From f107563cad5c9643f2bcc8f44172d0d664060578 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Wed, 12 Sep 2018 09:34:16 +0200
Subject: [PATCH 1/3] add ref for operation Applejeus
---
 clusters/rat.json | 3 ++-
 clusters/threat-actor.json | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/clusters/rat.json b/clusters/rat.json
index 588d917..fc2266b 100644
--- a/clusters/rat.json
+++ b/clusters/rat.json
@@ -2742,7 +2742,8 @@
 "description": "According to trusted third-party reporting, HIDDEN COBRA actors have likely been using FALLCHILL malware since 2016 to target the aerospace, telecommunications, and finance industries. The malware is a fully functional RAT with multiple commands that the actors can issue from a command and control (C2) server to a victim’s system via dual proxies. FALLCHILL typically infects a system as a file dropped by other HIDDEN COBRA malware or as a file downloaded unknowingly by users when visiting sites compromised by HIDDEN COBRA actors. HIDDEN COBRA actors use an external tool or dropper to install the FALLCHILL malware-as-a-service to establish persistence. Because of this, additional HIDDEN COBRA malware may be present on systems compromised with FALLCHILL.",
 "meta": {
 "refs": [
- "https://www.us-cert.gov/ncas/alerts/TA17-318A"
+ "https://www.us-cert.gov/ncas/alerts/TA17-318A",
+ "https://securelist.com/operation-applejeus/87553/"
 ]
 },
 "related": [
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 44a0ad5..d38a829 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
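Review bot: The Securelist link added to FALLCHILL's `refs` is not explained anywhere in the entry — the description still only paraphrases the US-CERT TA17-318A alert and never mentions Operation AppleJeus — so a reader of the cluster cannot tell why this report is attached to this RAT. If the Securelist report ties the operation's tooling to FALLCHILL, a clause in the description saying so would make the reference self-explanatory, e.g. appending `The same family is reported in the context of Operation AppleJeus (see refs).` to the description string. The same applies to the threat-actor.json hunk (@@ -2582), which adds the link to the refs of an entry that, judging by the neighbouring `lazarus-group` ref, is the Lazarus Group cluster; its description lies outside the hunk, so I cannot tell whether it mentions the operation. The version bumps these edits require are handled in the second patch of the series.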
@@ -2582,7 +2582,8 @@
 "https://www.us-cert.gov/ncas/alerts/TA17-318B",
 "https://www.bleepingcomputer.com/news/security/north-korean-hackers-are-up-to-no-good-again/",
 "https://www.cfr.org/interactive/cyber-operations/lazarus-group",
- "https://www.cfr.org/interactive/cyber-operations/operation-ghostsecret"
+ "https://www.cfr.org/interactive/cyber-operations/operation-ghostsecret",
+ "https://securelist.com/operation-applejeus/87553/"
 ],
 "synonyms": [
 "Operation DarkSeoul",
From a73424139f6dd25257769f393c9a3bc88d9dd461 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Wed, 12 Sep 2018 14:26:44 +0200
Subject: [PATCH 2/3] fix versions
---
 clusters/rat.json | 2 +-
 clusters/threat-actor.json | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/clusters/rat.json b/clusters/rat.json
index fc2266b..a603c7a 100644
--- a/clusters/rat.json
+++ b/clusters/rat.json
@@ -2914,5 +2914,5 @@
 "value": "Hallaj PRO RAT"
 }
 ],
- "version": 13
+ "version": 14
 }
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index d38a829..a0031f0 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -5714,5 +5714,5 @@
 "uuid": "abd89986-b1b0-11e8-b857-efe290264006"
 }
 ],
- "version": 56
+ "version": 57
 }
From 039fc91bd637542560af0499f3a94af105f850da Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Wed, 12 Sep 2018 14:27:09 +0200
Subject: [PATCH 3/3] add description for sigma ransomware
---
 clusters/ransomware.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index fd67db2..9fe0606 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -10541,7 +10541,7 @@
 },
 {
 "value": "Sigma Ransomware",
- "description": "",
+ "description": "Today one of our volunteers, Aura, told me about a new new malspam campaign pretending to be from Craigslist that is under way and distributing the Sigma Ransomware. These spam emails contain password protected Word or RTF documents that download the Sigma Ransomware executable from a remote site and install it on a recipients computer.",
 "meta": {
 "refs": [
 "https://www.bleepingcomputer.com/news/security/sigma-ransomware-being-distributed-using-fake-craigslist-malspam/"
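Review bot: The new `description` is first-person prose that appears to be copied verbatim from the BleepingComputer article cited just below it ("Today one of our volunteers, Aura, told me…"), and it carries the duplicated "new new" and the missing apostrophe in "recipients computer", so it reads as a news lead rather than as a neutral cluster description. Rewording it in the third person keeps every fact and fixes both slips, e.g. `"description": "Sigma Ransomware is distributed through a malspam campaign pretending to be from Craigslist; the emails carry password-protected Word or RTF documents that download the Sigma Ransomware executable from a remote site and install it on the recipient's computer.",`. The entry's `meta` block continues past the end of the hunk.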