From 4cf84858e31b376438f7855f69c07552d80fff1f Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Tue, 31 Jul 2018 15:26:11 +0200
Subject: [PATCH 1/8] chg: [tool] Bisonal malware added (new variant with
encryption capabilities)
---
clusters/tool.json | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index ed10eea..a3a24bf 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -2,7 +2,7 @@
"uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f",
"description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.",
"source": "MISP Project",
- "version": 78,
+ "version": 79,
"values": [
{
"meta": {
@@ -4375,6 +4375,17 @@
"description": "Koadic, or COM Command & Control, is a Windows post-exploitation rootkit similar to other penetration testing tools such as Meterpreter and Powershell Empire. The major difference is that Koadic does most of its operations using Windows Script Host",
"value": "Koadic",
"uuid": "f9e0b922-253c-40fa-a6d2-e60ec9c6980b"
+ },
+ {
+ "value": "Bisonal",
+ "uuid": "23f6da78-873a-4ab0-9167-c8b0563627a5",
+ "description": "In early May, Unit 42 discovered an attack campaign against at least one defense company in Russia and one unidentified organization in South Korea delivering a variant of Bisonal malware. While not previously publicly documented, the variant has been in the wild since at least 2014. There are three primary differences between it and older Bisonal malware including a different cipher and encryption for C2 communication, and a large rewrite of the code for both network communication and maintaining persistence. To date, we have only collected 14 samples of this variant, indicating it may be sparingly used. The adversary behind these attacks lured the targets into launching the Microsoft Windows executable malware by masquerading it as a PDF file (using a fake PDF icon) and reusing publicly available data for the decoy PDF file’s contents. Attacks using Bisonal have been blogged about in the past. In 2013, both COSEINC and FireEye revealed attacks using Bisonal against Japanese organizations . In October 2017, AhnLab published a report called “Operation Bitter Biscuit,” an attack campaign against South Korea, Japan, India and Russia using Bisonal and its successors, Bioazih and Dexbia. ",
+ "meta": {
+ "refs": [
+ "https://researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/",
+ "https://camal.coseinc.com/publish/2013Bisonal.pdf"
+ ]
+ }
}
],
"authors": [
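Review bot: The Bisonal description on L30 ends with a trailing space after `Bioazih and Dexbia. ` and has a stray space in `Japanese organizations .`; trim both so the string closes as `...Bioazih and Dexbia."` and reads `Japanese organizations.` like the rest of the text. The opening `In early May` carries no year, so once the entry is read apart from the blog post the date is ambiguous — presumably 2018 given the reference URL on L33, so `In early May 2018` would make the entry self-contained; confirm against the source before changing quoted text. The description is otherwise a verbatim copy of the Unit 42 post, including the first-person `we`, which matches how neighbouring entries in this cluster are written.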
From 43fa95df7a2f829fab979318665afaa160cc8b8d Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 2 Aug 2018 10:03:18 +0200
Subject: [PATCH 2/8] chg: [threat-actor] new reference to CARBON
SPIDER/Carbanak
---
clusters/threat-actor.json | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index a006590..32f1dac 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -1600,7 +1600,8 @@
"https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks",
"https://blog.cyber4sight.com/2017/04/similarities-between-carbanak-and-fin7-malware-suggest-actors-are-closely-related/",
"https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor",
- "https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns"
+ "https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns",
+ "https://www.crowdstrike.com/blog/arrests-put-new-focus-on-carbon-spider-adversary-group/"
],
"motive": "Cybercrime"
},
@@ -3763,5 +3764,5 @@
],
"description": "Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign.",
"uuid": "7cdff317-a673-4474-84ec-4f1754947823",
- "version": 46
+ "version": 47
}
From c232b3dd5ac7f88ab477797ec9c61f6dc41dd955 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 2 Aug 2018 10:30:47 +0200
Subject: [PATCH 3/8] chg: [tool] added based on Carbanak tooling description
from Crowdstrike
ref: https://www.crowdstrike.com/blog/arrests-put-new-focus-on-carbon-spider-adversary-group/
---
clusters/tool.json | 65 +++++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 64 insertions(+), 1 deletion(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index a3a24bf..10efb1a 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -2,7 +2,7 @@
"uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f",
"description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.",
"source": "MISP Project",
- "version": 79,
+ "version": 80,
"values": [
{
"meta": {
@@ -4386,6 +4386,69 @@
"https://camal.coseinc.com/publish/2013Bisonal.pdf"
]
}
+ },
+ {
+ "value": "Sekur",
+ "uuid": "ddbd9db5-7875-437b-b7c5-a17d2892d218",
+ "description": "Sekur has been CARBON SPIDER’s primary tool for several years, although usage over the last year appears to have declined. It contains all the functionality you would expect from a RAT, allowing the adversary to execute commands, manage the file system, manage processes, and collect data. In addition, it can record videos of victim sessions, log keystrokes, enable remote desktop, or install Ammyy Admin or VNC modules. From July 2014 on, samples were compiled with the capability to target Epicor POS systems and to collect credit card data.",
+ "meta": {
+ "refs": [
+ "https://www.crowdstrike.com/blog/arrests-put-new-focus-on-carbon-spider-adversary-group/"
+ ]
+ }
+ },
+ {
+ "value": "Agent ORM",
+ "uuid": "c1159097-3dad-48ab-91cf-c055182f5785",
+ "description": "Agent ORM began circulating alongside Skeur in campaigns throughout the second half of 2015. The malware collects basic system information and is able to take screenshots of victim systems. It is used to download next-stage payloads when systems of interest are identified. It is strongly suspected that Agent ORM has been deprecated in favor of script-based first-stage implants (VB Flash, JS Flash, and Bateleur).",
+ "meta": {
+ "refs": [
+ "https://www.crowdstrike.com/blog/arrests-put-new-focus-on-carbon-spider-adversary-group/"
+ ],
+ "synonyms": [
+ "Tosliph",
+ "DRIFTPIN"
+ ]
+ }
+ },
+ {
+ "value": "VB Flash",
+ "uuid": "2815a353-cd56-4ed0-8581-812b94f7a326",
+ "description": "VB Flash was first observed being deployed alongside Agent ORM in September 2015. It is likely that this was developed as a replacement to Agent ORM and contained similar capabilities. The first observed instance of VB Flash included comments and was easy to analyze—later versions soon began to integrate multiple layers of obfuscation. Several versions of VB Flash were developed including ones that utilized Google Forms, Google Macros, and Google Spreadsheets together to make a command-and-control (C2) channel. This variant would POST victim data to a specified Google form, then make a request to a Google macro script, receiving an address for a Google Spreadsheet from which to request commands.",
+ "meta": {
+ "refs": [
+ "https://www.crowdstrike.com/blog/arrests-put-new-focus-on-carbon-spider-adversary-group/"
+ ],
+ "synonyms": [
+ "HALFBAKED"
+ ]
+ }
+ },
+ {
+ "value": "JS Flash",
+ "uuid": "bf03a7ae-3c5e-47b9-84c6-27756297f1b5",
+ "description": "JS Flash capabilities closely resemble those of VB Flash and leverage interesting techniques in deployment via batch scripts embedded as OLE objects in malicious documents. Many iterations of JS Flash were observed being tested before deployment, containing minor changes to obfuscation and more complex additions, such as the ability to download TinyMet (a cutdown of the Metasploit Meterpreter payload). PowerShell was also used heavily for the execution of commands and arbitrary script execution. No JS Flash samples were observed being deployed after November 2017.",
+ "meta": {
+ "refs": [
+ "https://www.crowdstrike.com/blog/arrests-put-new-focus-on-carbon-spider-adversary-group/"
+ ],
+ "synonyms": [
+ "JavaScript variant of HALFBAKED"
+ ]
+ }
+ },
+ {
+ "value": "Bateleur",
+ "uuid": "81faf0c1-0595-436b-a66a-05d8b435bccd",
+ "description": "Bateleur deployments began not long after JS Flash and were also written in JavaScript. Deployments were more infrequent and testing was not observed. It is likely that Bateleur was run in parallel as an alternative tool and eventually replaced JS Flash as CARBON SPIDER’s first stage tool of choice. Although much simpler in design than JS Flash, all executing out of a single script with more basic obfuscation, Bateleur has a wealth of capabilities—including the ability to download arbitrary scripts and executables, deploy TinyMet, execute commands via PowerShell, deploy a credential stealer, and collect victim system information such as screenshots.",
+ "meta": {
+ "refs": [
+ "https://www.crowdstrike.com/blog/arrests-put-new-focus-on-carbon-spider-adversary-group/"
+ ],
+ "synonyms": [
+ ""
+ ]
+ }
}
],
"authors": [
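Review bot: The Bateleur entry ends with `"synonyms": [""]` (L154-L156), an array holding a single empty string, which any consumer matching on synonym names will treat as a real alias of `""`; either drop the `synonyms` key as the Sekur entry on L96-L105 does, or leave it as `"synonyms": []` if the key is meant to stay present. Under JS Flash, `"JavaScript variant of HALFBAKED"` (L142) is a descriptive phrase rather than a name and belongs in the description, with the synonyms array holding only real aliases such as `HALFBAKED`. The Agent ORM description on L109 spells the companion tool `Skeur` while the entry added on L97 is `Sekur`; the text presumably should match the value so that a search on either name finds both entries.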
From ece56dff38ac6b8085a030193bd7caade451816d Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 2 Aug 2018 15:08:39 +0200
Subject: [PATCH 4/8] chg: [threat-actor] leafminer - RASPITE added
---
clusters/threat-actor.json | 16 +++++++++++++++-
1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 32f1dac..6e56d7d 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -2687,6 +2687,20 @@
},
"uuid": "feac86e4-6bb2-4ba0-ac99-806aeb0a776c"
},
+ {
+ "value": "RASPITE",
+ "description": "Dragos has identified a new activity group targeting access operations in the electric utility sector. We call this activity group RASPITE. Analysis of RASPITE tactics, techniques, and procedures (TTPs) indicate the group has been active in some form since early- to mid-2017. RASPITE targeting includes entities in the US, Middle East, Europe, and East Asia. Operations against electric utility organizations appear limited to the US at this time. RASPITE leverages strategic website compromise to gain initial access to target networks. RASPITE uses the same methodology as DYMALLOY and ALLANITE in embedding a link to a resource to prompt an SMB connection, from which it harvests Windows credentials. The group then deploys install scripts for a malicious service to beacon back to RASPITE-controlled infrastructure, allowing the adversary to remotely access the victim machine.",
+ "uuid": "2c8994ba-367c-46f6-bfb0-390c8760dd9e",
+ "meta": {
+ "synonyms": "LeafMiner",
+ "since": "2017",
+ "victimology": "Electric utility sector",
+ "refs": [
+ "https://dragos.com/blog/20180802Raspite.html",
+ "https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east"
+ ]
+ }
+ },
{
"meta": {
"refs": [
@@ -3764,5 +3778,5 @@
],
"description": "Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign.",
"uuid": "7cdff317-a673-4474-84ec-4f1754947823",
- "version": 47
+ "version": 48
}
From 1fdf47d509b0c02c1f2fd2efecce2604339d15de Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 2 Aug 2018 15:13:18 +0200
Subject: [PATCH 5/8] fix: [threat-actor] synonyms are always arraus
---
clusters/threat-actor.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 6e56d7d..bf82861 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -2692,7 +2692,7 @@
"description": "Dragos has identified a new activity group targeting access operations in the electric utility sector. We call this activity group RASPITE. Analysis of RASPITE tactics, techniques, and procedures (TTPs) indicate the group has been active in some form since early- to mid-2017. RASPITE targeting includes entities in the US, Middle East, Europe, and East Asia. Operations against electric utility organizations appear limited to the US at this time. RASPITE leverages strategic website compromise to gain initial access to target networks. RASPITE uses the same methodology as DYMALLOY and ALLANITE in embedding a link to a resource to prompt an SMB connection, from which it harvests Windows credentials. The group then deploys install scripts for a malicious service to beacon back to RASPITE-controlled infrastructure, allowing the adversary to remotely access the victim machine.",
"uuid": "2c8994ba-367c-46f6-bfb0-390c8760dd9e",
"meta": {
- "synonyms": "LeafMiner",
+ "synonyms": ["LeafMiner"],
"since": "2017",
"victimology": "Electric utility sector",
"refs": [
From 3da005a3f38826cf0d95088a648679b926ec52bb Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 2 Aug 2018 15:15:47 +0200
Subject: [PATCH 6/8] fix: jq all the things(tm)
---
clusters/threat-actor.json | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index bf82861..f173001 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -2692,7 +2692,9 @@
"description": "Dragos has identified a new activity group targeting access operations in the electric utility sector. We call this activity group RASPITE. Analysis of RASPITE tactics, techniques, and procedures (TTPs) indicate the group has been active in some form since early- to mid-2017. RASPITE targeting includes entities in the US, Middle East, Europe, and East Asia. Operations against electric utility organizations appear limited to the US at this time. RASPITE leverages strategic website compromise to gain initial access to target networks. RASPITE uses the same methodology as DYMALLOY and ALLANITE in embedding a link to a resource to prompt an SMB connection, from which it harvests Windows credentials. The group then deploys install scripts for a malicious service to beacon back to RASPITE-controlled infrastructure, allowing the adversary to remotely access the victim machine.",
"uuid": "2c8994ba-367c-46f6-bfb0-390c8760dd9e",
"meta": {
- "synonyms": ["LeafMiner"],
+ "synonyms": [
+ "LeafMiner"
+ ],
"since": "2017",
"victimology": "Electric utility sector",
"refs": [
From a0dfdd65ae2aeab3e9552535cd576c7399694e88 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Fri, 3 Aug 2018 08:34:55 +0200
Subject: [PATCH 7/8] chg: [rat] Hallaj PRO Rat added
ref: https://securelist.com/attacks-on-industrial-enterprises-using-rms-and-teamviewer/87104/
misp-event: 5b63f5e4-bf24-4f46-8340-48fc02de0b81
---
clusters/rat.json | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/clusters/rat.json b/clusters/rat.json
index a953b8b..7394c96 100644
--- a/clusters/rat.json
+++ b/clusters/rat.json
@@ -2,7 +2,7 @@
"uuid": "312f8714-45cb-11e7-b898-135207cdceb9",
"description": "remote administration tool or remote access tool (RAT), also called sometimes remote access trojan, is a piece of software or programming that allows a remote \"operator\" to control a system as if they have physical access to that system.",
"source": "MISP Project",
- "version": 11,
+ "version": 12,
"values": [
{
"meta": {
@@ -2521,6 +2521,16 @@
"description": "The RAT is written in .NET, it uses socket.io for communication. Currently there are two variants of the malware, the 1st variant is a typical downloader whereas the 2nd one has download and C2 functionalities.",
"value": "SocketPlayer",
"uuid": "d9475765-2cea-45c0-b638-a082b9427239"
+ },
+ {
+ "value": "Hallaj PRO RAT",
+ "description": "RAT",
+ "uuid": "f6447046-f4e8-4977-9cc3-edee74ff0038",
+ "meta": {
+ "refs": [
+ "https://securelist.com/attacks-on-industrial-enterprises-using-rms-and-teamviewer/87104/"
+ ]
+ }
}
],
"authors": [
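Review bot: The Hallaj PRO RAT entry's `"description": "RAT"` (L271) is a placeholder that repeats the cluster's own name and tells a consumer nothing about the tool, whereas the neighbouring SocketPlayer entry (L265) carries a sentence of capability and context. A one-sentence summary taken from the Securelist post referenced on L275, or at least the campaign context the `misp-event` trailer in the commit message points to, would make the entry usable on its own. If the description is intentionally deferred, say so in the commit message rather than leaving a stub string that validates as a complete entry.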
From b3701b6b34f2bbbb32b065cf1407709cdde95ae9 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Fri, 3 Aug 2018 10:26:52 +0200
Subject: [PATCH 8/8] chg: [threat-actor] The Gordon Group added
ref: https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/
---
clusters/threat-actor.json | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index f173001..b0d856a 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -3759,6 +3759,7 @@
},
{
"value": "The Big Bang",
+ "uuid": "475df014-556a-41db-ad6a-ff509dd202a1",
"description": "While it is not clear exactly what the attacker is looking for, what is clear is that once he finds it, a second stage of the attack awaits, fetching additional modules and/or malware from the Command and Control server. This then is a surveillance attack in progress and has been dubbed ‘Big Bang’ due to the attacker’s fondness for the ‘Big Bang Theory’ TV show, after which some of the malware’s modules are named.",
"meta": {
"refs": [
@@ -3766,6 +3767,16 @@
"https://blog.talosintelligence.com/2017/06/palestine-delphi.html"
]
}
+ },
+ {
+ "value": "The Gorgon Group",
+ "description": "Unit 42 researchers have been tracking Subaat, an attacker, since 2017. Recently Subaat drew our attention due to renewed targeted attack activity. Part of monitoring Subaat included realizing the actor was possibly part of a larger crew of individuals responsible for carrying out targeted attacks against worldwide governmental organizations. Technical analysis on some of the attacks as well as attribution links with Pakistan actors have been already depicted by 360 and Tuisec, in which they found interesting connections to a larger group of attackers Unit 42 researchers have been tracking, which we are calling Gorgon Group.",
+ "uuid": "e47c2c4d-706b-4098-92a2-b93e7103e131",
+ "meta": {
+ "refs": [
+ "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/"
+ ]
+ }
}
],
"name": "Threat actor",
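Review bot: The value added on L307 is `The Gorgon Group`, which agrees with the reference slug `unit42-gorgon-group-…` on L312, but the commit subject reads `The Gordon Group`; one of the two is a typo and, given the reference, the subject is presumably the one to correct. The description on L308 introduces `Subaat` as an individual attacker tracked within the group; if the dataset treats that as an alias it should appear under `synonyms` so lookups on either name resolve, otherwise leaving it only in prose is fine. The uuid added to the existing The Big Bang entry in the first hunk of this patch (L297) is unrelated to the Gorgon addition and is not mentioned in the commit message, so it would be clearer as its own fix commit.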
@@ -3780,5 +3791,5 @@
],
"description": "Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign.",
"uuid": "7cdff317-a673-4474-84ec-4f1754947823",
- "version": 48
+ "version": 49
}