diff --git a/clusters/microsoft-activity-group.json b/clusters/microsoft-activity-group.json index 0f5482a..3d97ff3 100644 --- a/clusters/microsoft-activity-group.json +++ b/clusters/microsoft-activity-group.json @@ -277,7 +277,17 @@ ], "uuid": "00edb40d-2fed-4d36-98b1-c85fc2bb1168", "value": "PARINACOTA" + }, + { + "description": "GADOLINIUM is a nation-state activity group that has been compromising targets for nearly a decade with a worldwide focus on the maritime and health industries. As with most threat groups, GADOLINIUM tracks the tools and techniques of security practitioners looking for new techniques they can use or modify to create new exploit methods.\nHistorically, GADOLINIUM used custom-crafted malware families that analysts can identify and defend against. In response, over the last year GADOLINIUM has begun to modify portions of its toolchain to use open-source toolkits to obfuscate their activity and make it more difficult for analysts to track. Because cloud services frequently offer a free trial or one-time payment (PayGo) account offerings, malicious actors have found ways to take advantage of these legitimate business offerings. By establishing free or PayGo accounts, they can use cloud-based technology to create a malicious infrastructure that can be established quickly then taken down before detection or given up at little cost.", + "meta": { + "refs": [ + "https://www.microsoft.com/security/blog/2020/09/24/gadolinium-detecting-empires-cloud/" + ] + }, + "uuid": "99e708f7-1c01-467d-b0da-f6cebd434abc", + "value": "GADOLINIUM" } ], - "version": 8 + "version": 9 } diff --git a/clusters/ransomware.json b/clusters/ransomware.json index 3c04293..82bc750 100644 --- a/clusters/ransomware.json +++ b/clusters/ransomware.json @@ -13858,6 +13858,26 @@ "uuid": "e390e1bb-2af1-4139-8e61-6e534d707dfb", "value": "Snake Ransomware" }, + { + "description": "Anomali researchers have observed a new ransomware family, dubbed eCh0raix, targeting QNAP Network Attached Storage (NAS) devices. QNAP devices are created by the Taiwanese company QNAP Systems, Inc., and contain device storage and media player functionality, amongst others. The devices appear to be compromised by brute forcing weak credentials and exploiting known vulnerabilities in targeted attacks. The malicious payload encrypts the targeted file extensions on the NAS using AES encryption and appends .encrypt extension to the encrypted files. The ransom note created by the ransomware has the form shown below.\neCh0raix was first seen in June 2019, after victims began reporting ransomware attacks in a forum topic on BleepingComputer.\nOn June 1st, 2020, there has been a sudden surge of eCh0raix victims seeking help in our forums and submissions to the ransomware identification site ID-Ransomware.", + "meta": { + "extensions": [ + ".encrypt" + ], + "ransomnotes": [ + "All your data has been locked(crypted).\n​How to unclock(decrypt) instruction located in this TOR website:\nhttp://sg3dwqfpnr4sl5hh.onion/order/[Bitcoin address]\nUse TOR browser for access .onion websites.\nhttps://duckduckgo.com/html?q=tor+browser+how+to\n\nDo NOT remove this file and NOT remove last line in this file!\n[base64 encoded encrypted data]" + ], + "ransomnotes-filenames": [ + "README_FOR_DECRYPT.txt" + ], + "refs": [ + "https://www.bleepingcomputer.com/news/security/ongoing-ech0raix-ransomware-campaign-targets-qnap-nas-devices/", + "https://www.anomali.com/blog/the-ech0raix-ransomware" + ] + }, + "uuid": "f3ded787-783e-4c6b-909a-8da01254380c", + "value": "eCh0raix" + }, { "description": "The threat group behind this malware seems to operate by hacking into companies, stealing sensitive data, and then running Egregor to encrypt all the files. According to the ransom note, if the ransom is not paid by the company within 3 days, and aside from leaking part of the stolen data, they will distribute via mass media where the company's partners and clients will know that the company was attacked.", "meta": { @@ -13930,5 +13950,5 @@ "value": "WastedLocker" } ], - "version": 87 + "version": 88 } diff --git a/clusters/rat.json b/clusters/rat.json index a630854..a6af336 100644 --- a/clusters/rat.json +++ b/clusters/rat.json @@ -3453,6 +3453,19 @@ "uuid": "9d36db93-7d60-4da6-a611-1a32e02a054f", "value": "SDBbot" }, + { + "description": "A China-based APT has been sending organizations spear-phishing emails that distribute a never-before-seen intelligence-collecting RAT dubbed Sepulcher.\n\nResearchers discovered the new malware being distributed over the past six months through two separate campaigns. The first, in March, targeted European diplomatic and legislative bodies, non-profit policy research organizations and global organizations dealing with economic affairs. The second, in July, targeted Tibetan dissidents. They tied the campaigns to APT group TA413, which researchers say has been associated with Chinese state interests and is known for targeting the Tibetan community.\n\n“Based on the use of publicly known sender addresses associated with Tibetan dissident targeting and the delivery of Sepulcher malware payloads, [we] have attributed both campaigns to the APT actor TA413,” said Proofpoint researchers in a Wednesday analysis. “The usage of publicly known Tibetan-themed sender accounts to deliver Sepulcher malware demonstrates a short-term realignment of TA413’s targets of interest.”", + "meta": { + "refs": [ + "https://www.enigmasoftware.fr/logicielmalveillantsepulcher-supprimer/", + "https://threatpost.com/chinese-apt-sepulcher-malware-phishing-attacks/158871/", + "https://malpedia.caad.fkie.fraunhofer.de/details/win.sepulcher", + "https://cyware.com/news/chinese-apt-ta413-found-distributing-sepulcher-malware-176a0969" + ] + }, + "uuid": "d0ed7527-cd1b-4b05-bbac-2e409ca46104", + "value": "Sepulcher" + }, { "description": "The campaign spreads via phishing emails posing as invoices, tax reports, invitations and similar types of messages containing a ZIP archive attachment with a malicious LNK file. When a user opens the malicious LNK file, it abuses the Windows Management Instrumentation Command-line tool and silently downloads a malicious XSL file. The XSL file downloads all of Guildma’s modules and executes a first stage loader, which loads the rest of the modules. The malware is then active and waits for commands from the C&C server and/or specific user interactions, such as opening a webpage of one of the targeted banks.", "meta": { @@ -3465,5 +3478,5 @@ "value": "Guildma" } ], - "version": 35 + "version": 36 } diff --git a/clusters/target-information.json b/clusters/target-information.json index b460f6e..ae398fc 100644 --- a/clusters/target-information.json +++ b/clusters/target-information.json @@ -1154,7 +1154,7 @@ "French" ], "territory-type": [ - "Counry" + "Country" ], "top-level-domain": ".bf" }, diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 2b43e24..51f68e1 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -4272,7 +4272,8 @@ "https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution/", "https://attack.mitre.org/groups/G0047/", "https://github.com/StrangerealIntel/CyberThreatIntel/tree/master/Russia/APT/Gamaredon", - "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf" + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", + "https://www.welivesecurity.com/2020/06/18/digging-up-invisimole-hidden-arsenal/" ], "synonyms": [ "Primitive Bear" @@ -8111,7 +8112,8 @@ ], "cfr-type-of-incident": "Espionage", "refs": [ - "https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/" + "https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/", + "https://www.welivesecurity.com/2020/06/18/digging-up-invisimole-hidden-arsenal/" ] }, "uuid": "87af83a4-ced4-4e7c-96a6-86612dc095b1", @@ -8328,6 +8330,17 @@ "uuid": "d1c25b0e-e4c5-4b7c-b790-2e185cb2f07e", "value": "COBALT KATANA" }, + { + "description": "Dark Basin is a hack-for-hire group that has targeted thousands of individuals and hundreds of institutions on six continents. Targets include advocacy groups and journalists, elected and senior government officials, hedge funds, and multiple industries.\nDark Basin extensively targeted American nonprofits, including organisations working on a campaign called #ExxonKnew, which asserted that ExxonMobil hid information about climate change for decades.\nWe also identify Dark Basin as the group behind the phishing of organizations working on net neutrality advocacy, previously reported by the Electronic Frontier Foundation.\nWe link Dark Basin with high confidence to an Indian company, BellTroX InfoTech Services, and related entitie", + "meta": { + "refs": [ + "https://citizenlab.ca/2020/06/dark-basin-uncovering-a-massive-hack-for-hire-operation/", + "https://github.com/citizenlab/malware-indicators/tree/master/202006_DarkBasin" + ] + }, + "uuid": "3cbc52d5-fe4d-4d7a-a5e9-641b7c073d62", + "value": "Dark Basin" + }, { "description": "GALLIUM, is a threat actor believed to be targeting telecommunication providers over the world, mostly South-East Asia, Europe and Africa. To compromise targeted networks, GALLIUM target unpatched internet-facing services using publicly available exploits and have been known to target vulnerabilities in WildFly/JBoss.", "meta": {