MISP/misp-galaxy
6
0
Fork 0
mirror of https://github.com/MISP/misp-galaxy.git synced 2024-11-22 23:07:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

merging TG2003 / Elephant Beetle into FIN13

Browse source 
as indicated in the respective resources published by the organizations using these aliases.
This commit is contained in:
Daniel Plohmann 2022-08-02 14:11:43 +02:00 committed by GitHub
parent 2330c17602
commit bc20a463c8
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 9 additions and 15 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

24
clusters/threat-actor.json
View file

@ -9136,7 +9136,14 @@
"meta": {
"country": "RU",
"refs": [
"https://www.mandiant.com/resources/fin13-cybercriminal-mexico"
"https://www.mandiant.com/resources/fin13-cybercriminal-mexico",
"https://blog.sygnia.co/elephant-beetle-an-organized-financial-theft-operation",
"https://f.hubspotusercontent30.net/hubfs/8776530/Sygnia-%20Elephant%20Beetle_Jan2022.pdf",
"https://www.netwitness.com/wp-content/uploads/FIN13-Elephant-Beetle-NetWitness.pdf"
],
"synonyms": [
"TG2003",
"Elephant Beetle"
]
},
"uuid": "60fa684d-c738-4b77-98fb-3f6605e2bb82",
@ -9485,19 +9492,6 @@
"uuid": "6cce6ecc-e6f5-4ae5-b8c5-cf633b7cf973",
"value": "ModifiedElephant"
},
{
"description": "Financially motivated threat group targeting and infiltrating organizations from the finance and commerce sector in Latin America.",
"meta": {
"refs": [
"https://f.hubspotusercontent30.net/hubfs/8776530/Sygnia-%20Elephant%20Beetle_Jan2022.pdf"
],
"synonyms": [
"TG2003"
]
},
"uuid": "64930954-db40-4d97-8fc4-76079d239e15",
"value": "Elephant Beetle"
},
{
"description": "EXOTIC LILY is a resourceful, financially motivated group whose activities appear to be closely linked with data exfiltration and deployment of human-operated ransomware such as Conti and Diavol. In early September 2021, the group has been obeserved exploiting a 0day in Microsoft MSHTML (CVE-2021-40444). Investigation lead researchers to believe that they are an Initial Access Broker (IAB) who appear to be working with the Russian cyber crime gang known as FIN12 (Mandiant, FireEye) / WIZARD SPIDER (CrowdStrike). This threat actor deploys tactics, techniques and procedures (TTPs) that are traditionally associated with more targeted attacks, like spoofing companies and employees as a means of gaining trust of a targeted organization through email campaigns that are believed to be sent by real human operators using little-to-no automation. Additionally and rather uniquely, they leverage legitimate file-sharing services like WeTransfer, TransferNow and OneDrive to deliver the payload, namely BUMBLEEBEE and BAZARLOADER, further evading detection mechanisms. This level of human-interaction is rather unusual for cyber crime groups focused on mass scale operations.",
"meta": {
@ -10012,5 +10006,5 @@
"value": "Returned Libra"
}
],
"version": 237
"version": 238
}