From 622d67eb388f18da67da121c50c6c1956f806840 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Thu, 16 Nov 2023 07:10:17 -0800
Subject: [PATCH 01/10] [threat-actors] Add MirrorFace
---
 clusters/threat-actor.json | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index c3676ff..91b2094 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -13000,6 +13000,19 @@
 },
 "uuid": "615311f0-58d4-4d1d-ac86-6ba86d119317",
 "value": "KAX17"
+ },
+ {
+ "description": "MirrorFace is a Chinese-speaking advanced persistent threat group that has been targeting high-value organizations in Japan, including media, government, diplomatic, and political entities. They have been conducting spear-phishing campaigns, utilizing malware such as LODEINFO and MirrorStealer to steal credentials and exfiltrate sensitive data. While there is speculation about their connection to APT10, ESET currently track them as a separate entity.",
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "https://www.welivesecurity.com/2022/12/14/unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities/",
+ "https://web-assets.esetstatic.com/wls/2023/01/eset_apt_activity_report_t32022.pdf",
+ "https://blog.sekoia.io/my-teas-not-cold-an-overview-of-china-cyber-threat/"
+ ]
+ },
+ "uuid": "e992d874-604b-4a09-9c6c-0319d5be652a",
+ "value": "MirrorFace"
 }
 ],
 "version": 294
From 03d16eba613e4592786660d5ffc04da20dd97287 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Thu, 16 Nov 2023 07:10:18 -0800
Subject: [PATCH 02/10] [threat-actors] Add VulzSecTeam
---
 clusters/threat-actor.json | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 91b2094..1187c10 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
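Review bot: The context line `"version": 294` at the end of this hunk is left untouched, and it is still 294 at the end of patch 10/10, so the galaxy version does not reflect the ten clusters this series adds; MISP uses that counter to decide whether an installed galaxy needs updating, so instances already on 294 may never pick these entries up. Bump it once for the series, e.g. `"version": 295`, in the last patch. Separately, `"country": "CN"` is stated as a fact while the description only says "Chinese-speaking" and notes that ESET does not tie the group to APT10; adding an `"attribution-confidence"` value (the meta key this galaxy uses for that purpose, if the schema still carries it) would let consumers tell a linguistic observation from a state attribution.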
@@ -13013,6 +13013,21 @@
 },
 "uuid": "e992d874-604b-4a09-9c6c-0319d5be652a",
 "value": "MirrorFace"
+ },
+ {
+ "description": "VulzSec, also known as VulzSecTeam, is a hacktivist group that has been involved in various cyber-attacks. They have targeted government websites in retaliation for issues such as police brutality and the treatment of Indian Muslims. The group has been involved in campaigns like OpIndia2.0, where they planned to launch DDoS attacks on Indian government websites.",
+ "meta": {
+ "country": "ID",
+ "refs": [
+ "https://blog.cyble.com/2023/04/28/indian-ideology-targeted-by-hacktivists-reprisal-hacktivism-draws-more-attacks/",
+ "https://www.enigmasoftware.com/indonesian-sudanese-cyber-threats-continue-grow-size-scope/"
+ ],
+ "synonyms": [
+ "VulzSec"
+ ]
+ },
+ "uuid": "fcb18ca2-ea45-4f5c-a827-ed8b6b697a08",
+ "value": "VulzSecTeam"
 }
 ],
 "version": 294
From f759525c251aded26d18da808de89a0b6173a27e Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Thu, 16 Nov 2023 07:10:18 -0800
Subject: [PATCH 03/10] [threat-actors] Add Chernovite
---
 clusters/threat-actor.json | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 1187c10..ada4f3e 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
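Review bot: `"country": "ID"` is not supported by anything in the description, which only describes attacks on Indian targets; a reader has to guess that the second reference's title ("indonesian-sudanese-cyber-threats") is the basis. Either state the Indonesian origin in the description with its source, or drop the field, because a bare country code in a shared galaxy is consumed downstream as an attribution. The naming is also inverted relative to the text: the description opens with "VulzSec, also known as VulzSecTeam", yet `"value"` is `VulzSecTeam` and `VulzSec` is the synonym — use the name the cited Cyble report uses as the primary `value` and keep the other as the synonym.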
@@ -13028,6 +13028,20 @@
 },
 "uuid": "fcb18ca2-ea45-4f5c-a827-ed8b6b697a08",
 "value": "VulzSecTeam"
+ },
+ {
+ "description": "Chernovite is a highly capable and sophisticated threat actor group that has developed a modular ICS malware framework called PIPEDREAM. They are known for targeting industrial control systems and operational technology environments, with the ability to disrupt, degrade, and potentially destroy physical processes. Chernovite has demonstrated a deep understanding of ICS protocols and intrusion techniques, making them a significant threat to critical infrastructure sectors.",
+ "meta": {
+ "country": "RU",
+ "refs": [
+ "https://www.dragos.com/blog/pipedream-mousehole-opcua-module/",
+ "https://www.dragos.com/blog/industry-news/chernovite-pipedream-malware-targeting-industrial-control-systems/",
+ "https://www.dragos.com/threats/the-2022-ics-ot-vulnerability-briefing-recap/",
+ "https://www.dragos.com/blog/responding-to-chernovites-pipedream-with-dragos-global-services/"
+ ]
+ },
+ "uuid": "2ce00149-9a25-4dea-8dd5-59bdb68d11a1",
+ "value": "Chernovite"
 }
 ],
 "version": 294
From ce555828e1fd675efb2bd8034eb89cc9a0225929 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Thu, 16 Nov 2023 07:10:18 -0800
Subject: [PATCH 04/10] [threat-actors] Add MurenShark
---
 clusters/threat-actor.json | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index ada4f3e..fac0ac6 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
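Review bot: `"country": "RU"` is not backed by the four Dragos references: Dragos, as far as this reviewer knows, deliberately does not attribute the groups it tracks to a state, and none of the cited titles claims a Russian origin for CHERNOVITE. A country code in this galaxy is treated as an attribution by every consumer, so either cite a source that actually makes the attribution and add an `"attribution-confidence"` value alongside it, or remove the `country` key and leave the origin unstated as the sources do. The description itself is consistent with the references and can stay as is.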
@@ -13042,6 +13042,19 @@
 },
 "uuid": "2ce00149-9a25-4dea-8dd5-59bdb68d11a1",
 "value": "Chernovite"
+ },
+ {
+ "description": "MurenShark is an advanced persistent threat group that operates primarily in the Middle East, with a focus on targeting Turkey. They have shown interest in military projects, as well as research institutes and universities. This group is highly skilled in counter-analysis and reverse traceability, using sophisticated tactics to avoid detection. They utilize compromised websites as file servers and command and control servers, and have been known to use attack tools like NiceRender for phishing purposes.",
+ "meta": {
+ "refs": [
+ "https://www.rewterz.com/rewterz-news/rewterz-threat-alert-murenshark-apt-threat-actors-aka-actor210426-active-iocs"
+ ],
+ "synonyms": [
+ "Actor210426"
+ ]
+ },
+ "uuid": "e5c78742-bf60-4da8-b038-d548ae3f4ecb",
+ "value": "MurenShark"
 }
 ],
 "version": 294
From 941ef757bb5fd8d92fb5ef550f65be88887ef88b Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Thu, 16 Nov 2023 07:10:18 -0800
Subject: [PATCH 05/10] [threat-actors] Add DriftingCloud
---
 clusters/threat-actor.json | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index fac0ac6..b9005af 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
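Review bot: The only reference is a Rewterz threat alert, a secondary IoC digest rather than the original analysis, and the synonym `Actor210426` is a vendor tracking ID that a reader cannot trace from this entry; if the report that assigned that ID is available, it should be cited as the primary source. "counter-analysis and reverse traceability" reads like a machine translation — `anti-analysis and anti-tracing techniques` says what is meant. "attack tools like NiceRender for phishing purposes" does not tell a defender what to look for; if the source describes NiceRender as a lure or document-rendering tool, say which.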
@@ -13055,6 +13055,19 @@
 },
 "uuid": "e5c78742-bf60-4da8-b038-d548ae3f4ecb",
 "value": "MurenShark"
+ },
+ {
+ "description": "DriftingCloud is a persistent threat actor known for targeting various industries and locations. They are skilled at developing or acquiring zero-day exploits to gain unauthorized access to target networks. Compromising gateway devices is a common tactic used by DriftingCloud, making network monitoring solutions crucial for detecting their attacks.",
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "https://socradar.io/driftingcloud-apt-group-exploits-zero-day-in-sophos-firewall/",
+ "https://www.volexity.com/blog/2022/06/15/driftingcloud-zero-day-sophos-firewall-exploitation-and-an-insidious-breach/",
+ "https://www.trendmicro.com/en_us/research/23/g/supply-chain-attack-targeting-pakistani-government-delivers-shad.html"
+ ]
+ },
+ "uuid": "6f6b187b-971b-4df9-a7ef-9b3fd7e092f7",
+ "value": "DriftingCloud"
 }
 ],
 "version": 294
From dc9d98ffe91e67d36b6c1aff600df0d803acf92c Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Thu, 16 Nov 2023 07:10:18 -0800
Subject: [PATCH 06/10] [threat-actors] Add UNC4191
---
 clusters/threat-actor.json | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index b9005af..4fe0513 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
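Review bot: The third reference, a Trend Micro post about a supply-chain attack on Pakistani government delivering ShadowPad, does not name DriftingCloud in its title and looks unrelated to the Sophos Firewall zero-day campaign the other two references describe; confirm it actually attributes activity to this group before keeping it, since an unrelated reference silently widens what the cluster claims. The closing clause "making network monitoring solutions crucial for detecting their attacks" is vendor advice, not a fact about the actor, and should be dropped. The description would be more useful if it stated the one concrete thing the sources establish, e.g. `exploited a zero-day in Sophos Firewall (reported by Volexity in June 2022) to gain access to target networks`.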
@@ -13068,6 +13068,18 @@
 },
 "uuid": "6f6b187b-971b-4df9-a7ef-9b3fd7e092f7",
 "value": "DriftingCloud"
+ },
+ {
+ "description": "UNC4191 is a China-linked threat actor that has been involved in cyber espionage campaigns targeting public and private sectors primarily in Southeast Asia. They have been known to use USB devices as an initial infection vector and have been observed deploying various malware families on infected systems. UNC4191's operations have also extended to the US, Europe, and the Asia Pacific Japan region, with a particular focus on the Philippines.",
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "https://www.mandiant.com/resources/blog/china-nexus-espionage-southeast-asia",
+ "https://therecord.media/espionage-group-using-usb-devices-to-hack-targets-in-southeast-asia/"
+ ]
+ },
+ "uuid": "df697450-57e0-496b-982c-a167ed41f023",
+ "value": "UNC4191"
 }
 ],
 "version": 294
From d365624734c8ce6655907b1f9064554c74ae36c2 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Thu, 16 Nov 2023 07:10:18 -0800
Subject: [PATCH 07/10] [threat-actors] Add DragonSpark
---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 4fe0513..300d507 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
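Review bot: The description says UNC4191 deploys "various malware families" without naming one, although the cited Mandiant post is about exactly those families; naming them (as the MirrorFace entry in this series does with LODEINFO and MirrorStealer) is what lets a cluster be matched against samples and reports. "Asia Pacific Japan region" is Mandiant's internal APJ sales-region label and reads oddly in a galaxy entry; `the Asia-Pacific region` is what is meant. `"country": "CN"` is consistent with "China-linked", but a UNC designation is by Mandiant's own definition an uncategorized group, so an `"attribution-confidence"` value would be appropriate next to it.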
@@ -13080,6 +13080,17 @@
 },
 "uuid": "df697450-57e0-496b-982c-a167ed41f023",
 "value": "UNC4191"
+ },
+ {
+ "description": "DragonSpark is a threat actor that has been conducting attacks primarily targeting organizations in East Asia. They utilize the open-source tool SparkRAT, which is a multi-platform and frequently updated remote access Trojan. The threat actor is believed to be Chinese-speaking based on their use of Chinese language support and compromised infrastructure located in China and Taiwan. They employ various techniques to evade detection, including Golang source code interpretation and the use of the China Chopper webshell.",
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "https://www.sentinelone.com/labs/dragonspark-attacks-evade-detection-with-sparkrat-and-golang-source-code-interpretation/"
+ ]
+ },
+ "uuid": "a219a78b-7b91-41b1-bf14-91e31e0bb9da",
+ "value": "DragonSpark"
 }
 ],
 "version": 294
From 5d6bcf5e55e0a1047fc84bc745198f163f8d2c7c Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Thu, 16 Nov 2023 07:10:18 -0800
Subject: [PATCH 08/10] [threat-actors] Add FusionCore
---
 clusters/threat-actor.json | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 300d507..a18562e 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
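Review bot: `"country": "CN"` is stated as a fact while the description only says the actor is "believed to be Chinese-speaking", on the basis of language support and of compromised infrastructure in China and Taiwan — compromised hosts say nothing about where the operator sits, and a Chinese-speaking operator is not the same as a China-based one. Either add an `"attribution-confidence"` value that reflects that hedge or drop the `country` key. "Golang source code interpretation" will mean little to a reader who has not read the SentinelOne post; a short gloss such as `executing embedded Go source at runtime through an interpreter to evade static detection` would make the technique searchable, if that is how the post describes it.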
@@ -13091,6 +13091,16 @@
 },
 "uuid": "a219a78b-7b91-41b1-bf14-91e31e0bb9da",
 "value": "DragonSpark"
+ },
+ {
+ "description": "The CYFIRMA research team has identified a new up-and-coming European threat actor group known as FusionCore. Running Malware-as-a-service, along with the hacker-for- hire operation, they have a wide variety of tools and services that are being offered on their website, making it a one-stop-shop for threat actors looking to purchase cost- effective yet customizable malware. The operators have started a ransomware affiliate program that equips the attackers with the ransomware and affiliate software to manage victims. FusionCore typically provides sellers with a detailed set of instructions for any service or product being sold, enabling individuals with minimal experience to carry out complex attacks.",
+ "meta": {
+ "refs": [
+ "https://www.cyfirma.com/?post_type=out-of-band&p=17003"
+ ]
+ },
+ "uuid": "ab376039-4ede-4dfc-a45b-c80d9d994657",
+ "value": "FusionCore"
 }
 ],
 "version": 294
From 6e7e5e60ceba4cc558a5de90484518ef7227b168 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Thu, 16 Nov 2023 07:10:19 -0800
Subject: [PATCH 09/10] [threat-actors] Add Earth Kitsune
---
 clusters/threat-actor.json | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index a18562e..f1e98ed 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
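Review bot: The description carries two copy-paste hyphenation artifacts, `hacker-for- hire` and `cost- effective`, which should read `hacker-for-hire` and `cost-effective`, and it opens with "The CYFIRMA research team has identified", first-person vendor prose that does not belong in a galaxy entry — start at `FusionCore is a European malware-as-a-service and hacker-for-hire operation ...`. The reference `https://www.cyfirma.com/?post_type=out-of-band&p=17003` is a WordPress query-string URL that breaks as soon as the post ID or post type changes; replace it with the post's permalink. "provides sellers with a detailed set of instructions" is probably "provides buyers" — check the source.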
@@ -13101,6 +13101,19 @@
 },
 "uuid": "ab376039-4ede-4dfc-a45b-c80d9d994657",
 "value": "FusionCore"
+ },
+ {
+ "description": "Earth Kitsune is an advanced persistent threat actor that has been active since at least 2019. They primarily target individuals interested in North Korea and use various tactics, such as compromising websites and employing social engineering, to distribute self-developed backdoors. Earth Kitsune demonstrates technical proficiency and continuously evolves their tools, tactics, and procedures. They have been associated with malware such as WhiskerSpy and SLUB.",
+ "meta": {
+ "refs": [
+ "https://www.trendmicro.com/en_us/research/23/b/earth-kitsune-delivers-new-whiskerspy-backdoor.html",
+ "https://www.trendmicro.com/en_us/research/20/l/who-is-the-threat-actor-behind-operation-earth-kitsune-.html",
+ "https://www.trendmicro.com/en_us/research/20/j/operation-earth-kitsune-a-dance-of-two-new-backdoors.html",
+ "https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-earth-kitsune-tracking-slub-s-current-operations/"
+ ]
+ },
+ "uuid": "a9f29636-26e4-42f0-95d1-7a49dd6f0a79",
+ "value": "Earth Kitsune"
 }
 ],
 "version": 294
From c832066fa5fd9fb1644ef8d7047d16f123d5cd89 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Thu, 16 Nov 2023 07:10:19 -0800
Subject: [PATCH 10/10] [threat-actors] Add AppMilad
---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index f1e98ed..afc5ec0 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -13114,6 +13114,17 @@
 },
 "uuid": "a9f29636-26e4-42f0-95d1-7a49dd6f0a79",
 "value": "Earth Kitsune"
+ },
+ {
+ "description": "AppMilad is an Iranian hacking group that has been identified as the source of a spyware campaign called RatMilad. This spyware is designed to silently infiltrate victims' devices and gather personal and corporate information, including private communications and photos. The group has been distributing the spyware through fake apps and targeting primarily Middle Eastern enterprises.",
+ "meta": {
+ "country": "IR",
+ "refs": [
+ "https://zimpstage.wpengine.com/blog/we-smell-a-ratmilad-mobile-spyware/"
+ ]
+ },
+ "uuid": "e284c356-4b77-4f86-a8f2-7793cbe8662b",
+ "value": "AppMilad"
 }
 ],
 "version": 294
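Review bot: The only reference points at `https://zimpstage.wpengine.com/...`, a WP Engine staging host for Zimperium's site rather than the published blog; staging hosts are not stable, may be taken down or put behind auth at any time, and a galaxy shipped to MISP instances should not send analysts there. Replace it with the same path on the production site, `https://www.zimperium.com/blog/we-smell-a-ratmilad-mobile-spyware/`, after confirming it resolves. If the Zimperium report does not itself place the group in Iran, `"country": "IR"` should carry an `"attribution-confidence"` value rather than stand as a bare fact.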