Merge branch 'main' of github.com:MISP/misp-galaxy into main
adulau committed Feb 7, 2024
2 parents d07c584 + 05496a7 commit c867adc
Showing 4 changed files with 206 additions and 15 deletions.
12 changes: 11 additions & 1 deletion clusters/backdoor.json
Expand Up @@ -374,7 +374,17 @@
],
"uuid": "f8444fcc-730e-4898-8ef5-6cc1976ff475",
"value": "TROIBOMB"
},
{
"description": "ZIPLINE makes use of extensive functionality to ensure the authentication of its custom protocol used to establish command and control (C2).",
"meta": {
"refs": [
"https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation"
]
},
"uuid": "14504cbe-8423-47aa-a947-a3ab5549a068",
"value": "ZIPLINE"
}
],
"version": 17
"version": 18
}
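Review bot: The new ZIPLINE cluster cites the same Mandiant Ivanti report as the WARPWIRE cluster added in clusters/stealer.json and the threat-actor cluster that gains the `UNC5221` synonym in clusters/threat-actor.json, yet none of the three entries is linked to the others, so a consumer pivoting from the actor to its tooling finds nothing. If the galaxy's relation convention applies to these clusters, a `"related"` entry on ZIPLINE (and likewise on WARPWIRE) of the form `{"dest-uuid": "<uuid of the UNC5221 threat-actor cluster>", "type": "used-by"}` would close that gap; the actor cluster's uuid is outside the visible hunks, so it has to be taken from the file. The description also only says what ZIPLINE's protocol does, not what the family is or which product it was observed on, so a one-sentence lead drawn from the cited report would make the entry self-describing.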
12 changes: 11 additions & 1 deletion clusters/stealer.json
Expand Up @@ -283,7 +283,17 @@
},
"uuid": "54b61c7e-8ced-4b90-a295-62102bfd4f32",
"value": "Oski Stealer"
},
{
"description": "WARPWIRE is a JavaScript-based credential stealer",
"meta": {
"refs": [
"https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation"
]
},
"uuid": "b581b182-505a-4243-9569-c175513c4441",
"value": "WARPWIRE"
}
],
"version": 14
"version": 15
}
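Review bot: The WARPWIRE description is a sentence fragment with no terminal period, unlike the sibling entries in this file, and it says nothing about where the stealer runs or which credentials it captures, which the cited Mandiant report should supply. At minimum it should read `"description": "WARPWIRE is a JavaScript-based credential stealer."`, with one clause on its deployment context added from the report so the entry is useful without following the link.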
101 changes: 91 additions & 10 deletions clusters/threat-actor.json
Expand Up @@ -1615,15 +1615,17 @@
"https://attack.mitre.org/groups/G0081/",
"https://www.secureworks.com/research/threat-profiles/bronze-hobart",
"https://www.mandiant.com/resources/insights/apt-groups",
"https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf"
"https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
"https://www.trendmicro.com/en_us/research/21/l/collecting-in-the-dark-tropic-trooper-targets-transportation-and-government-organizations.html"
],
"synonyms": [
"PIRATE PANDA",
"KeyBoy",
"Tropic Trooper",
"BRONZE HOBART",
"G0081",
"Red Orthrus"
"Red Orthrus",
"Earth Centaur"
],
"targeted-sector": [
"Military",
Expand Down Expand Up @@ -3478,7 +3480,9 @@
"https://cysinfo.com/cyber-attack-targeting-cbi-and-possibly-indian-army-officials",
"https://s.tencent.com/research/report/669.html",
"https://www.fireeye.com/blog/threat-research/2016/06/apt_group_sends_spea.html",
"https://www.secureworks.com/research/threat-profiles/copper-fieldstone"
"https://www.secureworks.com/research/threat-profiles/copper-fieldstone",
"https://www.trendmicro.com/en_us/research/22/a/investigating-apt36-or-earth-karkaddans-attack-chain-and-malware.html",
"https://www.sentinelone.com/labs/capratube-transparent-tribes-caprarat-mimics-youtube-to-hijack-android-phones/"
],
"synonyms": [
"C-Major",
Expand All @@ -3489,7 +3493,8 @@
"APT 36",
"TMP.Lapis",
"Green Havildar",
"COPPER FIELDSTONE"
"COPPER FIELDSTONE",
"Earth Karkaddan"
],
"targeted-sector": [
"Activists",
Expand Down Expand Up @@ -5162,6 +5167,7 @@
"value": "Cyber Berkut"
},
{
"description": "Tonto Team is a Chinese-speaking APT group that has been active since at least 2013. They primarily target military, diplomatic, and infrastructure organizations in Asia and Eastern Europe. The group has been observed using various malware, including the Bisonal RAT and ShadowPad. They employ spear-phishing emails with malicious attachments as their preferred method of distribution.",
"meta": {
"attribution-confidence": "50",
"cfr-suspected-state-sponsor": "China",
Expand All @@ -5185,7 +5191,11 @@
"https://www.wsj.com/articles/chinas-secret-weapon-in-south-korea-missile-fight-hackers-1492766403",
"https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
"https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf",
"https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/"
"https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/",
"https://www.trendmicro.com/en_us/research/23/g/supply-chain-attack-targeting-pakistani-government-delivers-shad.html",
"https://www.sentinelone.com/labs/targets-of-interest-russian-organizations-increasingly-under-attack-by-chinese-apts/",
"https://go.recordedfuture.com/hubfs/reports/cta-2023-0919.pdf",
"https://www.recordedfuture.com/multi-year-chinese-apt-campaign-targets-south-korean-academic-government-political-entities"
],
"synonyms": [
"CactusPete",
Expand All @@ -5194,7 +5204,9 @@
"COPPER",
"Red Beifang",
"G0131",
"PLA Unit 65017"
"PLA Unit 65017",
"Earth Akhlut",
"TAG-74"
]
},
"uuid": "0ab7c8de-fc23-4793-99aa-7ee336199e26",
Expand Down Expand Up @@ -7145,8 +7157,16 @@
{
"description": "An extensive surveillance operation targets specific groups of individuals with malicious mobile apps that collect sensitive information on the device along with surrounding voice recordings. Researchers with CheckPoint discovered the attack and named it Domestic Kitten. The targets are Kurdish and Turkish natives, and ISIS supporters, all Iranian citizens.",
"meta": {
"country": "IR",
"refs": [
"https://www.bleepingcomputer.com/news/security/domestic-kitten-apt-operates-in-silence-since-2016/"
"https://www.bleepingcomputer.com/news/security/domestic-kitten-apt-operates-in-silence-since-2016/",
"https://www.trendmicro.com/en_us/research/19/f/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east.html",
"https://www.welivesecurity.com/2022/10/20/domestic-kitten-campaign-spying-iranian-citizens-furball-malware/",
"https://research.checkpoint.com/2021/domestic-kitten-an-inside-look-at-the-iranian-surveillance-operations/"
],
"synonyms": [
"Bouncing Golf",
"APT-C-50"
]
},
"uuid": "dda1b28e-c558-11e8-8666-27cf61d1d7ee",
Expand Down Expand Up @@ -10635,7 +10655,12 @@
"https://documents.trendmicro.com/assets/txt/earth-berberoka-macos-iocs-2.txt",
"https://documents.trendmicro.com/assets/txt/earth-berberoka-domains-2.txt",
"https://www.youtube.com/watch?v=QXGO4RJaUPQ",
"https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf"
"https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf",
"https://securelist.com/diceyf-deploys-gameplayerframework-in-online-casino-development-studio/107723/",
"https://www.trendmicro.com/en_us/research/22/h/irontiger-compromises-chat-app-Mimi-targets-windows-mac-linux-users.html"
],
"synonyms": [
"GamblingPuppet"
]
},
"uuid": "9d82077b-7e95-4b22-8762-3224797ff5f0",
Expand Down Expand Up @@ -13087,7 +13112,11 @@
"meta": {
"refs": [
"https://securelist.com/ios-exploit-chain-deploys-lightspy-malware/96407/",
"https://securelist.com/apt-annual-review-what-the-worlds-threat-actors-got-up-to-in-2020/99574/"
"https://securelist.com/apt-annual-review-what-the-worlds-threat-actors-got-up-to-in-2020/99574/",
"https://www.redpacketsecurity.com/operation-poisoned-news-hong-kong-users-targeted-with-mobile-malware-via-local-news-links/?utm_source=rss&utm_medium=rss&utm_campaign=operation-poisoned-news-hong-kong-users-targeted-with-mobile-malware-via-local-news-links"
],
"synonyms": [
"Operation Poisoned News"
]
},
"uuid": "533af03d-e160-4312-a92f-0500055f2b56",
Expand Down Expand Up @@ -14171,7 +14200,8 @@
"https://www.rewterz.com/rewterz-news/rewterz-threat-advisory-ivanti-vpn-zero-days-weaponized-by-unc5221-threat-actors-to-deploy-multiple-malware-families-active-iocs/",
"https://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-day",
"https://quointelligence.eu/2024/01/unc5221-unreported-and-undetected-wirefire-web-shell-variant/",
"https://www.volexity.com/blog/2024/01/18/ivanti-connect-secure-vpn-exploitation-new-observations/"
"https://www.volexity.com/blog/2024/01/18/ivanti-connect-secure-vpn-exploitation-new-observations/",
"https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation"
],
"synonyms": [
"UNC5221"
Expand Down Expand Up @@ -14906,6 +14936,57 @@
},
"uuid": "f34962a4-a792-4f23-af23-a8bf0f053fcf",
"value": "Ferocious Kitten"
},
{
"description": "The threat actors compromised the update server of a remote support solutions provider to deliver a remote access tool called 9002 RAT to their targets of interest through the update process. They carried this out by first stealing the company’s certificate then using it to sign the malware. They also configured the update server to only deliver malicious files if the client is located in the range of IP addresses of their target organisations.",
"meta": {
"country": "CN",
"refs": [
"https://decoded.avast.io/threatintel/avast-finds-backdoor-on-us-government-commission-network/?utm_source=rss&utm_medium=rss&utm_campaign=avast-finds-backdoor-on-us-government-commission-network",
"https://www.trendmicro.com/en_my/research/18/h/supply-chain-attack-operation-red-signature-targets-south-korean-organizations.html"
]
},
"uuid": "3e9b98d9-0c61-4050-bafa-486622de0080",
"value": "Operation Red Signature"
},
{
"description": "Earth Yako is a threat actor that has been actively targeting researchers in academic organizations and think tanks in Japan. They use spearphishing emails with malicious attachments to gain initial access to their targets' systems. Earth Yako's objectives and patterns suggest a possible connection to a Chinese APT group, but conclusive proof of their nationality is lacking. They have been observed using various malware delivery methods and techniques, such as the use of Winword.exe for DLL Hijacking.",
"meta": {
"refs": [
"https://www.trendmicro.com/en_us/research/23/b/invitation-to-secret-event-uncovering-earth-yako-campaigns.html"
],
"synonyms": [
"Operation RestyLink",
"Enelink"
]
},
"uuid": "2875aff1-2a0f-4e82-ae42-607a3a74d129",
"value": "Earth Yako"
},
{
"description": "What sets Urpage attacks apart is its targeting of InPage, a word processor for Urdu and Arabic languages. However, its Delphi backdoor component, which it has in common with Confucius and Patchwork, and its apparent use of Bahamut-like malware, is what makes it more intriguing as it connects Urpage to these other known threats. Trend Micro covered the Delphi component in the context of the Confucius and Patchwork connection. They mentioned Urpage as a third unnamed threat actor connected to the two.",
"meta": {
"refs": [
"https://www.trendmicro.com/en_us/research/18/h/the-urpage-connection-to-bahamut-confucius-and-patchwork.html"
]
},
"uuid": "4e137d53-b9cf-4b9a-88c2-f29dd27ac302",
"value": "Urpage"
},
{
"description": "Operation Emmental, also known as the Retefe gang, is a threat actor group that has been active since at least 2012. They primarily target customers of banks in countries such as Austria, Sweden, Switzerland, and Japan. The group has developed sophisticated malware, including a Mac alternative called Dok, to bypass two-factor authentication and hijack network traffic. They have also been observed using phishing emails to spread their malware. The group is believed to be Russian-speaking and has continuously improved their malicious codes over the years.",
"meta": {
"country": "RU",
"refs": [
"http://blog.trendmicro.com/trendlabs-security-intelligence/osx_dok-mac-malware-emmental-hijacks-user-network-traffic/"
],
"synonyms": [
"Retefe Gang",
"Retefe Group"
]
},
"uuid": "a1527821-fe84-44ec-ad29-8d3040463bc9",
"value": "Operation Emmental"
}
],
"version": 299
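Review bot: In the last hunk the new Operation Emmental cluster sets `"country": "RU"` while its own description only says the group is "believed to be Russian-speaking", and Operation Red Signature sets `"country": "CN"` although its description never states an attribution; this file already expresses that uncertainty with `"attribution-confidence": "50"` on the Tonto Team cluster earlier in the section, so either add that key beside both `country` values or drop `country` where the cited report does not support it. The same hunk shows `"version": 299` as unchanged context even though 51 lines of clusters are added, whereas backdoor.json and stealer.json bump their versions; if the version was not raised elsewhere in this file, consumers will not pick up the new entries. Two refs carry tracking query strings — the redpacketsecurity link in the Operation Poisoned News hunk and the decoded.avast.io link in Operation Red Signature — and should be trimmed at the `?`; the redpacketsecurity page also appears to be a syndicated copy of a Trend Micro article, so the original is the better citation. Finally, the description of Operation Red Signature does not explain how the Avast ref relates to the cluster, so a sentence on that relation, or a separate cluster, would help.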