From d77d3398ab838be88bacb2f601f8f7916529408f Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 15 Jul 2024 08:06:23 -0700
Subject: [PATCH 1/3] [threat-actors] Add Void Banshee

---
 clusters/threat-actor.json | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 74e11bc..d970464 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -16358,6 +16358,16 @@
 },
 "uuid": "745fd45f-9076-4c88-a977-01940bc0d36e",
 "value": "Water Sigbin"
+ },
+ {
+ "description": "Void Banshee is an APT group targeting North America, Europe, and Southeast Asia for information theft and financial gain. They exploit vulnerabilities like CVE-2024-38112 to deliver the Atlantida info-stealer through malicious PDFs disguised as book files. The group uses internet shortcuts with MHTML protocol handlers to access and execute files through disabled Internet Explorer, posing a significant threat to organizations. Void Banshee's TTPs include crafting URL strings to control window sizes in IE and using HTML files to hide malicious downloads from victims.",
+ "meta": {
+ "refs": [
+ "https://www.trendmicro.com/en_us/research/24/g/CVE-2024-38112-void-banshee.html"
+ ]
+ },
+ "uuid": "df584835-97da-4e27-ab35-bcd3c5bf7815",
+ "value": "Void Banshee"
 }
 ],
 "version": 312

From a944be0d25a689c4a99f7cfe52eb3c53e919ed11 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 15 Jul 2024 08:06:23 -0700
Subject: [PATCH 2/3] [threat-actors] Add CRYSTALRAY

---
 clusters/threat-actor.json | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index d970464..83885f5 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
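Review bot: The new `description` string for Void Banshee is internally inconsistent about the lure: it first says the stealer is delivered "through malicious PDFs disguised as book files", then says the group "uses internet shortcuts with MHTML protocol handlers" to reach Internet Explorer. If the cited Trend Micro report is being summarised faithfully, the lure files are internet shortcut (.url) files posing as PDF copies of books rather than PDFs themselves, so the first clause would read better as `... to deliver the Atlantida info-stealer through internet shortcut (.url) files disguised as PDF copies of books ...` — please check against the source before merging. Since the entry hinges on CVE-2024-38112 and the Atlantida stealer, consider also recording them in `meta` (for example a `related` link to the malware cluster if one exists) rather than only in free text, so the relationship is machine-searchable. The enclosing `values` array and the top-level object begin outside the hunk.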
@@ -16368,6 +16368,16 @@
 },
 "uuid": "df584835-97da-4e27-ab35-bcd3c5bf7815",
 "value": "Void Banshee"
+ },
+ {
+ "description": "CRYSTALRAY is a threat actor known for leveraging open source tools like zmap and SSH-Snake to conduct widespread vulnerability scanning and exploitation. They target victims to collect and sell credentials, deploy cryptominers, and maintain persistence in compromised environments. CRYSTALRAY uses multiple backdoors to control access and spreads through victim networks using SSH-Snake. The actor also uses tools like Platypus for managing victims and extracting sensitive information from compromised systems.",
+ "meta": {
+ "refs": [
+ "https://sysdig.com/blog/crystalray-rising-threat-actor-exploiting-oss-tools/"
+ ]
+ },
+ "uuid": "feeab818-a9bd-4bff-9923-bf8421abd6c5",
+ "value": "CRYSTALRAY"
 }
 ],
 "version": 312

From e23952b35c092ca1c8660f1aab9a78c7c8f645af Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 15 Jul 2024 08:06:24 -0700
Subject: [PATCH 3/3] [threat actors] Update README

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 8153184..c203427 100644
--- a/README.md
+++ b/README.md
@@ -535,7 +535,7 @@ Category: *tea-matrix* - source: ** - total: *7* elements
 
 [Threat Actor](https://www.misp-galaxy.org/threat-actor) - Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. threat-actor-classification meta can be used to clarify the understanding of the threat-actor if also considered as operation, campaign or activity group.
 
-Category: *actor* - source: *MISP Project* - total: *707* elements
+Category: *actor* - source: *MISP Project* - total: *709* elements
 
 [[HTML](https://www.misp-galaxy.org/threat-actor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/threat-actor.json)]
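Review bot: The `"version": 312` context line at the end of this hunk is left untouched even though the hunk adds a cluster, and the README commit in the same series bumps the element count to 709 without bumping it either. As far as I know, MISP instances compare this field to decide whether a galaxy needs re-importing, so unless the bump happens elsewhere in the series, deployments already at 312 will not pick up CRYSTALRAY or Void Banshee; the fix is the one-line change `"version": 313` (a single bump covers both new entries). Separately, zmap, SSH-Snake and Platypus are named only in the free-text description; if tool clusters exist for them, a `related` entry would make those links machine-readable. The enclosing `values` array and the top-level object begin outside the hunk.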