From e2dbd5a9a377892ea9ebb06598b5ae8966f331fb Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Fri, 17 Nov 2017 15:41:44 +0100
Subject: [PATCH] add MuddyWater + Update HIDDEN COBRA and update its tools

---
 clusters/rat.json | 11 ++++++++++-
 clusters/threat-actor.json | 16 ++++++++++++++--
 clusters/tool.json | 11 ++++++++++-
 3 files changed, 34 insertions(+), 4 deletions(-)

diff --git a/clusters/rat.json b/clusters/rat.json
index a9bbcc7..38b7b0d 100644
--- a/clusters/rat.json
+++ b/clusters/rat.json
@@ -7,7 +7,7 @@
 ],
 "description": "remote administration tool or remote access tool (RAT), also called sometimes remote access trojan, is a piece of software or programming that allows a remote \"operator\" to control a system as if they have physical access to that system.",
 "uuid": "312f8714-45cb-11e7-b898-135207cdceb9",
- "version": 4,
+ "version": 5,
 "values": [
 {
 "meta": {
@@ -2138,6 +2138,15 @@
 "https://cdn.riskiq.com/wp-content/uploads/2017/10/RiskIQ-htpRAT-Malware-Attacks.pdf?_ga=2.159415805.1155855406.1509033001-1017609577.1507615928"
 ]
 }
+ },
+ {
+ "description": "According to trusted third-party reporting, HIDDEN COBRA actors have likely been using FALLCHILL malware since 2016 to target the aerospace, telecommunications, and finance industries. The malware is a fully functional RAT with multiple commands that the actors can issue from a command and control (C2) server to a victim’s system via dual proxies. FALLCHILL typically infects a system as a file dropped by other HIDDEN COBRA malware or as a file downloaded unknowingly by users when visiting sites compromised by HIDDEN COBRA actors. HIDDEN COBRA actors use an external tool or dropper to install the FALLCHILL malware-as-a-service to establish persistence. Because of this, additional HIDDEN COBRA malware may be present on systems compromised with FALLCHILL.",
+ "value": "FALLCHILL",
+ "meta": {
+ "refs": [
+ "https://www.us-cert.gov/ncas/alerts/TA17-318A"
+ ]
+ }
 }
 ]
 }
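Review bot: The FALLCHILL object in the second rat.json hunk orders its keys `description`, `value`, `meta`, while the two other entries this commit adds each pick a different order (Volgmer in tool.json: `value`, `description`, `meta`; MuddyWater in threat-actor.json: `meta`, `description`, `value`). Key order carries no meaning in JSON, but these cluster files are reviewed and merged as text, so one consistent order keeps future diffs small and makes it easy to spot a missing or mislabelled key at a glance. Using the Volgmer layout (`"value"` first, then `"description"`, then `"meta"`) for all three additions would align them with the visible `"value": "Sowbug"` convention where the name is the short field; the same remark applies to the threat-actor.json and tool.json hunks and is not repeated there.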
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 2117c8c..145a9bf 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -1093,7 +1093,10 @@
 "https://threatpost.com/operation-blockbuster-coalition-ties-destructive-attacks-to-lazarus-group/116422/",
 "https://www.us-cert.gov/ncas/alerts/TA17-164A",
 "https://securelist.com/lazarus-under-the-hood/77908/",
- "http://www.mcafee.com/us/resources/white-papers/wp-dissecting-operation-troy.pdf"
+ "http://www.mcafee.com/us/resources/white-papers/wp-dissecting-operation-troy.pdf",
+ "https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity",
+ "https://www.us-cert.gov/ncas/alerts/TA17-318A",
+ "https://www.us-cert.gov/ncas/alerts/TA17-318B"
 ]
 },
 "value": "Lazarus Group",
@@ -2218,6 +2221,15 @@
 },
 "description": "Sowbug has been conducting highly targeted cyber attacks against organizations in South America and Southeast Asia and appears to be heavily focused on foreign policy institutions and diplomatic targets. Sowbug has been seen mounting classic espionage attacks by stealing documents from the organizations it infiltrates. ",
 "value": "Sowbug"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/"
+ ]
+ },
+ "description": "MuddyWater",
+ "value": "The MuddyWater attacks are primarily against Middle Eastern nations. However, we have also observed attacks against surrounding nations and beyond, including targets in India and the USA. MuddyWater attacks are characterized by the use of a slowly evolving PowerShell-based first stage backdoor we call “POWERSTATS”. Despite broad scrutiny and reports on MuddyWater attacks, the activity continues with only incremental changes to the tools and techniques."
 }
 ],
 "name": "Threat actor",
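Review bot: In the MuddyWater entry added to the second threat-actor.json hunk the `description` and `value` keys are swapped: `"description": "MuddyWater"` holds the actor's name and `"value"` holds the four-sentence Unit 42 narrative, whereas the neighbouring `"value": "Sowbug"` and `"value": "Lazarus Group"` lines, and the FALLCHILL and Volgmer entries in the same commit, use `value` for the short name. MISP builds the galaxy tag from `value`, so as written the tag for this actor would be the whole paragraph and a lookup for `MuddyWater` would not match. The fix is to exchange the two strings: `"description": "The MuddyWater attacks are primarily against Middle Eastern nations. …",` and `"value": "MuddyWater"`. The narrative is also a first-person quote from the referenced post ("we have also observed", "we call"), which reads oddly once it is presented as the cluster's own description; rewording it in the third person would make the attribution clearer.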
@@ -2232,5 +2244,5 @@
 ],
 "description": "Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign.",
 "uuid": "7cdff317-a673-4474-84ec-4f1754947823",
- "version": 28
+ "version": 29
 }
diff --git a/clusters/tool.json b/clusters/tool.json
index b1a62aa..e569134 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -10,7 +10,7 @@
 ],
 "description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.",
 "uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f",
- "version": 35,
+ "version": 36,
 "values": [
 {
 "meta": {
@@ -3029,6 +3029,15 @@
 "https://securelist.com/the-silence/83009/"
 ]
 }
+ },
+ {
+ "value": "Volgmer",
+ "description": "Volgmer is a backdoor Trojan designed to provide covert access to a compromised system. Since at least 2013, HIDDEN COBRA actors have been observed using Volgmer malware in the wild to target the government, financial, automotive, and media industries. It is suspected that spear phishing is the primary delivery mechanism for Volgmer infections; however, HIDDEN COBRA actors use a suite of custom tools, some of which could also be used to initially compromise a system. Therefore, it is possible that additional HIDDEN COBRA malware may be present on network infrastructure compromised with Volgmer",
+ "meta": {
+ "refs": [
+ "https://www.us-cert.gov/ncas/alerts/TA17-318B"
+ ]
+ }
 }
 ]
 }