From b01e64eb1f77bedc4afd3207d84c6b6163231b9d Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Wed, 8 Apr 2020 14:53:19 +0200
Subject: [PATCH 1/2] add Operation Shadow Forece

---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index e7a6f0c..cc70890 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -8102,6 +8102,17 @@
 },
 "uuid": "86b4e2f3-8bbf-48fd-9d27-034d3ac3b187",
 "value": "VENOM SPIDER"
+ },
+ {
+ "description": "Operation Shadow Force is a group of malware that is representative of Shadow Force and Wgdrop from 2013 to 2020, and is a group activity that attacks Korean companies and organizations. The group's first confirmed attack was in March 2013, but considering the date of malware creation, it is likely to have been active before 2012. Since the malware used mainly by them is Shadow Force, it was named Operation Shadow Force, and it has not been confirmed whether the attacker is associated with a known group.",
+ "meta": {
+ "refs": [
+ "https://www.ahnlab.com/kr/site/securityinfo/secunews/secuNewsView.do?curPage=1&menu_dist=2&seq=29129",
+ "https://mobile.twitter.com/mstoned7/status/1247361687570673664"
+ ]
+ },
+ "uuid": "f628b544-48b6-44e2-b794-950713353cf1",
+ "value": "Operation Shadow Force"
 }
 ],
 "version": 157

From f6fd07fbc934797a9b6a4e3efe6720f86c10498e Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Mon, 27 Apr 2020 09:36:23 +0200
Subject: [PATCH 2/2] add speculoos bakdoor

---
 clusters/backdoor.json | 21 ++++++++++++++++++++-
 clusters/threat-actor.json | 25 +++++++++++++++++++++++--
 2 files changed, 43 insertions(+), 3 deletions(-)

diff --git a/clusters/backdoor.json b/clusters/backdoor.json
index 70de666..ab3d1cd 100644
--- a/clusters/backdoor.json
+++ b/clusters/backdoor.json
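Review bot: The new Operation Shadow Force entry is added without bumping the cluster's version counter — the hunk's trailing context line still reads `"version": 157`, so a consumer that relies on that field to detect galaxy updates would not see this commit on its own; the bump only arrives in the second patch of the series, and as a standalone commit this one should carry `"version": 158` itself. A smaller point on the references: the ahnlab URL carries navigation query parameters (`curPage=1&menu_dist=2`) alongside the article id `seq=29129`; if the article resolves with only `seq`, the shorter form is the more stable reference. On wording, the first sentence of the description (`a group of malware that is representative of Shadow Force and Wgdrop`) reads as a literal translation; stating plainly that the operation is tracked by its use of the Shadow Force and Wgdrop malware against Korean companies and organizations would convey the same facts more clearly.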
@@ -99,7 +99,26 @@
 },
 "uuid": "aefe3603-8f96-425c-9f71-9fe21334f224",
 "value": "FlowerPippi"
+ },
+ {
+ "description": "FreeBSD-based payload, Speculoos was delivered by exploiting CVE-2019-19781, a vulnerability affecting the Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliances that allowed an adversary to remotely execute arbitrary commands. This vulnerability was first disclosed on December 17, 2019 via security bulletin CTX267679 which contained several mitigation recommendations. By January 24, 2020, permanent patches for the affected appliances were issued. Based on the spread of industries and regions, in addition to the timing of the vulnerability disclosure, we believe this campaign may have been more opportunistic in nature compared to the highly targeted attack campaigns that are often associated with these types of adversaries. However, considering the exploitation of the vulnerability in conjunction with delivery of a backdoor specifically designed to execute on the associated FreeBSD operating system indicates the adversary was absolutely targeting the affected devices.",
+ "meta": {
+ "refs": [
+ "https://unit42.paloaltonetworks.com/apt41-using-new-speculoos-backdoor-to-target-organizations-globally/"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "9c124874-042d-48cd-b72b-ccdc51ecbbd6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"very-likely\""
+ ],
+ "type": "used-by"
+ }
+ ],
+ "uuid": "201e8794-a93b-476f-9436-1dd859c6e5d9",
+ "value": "Speculoos"
 }
 ],
- "version": 7
+ "version": 8
 }
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 15a9077..3250cef 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
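Review bot: The Speculoos description is pasted in the source's first-person voice (`we believe this campaign may have been more opportunistic`), which in a shared galaxy reads as the maintainers' own assessment rather than Unit 42's; attributing it, e.g. `Unit 42 assesses that this campaign may have been more opportunistic in nature ...`, keeps the hedge with the party that made it. The `related` link to `9c124874-042d-48cd-b72b-ccdc51ecbbd6` with `"type": "used-by"` matches the reciprocal `uses` entry this same patch adds on the APT41 side of threat-actor.json, so the two halves are consistent. The vulnerability identifier (CVE-2019-19781) and the vendor bulletin (CTX267679) exist only inside the prose; if the cluster schema offers a structured place for them, surfacing them there would make the entry findable by id rather than by full-text search.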
@@ -7749,9 +7749,19 @@
 ],
 "country": "CN",
 "refs": [
- "https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html"
+ "https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html",
+ "https://unit42.paloaltonetworks.com/apt41-using-new-speculoos-backdoor-to-target-organizations-globally/"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "201e8794-a93b-476f-9436-1dd859c6e5d9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"very-likely\""
+ ],
+ "type": "uses"
+ }
+ ],
 "uuid": "9c124874-042d-48cd-b72b-ccdc51ecbbd6",
 "value": "APT41"
 },
@@ -8109,7 +8119,18 @@
 },
 "uuid": "f628b544-48b6-44e2-b794-950713353cf1",
 "value": "Operation Shadow Force"
+ },
+ {
+ "description": "Researchers at FireEye report finding a hacking group (dubbed NOTROBIN) that has been bundling mitigation code for NetScaler servers with its exploits. In effect, the hackers exploit the flaw to get access to the server, kill any existing malware, set up their own backdoor, then block off the vulnerable code from future exploit attempts by mitigation.",
+ "meta": {
+ "refs": [
+ "https://www.theregister.co.uk/2020/01/17/hackers_patch_citrix_vulnerability/",
+ "https://www.fireeye.com/blog/threat-research/2020/01/vigilante-deploying-mitigation-for-citrix-netscaler-vulnerability-while-maintaining-backdoor.html"
+ ]
+ },
+ "uuid": "21d08f2c-97b2-444e-be49-8457093b841a",
+ "value": "NOTROBIN"
 }
 ],
- "version": 157
+ "version": 158
 }
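Review bot: In the second hunk (`@@ -8109,7 +8119,18 @@`), the NOTROBIN description refers to `the flaw`, `the server` and `the vulnerable code` without ever naming the vulnerability, so the entry cannot be understood without following the references, and its opening (`Researchers at FireEye report finding a hacking group`) is news coverage rather than a description of the actor. Both references concern the Citrix NetScaler vulnerability, and the Speculoos entry added in this same patch names CVE-2019-19781 for that appliance family; if it is the same flaw, the description should say so explicitly, along the lines of `NOTROBIN is a threat actor that exploited the Citrix Application Delivery Controller / NetScaler vulnerability (CVE-2019-19781) to install its own backdoor, removed any malware already present, and then applied a mitigation to block further exploitation of the same flaw.` The entry has no meta beyond `refs`, which is defensible given the sources, but the description is then all a reader gets and should stand on its own.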