From 79c84d3768eca7f1bfa29483e95e8575ef14c2bb Mon Sep 17 00:00:00 2001
From: Rony
Date: Tue, 19 Jul 2022 22:42:50 +0530
Subject: [PATCH 01/10] add Earth Berberoka, Earth Lusca and Earth Wendigo
---
 clusters/threat-actor.json | 105 ++++++++++++++++++++++++++++++++++++-
 1 file changed, 103 insertions(+), 2 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 2c66884..9032680 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -9651,7 +9651,108 @@ }, "uuid": "e665ac2f-87b4-4c2e-bef7-78bf0a8af87b", "value": "Predatory Sparrow" + }, + { + "description": "According to TrendMicro, Earth Berberoka is a threat group originating from China that mainly focuses on targeting gambling websites. This group's campaign uses multiple malware families that target the Windows, Linux, and macOS platforms that have been attributed to Chinese-speaking actors. Aside from using tried-and-tested malware families that have been upgraded, such as PlugX and Gh0st RAT, Earth Berberoka has also developed a brand-new complex, multistage malware family, which has been dubbed PuppetLoader.", + "meta": { + "cfr-suspected-victims": [ + "China", + "United States", + "Hong Kong", + "Malaysia", + "Taiwan" + ], + "cfr-target-category": [ + "Gambling Websites", + "Information technology", + "Electronics Manufacturers", + "Education" + ], + "country": "CN", + "refs": [ + "https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-berberoka.pdf", + "https://www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html", + "https://documents.trendmicro.com/assets/txt/earth-berberoka-windows-iocs-2.txt", + "https://documents.trendmicro.com/assets/txt/earth-berberoka-linux-iocs-2.txt", + "https://documents.trendmicro.com/assets/txt/earth-berberoka-macos-iocs-2.txt", + "https://documents.trendmicro.com/assets/txt/earth-berberoka-domains-2.txt", + "https://www.youtube.com/watch?v=QXGO4RJaUPQ", + "https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf" + ] + }, + "uuid": "9d82077b-7e95-4b22-8762-3224797ff5f0", + "value": "Earth Berberoka" + }, + { + "description": "Earth Lusca is a threat actor from China that targets organizations of interest to the Chinese government, including academic institutions, telecommunication companies, religious organizations, and other civil society groups. 
Earth Lusca's tools closely resemble those used by Winnti Umbrella, but the group appears to operate separately from Winnti. Earth Lusca has also been observed targeting cryptocurrency payment platforms and cryptocurrency exchanges in what are likely financially motivated attacks.", + "meta": { + "cfr-suspected-victims": [ + "Australia", + "China", + "France", + "Germany", + "Hong Kong", + "Japan", + "Mongolia", + "Nepal", + "Nigeria", + "Philippines", + "Taiwan", + "Thailand", + "United Arab Emirates", + "United States", + "Vietnam" + ], + "cfr-target-category": [ + "Gambling companies", + "Government Institutions", + "Education", + "Media and Entertainment", + "Pro-democracy and human rights political organizations", + "Telecommunications", + "Religious organization", + "Cryptocurrency", + "Medical", + "Covid-19 research organizations" + ], + "country": "CN", + "refs": [ + "https://hello.global.ntt/-/media/ntt/global/insights/white-papers/the-operations-of-winnti-group.pdf", + "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf", + "https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan", + "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWMFIi", + "https://media-exp1.licdn.com/dms/document/C561FAQHhWFRcWmdCPw/feedshare-document-pdf-analyzed/0/1639591145314?e=1658966400&v=beta&t=_uCcyEVg6b_VDiBTvWQIXtBOdQ1GQAAydqGyq62KA3E", + "https://www.sentinelone.com/wp-content/uploads/2021/08/SentinelOne_-SentinelLabs_ShadowPad_WP_V2.pdf" + ], + "synonyms": [ + "CHROMIUM", + "ControlX", + "TAG-22", + "FISHMONGER" + ] + }, + "uuid": "39150b30-61af-4d9c-9682-1595e145f3c1", + "value": "Earth Lusca" + }, + { + "description": "Earth Wendigo is a threat actor from China that has been targeting several organizations — including government organizations, research 
institutions, and universities in Taiwan — since May 2019, aiming to exfiltrate emails from targeted organizations via the injection of JavaScript backdoors to a webmail system that is widely used in Taiwan. The threat actor also sent spear-phishing emails embedded with malicious links to multiple individuals, including politicians and activists, who support movements in Tibet, the Uyghur region, or Hong Kong.", + "meta": { + "cfr-suspected-victims": [ + "Hong Kong", + "Taiwan" + ], + "cfr-target-category": [ + "Government", + "Education" + ], + "country": "CN", + "refs": [ + "https://www.trendmicro.com/en_us/research/21/a/earth-wendigo-injects-javascript-backdoor-to-service-worker-for-.html" + ] + }, + "uuid": "c96e1329-cf7e-44ac-a3db-9e251dc98ec5", + "value": "Earth Wendigo" } ], - "version": 232 -} + "version": 233 +} \ No newline at end of file From 3fabd584163e1f39d2bc9c3f886c1635d7a26015 Mon Sep 17 00:00:00 2001 From: Rony Date: Tue, 19 Jul 2022 23:36:30 +0530 Subject: [PATCH 02/10] chg: [threat-actor] fixed --- clusters/threat-actor.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 9032680..81ffca6 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -9755,4 +9755,4 @@ } ], "version": 233 -} \ No newline at end of file +} From 2e8a577b0ce8aa9ccc656ee9bf7238c544249b25 Mon Sep 17 00:00:00 2001 From: Rony Date: Wed, 20 Jul 2022 09:45:21 +0530 Subject: [PATCH 03/10] add PwC naming to CN actors --- clusters/threat-actor.json | 34 ++++++++++++++++++++-------------- 1 file changed, 20 insertions(+), 14 deletions(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 81ffca6..0570929 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -651,9 +651,7 @@ "Winnti Group", "Suckfly", "APT41", - "APT 41", "Group72", - "Group 72", "Blackfly", "LEAD", "WICKED SPIDER", 
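Review bot: The Earth Lusca refs include a media-exp1.licdn.com URL that carries a signed, time-limited token (`?e=1658966400&v=beta&t=…`), so that reference will stop resolving once the token expires and cannot serve as a stable citation; replace it with the permanent location of the document or an archived copy (`<STABLE-URL-placeholder>`). The same entry's description says its tooling closely resembles Winnti Umbrella, yet the cluster carries no `related` array even though other clusters in this file use one; if the overlap is meant to be machine-readable, add `"related": [{"dest-uuid": "<winnti-cluster-uuid>", "type": "similar"}]` with the uuid of the existing Winnti cluster. The enclosing clusters array continues outside the hunk.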
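Review bot: Dropping the spaced variants `"APT 41"` and `"Group 72"` from the Winnti synonyms removes matching keys rather than correcting them: consumers that resolve names by exact synonym string (tags, feeds, enrichment lookups) will no longer correlate the spaced spelling to this cluster. The same concern applies to `"APT 23"` and `"TropicTrooper"` in the @@ -1676 hunk of patch 05, and to the case-only replacements of `Fancy Bear`, `Voodoo Bear` and `Karma Panda` in its @@ -2421, @@ -2747 and @@ -4882 hunks, where the mixed-case form disappears. Unless a variant is known to be wrong, keep both spellings in `synonyms`; a redundant synonym costs nothing, a removed one silently breaks lookups.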
@@ -897,7 +895,8 @@ "DRAGONFISH", "BRONZE ELGIN", "ATK1", - "G0030" + "G0030", + "Red Salamander" ] }, "related": [ @@ -1409,7 +1408,9 @@ "synonyms": [ "IceFog", "Dagger Panda", - "Trident" + "Trident", + "RedFoxtrot", + "Red Wendigo" ] }, "uuid": "32c534b9-abec-4823-b223-a810f897b47b", @@ -6327,8 +6328,12 @@ "description": "Recorded Future’s Insikt Group has identified two new cyberespionage campaigns targeting the Tibetan Community over the past two years. The campaigns, which we are collectively naming RedAlpha, combine light reconnaissance, selective targeting, and diverse malicious tooling. We discovered this activity as the result of pivoting off of a new malware sample observed targeting the Tibetan community based in India.", "meta": { "refs": [ - "https://www.recordedfuture.com/redalpha-cyber-campaigns/", + "https://www.recordedfuture.com/chinese-cyberespionage-operations", "https://go.recordedfuture.com/hubfs/reports/cta-2018-0626.pdf" + ], + "synonyms": [ + "DeepCliff", + "Red Dev 3" ] }, "uuid": "71a3b962-9a36-11e8-88f8-b31d20c6fa2a", @@ -7425,7 +7430,8 @@ "synonyms": [ "ZIRCONIUM", "JUDGMENT PANDA", - "BRONZE VINEWOOD" + "BRONZE VINEWOOD", + "Red keres" ] }, "uuid": "6bf7e6b6-5917-45a6-9567-f0baba79768c", @@ -7483,7 +7489,8 @@ "Palmerworm", "G0098", "T-APT-03", - "Manga Taurus" + "Manga Taurus", + "Red Djinn" ] }, "uuid": "320c42f7-eab7-4ef9-b09a-74396caa6c3e", @@ -7821,10 +7828,6 @@ "country": "CN", "refs": [ "https://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology" - ], - "synonyms": [ - "Temp.Hex", - "Vicious Panda" ] }, "uuid": "5533d062-18ab-4c70-9472-0eac03f95a1d", @@ -8667,7 +8670,8 @@ "synonyms": [ "ATK233", "G0125", - "Operation Exchange Marauder" + "Operation Exchange Marauder", + "Red Dev 13" ] }, "uuid": "4f05d6c1-3fc1-4567-91cd-dd4637cc38b5", 
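Review bot: `"Red keres"` in the ZIRCONIUM synonyms (@@ -7425 hunk) is capitalised differently from every other PwC name added in this series (`Red Salamander`, `Red Wendigo`, `Red Djinn`, `Red Dev 13`); use `"Red Keres"` so case-sensitive lookups on the vendor name succeed. In the @@ -6327 hunk the original RedAlpha report URL is replaced rather than supplemented; if the old link merely moved that is fine, but the description still quotes that specific report, so keep the original ref alongside the new one unless it is known to be dead.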
@@ -9722,13 +9726,15 @@
 "https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan",
 "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWMFIi",
 "https://media-exp1.licdn.com/dms/document/C561FAQHhWFRcWmdCPw/feedshare-document-pdf-analyzed/0/1639591145314?e=1658966400&v=beta&t=_uCcyEVg6b_VDiBTvWQIXtBOdQ1GQAAydqGyq62KA3E",
- "https://www.sentinelone.com/wp-content/uploads/2021/08/SentinelOne_-SentinelLabs_ShadowPad_WP_V2.pdf"
+ "https://www.sentinelone.com/wp-content/uploads/2021/08/SentinelOne_-SentinelLabs_ShadowPad_WP_V2.pdf",
+ "https://www.pwc.co.uk/issues/cyber-security-services/research/chasing-shadows.html"
 ],
 "synonyms": [
 "CHROMIUM",
 "ControlX",
 "TAG-22",
- "FISHMONGER"
+ "FISHMONGER",
+ "Red Dev 10"
 ]
 },
 "uuid": "39150b30-61af-4d9c-9682-1595e145f3c1",
From 000bfe92d9d9dc95feba4c87e409ac237623d81f Mon Sep 17 00:00:00 2001
From: Rony
Date: Wed, 20 Jul 2022 10:04:58 +0530
Subject: [PATCH 04/10] add APT9/Red Pegasus & BRONZE EDGEWOOD/Red Hariasa
---
 clusters/threat-actor.json | 45 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 0570929..92a2c4b 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -9758,6 +9758,51 @@ }, "uuid": "c96e1329-cf7e-44ac-a3db-9e251dc98ec5", "value": "Earth Wendigo" + }, + { + "description": "In early 2021 CTU researchers observed BRONZE EDGEWOOD exploiting the Microsoft Exchange Server of an organization in Southeast Asia. The threat group deployed a China Chopper webshell and ran the Nishang Invoke-PowerShellTcp.ps1 script to connect back to C2 infrastructure. The threat group is publicly linked to malware families Chinoxy, PCShare and FunnyDream. CTU researchers have discovered that BRONZE EDGEWOOD also leverages Cobalt Strike in its intrusion activity. BRONZE EDGEWOOD has been active since at least 2018 and targets government and private enterprises across Southeast Asia. CTU researchers assess with moderate confidence that BRONZE EDGEWOOD operates on behalf the Chinese government and has a remit that covers political espionage.", + "meta": { + "cfr-suspected-victims": [ + "Kyrgyzstan", + "Malaysia", + "Vietnam" + ], + "country": "CN", + "refs": [ + "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", + "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf" + ], + "synonyms": [ + "Red Hariasa" + ] + }, + "uuid": "b4ce9385-eedf-4a71-803c-6d53a250d10b", + "value": "BRONZE EDGEWOOD" + }, + { + "description": "APT9 engages in cyber operations where the goal is data theft, usually focusing on the data and projects that make a particular organization competitive within its field. APT9 was historically very active in the pharmaceuticals and biotechnology industry. We have observed this actor use spearphishing, valid accounts, as well as remote services for Initial Access. On at least one occasion, Mandiant observed APT9 at two companies in the biotechnology industry and suspect that APT9 actors may have gained initial access to one of the companies by using a trusted relationship between the two companies. 
APT9 use a wide range of backdoors, including publicly available backdoors, as well as backdoors that are believed to be custom, but are used by multiple APT groups.", + "meta": { + "cfr-suspected-victims": [ + "United States" + ], + "cfr-target-category": [ + "Pharmaceuticals", + "Healthcare", + "Construction", + "Aerospace", + "Defense industrial base" + ], + "country": "CN", + "refs": [ + "https://www.mandiant.com/resources/apt-groups#apt19", + "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf" + ], + "synonyms": [ + "Red Pegasus" + ] + }, + "uuid": "7e6d82a4-3b7d-4c24-a2c5-e211ce6eafc5", + "value": "APT9" } ], "version": 233 From 082039b3b0d9864124d14d3fcabf412c538db20d Mon Sep 17 00:00:00 2001 From: Rony Date: Wed, 20 Jul 2022 14:52:58 +0530 Subject: [PATCH 05/10] added CN actors from secureworks threat profile https://www.secureworks.com/research/threat-profiles?filter=item-china and fixed some AKAs --- clusters/threat-actor.json | 190 ++++++++++++++++++++++++++++++++++--- 1 file changed, 175 insertions(+), 15 deletions(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 92a2c4b..c984884 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
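Review bot: The APT9 entry cites `https://www.mandiant.com/resources/apt-groups#apt19`, an anchor for APT19, while the cluster and its description are about APT9; this looks like a typo and should presumably point at the APT9 section of that page (verify the anchor before changing it). The BRONZE EDGEWOOD description is written in Secureworks CTU's voice ("CTU researchers observed …") but only the two PwC PDFs are cited; add the Secureworks threat-profile page the text was taken from, following the `https://www.secureworks.com/research/threat-profiles/<slug>` pattern this file already uses for other BRONZE groups. The enclosing clusters array continues outside the hunk.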
@@ -956,7 +956,7 @@ "value": "Lotus Panda" }, { - "description": "We have investigated their intrusions since 2013 and have been battling them nonstop over the last year at several large telecommunications and technology companies. The determination of this China-based adversary is truly impressive: they are like a dog with a bone.\nHURRICANE PANDA’s preferred initial vector of compromise and persistence is a China Chopper webshell – a tiny and easily obfuscated 70 byte text file that consists of an ‘eval()’ command, which is then used to provide full command execution and file upload/download capabilities to the attackers. This script is typically uploaded to a web server via a SQL injection or WebDAV vulnerability, which is often trivial to uncover in a company with a large external web presence.\nOnce inside, the adversary immediately moves on to execution of a credential theft tool such as Mimikatz (repacked to avoid AV detection). If they are lucky to have caught an administrator who might be logged into that web server at the time, they will have gained domain administrator credentials and can now roam your network at will via ‘net use’ and ‘wmic’ commands executed through the webshell terminal.", + "description": "We have investigated their intrusions since 2013 and have been battling them nonstop over the last year at several large telecommunications and technology companies. The determination of this China-based adversary is truly impressive: they are like a dog with a bone.\nHURRICANE PANDA's preferred initial vector of compromise and persistence is a China Chopper webshell – a tiny and easily obfuscated 70 byte text file that consists of an ‘eval()’ command, which is then used to provide full command execution and file upload/download capabilities to the attackers. 
This script is typically uploaded to a web server via a SQL injection or WebDAV vulnerability, which is often trivial to uncover in a company with a large external web presence.\nOnce inside, the adversary immediately moves on to execution of a credential theft tool such as Mimikatz (repacked to avoid AV detection). If they are lucky to have caught an administrator who might be logged into that web server at the time, they will have gained domain administrator credentials and can now roam your network at will via ‘net use’ and ‘wmic’ commands executed through the webshell terminal.", "meta": { "attribution-confidence": "50", "country": "CN", @@ -1676,9 +1676,7 @@ ], "synonyms": [ "APT23", - "APT 23", "KeyBoy", - "TropicTrooper", "Tropic Trooper", "BRONZE HOBART", "G0081" @@ -2421,14 +2419,15 @@ "https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/", "https://www.bleepingcomputer.com/news/security/russian-hackers-use-fake-nato-training-docs-to-breach-govt-networks/", "https://quointelligence.eu/2020/09/apt28-zebrocy-malware-campaign-nato-theme/", - "https://unit42.paloaltonetworks.com/atoms/fighting-ursa/" + "https://unit42.paloaltonetworks.com/atoms/fighting-ursa/", + "https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag" ], "synonyms": [ "APT 28", "APT28", "Pawn Storm", "PawnStorm", - "Fancy Bear", + "FANCY BEAR", "Sednit", "SNAKEMACKEREL", "TsarTeam", 
@@ -2603,7 +2602,8 @@ "https://attack.mitre.org/groups/G0010/", "https://www.telsy.com/turla-venomous-bear-updates-its-arsenal-newpass-appears-on-the-apt-threat-scene/", "https://www.secureworks.com/research/threat-profiles/iron-hunter", - "https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/" + "https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/", + "https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag" ], "synonyms": [ "Turla", @@ -2747,14 +2747,15 @@ "https://web.archive.org/web/20141016132823/https://www.symantec.com/connect/blogs/sandworm-windows-zero-day-vulnerability-being-actively-exploited-targeted-attacks", "https://ics.sans.org/blog/2015/12/30/current-reporting-on-the-cyber-attack-in-ukraine-resulting-in-power-outage", "https://blog.trendmicro.com/trendlabs-security-intelligence/timeline-of-sandworm-attacks/", - "https://attack.mitre.org/groups/G0034/" + "https://attack.mitre.org/groups/G0034/", + "https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag" ], "synonyms": [ "Sandworm Team", "Black Energy", "BlackEnergy", "Quedagh", - "Voodoo Bear", + "VOODOO BEAR", "TEMP.Noble", "Iron Viking", "G0034" @@ -4510,7 +4511,11 @@ "description": "The Callisto Group is an advanced threat actor whose known targets include military personnel, government officials, think tanks, and journalists in Europe and the South Caucasus. Their primary interest appears to be gathering intelligence related to foreign and security policy in the Eastern Europe and South Caucasus regions.", "meta": { "refs": [ - "https://www.f-secure.com/documents/996508/1030745/callisto-group" + "https://www.f-secure.com/documents/996508/1030745/callisto-group", + "https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag" + ], + "synonyms": [ + "COLDRIVER" ] }, "uuid": "fbd279ab-c095-48dc-ba48-4bece3dd5b0f", 
@@ -4882,7 +4887,7 @@ ], "synonyms": [ "CactusPete", - "Karma Panda", + "KARMA PANDA", "BRONZE HUNTLEY" ] }, @@ -6510,11 +6515,12 @@ "synonyms": [ "BRONZE PRESIDENT", "HoneyMyte", - "Red Lich" + "Red Lich", + "TEMP.HEX" ] }, "uuid": "78bf726c-a9e6-11e8-9e43-77249a2f7339", - "value": "Mustang Panda" + "value": "MUSTANG PANDA" }, { "description": "This threat actor targets organizations in the satellite communications, telecommunications, geospatial-imaging, and defense sectors in the United States and Southeast Asia for espionage purposes.", @@ -7827,7 +7833,20 @@ "meta": { "country": "CN", "refs": [ - "https://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology" + "https://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology", + "https://www.recordedfuture.com/china-linked-ta428-threat-group", + "https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia", + "https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop", + "https://blog.group-ib.com/task", + "https://www.sentinelone.com/labs/thundercats-hack-the-fsb-your-taxes-didnt-pay-for-this-op", + "https://www.youtube.com/watch?v=1WfPlgtfWnQ", + "https://vb2020.vblocalhost.com/uploads/VB2020-20.pdf", + "https://vb2020.vblocalhost.com/uploads/VB2020-Ozawa-etal.pdf", + "https://st.drweb.com/static/new-www/news/2021/april/drweb_research_attacks_on_russian_research_institutes_en.pdf" + ], + "synonyms": [ + "Colourful Panda", + "BRONZE DUDLEY" ] }, "uuid": "5533d062-18ab-4c70-9472-0eac03f95a1d", 
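Review bot: Renaming the cluster `value` from `"Mustang Panda"` to `"MUSTANG PANDA"` (@@ -6510 hunk) without keeping the old spelling breaks every existing tag of the form `misp-galaxy:threat-actor="Mustang Panda"`, because the value is the string those tags carry; the uuid is unchanged, but tag-based consumers match on the value text. Add the former name to `synonyms` (`"Mustang Panda"`), or leave the value as it was and put the uppercase form in synonyms instead. The same applies to the @@ -7992 hunk on the next line, where `"Calypso group"` becomes `"Calypso"` and the old name is dropped entirely.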
@@ -7992,10 +8011,13 @@ "meta": { "refs": [ "https://www.ptsecurity.com/upload/corporate/ru-ru/analytics/calypso-apt-2019-rus.pdf" + ], + "synonyms": [ + "BRONZE MEDLEY" ] }, "uuid": "200d04c8-a11f-45c4-86fd-35bb5de3f7a3", - "value": "Calypso group" + "value": "Calypso" }, { "description": "Proofpoint researchers detected campaigns from a relatively new actor, tracked internally as TA2101, targeting German companies and organizations to deliver and install backdoor malware. The actor initiated their campaigns impersonating the Bundeszentralamt fur Steuern, the German Federal Ministry of Finance, with lookalike domains, verbiage, and stolen branding in the emails. For their campaigns in Germany, the actor chose Cobalt Strike, a commercially licensed software tool that is generally used for penetration testing and emulates the type of backdoor framework used by Metasploit, a similar penetration testing tool. Proofpoint researchers have also observed this actor distributing Maze ransomware, employing similar social engineering techniques to those it uses for Cobalt Strike, while also targeting organizations in Italy and impersonating the Agenzia Delle Entrate, the Italian Revenue Agency. We have also recently observed the actor targeting organizations in the United States using the IcedID banking Trojan while impersonating the United States Postal Service (USPS).", @@ -8708,7 +8730,8 @@ "https://www.fireeye.com/blog/threat-research/2020/07/ghostwriter-influence-campaign.html", "https://twitter.com/hatr/status/1377220336597483520", "https://www.mandiant.com/resources/unc1151-linked-to-belarus-government", - "https://www.bleepingcomputer.com/news/security/meta-ukrainian-officials-military-targeted-by-ghostwriter-hackers/" + "https://www.bleepingcomputer.com/news/security/meta-ukrainian-officials-military-targeted-by-ghostwriter-hackers", + "https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag" ], "synonyms": [ "UNC1151", 
@@ -9734,6 +9757,7 @@
 "ControlX",
 "TAG-22",
 "FISHMONGER",
+ "BRONZE UNIVERSITY",
 "Red Dev 10"
 ]
 },
@@ -9803,6 +9827,142 @@ }, "uuid": "7e6d82a4-3b7d-4c24-a2c5-e211ce6eafc5", "value": "APT9" + }, + { + "description": "BRONZE SPRING is a threat group that CTU researchers assess with high confidence operates on behalf of China in the theft of intellectual property from defense, engineering, pharmaceutical and technology companies. The threat group typically uses scan-and-exploit for initial access, deploys the China Chopper webshell for remote execution and persistence, and creates RAR archives with a '.jpg' file extension for data exfiltration. \nIn July 2020 the U.S. Department of Justice indicted two Chinese hackers CTU researchers assess are members of the BRONZE SPRING threat group. The Department of Justice allege these hackers were responsible for compromising networks of hundreds of organisations and individuals in the U.S. and abroad since 2009, and that exfiltrated data would be passed to the Chinese Ministry of State Security or sold for financial gain.", + "meta": { + "cfr-suspected-victims": [ + "United States", + "Australia", + "Belgium", + "Germany", + "Japan", + "Lithuania", + "Netherlands", + "Spain", + "South Korea", + "Sweden", + "United Kingdom" + ], + "cfr-target-category": [ + "Information technology", + "Medical", + "Civil engineering", + "Business", + "Education", + "Gaming", + "Energy", + "Pharmaceuticals", + "Defense industrial base" + ], + "country": "CN", + "refs": [ + "https://www.justice.gov/opa/pr/two-chinese-hackers-working-ministry-state-security-charged-global-computer-intrusion", + "https://www.justice.gov/opa/press-release/file/1295981/download", + "https://www.justice.gov/opa/press-release/file/1295986/download", + "https://intrusiontruth.wordpress.com/2021/05/06/an-apt-with-no-name", + "https://twitter.com/MrDanPerez/status/1390285821786394624" + ], + "synonyms": [ + "UNC302" + ] + }, + "uuid": "8b77424e-18bc-4ea7-baa4-d87441978e20", + "value": "BRONZE SPRING" + }, + { + "description": "BRONZE STARLIGHT has been active since 
mid 2021 and targets organizations globally across a range of industry verticals. The group leverages HUI Loader to load Cobalt Strike and PlugX payloads for command and control. CTU researchers have observed BRONZE STARLIGHT deploying ransomware to compromised networks as part of name-and-shame ransomware schemes, and posted victim names to leak sites. \nCTU researchers assess with moderate confidence that BRONZE STARLIGHT is located in China based on observed tradecraft, including the use of HUI Loader and PlugX which are associated with China-based threat group activity. It is plausible that BRONZE STARLIGHT deploys ransomware as a smokescreen rather than for financial gain, with the underlying motivation of stealing intellectual property theft or conducting espionage.", + "meta": { + "country": "CN", + "refs": [ + "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", + "https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation", + "https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility", + "https://twitter.com/cglyer/status/1480734487000453121" + ], + "synonyms": [ + "DEV-0401" + ] + }, + "uuid": "737c0207-1a1a-4480-86e7-b6a5066e1ee5", + "value": "BRONZE STARLIGHT" + }, + { + "description": "BRONZE HIGHLAND has been observed using spearphishing as an initial infection vector to deploy the MgBot remote access trojan against targets in Hong Kong. Third party reporting suggests the threat group also targets India, Malaysia and Taiwan and leverages Cobalt Strike and KsRemote Android Rat. 
CTU researchers assess with moderate confidence that BRONZE HIGHLAND operates on behalf of China and has a remit covering espionage against domestic human rights and pro-democracy advocates and nations neighbouring China", + "meta": { + "cfr-suspected-victims": [ + "Hong Kong", + "Malaysia", + "India", + "Taiwan" + ], + "country": "CN", + "refs": [ + "https://blog.malwarebytes.com/threat-analysis/2020/07/chinese-apt-group-targets-india-and-hong-kong-using-new-variant-of-mgbot-malware", + "https://vb2020.vblocalhost.com/uploads/VB2020-43.pdf", + "https://www.youtube.com/watch?v=LeKi0KfzOow&list=PLffioUnqXWkdzWcZXH-bzPVgcs2R4r7iS&index=1&t=2154s" + ], + "synonyms": [ + "Evasive Panda" + ] + }, + "uuid": "62710572-e416-419d-bb1f-81ffc1ddc976", + "value": "BRONZE HIGHLAND" + }, + { + "description": "In December 2020, the IT management software provider SolarWinds announced that an unidentified threat actor had exploited a vulnerability in their Orion Platform software to deploy a web shell dubbed SUPERNOVA. CTU researchers track the operators of the SUPERNOVA web shell as BRONZE SPIRAL and assess with low confidence that the group is of Chinese origin. SUPERNOVA was likely deployed through exploitation of CVE-2020-10148, and CTU researchers observed post-exploitation reconnaissance commands roughly 30 minutes before the web shell was deployed. This may have been indicative of the threat actor conducting scan-and-exploit activity and then triaging for victims of particular interest, before deploying SUPERNOVA and attempting to dump credentials and move laterally.\n\nBRONZE SPIRAL has been associated with previous intrusions involving the targeting of ManageEngine servers, maintenance of long-term access to periodically harvest credentials and exfiltrate data, and espionage or theft of intellectual property. 
The threat group makes extensive use of native system tools and 'living off the land' techniques.", + "meta": { + "country": "CN", + "refs": [ + "https://unit42.paloaltonetworks.com/solarstorm-supernova", + "https://www.guidepointsecurity.com/blog/supernova-solarwinds-net-webshell-analysis", + "https://www.secureworks.com/blog/supernova-web-shell-deployment-linked-to-spiral-threat-group", + "https://www.sentinelone.com/labs/solarwinds-understanding-detecting-the-supernova-webshell-trojan", + "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-027a", + "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112" + ] + }, + "uuid": "3f04dbbc-69bc-409b-82a1-6135f0b6a41c", + "value": "BRONZE SPIRAL" + }, + { + "description": "BRONZE VAPOR is a targeted threat group assessed with moderate confidence to be of Chinese origin. Artefacts from tools associated with this group and open source reporting on related incidents indicate that BRONZE VAPOR have operated since at least 2017. The group conducts espionage against multiple industries including semiconductors, aviation and telecommunications. CTU researchers assess BRONZE VAPOR's intent to be information theft, with operations focused on intellectual property (semiconductors) and personally identifiable information such as traveller records (aviation). Compromise of telecommunications companies can yield personally identifiable information and meta data on client communications such as Call Data Records (CDR).\n\nPrior to 2019 their operational focus, with some exceptions, revolved around targets in East Asia particularity Taiwan with it's thriving semiconductor industry. In 2021 details emerged in open source of attacks on at least one European semiconductor company believed to date back to 2017. In 2019 BRONZE VAPOR attacked one of more entities in the European airlines sector. 
The group gains initial access via VPN services, may use spearphishing with 'Letter of Appointment' themed lures, and deploys Cobalt Strike along with custom data exfiltration tools to target organizations. Post-intrusion activity involves living-of-the-land using legitimate tools and commands available within victim environment as well as using AceHash for credential harvesting, WATERCYCLE for data exfiltration and STOCKPIPE for proxying information through Microsoft Exchange servers over email.\n\nBRONZE VAPOR uses a set of tactics that, although not individually unique, when viewed in aggregate create a relatively distinct playbook. Intrusions begin with credential based attacks against an existing remote access solution (Citrix, VPN etc.) or B2B network access. Cobalt Strike is deployed into the environment and further access is then conducted via Cobalt Strike Beacon and other features of the platform. Sharphound is deployed to map out the victim's Active Directory infrastructure and and collect critical information about the domain including important account names. Command and control infrastructure is hosted on subdomains of Azure and Appspot services to blend in with legitimate traffic. The threat actor also registers their own domains for command and control, often with a \"sync\" or \"update\" related theme. WinRAR is commonly used for compressing data prior to exfiltration. Filenames for these archives often involve a string of numbers and variations of the word \"update\". 
Data is exfiltrated using WATERCYCLE to cloud based platforms such as OneDrive and GoogleDrive.", + "meta": { + "cfr-suspected-victims": [ + "Taiwan" + ], + "cfr-target-category": [ + "Semiconductor Industry" + ], + "country": "CN", + "refs": [ + "https://www.secureworks.com/research/threat-profiles/bronze-vapor" + ] + }, + "uuid": "af12a336-bb68-41ff-866a-834cedc0b5fc", + "value": "BRONZE VAPOR" + }, + { + "description": "Check Point Research discovered a new campaign against the Mongolian public sector, which takes advantage of the current Coronavirus scare, in order to deliver a previously unknown malware implant to the target. \nA closer look at this campaign allowed us to tie it to other operations which were carried out by the same anonymous group, dating back to at least 2016. Over the years, these operations targeted different sectors in multiple countries, such as Ukraine, Russia, and Belarus.", + "meta": { + "cfr-suspected-victims": [ + "Belarus", + "Russia", + "Mongolia", + "Ukraine" + ], + "country": "CN", + "refs": [ + "https://securelist.com/microcin-is-here/97353", + "https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia", + "https://www.welivesecurity.com/2020/05/14/mikroceen-spying-backdoor-high-profile-networks-central-asia", + "https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign", + "https://unit42.paloaltonetworks.com/unit42-threat-actors-target-government-belarus-using-cmstar-trojan", + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07170759/Microcin_Technical_4PDF_eng_final_s.pdf" + ] + }, + "uuid": "68d8c25b-8595-4c20-a5c7-a11a2a34b717", + "value": "Vicious Panda" } ], "version": 233 From 932fcf1871c6a45451a2b93e6427a32579e21ec7 Mon Sep 17 00:00:00 2001 From: Rony Date: Wed, 20 Jul 2022 15:07:35 +0530 Subject: [PATCH 06/10] added Red Nue --- clusters/threat-actor.json | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) 
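Review bot: The new stand-alone `Vicious Panda` cluster (uuid 68d8c25b-8595-4c20-a5c7-a11a2a34b717) has no `related` entry, although this same series removed `"Vicious Panda"` from the TA428 synonyms (uuid 5533d062-18ab-4c70-9472-0eac03f95a1d) in patch 03, so consumers that previously resolved the name to TA428 now reach a separate object with no link back. If the split is intentional, add a `related` entry on the new cluster pointing at the TA428 uuid with type `similar` (and the reverse link on TA428) so the prior association survives; if it is not, keep the synonym on TA428 instead. Separately, the BRONZE STARLIGHT and Vicious Panda entries assert `"country": "CN"` while their own descriptions give only moderate-confidence or anonymous attribution; the `attribution-confidence` field this file already uses on the HURRICANE PANDA entry would express that honestly. The enclosing clusters array continues outside the hunk.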
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index c984884..e986b7c 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -9963,6 +9963,24 @@
 },
 "uuid": "68d8c25b-8595-4c20-a5c7-a11a2a34b717",
 "value": "Vicious Panda"
+ },
+ {
+ "description": "Red Nue, active since at least 2017, is known for its use of the multi-platform LootRAt backdoor, also known as ReverseWindow. LootRAT has variants for Windows and Macintosh (reported in open source as Demsty), as well as an Android variant known as SpyDealer. Red Nue has also used another Windows backdoor known as WinDealer since at least 2019, when it deployed it to targets as part of a watering hole campaign on a Chinese news website for the Chinese diaspora community. Parts of Asia feature heavily in Red Nue's victimology.",
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf",
+ "https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_301_shui-leon_en.pdf",
+ "https://blogs.jpcert.or.jp/en/2021/10/windealer.html",
+ "https://securelist.com/windealer-dealing-on-the-side/105946",
+ "https://blogs.blackberry.com/en/2022/06/threat-thursday-china-based-apt-plays-auto-updater-card-to-deliver-windealer-malware"
+ ],
+ "synonyms": [
+ "LuoYu"
+ ]
+ },
+ "uuid": "c73c8a76-1e44-44d6-b955-79f3a73582a1",
+ "value": "Red Nue"
 }
 ],
 "version": 233
From 2e045d9c8c7ca9f01677d6b0395a5b554a1817d3 Mon Sep 17 00:00:00 2001
From: Rony
Date: Wed, 20 Jul 2022 21:28:15 +0530
Subject: [PATCH 07/10] chg: [fix] resolve conflict
---
 clusters/threat-actor.json | 37 ++++++++++++++++++++++++++++++++++++-
 1 file changed, 36 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index e986b7c..edde14b 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
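Review bot: The Red Nue description spells the tool name two ways in consecutive sentences, `LootRAt` and then `LootRAT`; use `"multi-platform LootRAT backdoor"` so text searches on the malware name match both mentions. Note also that the JPCERT, Kaspersky and BlackBerry refs cited here all track this actor as LuoYu, which is recorded only as a synonym; that is acceptable, but since `value` becomes the tag string it should be a deliberate choice rather than whichever vendor name came first.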
@@ -9679,6 +9679,41 @@
 "uuid": "e665ac2f-87b4-4c2e-bef7-78bf0a8af87b",
 "value": "Predatory Sparrow"
 },
+ {
+ "description": "MSTIC has not found any notable associations between this observed activity, tracked as DEV-0586, and other known activity groups. MSTIC assesses that the malware (WhisperGate), which is designed to look like ransomware but lacking a ransom recovery mechanism, is intended to be destructive and designed to render targeted devices inoperable rather than to obtain a ransom.",
+ "meta": {
+ "cfr-suspected-victims": [
+ "Ukraine"
+ ],
+ "cfr-type-of-incident": "Sabotage",
+ "refs": [
+ "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/",
+ "https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/",
+ "https://unit42.paloaltonetworks.com/atoms/ruinousursa/"
+ ],
+ "synonyms": [
+ "Ruinous Ursa"
+ ]
+ },
+ "uuid": "a5f64c1a-c829-4855-903d-e0ff2098b2d7",
+ "value": "DEV-0586"
+ },
+ {
+ "description": "This group started operating during the first quarter of 2022. They published samples of alleged stolen data from companies on their site on Tor. It is unclear if they conducted the attacks themselves, or if they bought leaked databases from third parties.",
+ "meta": {
+ "refs": [
+ "https://www.trendmicro.com/en_us/research/20/k/analysis-of-kinsing-malwares-use-of-rootkit.html",
+ "https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability",
+ "https://sysdig.com/blog/zoom-into-kinsing-kdevtmpfsi/",
+ "https://unit42.paloaltonetworks.com/atoms/moneylibra/"
+ ],
+ "synonyms": [
+ "Money Libra"
+ ]
+ },
+ "uuid": "4d522fad-452c-46be-94ea-5803aec9b709",
+ "value": "Kinsing"
+ },
 {
 "description": "According to TrendMicro, Earth Berberoka is a threat group originating from China that mainly focuses on targeting gambling websites. 
This group's campaign uses multiple malware families that target the Windows, Linux, and macOS platforms that have been attributed to Chinese-speaking actors. Aside from using tried-and-tested malware families that have been upgraded, such as PlugX and Gh0st RAT, Earth Berberoka has also developed a brand-new complex, multistage malware family, which has been dubbed PuppetLoader.",
 "meta": {
@@ -9983,5 +10018,5 @@
 "value": "Red Nue"
 }
 ],
- "version": 233
+ "version": 234
 }
From 2b54df56f9c544072f48f1c9dd027c402d982066 Mon Sep 17 00:00:00 2001 From: Rony Date: Wed, 20 Jul 2022 21:32:11 +0530 Subject: [PATCH 08/10] update --- clusters/threat-actor.json | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index edde14b..e217a23 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -3563,13 +3563,15 @@
 "https://www.phnompenhpost.com/national/kingdom-targeted-new-malware",
 "https://attack.mitre.org/groups/G0017/",
 "https://attack.mitre.org/groups/G0002/",
- "https://www.secureworks.com/research/threat-profiles/bronze-overbrook"
+ "https://www.secureworks.com/research/threat-profiles/bronze-overbrook",
+ "https://unit42.paloaltonetworks.com/atoms/shallowtaurus/"
 ],
 "synonyms": [
 "Moafee",
 "BRONZE OVERBROOK",
 "G0017",
- "G0002"
+ "G0002",
+ "Shallow Taurus"
 ]
 },
 "related": [
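Review bot: The Kinsing entry's description does not belong to the entry it is attached to: it describes a group that began operating in the first quarter of 2022 and publishes allegedly stolen company data on a Tor site, while the value is `Kinsing`, the synonym is `Money Libra`, and all four refs (Trend Micro, Aqua, Sysdig, Unit 42) are about the Kinsing malware in container and cloud environments, the Trend Micro one dated 2020 by its URL. This looks like a description carried over from a different cluster during the conflict resolution this patch performs; it should be rewritten from the linked reports before merging, since a wrong narrative in the threat-actor galaxy propagates to every MISP instance that syncs it. The DEV-0586 entry in the same hunk is consistent with its refs and reasonably carries no `country` key, as MSTIC's text says no association with known groups has been found.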
@@ -8617,12 +8619,14 @@
 "https://pastebin.com/6EDgCKxd",
 "https://github.com/fireeye/sunburst_countermeasures",
 "https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware",
- "https://www.fireeye.com/blog/threat-research/2021/03/sunshuttle-second-stage-backdoor-targeting-us-based-entity.html"
+ "https://www.fireeye.com/blog/threat-research/2021/03/sunshuttle-second-stage-backdoor-targeting-us-based-entity.html",
+ "https://unit42.paloaltonetworks.com/atoms/solarphoenix/"
 ],
 "synonyms": [
 "DarkHalo",
 "StellarParticle",
- "NOBELIUM"
+ "NOBELIUM",
+ "Solar Phoenix"
 ]
 },
 "related": [
From aa81da6ea69903f6e784964e291500f6abd496fc Mon Sep 17 00:00:00 2001 From: Rony Date: Wed, 20 Jul 2022 21:34:28 +0530 Subject: [PATCH 09/10] update --- clusters/threat-actor.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index e217a23..cad14af 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -10022,5 +10022,5 @@
 "value": "Red Nue"
 }
 ],
- "version": 234
+ "version": 233
 }
From add6b27466023477f5d335405282950b89ff8c3e Mon Sep 17 00:00:00 2001 From: Rony Date: Wed, 20 Jul 2022 21:39:33 +0530 Subject: [PATCH 10/10] update --- clusters/threat-actor.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index e217a23..cad14af 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -10022,5 +10022,5 @@
 "value": "Red Nue"
 }
 ],
- "version": 234
+ "version": 233
 }
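Review bot: The patch 09 hunk `@@ -10022,5 +10022,5 @@` lowers `"version": 234` back to `"version": 233`, undoing the bump made in patch 07 (`@@ -9983,5 +10018,5 @@`), so the galaxy ends the series at the same version it had before Red Nue, DEV-0586 and Kinsing were added; a MISP instance that compares the cluster version to decide whether to refresh would then keep the stale copy. The new side should be `"version": 234` (or any value above the last published one). Patch 10 is the same patch as 09 — identical `index e217a23..cad14af` preimage and identical hunk — so it cannot apply on top of 09 and should be dropped from the series.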