From 2d30785af5eac225d93551ab3a941819ea61a517 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=BCrgen=20L=C3=B6hel?=
Date: Wed, 8 Mar 2023 21:44:16 -0600
Subject: [PATCH 1/4] chg [threat-actors] Add TA866
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Jürgen Löhel
---
 clusters/threat-actor.json | 50 +++++++++++++++++++++++++++++++++++++-
 1 file changed, 49 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 0da6af5..d9d8c96 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -10564,7 +10564,55 @@
 ],
 "uuid": "eb0b100c-8a4e-4859-b6f8-eebd66c3d20c",
 "value": "Prophet Spider"
+ },
+ {
+ "description": "According to Proofpoint, TA866 is a newly identified threat actor that distributes malware via email utilizing both commodity and custom tools. While most of the activity observed occurred since October 2022, Proofpoint researchers identified multiple activity clusters since 2019 that overlap with TA866 activity. Most of the activity recently observed by Proofpoint suggests recent campaigns are financially motivated, however assessment of historic related activities suggests a possible, additional espionage objective.",
+ "meta": {
+ "motive": "mainly financially motivated, additional espionage objective.",
+ "references": [
+ "https://www.proofpoint.com/us/blog/threat-insight/screentime-sometimes-it-feels-like-somebodys-watching-me"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "f3b7e302-152b-4c4e-85c2-82733b78d13f",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "49ca568f-b6e4-49ff-963e-796f8207d185",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "9eb2a417-2bb6-496c-816b-bccb3f3074f6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "5c7fa5e1-352a-41c3-8e55-744e5fa88793",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "7b956ff0-9021-499c-82a4-24b958cb32d9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "uses"
+ }
+ ],
+ "uuid": "a3c22f46-5135-4b39-a33f-92906ac12c31",
+ "value": "TA866"
 }
 ],
- "version": 261
+ "version": 262
 }
From 437d4a30e5a3cd2f918e8f2004c90f44743d1f30 Mon Sep 17 00:00:00 2001
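Review bot: The new TA866 entry keeps its source links under `"meta"."references"`, while every other cluster added in this series (tds.json, stealer.json, tool.json) uses `"meta"."refs"`; if the galaxy schema and the tooling that renders links read `refs`, this reference is silently dropped, so the key should be renamed to `"refs": [`. The five `dest-uuid` values in `related` point at clusters that only appear in patches 2/4 through 4/4 of this series, so this commit does not validate on its own; if each commit is expected to pass CI individually, reorder the series so the tool, stealer and TDS entries land first. Minor: the `"motive"` value ends with a full stop, which reads as a label elsewhere in the file and is presumably meant to be `"mainly financially motivated, additional espionage objective"`.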
From: =?UTF-8?q?J=C3=BCrgen=20L=C3=B6hel?=
Date: Wed, 8 Mar 2023 21:45:13 -0600
Subject: [PATCH 2/4] chg [tds]: Add 404 TDS
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Jürgen Löhel
---
 clusters/tds.json | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/clusters/tds.json b/clusters/tds.json
index 5b7658f..7475e55 100644
--- a/clusters/tds.json
+++ b/clusters/tds.json
@@ -132,7 +132,20 @@
 },
 "uuid": "ec0048f2-a7b2-4a71-83de-6e8fe4fef252",
 "value": "Orchid TDS"
+ },
+ {
+ "description": "Proofpoint has tracked the 404 TDS since at least September 2022. Proofpoint is not aware if this is a service sold on underground forums, but it is likely a shared or sold tool due to its involvement in a variety of phishing and malware campaigns.",
+ "meta": {
+ "refs": [
+ "https://www.proofpoint.com/us/blog/threat-insight/screentime-sometimes-it-feels-like-somebodys-watching-me"
+ ],
+ "type": [
+ "Underground"
+ ]
+ },
+ "uuid": "7b956ff0-9021-499c-82a4-24b958cb32d9",
+ "value": "404 TDS"
 }
 ],
- "version": 4
+ "version": 5
 }
From 031a4c8030acf95f357b00ef58da78944566e647 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=BCrgen=20L=C3=B6hel?=
Date: Wed, 8 Mar 2023 21:45:39 -0600
Subject: [PATCH 3/4] chg [stealer]: Add Rhadamanthys
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Jürgen Löhel
---
 clusters/stealer.json | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/clusters/stealer.json b/clusters/stealer.json
index 78545bb..8fb3311 100644
--- a/clusters/stealer.json
+++ b/clusters/stealer.json
@@ -196,7 +196,20 @@
 },
 "uuid": "7f95ebda-2c7b-49a4-ad57-bd5766a1f651",
 "value": "Album Stealer"
+ },
+ {
+ "description": "According to PCrisk, Rhadamanthys is a stealer-type malware, and as its name implies - it is designed to extract data from infected machines.",
+ "meta": {
+ "refs": [
+ "https://elis531989.medium.com/dancing-with-shellcodes-analyzing-rhadamanthys-stealer-3c4986966a88",
+ "https://blog.cyble.com/2023/01/12/rhadamanthys-new-stealer-spreading-through-google-ads/",
+ "https://www.malware-traffic-analysis.net/2023/01/03/index.html",
+ "https://threatmon.io/rhadamanthys-stealer-analysis-threatmon/"
+ ]
+ },
+ "uuid": "9eb2a417-2bb6-496c-816b-bccb3f3074f6",
+ "value": "Rhadamanthys"
 }
 ],
- "version": 11
+ "version": 12
 }
From 9f9a2633945cc57b86661eab9b7c4d2971b57523 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=BCrgen=20L=C3=B6hel?=
Date: Wed, 8 Mar 2023 21:46:11 -0600
Subject: [PATCH 4/4] chg [tool]: Add tools used by TA866 during the Screentime campaign
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Jürgen Löhel
---
 clusters/tool.json | 55 +++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 54 insertions(+), 1 deletion(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index 38bddaf..8e8d39e 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
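Review bot: The Rhadamanthys description opens with `According to PCrisk`, but none of the four `refs` URLs is the PCrisk article being quoted, so a reader cannot check the attribution from the entry itself. Either add the PCrisk source to `refs` or rephrase the description to summarise one of the references that are listed; in a threat-intel cluster the quoted source and the reference list should agree.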
@@ -8701,7 +8701,60 @@
 },
 "uuid": "55d5853c-393e-449b-ab2b-871e3fe45288",
 "value": "TgToxic"
+ },
+ {
+ "description": "According to Proofpoint, WasabiSeed is a simple VBS downloader which repeatedly uses Windows Installer to connect to the C2 server looking for MSI packages to download and run. Proofpoint showed that it downloads and executes first a second MSI file containing Screenshotter.",
+ "meta": {
+ "refs": [
+ "https://www.proofpoint.com/us/blog/threat-insight/screentime-sometimes-it-feels-like-somebodys-watching-me"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "54c03b3c-6f97-46ea-a93f-f07bfd5cdd36,",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "similar"
+ }
+ ],
+ "uuid": "f3b7e302-152b-4c4e-85c2-82733b78d13f",
+ "value": "WasabiSeed"
+ },
+ {
+ "description": "According to Proofpoint, this is a utility with a single function of taking a JPG screenshot of the user's desktop and submitting it to a remote C2 via a POST to a hardcoded IP address. 
This is helpful to the threat actor during the reconnaissance and victim profiling stage.",
+ "meta": {
+ "refs": [
+ "https://www.proofpoint.com/us/blog/threat-insight/screentime-sometimes-it-feels-like-somebodys-watching-me"
+ ]
+ },
+ "uuid": "49ca568f-b6e4-49ff-963e-796f8207d185",
+ "value": "Screenshotter"
+ },
+ {
+ "description": "According to Proofpoint, this is a Lua-based malware likely used by a nation-state sponsored attacker used to target European government personnel involved in managing the logistics of refugees fleeing Ukraine.",
+ "meta": {
+ "refs": [
+ "https://www.proofpoint.com/us/blog/threat-insight/asylum-ambuscade-state-actor-uses-compromised-private-ukrainian-military-emails",
+ "https://blogs.blackberry.com/en/2022/03/threat-thursday-sunseed-malware"
+ ]
+ },
+ "uuid": "54c03b3c-6f97-46ea-a93f-f07bfd5cdd36",
+ "value": "SunSeed"
+ },
+ {
+ "description": "According to Proofpoint, the A(uto)H(ot)K(key) Bot is a collection of separate AutoHotKey scripts. The bot's main component is an infinite loop that polls and downloads additional AHK scripts. The bot can load a stealer like Rhadamanthys and can check if the machine is part of an Active Directory domain.",
+ "meta": {
+ "refs": [
+ "https://www.proofpoint.com/us/blog/threat-insight/screentime-sometimes-it-feels-like-somebodys-watching-me",
+ "https://research.checkpoint.com/2019/finteam-trojanized-teamviewer-against-government-targets/",
+ "https://www.trendmicro.com/en_us/research/19/d/potential-targeted-attack-uses-autohotkey-and-malicious-script-embedded-in-excel-file-to-avoid-detection.html",
+ "https://www.trendmicro.com/en_us/research/20/l/stealth-credential-stealer-targets-us-canadian-bank-customers.html"
+ ]
+ },
+ "uuid": "5c7fa5e1-352a-41c3-8e55-744e5fa88793",
+ "value": "AHK Bot"
 }
 ],
- "version": 160
+ "version": 161
 }
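Review bot: In the WasabiSeed entry the related `dest-uuid` is written as `"54c03b3c-6f97-46ea-a93f-f07bfd5cdd36,"` — the comma sits inside the string literal, so the value is not a valid UUID and the `similar` relation will never resolve to the SunSeed cluster (`54c03b3c-6f97-46ea-a93f-f07bfd5cdd36`) added further down in the same hunk. Change the line to `"dest-uuid": "54c03b3c-6f97-46ea-a93f-f07bfd5cdd36",`. The file still parses as JSON, which is why this slips past a plain syntax check; a UUID-format check on every `uuid` and `dest-uuid` in the galaxy validation, if the project has one, would catch this class of typo and is worth confirming.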