Merge pull request #239 from Delta-Sierra/master

more clusters
Alexandre Dulaunoy 2018-08-06 09:19:11 +02:00 committed by GitHub
commit bdceed0b68
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 15 additions and 4 deletions


@ -548,7 +548,8 @@
"meta": { "meta": {
"date": "2014", "date": "2014",
"refs": [ "refs": [
"https://github.com/quasar/QuasarRAT" "https://github.com/quasar/QuasarRAT",
"https://researchcenter.paloaltonetworks.com/2017/10/unit42-tracking-subaat-targeted-phishing-attacks-point-leader-threat-actors-repository/"
] ]
}, },
"uuid": "6efa425c-3731-44fd-9224-2a62df061a2d", "uuid": "6efa425c-3731-44fd-9224-2a62df061a2d",
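Review bot: No `version` bump accompanies the content change in this file. The 15 additions and 4 deletions in the diffstat are fully accounted for by the lines shown, and only the third file raises its top-level `version` (80 to 81). If this file and the next one carry the same top-level `version` field, which is likely for cluster files but not visible here, a consumer that compares versions before re-importing may never pick up the added reference or the new Subaat entry. Incrementing `version` by one in both files in the same commit would avoid that.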


@ -3759,7 +3759,6 @@
}, },
{ {
"value": "The Big Bang", "value": "The Big Bang",
"uuid": "475df014-556a-41db-ad6a-ff509dd202a1",
"description": "While it is not clear exactly what the attacker is looking for, what is clear is that once he finds it, a second stage of the attack awaits, fetching additional modules and/or malware from the Command and Control server. This then is a surveillance attack in progress and has been dubbed Big Bang due to the attackers fondness for the Big Bang Theory TV show, after which some of the malwares modules are named.", "description": "While it is not clear exactly what the attacker is looking for, what is clear is that once he finds it, a second stage of the attack awaits, fetching additional modules and/or malware from the Command and Control server. This then is a surveillance attack in progress and has been dubbed Big Bang due to the attackers fondness for the Big Bang Theory TV show, after which some of the malwares modules are named.",
"meta": { "meta": {
"refs": [ "refs": [
@ -3768,6 +3767,16 @@
] ]
} }
}, },
{
"value": "Subaat",
"description": "In mid-July, Palo Alto Networks Unit 42 identified a small targeted phishing campaign aimed at a government organization. While tracking the activities of this campaign, we identified a repository of additional malware, including a web server that was used to host the payloads used for both this attack as well as others.",
"meta": {
"refs": [
"https://researchcenter.paloaltonetworks.com/2017/10/unit42-tracking-subaat-targeted-phishing-attacks-point-leader-threat-actors-repository/"
]
},
"uuid": "a7bc4ef2-971a-11e8-9bf0-13aa7d6d8651"
},
{ {
"value": "The Gorgon Group", "value": "The Gorgon Group",
"description": "Unit 42 researchers have been tracking Subaat, an attacker, since 2017. Recently Subaat drew our attention due to renewed targeted attack activity. Part of monitoring Subaat included realizing the actor was possibly part of a larger crew of individuals responsible for carrying out targeted attacks against worldwide governmental organizations. Technical analysis on some of the attacks as well as attribution links with Pakistan actors have been already depicted by 360 and Tuisec, in which they found interesting connections to a larger group of attackers Unit 42 researchers have been tracking, which we are calling Gorgon Group.", "description": "Unit 42 researchers have been tracking Subaat, an attacker, since 2017. Recently Subaat drew our attention due to renewed targeted attack activity. Part of monitoring Subaat included realizing the actor was possibly part of a larger crew of individuals responsible for carrying out targeted attacks against worldwide governmental organizations. Technical analysis on some of the attacks as well as attribution links with Pakistan actors have been already depicted by 360 and Tuisec, in which they found interesting connections to a larger group of attackers Unit 42 researchers have been tracking, which we are calling Gorgon Group.",
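Review bot: The hunk at -3759 removes the only `uuid` line visible for "The Big Bang", and the lines between it and the next hunk are not shown, so it cannot be confirmed from here that the entry still carries an identifier. If the removed line was a duplicate key, the cleanup is right. If it was not, keep `"uuid": "475df014-556a-41db-ad6a-ff509dd202a1"` unchanged, since anything that already references the cluster by that value would lose its link. Separately, the new Subaat description opens with "In mid-July" and gives no year; the reference URL suggests 2017, and stating the year would keep the record unambiguous.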


@ -2,7 +2,7 @@
"uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f", "uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f",
"description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.", "description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.",
"source": "MISP Project", "source": "MISP Project",
"version": 80, "version": 81,
"values": [ "values": [
{ {
"meta": { "meta": {
@ -2847,7 +2847,8 @@
{ {
"meta": { "meta": {
"refs": [ "refs": [
"https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html" "https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html",
"https://researchcenter.paloaltonetworks.com/2017/10/unit42-tracking-subaat-targeted-phishing-attacks-point-leader-threat-actors-repository/"
] ]
}, },
"description": "QUASARRAT is an open-source RAT available at https://github.com/quasar/QuasarRat . The versions used by APT10 (1.3.4.0, 2.0.0.0, and 2.0.0.1) are not available via the public GitHub page, indicating that APT10 has further customized the open source version. The 2.0 versions require a dropper to decipher and launch the AES encrypted QUASARRAT payload. QUASARRAT is a fully functional .NET backdoor that has been used by multiple cyber espionage groups in the past.", "description": "QUASARRAT is an open-source RAT available at https://github.com/quasar/QuasarRat . The versions used by APT10 (1.3.4.0, 2.0.0.0, and 2.0.0.1) are not available via the public GitHub page, indicating that APT10 has further customized the open source version. The 2.0 versions require a dropper to decipher and launch the AES encrypted QUASARRAT payload. QUASARRAT is a fully functional .NET backdoor that has been used by multiple cyber espionage groups in the past.",