PassCV group added

This commit is contained in:
Alexandre Dulaunoy 2017-01-06 13:51:22 +01:00
parent c3364add3c
commit ea9ebaf5d6

View file

@ -1235,6 +1235,13 @@
"refs": ["https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets"], "refs": ["https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets"],
"country": "IR" "country": "IR"
} }
},
{
"value": "PassCV",
"description": "The PassCV group continues to be one of the most successful and active threat groups that leverage a wide array of stolen Authenticode-signing certificates. Snorre Fagerland of Blue Coat Systems first coined the term PassCV in a blog post. His post provides a good introduction to the group and covers some of the older infrastructure, stolen code-signing certificate reuse, and other connections associated with the PassCV malware. There are several clues alluding to the possibility that multiple groups may be utilizing the same stolen signing certificates, but at this time SPEAR believes the current attacks are more likely being perpetrated by a single group employing multiple publicly available Remote Administration Tools (RATs). The PassCV group has been operating with continued success and has already started to expand their malware repertoire into different off-the-shelf RATs and custom code. SPEAR identified eighteen previously undisclosed stolen Authenticode certificates. These certificates were originally issued to companies and individuals scattered across China, Taiwan, Korea, Europe, the United States and Russia. In this post we expand the usage of the term PassCV to encompass the malware mentioned in the Blue Coat Systems report, as well as the APT group behind the larger C2 infrastructure and stolen Authenticode certificates. Wed like to share some of our findings as they pertain to the stolen certificates, command and control infrastructure, and some of the newer custom RATs theyve begun development on. ",
"meta": {
"refs": ["https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies"]
}
} }
], ],
"name": "Threat actor", "name": "Threat actor",
@ -1249,5 +1256,5 @@
], ],
"description": "Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign.", "description": "Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign.",
"uuid": "7cdff317-a673-4474-84ec-4f1754947823", "uuid": "7cdff317-a673-4474-84ec-4f1754947823",
"version": 8 "version": 9
} }