adding Proofpoint's TA428

Daniel Plohmann 2019-07-31 14:08:50 +02:00 committed by GitHub
parent dbb67dd7d2
commit a4a72d0698
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -7622,7 +7622,18 @@
},
"uuid": "64ac8827-89d9-4738-9df3-cd955c628bee",
"value": "SWEED"
},
{
"description": "Proofpoint researchers have identified a targeted APT campaign that utilized malicious RTF documents to deliver custom malware to unsuspecting victims. We dubbed this campaign “Operation LagTime IT” based on entities that were targeted and the distinctive domains registered to C&C IP infrastructure. Beginning in early 2019, these threat actors targeted a number of government agencies in East Asia overseeing government information technology, domestic affairs, foreign affairs, economic development, and political processes. We determined that the infection vector observed in this campaign was spear phishing, with emails originating from both free email accounts and compromised user accounts. Attackers relied on Microsoft Equation Editor exploit CVE-2018-0798 to deliver a custom malware that Proofpoint researchers have dubbed Cotx RAT. Additionally, this APT group utilizes Poison Ivy payloads that share overlapping command and control (C&C) infrastructure with the newly identified Cotx campaigns. Based on infrastructure overlaps, post-exploitation techniques, and historic TTPs utilized in this operation, Proofpoint analysts attribute this activity to the Chinese APT group tracked internally as TA428. Researchers believe that this activity has an operational and tactical resemblance to the Maudi Surveillance Operation which was previously reported in 2013.",
"meta": {
"country": "CN",
"refs": [
"https://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology"
]
},
"uuid": "5533d062-18ab-4c70-9472-0eac03f95a1d",
"value": "TA428"
}
],
"version": 122
"version": 123
}
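Review bot: the "description" of the new TA428 entry is pasted verbatim from the vendor write-up in the vendor's own first person ("We dubbed this campaign", "Proofpoint researchers have dubbed", "Proofpoint analysts attribute"), which in a cluster file reads as the galaxy itself speaking; consider rewording to third person (e.g. "Proofpoint dubbed this campaign 'Operation LagTime IT'") or clearly marking the text as a quotation of the linked ref. Two smaller points in the same block: the curly quotes around “Operation LagTime IT” should be straight ASCII quotes to match the rest of the file, and the tool names carried only in prose (Cotx RAT, Poison Ivy) are the kind of data other entries expose in "meta" rather than in the description, so they would be more useful as structured fields. The "version" bump from 122 to 123 is correct for a single added entry; please also confirm the new uuid 5533d062-18ab-4c70-9472-0eac03f95a1d does not collide with any other entry in the file.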