uuid": "3d5192f2-f235-46fd-aa68-dd00cc17d632",
"value": "Malware reusers"
"value": "Dancing Salome"
},
{
"description": "Microsoft Threat Intelligence identified similarities between this recent attack and previous 2012 attacks against tens of thousands of computers belonging to organizations in the energy sector. Microsoft Threat Intelligence refers to the activity group behind these attacks as TERBIUM, following our internal practice of assigning rogue actors chemical element names.",