From 70456bd8acbfebede8587fa7d320e39b0005537f Mon Sep 17 00:00:00 2001 From: Delta-Sierra Date: Tue, 21 Nov 2023 11:40:50 +0100 Subject: [PATCH 1/3] Kimsuky relations --- clusters/banker.json | 7 ++ clusters/ransomware.json | 30 ++++++++ clusters/rat.json | 60 ++++++++++++++++ clusters/threat-actor.json | 143 ++++++++++++++++++++++++++++++++++++- clusters/tool.json | 119 ++++++++++++++++++++++++++++++ 5 files changed, 358 insertions(+), 1 deletion(-) diff --git a/clusters/banker.json b/clusters/banker.json index c099f152..33bb90f4 100644 --- a/clusters/banker.json +++ b/clusters/banker.json @@ -674,6 +674,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "bcaaad6f-0597-4b89-b69b-84a6be2b7bc3", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "used-by" } ], "uuid": "e683cd91-40b4-4e1c-be25-34a27610a22e", diff --git a/clusters/ransomware.json b/clusters/ransomware.json index de43caa4..ffbfe8c2 100644 --- a/clusters/ransomware.json +++ b/clusters/ransomware.json @@ -23395,6 +23395,36 @@ }, { "description": "ransomware", + "related": [ + { + "dest-uuid": "bcaaad6f-0597-4b89-b69b-84a6be2b7bc3", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "used-by" + }, + { + "dest-uuid": "509aff15-ba17-4582-b1a0-b0ed89df01d8", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "c76e2ee8-52d1-4a55-81df-5542d232ca32", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "a8f167a8-30b9-4953-8eb6-247f0d046d32", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + } + ], "uuid": "d650da35-7ad7-417a-902a-16ea55bd1126", "value": "XRat" }, diff --git a/clusters/rat.json b/clusters/rat.json index 63018767..2fa76025 100644 --- a/clusters/rat.json +++ b/clusters/rat.json 
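Review bot: The `XRat` entry in ransomware.json (`d650da35-…`, description `ransomware`) is marked `used-by` Kimsuky and `similar` to the xRAT cluster in rat.json (`509aff15-…`, whose only ref is github.com/c4bbage/xRAT, a remote access tool), which looks like a name-based match between two different families. The only new source in this series is the ASEC write-up, and it was attached to the threat-actor entry rather than to any cluster receiving a `used-by`, so nothing in the patch records why the ransomware, as opposed to the RAT, is attributed to Kimsuky. Unless that report actually names the XRat ransomware, I would drop the `used-by` and the three `similar` relations from this entry (and their reciprocals in rat.json and tool.json), or at least lower the tag to `"estimative-language:likelihood-probability=\"unlikely\""` and add the ref to this cluster's `meta.refs` so the basis is traceable. The enclosing cluster object starts before this hunk.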
@@ -760,6 +760,27 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "bcaaad6f-0597-4b89-b69b-84a6be2b7bc3", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "used-by" + }, + { + "dest-uuid": "4d58ad7d-b5ee-4efb-b6af-6c70aadb326a", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "da04ac30-27da-4959-a67d-450ce47d9470", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" } ], "uuid": "6efa425c-3731-44fd-9224-2a62df061a2d", @@ -1064,6 +1085,36 @@ "https://github.com/c4bbage/xRAT" ] }, + "related": [ + { + "dest-uuid": "bcaaad6f-0597-4b89-b69b-84a6be2b7bc3", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "used-by" + }, + { + "dest-uuid": "c76e2ee8-52d1-4a55-81df-5542d232ca32", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "d650da35-7ad7-417a-902a-16ea55bd1126", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "a8f167a8-30b9-4953-8eb6-247f0d046d32", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + } + ], "uuid": "509aff15-ba17-4582-b1a0-b0ed89df01d8", "value": "xRAT" }, @@ -1496,6 +1547,15 @@ "https://chrome.google.com/webstore/detail/chrome-remote-desktop/gbchcmhmhahfdphkhkmpfmihenigjmpp?hl=en" ] }, + "related": [ + { + "dest-uuid": "bcaaad6f-0597-4b89-b69b-84a6be2b7bc3", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "used-by" + } + ], "uuid": "6583d982-a5cb-47e0-a3b0-bc18cadaeb53", "value": "Chrome Remote Desktop" }, diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 7343e5da..b4630e5c 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
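Review bot: The new `used-by` relation on the Chrome Remote Desktop cluster (`6583d982-…`) carries no supporting reference: the entry's `meta.refs` still lists only the Chrome Web Store URL, while the ASEC report that presumably backs the attribution was added only to the threat-actor entry. Add `"https://asec.ahnlab.com/en/57873/"` to this cluster's `refs` so the relation can be traced to evidence. Because this is legitimate remote-access software (as are RDP Wrapper and TightVNC elsewhere in the series), anyone generating detections from galaxy relations should not treat its presence alone as a Kimsuky indicator; a one-line `description` such as `"Legitimate remote-access software observed in Kimsuky intrusions"` would make that explicit. The enclosing cluster object starts before this hunk.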
@@ -5553,7 +5553,8 @@
 "https://attack.mitre.org/groups/G0086/",
 "https://us-cert.cisa.gov/ncas/alerts/aa20-301a",
 "https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite",
- "https://mandiant.widen.net/s/zvmfw5fnjs/apt43-report"
+ "https://mandiant.widen.net/s/zvmfw5fnjs/apt43-report",
+ "https://asec.ahnlab.com/en/57873/"
 ],
 "synonyms": [
 "Velvet Chollima",
@@ -5571,6 +5572,146 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "509aff15-ba17-4582-b1a0-b0ed89df01d8", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c76e2ee8-52d1-4a55-81df-5542d232ca32", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d650da35-7ad7-417a-902a-16ea55bd1126", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "uses" + }, + { + "dest-uuid": "a8f167a8-30b9-4953-8eb6-247f0d046d32", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4d58ad7d-b5ee-4efb-b6af-6c70aadb326a", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6efa425c-3731-44fd-9224-2a62df061a2d", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "uses" + }, + { + "dest-uuid": "05252643-093b-4070-b62f-d5836683a9fa", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "uses" + }, + { + "dest-uuid": "da04ac30-27da-4959-a67d-450ce47d9470", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bea5f660-a106-4983-a11a-0e0b6ce348d2", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "uses" + }, + { + "dest-uuid": "5a78ec38-8b93-4dde-a99e-0c9b77674838", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e683cd91-40b4-4e1c-be25-34a27610a22e", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e596e014-c0b7-491a-afee-3588fbfc61c1", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "uses" + }, + { + "dest-uuid": 
"6583d982-a5cb-47e0-a3b0-bc18cadaeb53", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "uses" + }, + { + "dest-uuid": "78ed653d-2d76-4a99-849e-1509e4573c32", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8abdd40c-d79a-4353-80e3-29f8a4229a37", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d1b7830a-fced-4be3-a99c-f495af9d9e1b", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "uses" + }, + { + "dest-uuid": "cdd432b0-8899-4e7d-ad4a-b18741ade11d", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0ec2f388-bf0f-4b5c-97b1-fc736d26c25f", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "860643d6-5693-4e4e-ad1f-56c49faa10a7", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "4e18657-3995-5837-88f1-f823520382a8", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" } ], "uuid": "bcaaad6f-0597-4b89-b69b-84a6be2b7bc3", diff --git a/clusters/tool.json b/clusters/tool.json index 36950a31..db70287f 100644 --- a/clusters/tool.json +++ b/clusters/tool.json 
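Review bot: The last added `similar` relation has a malformed `dest-uuid`: `"4e18657-3995-5837-88f1-f823520382a8"` has seven hex digits in its first group instead of eight, so it is not a valid UUID and cannot resolve to any cluster; re-copy the full 36-character uuid from the intended cluster and run the repository's JSON/UUID validation before merging. Separately, several `uses` targets in this hunk have no reciprocal `used-by` hunk anywhere in the series (`a8f167a8-…`, `05252643-…`, `da04ac30-…`, `5a78ec38-…`, `8abdd40c-…`, `d1b7830a-…`), and neither do the `similar` targets `0ec2f388-…` and `860643d6-…`; unless those were added in a commit not shown here, the relation graph will be one-directional for them. The Kimsuky cluster object starts before this hunk.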
@@ -4249,6 +4249,27 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "similar" + }, + { + "dest-uuid": "bcaaad6f-0597-4b89-b69b-84a6be2b7bc3", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "used-by" + }, + { + "dest-uuid": "509aff15-ba17-4582-b1a0-b0ed89df01d8", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "d650da35-7ad7-417a-902a-16ea55bd1126", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" } ], "uuid": "c76e2ee8-52d1-4a55-81df-5542d232ca32", @@ -5303,6 +5324,34 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "used-by" + }, + { + "dest-uuid": "bcaaad6f-0597-4b89-b69b-84a6be2b7bc3", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "used-by" + }, + { + "dest-uuid": "6efa425c-3731-44fd-9224-2a62df061a2d", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "05252643-093b-4070-b62f-d5836683a9fa", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "da04ac30-27da-4959-a67d-450ce47d9470", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" } ], "uuid": "4d58ad7d-b5ee-4efb-b6af-6c70aadb326a", @@ -8524,6 +8573,20 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "similar" + }, + { + "dest-uuid": "bcaaad6f-0597-4b89-b69b-84a6be2b7bc3", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "used-by" + }, + { + "dest-uuid": "d1b7830a-fced-4be3-a99c-f495af9d9e1b", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" } ], "uuid": "78ed653d-2d76-4a99-849e-1509e4573c32", 
@@ -10675,6 +10738,62 @@ ], "uuid": "f162df7a-725b-40ef-add2-43ce74eb50a4", "value": "AtlasAgent" + }, + { + "meta": { + "refs": [ + "https://asec.ahnlab.com/en/57873/" + ] + }, + "related": [ + { + "dest-uuid": "bcaaad6f-0597-4b89-b69b-84a6be2b7bc3", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "used-by" + } + ], + "uuid": "bea5f660-a106-4983-a11a-0e0b6ce348d2", + "value": "RDP Wrapper" + }, + { + "description": "open-source VNC tool", + "meta": { + "refs": [ + "https://asec.ahnlab.com/en/57873/" + ] + }, + "related": [ + { + "dest-uuid": "bcaaad6f-0597-4b89-b69b-84a6be2b7bc3", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "used-by" + } + ], + "uuid": "e596e014-c0b7-491a-afee-3588fbfc61c1", + "value": "TightVNC" + }, + { + "description": "Malware", + "meta": { + "refs": [ + "https://asec.ahnlab.com/en/57873/" + ] + }, + "related": [ + { + "dest-uuid": "bcaaad6f-0597-4b89-b69b-84a6be2b7bc3", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "used-by" + } + ], + "uuid": "cdd432b0-8899-4e7d-ad4a-b18741ade11d", + "value": "RevClient" } ], "version": 170 From 53ea633504eb154be1ab155e4b52c1c1ed70eac8 Mon Sep 17 00:00:00 2001 From: Delta-Sierra Date: Tue, 21 Nov 2023 11:45:05 +0100 Subject: [PATCH 2/3] Kimsuky target --- clusters/threat-actor.json | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index b4630e5c..70252d8e 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -5563,6 +5563,14 @@ "Operation Stolen Pencil", "G0086", "APT43" + ], + "targeted-sector": [ + "Research - Innovation", + "Energy", + "Defense", + "Diplomacy", + "Academia - University ", + "News - Media" ] }, "related": [ From 0b44ea33f0f8b68d8c14892d67bff1a89d0d4437 Mon Sep 17 00:00:00 2001 
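Review bot: The new `RDP Wrapper` cluster (`bea5f660-…`) has no `description` at all, and `RevClient` (`cdd432b0-…`) is described only as `Malware`, which tells an analyst nothing about what it is or how it was used; the sibling `TightVNC` entry shows the expected minimum. Take a one-line characterization from the ASEC write-up that is the sole ref for each, e.g. for RDP Wrapper something like `"description": "Utility that extends Windows Remote Desktop session handling; legitimate software observed in Kimsuky intrusions"` (confirm the wording against the report), and for RevClient whatever the report says the component does. Since two of the three new entries are legitimate dual-use tools, saying so in the description prevents downstream consumers from treating their mere presence as a Kimsuky indicator.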
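Review bot: `"Academia - University "` in the new `targeted-sector` list carries a trailing space, so it will not match the `Academia - University` value used elsewhere (sector values are presumably compared as exact strings) and will appear as a separate sector in any aggregation; change it to `"Academia - University"`. It is also worth checking that the other five strings match the sector vocabulary spelling exactly, since the hunk adds them without citing a reference for the targeting claims. The Kimsuky `meta` object starts before this hunk.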
From: Delta-Sierra Date: Tue, 21 Nov 2023 15:20:21 +0100 Subject: [PATCH 3/3] fix version --- clusters/banker.json | 2 +- clusters/ransomware.json | 2 +- clusters/rat.json | 2 +- clusters/threat-actor.json | 2 +- clusters/tool.json | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/clusters/banker.json b/clusters/banker.json index 33bb90f4..5323eecd 100644 --- a/clusters/banker.json +++ b/clusters/banker.json @@ -1226,5 +1226,5 @@ "value": "Malteiro" } ], - "version": 18 + "version": 19 } diff --git a/clusters/ransomware.json b/clusters/ransomware.json index ffbfe8c2..005f1b11 100644 --- a/clusters/ransomware.json +++ b/clusters/ransomware.json @@ -26206,5 +26206,5 @@ "value": "Yanluowang" } ], - "version": 118 + "version": 119 } diff --git a/clusters/rat.json b/clusters/rat.json index 2fa76025..6ffa2d63 100644 --- a/clusters/rat.json +++ b/clusters/rat.json @@ -3636,5 +3636,5 @@ "value": "STRRAT" } ], - "version": 43 + "version": 44 } diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 78db255e..0ca3a2f8 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -13515,5 +13515,5 @@ "value": "SilverFish" } ], - "version": 294 + "version": 295 } diff --git a/clusters/tool.json b/clusters/tool.json index db70287f..65d792ed 100644 --- a/clusters/tool.json +++ b/clusters/tool.json @@ -10796,5 +10796,5 @@ "value": "RevClient" } ], - "version": 170 + "version": 171 }