Merge branch 'main' of github.com:MISP/misp-galaxy into main

This commit is contained in:
Alexandre Dulaunoy 2024-02-07 10:22:24 +01:00
commit c867adcbf3
Signed by: adulau
GPG key ID: 09E2CD4944E6CBCD
4 changed files with 206 additions and 15 deletions


@ -374,7 +374,17 @@
],
"uuid": "f8444fcc-730e-4898-8ef5-6cc1976ff475",
"value": "TROIBOMB"
},
{
"description": "ZIPLINE makes use of extensive functionality to ensure the authentication of its custom protocol used to establish command and control (C2).",
"meta": {
"refs": [
"https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation"
]
},
"uuid": "14504cbe-8423-47aa-a947-a3ab5549a068",
"value": "ZIPLINE"
}
],
"version": 17
"version": 18
}
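Review bot: The ZIPLINE description states one capability (authentication of its custom C2 protocol) but never says what ZIPLINE is, so a reader of the galaxy gets no classification from the entry; a leading sentence naming the malware class as given in the cited Mandiant post, placed before the protocol detail, would fix that. The WARPWIRE entry in the second file has the opposite problem in miniature: `"description": "WARPWIRE is a JavaScript-based credential stealer"` is a fragment with no terminal period and no detail beyond the class. Both hunks cut through the enclosing array, which opens outside the hunk; the version bumps (17 to 18, 14 to 15) look correct.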


@ -283,7 +283,17 @@
},
"uuid": "54b61c7e-8ced-4b90-a295-62102bfd4f32",
"value": "Oski Stealer"
},
{
"description": "WARPWIRE is a JavaScript-based credential stealer",
"meta": {
"refs": [
"https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation"
]
},
"uuid": "b581b182-505a-4243-9569-c175513c4441",
"value": "WARPWIRE"
}
],
"version": 14
"version": 15
}


@ -1615,7 +1615,8 @@
"https://attack.mitre.org/groups/G0081/",
"https://www.secureworks.com/research/threat-profiles/bronze-hobart",
"https://www.mandiant.com/resources/insights/apt-groups",
"https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf"
"https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
"https://www.trendmicro.com/en_us/research/21/l/collecting-in-the-dark-tropic-trooper-targets-transportation-and-government-organizations.html"
],
"synonyms": [
"PIRATE PANDA",
@ -1623,7 +1624,8 @@
"Tropic Trooper",
"BRONZE HOBART",
"G0081",
"Red Orthrus"
"Red Orthrus",
"Earth Centaur"
],
"targeted-sector": [
"Military",
@ -3478,7 +3480,9 @@
"https://cysinfo.com/cyber-attack-targeting-cbi-and-possibly-indian-army-officials",
"https://s.tencent.com/research/report/669.html",
"https://www.fireeye.com/blog/threat-research/2016/06/apt_group_sends_spea.html",
"https://www.secureworks.com/research/threat-profiles/copper-fieldstone"
"https://www.secureworks.com/research/threat-profiles/copper-fieldstone",
"https://www.trendmicro.com/en_us/research/22/a/investigating-apt36-or-earth-karkaddans-attack-chain-and-malware.html",
"https://www.sentinelone.com/labs/capratube-transparent-tribes-caprarat-mimics-youtube-to-hijack-android-phones/"
],
"synonyms": [
"C-Major",
@ -3489,7 +3493,8 @@
"APT 36",
"TMP.Lapis",
"Green Havildar",
"COPPER FIELDSTONE"
"COPPER FIELDSTONE",
"Earth Karkaddan"
],
"targeted-sector": [
"Activists",
@ -5162,6 +5167,7 @@
"value": "Cyber Berkut"
},
{
"description": "Tonto Team is a Chinese-speaking APT group that has been active since at least 2013. They primarily target military, diplomatic, and infrastructure organizations in Asia and Eastern Europe. The group has been observed using various malware, including the Bisonal RAT and ShadowPad. They employ spear-phishing emails with malicious attachments as their preferred method of distribution.",
"meta": {
"attribution-confidence": "50",
"cfr-suspected-state-sponsor": "China",
@ -5185,7 +5191,11 @@
"https://www.wsj.com/articles/chinas-secret-weapon-in-south-korea-missile-fight-hackers-1492766403",
"https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
"https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf",
"https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/"
"https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/",
"https://www.trendmicro.com/en_us/research/23/g/supply-chain-attack-targeting-pakistani-government-delivers-shad.html",
"https://www.sentinelone.com/labs/targets-of-interest-russian-organizations-increasingly-under-attack-by-chinese-apts/",
"https://go.recordedfuture.com/hubfs/reports/cta-2023-0919.pdf",
"https://www.recordedfuture.com/multi-year-chinese-apt-campaign-targets-south-korean-academic-government-political-entities"
],
"synonyms": [
"CactusPete",
@ -5194,7 +5204,9 @@
"COPPER",
"Red Beifang",
"G0131",
"PLA Unit 65017"
"PLA Unit 65017",
"Earth Akhlut",
"TAG-74"
]
},
"uuid": "0ab7c8de-fc23-4793-99aa-7ee336199e26",
@ -7145,8 +7157,16 @@
{
"description": "An extensive surveillance operation targets specific groups of individuals with malicious mobile apps that collect sensitive information on the device along with surrounding voice recordings. Researchers with CheckPoint discovered the attack and named it Domestic Kitten. The targets are Kurdish and Turkish natives, and ISIS supporters, all Iranian citizens.",
"meta": {
"country": "IR",
"refs": [
"https://www.bleepingcomputer.com/news/security/domestic-kitten-apt-operates-in-silence-since-2016/"
"https://www.bleepingcomputer.com/news/security/domestic-kitten-apt-operates-in-silence-since-2016/",
"https://www.trendmicro.com/en_us/research/19/f/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east.html",
"https://www.welivesecurity.com/2022/10/20/domestic-kitten-campaign-spying-iranian-citizens-furball-malware/",
"https://research.checkpoint.com/2021/domestic-kitten-an-inside-look-at-the-iranian-surveillance-operations/"
],
"synonyms": [
"Bouncing Golf",
"APT-C-50"
]
},
"uuid": "dda1b28e-c558-11e8-8666-27cf61d1d7ee",
@ -10635,7 +10655,12 @@
"https://documents.trendmicro.com/assets/txt/earth-berberoka-macos-iocs-2.txt",
"https://documents.trendmicro.com/assets/txt/earth-berberoka-domains-2.txt",
"https://www.youtube.com/watch?v=QXGO4RJaUPQ",
"https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf"
"https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf",
"https://securelist.com/diceyf-deploys-gameplayerframework-in-online-casino-development-studio/107723/",
"https://www.trendmicro.com/en_us/research/22/h/irontiger-compromises-chat-app-Mimi-targets-windows-mac-linux-users.html"
],
"synonyms": [
"GamblingPuppet"
]
},
"uuid": "9d82077b-7e95-4b22-8762-3224797ff5f0",
@ -13087,7 +13112,11 @@
"meta": {
"refs": [
"https://securelist.com/ios-exploit-chain-deploys-lightspy-malware/96407/",
"https://securelist.com/apt-annual-review-what-the-worlds-threat-actors-got-up-to-in-2020/99574/"
"https://securelist.com/apt-annual-review-what-the-worlds-threat-actors-got-up-to-in-2020/99574/",
"https://www.redpacketsecurity.com/operation-poisoned-news-hong-kong-users-targeted-with-mobile-malware-via-local-news-links/?utm_source=rss&utm_medium=rss&utm_campaign=operation-poisoned-news-hong-kong-users-targeted-with-mobile-malware-via-local-news-links"
],
"synonyms": [
"Operation Poisoned News"
]
},
"uuid": "533af03d-e160-4312-a92f-0500055f2b56",
@ -14171,7 +14200,8 @@
"https://www.rewterz.com/rewterz-news/rewterz-threat-advisory-ivanti-vpn-zero-days-weaponized-by-unc5221-threat-actors-to-deploy-multiple-malware-families-active-iocs/",
"https://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-day",
"https://quointelligence.eu/2024/01/unc5221-unreported-and-undetected-wirefire-web-shell-variant/",
"https://www.volexity.com/blog/2024/01/18/ivanti-connect-secure-vpn-exploitation-new-observations/"
"https://www.volexity.com/blog/2024/01/18/ivanti-connect-secure-vpn-exploitation-new-observations/",
"https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation"
],
"synonyms": [
"UNC5221"
@ -14906,6 +14936,57 @@
},
"uuid": "f34962a4-a792-4f23-af23-a8bf0f053fcf",
"value": "Ferocious Kitten"
},
{
"description": "The threat actors compromised the update server of a remote support solutions provider to deliver a remote access tool called 9002 RAT to their targets of interest through the update process. They carried this out by first stealing the companys certificate then using it to sign the malware. They also configured the update server to only deliver malicious files if the client is located in the range of IP addresses of their target organisations.",
"meta": {
"country": "CN",
"refs": [
"https://decoded.avast.io/threatintel/avast-finds-backdoor-on-us-government-commission-network/?utm_source=rss&utm_medium=rss&utm_campaign=avast-finds-backdoor-on-us-government-commission-network",
"https://www.trendmicro.com/en_my/research/18/h/supply-chain-attack-operation-red-signature-targets-south-korean-organizations.html"
]
},
"uuid": "3e9b98d9-0c61-4050-bafa-486622de0080",
"value": "Operation Red Signature"
},
{
"description": "Earth Yako is a threat actor that has been actively targeting researchers in academic organizations and think tanks in Japan. They use spearphishing emails with malicious attachments to gain initial access to their targets' systems. Earth Yako's objectives and patterns suggest a possible connection to a Chinese APT group, but conclusive proof of their nationality is lacking. They have been observed using various malware delivery methods and techniques, such as the use of Winword.exe for DLL Hijacking.",
"meta": {
"refs": [
"https://www.trendmicro.com/en_us/research/23/b/invitation-to-secret-event-uncovering-earth-yako-campaigns.html"
],
"synonyms": [
"Operation RestyLink",
"Enelink"
]
},
"uuid": "2875aff1-2a0f-4e82-ae42-607a3a74d129",
"value": "Earth Yako"
},
{
"description": "What sets Urpage attacks apart is its targeting of InPage, a word processor for Urdu and Arabic languages. However, its Delphi backdoor component, which it has in common with Confucius and Patchwork, and its apparent use of Bahamut-like malware, is what makes it more intriguing as it connects Urpage to these other known threats. Trend Micro covered the Delphi component in the context of the Confucius and Patchwork connection. They mentioned Urpage as a third unnamed threat actor connected to the two.",
"meta": {
"refs": [
"https://www.trendmicro.com/en_us/research/18/h/the-urpage-connection-to-bahamut-confucius-and-patchwork.html"
]
},
"uuid": "4e137d53-b9cf-4b9a-88c2-f29dd27ac302",
"value": "Urpage"
},
{
"description": "Operation Emmental, also known as the Retefe gang, is a threat actor group that has been active since at least 2012. They primarily target customers of banks in countries such as Austria, Sweden, Switzerland, and Japan. The group has developed sophisticated malware, including a Mac alternative called Dok, to bypass two-factor authentication and hijack network traffic. They have also been observed using phishing emails to spread their malware. The group is believed to be Russian-speaking and has continuously improved their malicious codes over the years.",
"meta": {
"country": "RU",
"refs": [
"http://blog.trendmicro.com/trendlabs-security-intelligence/osx_dok-mac-malware-emmental-hijacks-user-network-traffic/"
],
"synonyms": [
"Retefe Gang",
"Retefe Group"
]
},
"uuid": "a1527821-fe84-44ec-ad29-8d3040463bc9",
"value": "Operation Emmental"
}
],
"version": 299
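Review bot: `"version": 299` is printed only once at the end of the last hunk, whereas the other three files show the old and new version on consecutive lines, so this file's version does not appear to be bumped despite the added entries and refs; if that reading is right, the line should become `"version": 300`. Two of the added refs carry RSS tracking query strings (the redpacketsecurity URL in the Operation Poisoned News hunk and the decoded.avast.io URL in the Operation Red Signature entry); refs should be stored as canonical URLs with the `?utm_source=...` suffix dropped, otherwise deduplication against an existing plain ref fails. The Operation Red Signature description reads `the companys certificate` (missing apostrophe). The Operation Emmental entry sets `"country": "RU"` while its description only says the group is believed to be Russian-speaking; other entries express that uncertainty through `attribution-confidence` (as in the Tonto Team hunk), which would be the more accurate encoding here. All hunks in this section cut through the enclosing array, which opens outside the hunk.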


@ -9230,11 +9230,12 @@
"value": "metasploit"
},
{
"description": "A swiss army knife for pentesting networks.",
"description": "A swiss army knife for pentesting networks. CRACKMAPEXEC is a post-exploitation tool against Microsoft Windows environments. It is recognized for its lateral movement capabilities.",
"meta": {
"refs": [
"https://github.com/byt3bl33d3r/CrackMapExec",
"https://bitdefender.com/files/News/CaseStudies/study/332/Bitdefender-Whitepaper-Chafer-creat4491-en-EN-interactive.pdf"
"https://bitdefender.com/files/News/CaseStudies/study/332/Bitdefender-Whitepaper-Chafer-creat4491-en-EN-interactive.pdf",
"https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation"
],
"synonyms": [],
"type": [
@ -10794,7 +10795,96 @@
],
"uuid": "cdd432b0-8899-4e7d-ad4a-b18741ade11d",
"value": "RevClient"
},
{
"description": "Colibri Loader is a piece of malware that first appeared on underground forums in August 2021 and was advertised to “people who have large volumes of traffic and lack of time to work out the material“. As it names suggests, it is meant to deliver and manage payloads onto infected computers.",
"meta": {
"refs": [
"https://www.malwarebytes.com/blog/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique"
]
},
"related": [
{
"dest-uuid": "64e51712-89d6-4c91-98ac-8907eafe98c6",
"tags": [
"estimative-language:likelihood-probability=\"very-likely\""
],
"type": "delivers"
}
],
"uuid": "63615901-dd49-4541-801f-327a6963c88b",
"value": "Colibri Loader"
},
{
"description": "A mitigation bypass technique was recently identified that led to the deployment of a custom webshell tracked as BUSHWALK. Successful exploitation would bypass the initial mitigation provided by Ivanti on Jan. 10, 2024. At this time, Mandiant assesses the mitigation bypass activity is highly targeted, limited, and is distinct from the post-advisory mass exploitation activity. BUSHWALK is written in Perl and is embedded into a legitimate CS file, querymanifest.cgi. BUSHWALK provides a threat actor the ability to execute arbitrary commands or write files to a server. BUSHWALK executes its malicious Perl function, validateVersion, if the web request platform parameter is SafariiOS. It uses Base64 and RC4 to decode and decrypt the threat actors payload in the web requests command parameter.",
"meta": {
"refs": [
"https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation"
]
},
"uuid": "0752d766-2c2a-43ce-aebd-6a4e214cd43c",
"value": "BUSHWALK"
},
{
"description": "The original LIGHTWIRE webshell sample contains a simpler obfuscation routine. It will initialize an RC4 object and then immediately use the RC4 object to decrypt the issued command./nMandiant has identified an additional variant of the LIGHTWIRE web shell that inserts itself into a legitimate component of the VPN gateway, compcheckresult.cgi./nThe new sample utilizes the same GET parameters as the original LIGHTWIRE sample./nThe new variant of LIGHTWIRE features a different obfuscation routine. It first assigns a string scalar variable to $useCompOnly. Next, it will use the Perl tr operator to transform the string using a character-by-character translation. The key is then Base64-decoded and used to RC4 decrypt the incoming request. Finally, the issued command is executed by calling eval.",
"meta": {
"refs": [
"https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation"
]
},
"uuid": "5b9d5714-9eb9-4e3b-b437-26a9b50a633e",
"value": "LIGHTWIRE"
},
{
"description": "CHAINLINE is a Python webshell backdoor that is embedded in a Ivanti Connect Secure Python package that enables arbitrary command execution./nCHAINLINE was identified in the CAV Python package in the following path: /home/venv3/lib/python3.6/site-packages/cav-0.1-py3.6.egg/cav/api/resources/health.py. This is the same Python package modified to support the WIREFIRE web shell./nUnlike WIREFIRE, which modifies an existing file, CHAINLINE creates a new file called health.py, which is not a legitimate filename in the CAV Python package. The existence of this filename or an associated compiled Python cache file may indicate the presence of CHAINLINE./nUNC5221 registered a new API resource path to support the access of CHAINLINE at the REST endpoint /api/v1/cav/client/health. This was accomplished by importing the maliciously created Health API resource and then calling the add_resource() class method on the FLASK-RESTful Api object within /home/venv3/lib/python3.6/site-packages/cav-0.1-py3.6.egg/cav/api/__init__.py.",
"meta": {
"refs": [
"https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation"
]
},
"uuid": "87e353c6-e0e8-427a-b55f-61cbd2853c57",
"value": "CHAINLINE"
},
{
"description": "FRAMESTING is a Python webshell embedded in a Ivanti Connect Secure Python package that enables arbitrary command execution./nFRAMESTING was identified in the CAV Python package in the following path: /home/venv3/lib/python3.6/site-packages/cav-0.1-py3.6.egg/cav/api/resources/category.py. Note that this is the same Python package modified to support the WIREFIRE and CHAINLINE web shells./nWhen installed, the threat actor can access FRAMESTING web shell at the REST endpoint /api/v1/cav/client/categories with a POST request. Note that the legitimate categories endpoint only accepts GET requests./nThe web shell employs two methods of accepting commands from an attacker. It first attempts to retrieve the command stored in the value of a cookie named DSID from the current HTTP request. If the cookie is not present or is not of the expected length, it will attempt to decompress zlib data within the request's POST data. Lastly, FRAMESTING will then pass the decrypted POST data into a Python exec() statement to dynamically execute additional Python code./nNote that DSID is also the name of a cookie used by Ivanti Connect Secure appliances for maintaining user VPN sessions. FRAMESTING likely uses the same cookie name to blend in with network traffic.",
"meta": {
"refs": [
"https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation"
]
},
"uuid": "a9470d3d-ecfd-408b-ba1e-f3ca65791e0d",
"value": "FRAMESTING"
},
{
"description": "IMPACKET is a Python library that allows for interaction with various network protocols. It is particularly effective in environments that rely on Active Directory and related Microsoft Windows network services.",
"meta": {
"refs": [
"https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation"
]
},
"uuid": "7b02521e-422e-49a2-96fc-ad6c13057a6c",
"value": "IMPACKET"
},
{
"description": "IODINE is a network traffic tunneler that allows for tunneling of IPv4 traffic over DNS.",
"meta": {
"refs": [
"https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation"
]
},
"uuid": "94ae63e7-7f92-4657-812c-2f27bf50ca21",
"value": "IODINE"
},
{
"description": "ENUM4LINUX is a Linux Perl script for enumerating data from Windows and Samba hosts.",
"meta": {
"refs": [
"https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation"
]
},
"uuid": "c44c5c54-435a-453a-a128-43ca18b82c37",
"value": "ENUM4LINUX"
}
],
"version": 171
"version": 172
}
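Review bot: The new LIGHTWIRE, CHAINLINE and FRAMESTING descriptions separate paragraphs with the two-character sequence `/n` (forward slash) instead of the JSON escape `\n`, so consumers will render the literal text `command./nMandiant`; replace each occurrence with `\n` or a space. The IMPACKET, IODINE and ENUM4LINUX entries cite only the Mandiant Ivanti post, whereas the existing CrackMapExec entry in the first hunk also links the upstream project repository and carries `type` and `synonyms` keys; adding the project URLs and, where applicable, the same keys would keep the tool entries consistent. Since these are widely used open-source tools, it is worth checking whether the galaxy already holds them under a different casing before the new UUIDs are published, as was evidently done for CrackMapExec. The Colibri Loader description also contains `As it names suggests` and closes its quotation with a second opening curly quote. The enclosing array opens outside both hunks.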