Mirrors
/
cyber_threat_intelligence
mirror of https://github.com/vuldb/cyber_threat_intelligence
6
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Update

This commit is contained in:
Marc Ruef 2021-10-14 15:48:47 +02:00
parent 684f97d8c2
commit 4ff50e0f3b
18 changed files with 501 additions and 194 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
APT41/README.md
View File

@ -16,7 +16,7 @@ These countries are directly (e.g. origin of attacks) or indirectly (e.g. access
* US
* CN
* TR
* RU
* ...
There are 7 more country items available. Please use our online service to access the data.
@ -27,26 +27,28 @@ These indicators of compromise indicate associated network ressources which are
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 43.255.191.255 | - | High
2 | 45.76.6.149 | 45.76.6.149.vultr.com | Medium
3 | 45.76.75.219 | 45.76.75.219.vultr.com | Medium
4 | 45.138.157.78 | vpnru07.12.21.example.com | High
5 | 61.78.62.21 | - | High
6 | 61.195.98.245 | h61-195-98-245.ablenetvps.ne.jp | High
7 | 66.42.48.186 | 66.42.48.186.vultr.com | Medium
8 | 66.42.98.220 | 66.42.98.220.vultr.com | Medium
9 | 66.42.103.222 | 66.42.103.222.vultr.com | Medium
10 | 66.42.107.133 | 66.42.107.133.vultr.com | Medium
11 | 66.98.126.203 | 66.98.126.203.16clouds.com | High
12 | 67.198.161.250 | 67.198.161.250.CUSTOMER.KRYPT.COM | High
13 | 67.198.161.251 | 67.198.161.251.CUSTOMER.KRYPT.COM | High
14 | 67.198.161.252 | 67.198.161.252.CUSTOMER.KRYPT.COM | High
15 | 74.82.201.8 | 74.82.201.8.16clouds.com | High
16 | 91.208.184.78 | wk-azure.biz | High
17 | 103.19.3.21 | - | High
18 | ... | ... | ...
1 | 23.67.95.153 | a23-67-95-153.deploy.static.akamaitechnologies.com | High
2 | 43.255.191.255 | - | High
3 | 45.76.6.149 | 45.76.6.149.vultr.com | Medium
4 | 45.76.75.219 | 45.76.75.219.vultr.com | Medium
5 | 45.138.157.78 | vpnru07.12.21.example.com | High
6 | 61.78.62.21 | - | High
7 | 61.195.98.245 | h61-195-98-245.ablenetvps.ne.jp | High
8 | 66.42.48.186 | 66.42.48.186.vultr.com | Medium
9 | 66.42.98.220 | 66.42.98.220.vultr.com | Medium
10 | 66.42.103.222 | 66.42.103.222.vultr.com | Medium
11 | 66.42.107.133 | 66.42.107.133.vultr.com | Medium
12 | 66.98.126.203 | 66.98.126.203.16clouds.com | High
13 | 67.198.161.250 | 67.198.161.250.CUSTOMER.KRYPT.COM | High
14 | 67.198.161.251 | 67.198.161.251.CUSTOMER.KRYPT.COM | High
15 | 67.198.161.252 | 67.198.161.252.CUSTOMER.KRYPT.COM | High
16 | 74.82.201.8 | 74.82.201.8.16clouds.com | High
17 | 91.208.184.78 | wk-azure.biz | High
18 | 103.19.3.21 | - | High
19 | 103.19.3.109 | - | High
20 | ... | ... | ...
There are 34 more IOC items available. Please use our online service to access the data.
There are 38 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
@ -79,13 +81,14 @@ ID | Type | Indicator | Confidence
10 | File | `addentry.php` | Medium
11 | ... | ... | ...
There are 98 more IOA items available. Please use our online service to access the data.
There are 109 more IOA items available. Please use our online service to access the data.
## References
The following list contains external sources which discuss the actor and the associated activities:
* https://app.box.com/s/qtqlwejty7xz8wj8osz98webycgo5j9x
* https://github.com/blackberry/threat-research-and-intelligence/blob/main/APT41.csv
* https://github.com/eset/malware-ioc/tree/master/winnti_group
* https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/20134508/winnti-more-than-just-a-game-130410.pdf
* https://vxug.fakedoma.in/archive/APTs/2021/2021.01.14/APT%2041.pdf

45
Cerber/README.md
View File

@ -21,29 +21,29 @@ These indicators of compromise indicate associated network ressources which are
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 23.152.0.36 | tcts-000036.techtrapes.com | High
2 | 34.199.22.139 | ec2-34-199-22-139.compute-1.amazonaws.com | Medium
3 | 45.56.79.23 | li929-23.members.linode.com | High
4 | 52.2.101.52 | ec2-52-2-101-52.compute-1.amazonaws.com | Medium
5 | 52.21.132.24 | ec2-52-21-132-24.compute-1.amazonaws.com | Medium
6 | 54.84.252.139 | ec2-54-84-252-139.compute-1.amazonaws.com | Medium
7 | 54.87.5.88 | ec2-54-87-5-88.compute-1.amazonaws.com | Medium
8 | 54.88.175.149 | ec2-54-88-175-149.compute-1.amazonaws.com | Medium
9 | 54.152.181.87 | ec2-54-152-181-87.compute-1.amazonaws.com | Medium
10 | 78.128.92.96 | - | High
11 | 85.93.0.0 | - | High
12 | 87.96.148.0 | h87-96-148-0.cust.a3fiber.se | High
13 | 87.97.148.0 | - | High
14 | 87.98.148.0 | sbg5-mail-137.bouncer.cloud | High
15 | 87.106.18.141 | - | High
16 | 91.119.56.0 | 91-119-56-0.dsl.dynamic.surfer.at | High
17 | 91.119.216.0 | 91-119-216-0.dsl.dynamic.surfer.at | High
18 | 91.120.56.0 | - | High
19 | 91.120.216.0 | - | High
20 | 91.121.56.0 | - | High
1 | 5.196.159.173 | - | High
2 | 23.152.0.36 | tcts-000036.techtrapes.com | High
3 | 34.199.22.139 | ec2-34-199-22-139.compute-1.amazonaws.com | Medium
4 | 45.56.79.23 | li929-23.members.linode.com | High
5 | 52.2.101.52 | ec2-52-2-101-52.compute-1.amazonaws.com | Medium
6 | 52.21.132.24 | ec2-52-21-132-24.compute-1.amazonaws.com | Medium
7 | 54.84.252.139 | ec2-54-84-252-139.compute-1.amazonaws.com | Medium
8 | 54.87.5.88 | ec2-54-87-5-88.compute-1.amazonaws.com | Medium
9 | 54.88.175.149 | ec2-54-88-175-149.compute-1.amazonaws.com | Medium
10 | 54.152.181.87 | ec2-54-152-181-87.compute-1.amazonaws.com | Medium
11 | 78.128.92.96 | - | High
12 | 85.93.0.0 | - | High
13 | 87.96.148.0 | h87-96-148-0.cust.a3fiber.se | High
14 | 87.97.148.0 | - | High
15 | 87.98.148.0 | sbg5-mail-137.bouncer.cloud | High
16 | 87.106.18.141 | - | High
17 | 91.119.56.0 | 91-119-56-0.dsl.dynamic.surfer.at | High
18 | 91.119.216.0 | 91-119-216-0.dsl.dynamic.surfer.at | High
19 | 91.120.56.0 | - | High
20 | 91.120.216.0 | - | High
21 | ... | ... | ...
There are 40 more IOC items available. Please use our online service to access the data.
There are 41 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
@ -77,7 +77,7 @@ ID | Type | Indicator | Confidence
10 | File | `/shell?cmd` | Medium
11 | ... | ... | ...
There are 519 more IOA items available. Please use our online service to access the data.
There are 521 more IOA items available. Please use our online service to access the data.
## References
@ -90,6 +90,7 @@ The following list contains external sources which discuss the actor and the ass
* https://blog.talosintelligence.com/2021/03/threat-roundup-0305-0312.html
* https://blog.talosintelligence.com/2021/04/threat-roundup-0402-0409.html
* https://blog.talosintelligence.com/2021/09/threat-roundup-0917-0924.html
* https://blog.talosintelligence.com/2021/10/threat-roundup-0924-1001.html
## Literature

59
Dridex/README.md
View File

@ -9,8 +9,8 @@ Live data and more analysis capabilities are available at [https://vuldb.com/?ac
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Dridex:
* DE
* NO
* US
* NO
* ...
There are 28 more country items available. Please use our online service to access the data.
@ -26,24 +26,24 @@ ID | IP address | Hostname | Confidence
3 | 2.58.16.87 | - | High
4 | 2.138.111.86 | 86.red-2-138-111.dynamicip.rima-tde.net | High
5 | 3.223.115.185 | ec2-3-223-115-185.compute-1.amazonaws.com | Medium
6 | 5.9.44.37 | static.37.44.9.5.clients.your-server.de | High
7 | 5.9.188.148 | static.148.188.9.5.clients.your-server.de | High
8 | 8.210.53.215 | - | High
9 | 8.248.159.254 | - | High
10 | 8.249.217.254 | - | High
11 | 8.249.233.254 | - | High
12 | 8.253.45.214 | - | High
13 | 8.253.45.249 | - | High
14 | 8.253.131.120 | - | High
15 | 8.253.131.121 | - | High
16 | 8.253.132.120 | - | High
17 | 14.98.183.4 | static-4.183.98.14-tataidc.co.in | High
18 | 18.195.23.231 | ec2-18-195-23-231.eu-central-1.compute.amazonaws.com | Medium
19 | 23.3.13.88 | a23-3-13-88.deploy.static.akamaitechnologies.com | High
20 | 23.3.13.153 | a23-3-13-153.deploy.static.akamaitechnologies.com | High
6 | 5.2.70.173 | - | High
7 | 5.9.44.37 | static.37.44.9.5.clients.your-server.de | High
8 | 5.9.188.148 | mta5.offerteora.com | High
9 | 5.39.222.84 | - | High
10 | 5.39.222.87 | - | High
11 | 5.39.222.102 | insideappple.com | High
12 | 5.181.158.4 | no-rdns.mivocloud.com | High
13 | 5.181.158.185 | no-rdns.mivocloud.com | High
14 | 5.181.158.186 | no-rdns.mivocloud.com | High
15 | 5.181.158.187 | no-rdns.mivocloud.com | High
16 | 8.210.53.215 | - | High
17 | 8.248.159.254 | - | High
18 | 8.249.217.254 | - | High
19 | 8.249.233.254 | - | High
20 | 8.253.45.214 | - | High
21 | ... | ... | ...
There are 324 more IOC items available. Please use our online service to access the data.
There are 390 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
@ -55,9 +55,10 @@ ID | Technique | Description | Confidence
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
4 | T1211 | 7PK Security Features | High
5 | ... | ... | ...
5 | T1222 | Permission Issues | High
6 | ... | ... | ...
There are 7 more TTP items available. Please use our online service to access the data.
There are 8 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
@ -67,17 +68,17 @@ ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `.DS_Store` | Medium
2 | File | `.htaccess` | Medium
3 | File | `/.htpasswd` | Medium
4 | File | `/admin.php/Foodcat/editsave` | High
5 | File | `/admin.php?s=/admin/config/groupsave.html` | High
6 | File | `/admin/?req=modules&action=add` | High
7 | File | `/admin/api-cms-nav/create-page` | High
8 | File | `/admin/index.html` | High
9 | File | `/admin/index.php?c=database` | High
10 | File | `/admin/index/index.html#listarticle` | High
3 | File | `/+CSCOE+/logon.html` | High
4 | File | `/.htpasswd` | Medium
5 | File | `/admin.php/Foodcat/editsave` | High
6 | File | `/admin.php?s=/admin/config/groupsave.html` | High
7 | File | `/admin/?req=modules&action=add` | High
8 | File | `/admin/api-cms-nav/create-page` | High
9 | File | `/admin/index.html` | High
10 | File | `/admin/index.php?c=database` | High
11 | ... | ... | ...
There are 1212 more IOA items available. Please use our online service to access the data.
There are 1351 more IOA items available. Please use our online service to access the data.
## References
@ -100,8 +101,10 @@ The following list contains external sources which discuss the actor and the ass
* https://blog.talosintelligence.com/2021/08/threat-roundup-0730-0806.html
* https://blog.talosintelligence.com/2021/09/threat-roundup-0827-0903.html
* https://blog.talosintelligence.com/2021/09/threat-roundup-0903-0910.html
* https://blog.talosintelligence.com/2021/10/threat-roundup-1001-1008.html
* https://feodotracker.abuse.ch/downloads/ipblocklist.csv
* https://gist.githubusercontent.com/BBcan177/bf29d47ea04391cb3eb0/raw/
* https://github.com/blackberry/threat-research-and-intelligence/blob/main/TA575-Dridex.csv
* https://github.com/fl0x2208/IOCs-in-CSV-format/blob/6297513d672bd69f1bf488018035892e599e7a9c/Dridex_banking_trojan.xlsx
* https://us-cert.cisa.gov/ncas/alerts/aa19-339a
* https://vxug.fakedoma.in/archive/APTs/2021/2021.01.04(2)/Dridex.pdf

76
FIN12/README.md Normal file
View File

@ -0,0 +1,76 @@
# FIN12 - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [FIN12](https://vuldb.com/?actor.fin12). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.fin12](https://vuldb.com/?actor.fin12)
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with FIN12:
* US
* CN
* GB
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of FIN12.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 5.2.72.202 | pieterb.com | High
2 | 23.81.246.17 | - | High
3 | 95.179.165.239 | 95.179.165.239.vultr.com | Medium
4 | ... | ... | ...
There are 2 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by FIN12. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1499 | Resource Consumption | High
4 | ... | ... | ...
There are 1 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by FIN12. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/backups/` | Medium
2 | File | `/config/getuser` | High
3 | File | `/forum/away.php` | High
4 | File | `/includes/session.php` | High
5 | File | `/modules/admin/vw_usr_roles.php` | High
6 | File | `/modules/projects/vw_files.php` | High
7 | File | `/modules/public/calendar.php` | High
8 | File | `/services/details.asp` | High
9 | File | `/_core/profile/` | High
10 | File | `adclick.php` | Medium
11 | ... | ... | ...
There are 112 more IOA items available. Please use our online service to access the data.
## References
The following list contains external sources which discuss the actor and the associated activities:
* https://www.mandiant.com/resources/fin12-ransomware-intrusion-actor-pursuing-healthcare-targets
## Literature
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!

70
FontOnLake/README.md Normal file
View File

@ -0,0 +1,70 @@
# FontOnLake - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [FontOnLake](https://vuldb.com/?actor.fontonlake). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.fontonlake](https://vuldb.com/?actor.fontonlake)
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with FontOnLake:
* CN
* US
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of FontOnLake.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 27.102.130.63 | - | High
2 | 47.107.60.212 | - | High
3 | 47.112.197.119 | - | High
4 | ... | ... | ...
There are 2 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by FontOnLake. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1068 | Execution with Unnecessary Privileges | High
## IOA - Indicator of Attack
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by FontOnLake. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/s/` | Low
2 | File | `AdminbaseController.class.php` | High
3 | File | `application\User\Controller\ProfileController.class.php` | High
4 | File | `exif.c` | Low
5 | File | `htimage.exe` | Medium
6 | File | `libbfd.c` | Medium
7 | File | `opncls.c` | Medium
8 | Library | `gdrv.sys` | Medium
9 | Argument | `-m/-c` | Low
10 | Argument | `imgurl` | Low
11 | ... | ... | ...
There are 5 more IOA items available. Please use our online service to access the data.
## References
The following list contains external sources which discuss the actor and the associated activities:
* https://www.welivesecurity.com/2021/10/07/fontonlake-previously-unknown-malware-family-targeting-linux/
## Literature
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!

41
Formbook/README.md
View File

@ -10,10 +10,10 @@ These countries are directly (e.g. origin of attacks) or indirectly (e.g. access
* US
* CN
* IT
* DE
* ...
There are 3 more country items available. Please use our online service to access the data.
There are 5 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
@ -25,25 +25,25 @@ ID | IP address | Hostname | Confidence
2 | 3.223.115.185 | ec2-3-223-115-185.compute-1.amazonaws.com | Medium
3 | 5.134.13.72 | i51.gds.guru.net.uk | High
4 | 13.59.53.244 | ec2-13-59-53-244.us-east-2.compute.amazonaws.com | Medium
5 | 20.36.253.92 | - | High
6 | 23.6.69.99 | a23-6-69-99.deploy.static.akamaitechnologies.com | High
7 | 23.227.38.74 | - | High
8 | 34.102.136.180 | 180.136.102.34.bc.googleusercontent.com | Medium
9 | 34.214.40.214 | ec2-34-214-40-214.us-west-2.compute.amazonaws.com | Medium
10 | 34.216.47.14 | ec2-34-216-47-14.us-west-2.compute.amazonaws.com | Medium
11 | 34.242.63.192 | ec2-34-242-63-192.eu-west-1.compute.amazonaws.com | Medium
12 | 34.243.160.251 | ec2-34-243-160-251.eu-west-1.compute.amazonaws.com | Medium
13 | 34.255.61.59 | ec2-34-255-61-59.eu-west-1.compute.amazonaws.com | Medium
14 | 35.178.125.63 | ec2-35-178-125-63.eu-west-2.compute.amazonaws.com | Medium
15 | 40.77.18.167 | - | High
16 | 44.230.27.49 | ec2-44-230-27-49.us-west-2.compute.amazonaws.com | Medium
17 | 45.135.229.212 | iad.scarletshark.net | High
18 | 47.75.37.155 | - | High
19 | 47.111.101.108 | - | High
20 | 50.116.94.41 | almanagalleria.com.qa | High
5 | 13.107.42.12 | 1drv.ms | High
6 | 20.36.253.92 | - | High
7 | 23.6.69.99 | a23-6-69-99.deploy.static.akamaitechnologies.com | High
8 | 23.227.38.74 | - | High
9 | 34.102.136.180 | 180.136.102.34.bc.googleusercontent.com | Medium
10 | 34.214.40.214 | ec2-34-214-40-214.us-west-2.compute.amazonaws.com | Medium
11 | 34.216.47.14 | ec2-34-216-47-14.us-west-2.compute.amazonaws.com | Medium
12 | 34.242.63.192 | ec2-34-242-63-192.eu-west-1.compute.amazonaws.com | Medium
13 | 34.243.160.251 | ec2-34-243-160-251.eu-west-1.compute.amazonaws.com | Medium
14 | 34.255.61.59 | ec2-34-255-61-59.eu-west-1.compute.amazonaws.com | Medium
15 | 35.178.125.63 | ec2-35-178-125-63.eu-west-2.compute.amazonaws.com | Medium
16 | 40.77.18.167 | - | High
17 | 40.126.26.134 | - | High
18 | 44.230.27.49 | ec2-44-230-27-49.us-west-2.compute.amazonaws.com | Medium
19 | 45.135.229.212 | iad.scarletshark.net | High
20 | 47.75.37.155 | - | High
21 | ... | ... | ...
There are 51 more IOC items available. Please use our online service to access the data.
There are 73 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
@ -78,7 +78,7 @@ ID | Type | Indicator | Confidence
10 | File | `/admin/admintools/tool.php` | High
11 | ... | ... | ...
There are 2005 more IOA items available. Please use our online service to access the data.
There are 2013 more IOA items available. Please use our online service to access the data.
## References
@ -88,6 +88,7 @@ The following list contains external sources which discuss the actor and the ass
* https://blog.talosintelligence.com/2021/07/threat-roundup-0702-0709.html
* https://blog.talosintelligence.com/2021/07/threat-roundup-0723-0730.html
* https://blog.talosintelligence.com/2021/08/threat-roundup-0813-0820.html
* https://blog.talosintelligence.com/2021/10/threat-roundup-0924-1001.html
## Literature

51
GandCrab/README.md
View File

@ -1,64 +1,77 @@
# GandCrab - Cyber Threat Intelligence
# Gandcrab - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [GandCrab](https://vuldb.com/?actor.gandcrab). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Gandcrab](https://vuldb.com/?actor.gandcrab). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.gandcrab](https://vuldb.com/?actor.gandcrab)
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with GandCrab:
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Gandcrab:
* CA
* US
* CA
* CN
* ...
There are 3 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of GandCrab.
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Gandcrab.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 5.39.221.60 | - | High
2 | 13.76.158.123 | - | High
3 | 66.171.248.178 | api1.whatismyipaddress.com | High
4 | ... | ... | ...
3 | 20.50.64.11 | - | High
4 | 34.102.136.180 | 180.136.102.34.bc.googleusercontent.com | Medium
5 | 35.205.61.67 | 67.61.205.35.bc.googleusercontent.com | Medium
6 | 39.107.34.197 | - | High
7 | 45.118.145.96 | - | High
8 | 52.116.175.70 | hs20.name.tools | High
9 | 54.36.194.90 | ip90.ip-54-36-194.eu | High
10 | 66.96.147.103 | 103.147.96.66.static.eigbox.net | High
11 | 66.171.248.178 | api1.whatismyipaddress.com | High
12 | ... | ... | ...
There are 5 more IOC items available. Please use our online service to access the data.
There are 22 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by GandCrab. This data is unique as it uses our predictive model for actor profiling.
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by Gandcrab. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1068 | Execution with Unnecessary Privileges | High
2 | T1600 | Cryptographic Issues | High
2 | T1587.003 | Improper Certificate Validation | High
3 | T1600 | Cryptographic Issues | High
## IOA - Indicator of Attack
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by GandCrab. This data is unique as it uses our predictive model for actor profiling.
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Gandcrab. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/cgi-bin/editBookmark` | High
2 | File | `/getcfg.php` | Medium
3 | File | `AccessPoint.aspx` | High
4 | File | `archive.php` | Medium
5 | File | `cgi-bin/mainfunction.cgi` | High
6 | File | `my.activation.php3` | High
7 | File | `shop.php` | Medium
8 | Library | `cgi-bin/libagent.cgi` | High
9 | Library | `ppctl.dll` | Medium
10 | Library | `tmnciesc.sys` | Medium
4 | File | `announcement.php` | High
5 | File | `archive.php` | Medium
6 | File | `cgi-bin/mainfunction.cgi` | High
7 | File | `data/gbconfiguration.dat` | High
8 | File | `fciv.exe` | Medium
9 | File | `fs/inode.c` | Medium
10 | File | `my.activation.php3` | High
11 | ... | ... | ...
There are 6 more IOA items available. Please use our online service to access the data.
There are 17 more IOA items available. Please use our online service to access the data.
## References
The following list contains external sources which discuss the actor and the associated activities:
* https://blog.talosintelligence.com/2020/09/threat-roundup-0904-0911.html
* https://blog.talosintelligence.com/2021/10/threat-roundup-1001-1008.html
* https://community.blueliv.com/#!/s/5afd59bd82df413e376682f2
* https://precisionsec.com/threat-intelligence-feeds/gandcrab/

44
Gh0stRAT/README.md
View File

@ -21,29 +21,29 @@ These indicators of compromise indicate associated network ressources which are
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 36.43.74.215 | - | High
2 | 36.46.114.54 | - | High
3 | 39.109.1.246 | - | High
4 | 42.51.192.3 | - | High
5 | 43.226.152.12 | - | High
6 | 43.226.159.201 | - | High
7 | 45.119.125.223 | - | High
8 | 45.195.203.97 | - | High
9 | 45.253.67.78 | - | High
10 | 47.93.52.188 | - | High
11 | 47.93.245.163 | - | High
12 | 47.95.233.18 | - | High
13 | 47.111.82.157 | - | High
14 | 47.112.30.91 | - | High
15 | 58.218.66.21 | - | High
16 | 58.218.67.245 | - | High
17 | 58.218.199.225 | - | High
18 | 58.221.47.41 | - | High
19 | 58.221.47.47 | - | High
20 | 59.46.12.8 | - | High
1 | 13.249.38.69 | server-13-249-38-69.iad89.r.cloudfront.net | High
2 | 36.43.74.215 | - | High
3 | 36.46.114.54 | - | High
4 | 39.109.1.246 | - | High
5 | 42.51.192.3 | - | High
6 | 43.226.152.12 | - | High
7 | 43.226.159.201 | - | High
8 | 45.119.125.223 | - | High
9 | 45.195.203.97 | - | High
10 | 45.253.67.78 | - | High
11 | 47.93.52.188 | - | High
12 | 47.93.245.163 | - | High
13 | 47.95.233.18 | - | High
14 | 47.111.82.157 | - | High
15 | 47.112.30.91 | - | High
16 | 58.218.66.21 | - | High
17 | 58.218.67.245 | - | High
18 | 58.218.199.225 | - | High
19 | 58.221.47.41 | - | High
20 | 58.221.47.47 | - | High
21 | ... | ... | ...
There are 72 more IOC items available. Please use our online service to access the data.
There are 77 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
@ -93,6 +93,8 @@ The following list contains external sources which discuss the actor and the ass
* https://blog.talosintelligence.com/2021/08/threat-roundup-0730-0806.html
* https://blog.talosintelligence.com/2021/09/threat-roundup-0910-0917.html
* https://blog.talosintelligence.com/2021/09/threat-roundup-0917-0924.html
* https://blog.talosintelligence.com/2021/10/threat-roundup-0924-1001.html
* https://blog.talosintelligence.com/2021/10/threat-roundup-1001-1008.html
## Literature

27
Kuluoz/README.md
View File

@ -8,8 +8,8 @@ Live data and more analysis capabilities are available at [https://vuldb.com/?ac
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Kuluoz:
* IL
* US
* IL
## IOC - Indicator of Compromise
@ -17,12 +17,23 @@ These indicators of compromise indicate associated network ressources which are
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 37.59.24.98 | ns3043472.ip-37-59-24.eu | High
2 | 69.64.32.247 | dragon324.dedicatedpanel.com | High
3 | 74.221.221.58 | 58.221.221.74.opticip.com | High
4 | ... | ... | ...
1 | 13.32.208.34 | server-13-32-208-34.iad66.r.cloudfront.net | High
2 | 37.59.24.98 | ns3043472.ip-37-59-24.eu | High
3 | 69.64.32.247 | dragon324.dedicatedpanel.com | High
4 | 74.221.221.58 | 58.221.221.74.opticip.com | High
5 | 82.165.155.77 | mail850785786.mywebspace.zone | High
6 | 85.12.29.254 | - | High
7 | ... | ... | ...
There are 5 more IOC items available. Please use our online service to access the data.
There are 10 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by Kuluoz. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
## IOA - Indicator of Attack
@ -31,13 +42,15 @@ These indicators of attack list the potential fragments used for technical activ
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `data/gbconfiguration.dat` | High
2 | Argument | `Password` | Medium
2 | File | `wp-includes/kses.php` | High
3 | Argument | `Password` | Medium
## References
The following list contains external sources which discuss the actor and the associated activities:
* https://blog.talosintelligence.com/2021/08/threat-roundup-0806-0813.html
* https://blog.talosintelligence.com/2021/10/threat-roundup-0924-1001.html
## Literature

33
Lokibot/README.md
View File

@ -27,21 +27,23 @@ ID | IP address | Hostname | Confidence
4 | 35.247.234.230 | 230.234.247.35.bc.googleusercontent.com | Medium
5 | 37.235.1.174 | resolver1.freedns.zone.powered.by.virtexxa.com | High
6 | 37.235.1.177 | resolver2.freedns.zone.powered.by.virtexxa.com | High
7 | 45.147.229.85 | - | High
8 | 50.16.216.118 | ec2-50-16-216-118.compute-1.amazonaws.com | Medium
9 | 50.19.92.227 | ec2-50-19-92-227.compute-1.amazonaws.com | Medium
10 | 54.225.78.40 | ec2-54-225-78-40.compute-1.amazonaws.com | Medium
11 | 54.225.165.85 | ec2-54-225-165-85.compute-1.amazonaws.com | Medium
12 | 54.225.245.108 | ec2-54-225-245-108.compute-1.amazonaws.com | Medium
13 | 54.235.88.121 | ec2-54-235-88-121.compute-1.amazonaws.com | Medium
14 | 63.251.106.25 | - | High
15 | 70.32.1.32 | ip-70.32.1.32.hosted.by.gigenet.com | High
16 | 79.134.225.70 | - | High
17 | 91.195.240.46 | - | High
18 | 102.186.213.112 | - | High
19 | ... | ... | ...
7 | 45.33.83.75 | li1029-75.members.linode.com | High
8 | 45.147.229.85 | - | High
9 | 50.16.216.118 | ec2-50-16-216-118.compute-1.amazonaws.com | Medium
10 | 50.19.92.227 | ec2-50-19-92-227.compute-1.amazonaws.com | Medium
11 | 54.225.78.40 | ec2-54-225-78-40.compute-1.amazonaws.com | Medium
12 | 54.225.165.85 | ec2-54-225-165-85.compute-1.amazonaws.com | Medium
13 | 54.225.245.108 | ec2-54-225-245-108.compute-1.amazonaws.com | Medium
14 | 54.235.88.121 | ec2-54-235-88-121.compute-1.amazonaws.com | Medium
15 | 63.251.106.25 | - | High
16 | 65.254.254.55 | mail.yourhostingaccount.com | High
17 | 70.32.1.32 | ip-70.32.1.32.hosted.by.gigenet.com | High
18 | 78.128.92.142 | venom8.steeldns.com | High
19 | 79.134.225.70 | - | High
20 | 91.195.240.46 | - | High
21 | ... | ... | ...
There are 36 more IOC items available. Please use our online service to access the data.
There are 40 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
@ -75,7 +77,7 @@ ID | Type | Indicator | Confidence
10 | File | `/admin/loginc.php` | High
11 | ... | ... | ...
There are 1119 more IOA items available. Please use our online service to access the data.
There are 1121 more IOA items available. Please use our online service to access the data.
## References
@ -87,6 +89,7 @@ The following list contains external sources which discuss the actor and the ass
* https://blog.talosintelligence.com/2021/08/threat-roundup-0820-0827.html
* https://blog.talosintelligence.com/2021/09/threat-roundup-0827-0903.html
* https://blog.talosintelligence.com/2021/09/threat-roundup-0910-0917.html
* https://blog.talosintelligence.com/2021/10/threat-roundup-1001-1008.html
* https://vxug.fakedoma.in/archive/APTs/2021/2021.01.06(1)/LokiBot%20Infection%20Chain.pdf
## Literature

72
MalKamak/README.md Normal file
View File

@ -0,0 +1,72 @@
# MalKamak - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [MalKamak](https://vuldb.com/?actor.malkamak). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.malkamak](https://vuldb.com/?actor.malkamak)
## Campaigns
The following campaigns are known and can be associated with MalKamak:
* GhostShell
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with MalKamak:
* CN
* US
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of MalKamak.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 50.116.17.41 | li601-41.members.linode.com | High
2 | 139.162.120.150 | li1604-150.members.linode.com | High
## TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by MalKamak. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1499 | Resource Consumption | High
4 | ... | ... | ...
There are 1 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by MalKamak. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/domains/list` | High
2 | File | `/run/spice-vdagentd/spice-vdagent-sock` | High
3 | File | `/tmp` | Low
4 | File | `English/pages_MacUS/cgi_lan.cgi` | High
5 | File | `ping.cgi` | Medium
6 | Argument | `DIA_IPADDRESS` | High
7 | Argument | `LAN_TXT24` | Medium
8 | Argument | `Product` | Low
## References
The following list contains external sources which discuss the actor and the associated activities:
* https://www.cybereason.com/blog/operation-ghostshell-novel-rat-targets-global-aerospace-and-telecoms-firms
## Literature
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!

3
Ramnit/README.md
View File

@ -43,7 +43,7 @@ ID | IP address | Hostname | Confidence
20 | 35.224.11.86 | 86.11.224.35.bc.googleusercontent.com | Medium
21 | ... | ... | ...
There are 132 more IOC items available. Please use our online service to access the data.
There are 134 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
@ -88,6 +88,7 @@ The following list contains external sources which discuss the actor and the ass
* https://blog.talosintelligence.com/2021/08/threat-roundup-0813-0820.html
* https://blog.talosintelligence.com/2021/09/threat-roundup-0903-0910.html
* https://blog.talosintelligence.com/2021/09/threat-roundup-0910-0917.html
* https://blog.talosintelligence.com/2021/10/threat-roundup-0924-1001.html
* https://github.com/firehol/blocklist-ipsets/blob/master/bambenek_ramnit.ipset
## Literature

13
Remcos/README.md
View File

@ -13,7 +13,7 @@ These countries are directly (e.g. origin of attacks) or indirectly (e.g. access
* SE
* ...
There are 11 more country items available. Please use our online service to access the data.
There are 12 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
@ -38,12 +38,12 @@ ID | IP address | Hostname | Confidence
15 | 23.227.38.74 | - | High
16 | 34.102.136.180 | 180.136.102.34.bc.googleusercontent.com | Medium
17 | 35.214.144.124 | 124.144.214.35.bc.googleusercontent.com | Medium
18 | 37.139.64.106 | - | High
19 | 37.230.130.153 | - | High
20 | 40.126.28.22 | - | High
18 | 37.1.206.16 | free.ispiria.net | High
19 | 37.139.64.106 | - | High
20 | 37.230.130.153 | - | High
21 | ... | ... | ...
There are 60 more IOC items available. Please use our online service to access the data.
There are 64 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
@ -76,7 +76,7 @@ ID | Type | Indicator | Confidence
10 | File | `/tmp` | Low
11 | ... | ... | ...
There are 163 more IOA items available. Please use our online service to access the data.
There are 170 more IOA items available. Please use our online service to access the data.
## References
@ -90,6 +90,7 @@ The following list contains external sources which discuss the actor and the ass
* https://blog.talosintelligence.com/2021/09/threat-roundup-0827-0903.html
* https://blog.talosintelligence.com/2021/09/threat-roundup-0910-0917.html
* https://blog.talosintelligence.com/2021/09/threat-roundup-0917-0924.html
* https://blog.talosintelligence.com/2021/10/threat-roundup-0924-1001.html
## Literature

38
Sarwent/README.md Normal file
View File

@ -0,0 +1,38 @@
# Sarwent - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Sarwent](https://vuldb.com/?actor.sarwent). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.sarwent](https://vuldb.com/?actor.sarwent)
## Campaigns
The following campaigns are known and can be associated with Sarwent:
* Amnesty International and Pegasus
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Sarwent.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 87.249.53.124 | 677515-co39933.tmweb.ru | High
2 | 185.215.113.67 | - | High
3 | 194.9.71.129 | free.gmhost.hosting | High
## References
The following list contains external sources which discuss the actor and the associated activities:
* https://blog.talosintelligence.com/2021/09/fakeantipegasusamnesty.html
## Literature
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!

36
TeslaCrypt/README.md
View File

@ -9,11 +9,11 @@ Live data and more analysis capabilities are available at [https://vuldb.com/?ac
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with TeslaCrypt:
* US
* DE
* CN
* TR
* ...
There are 2 more country items available. Please use our online service to access the data.
There are 7 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
@ -24,10 +24,17 @@ ID | IP address | Hostname | Confidence
1 | 2.57.138.47 | s27.zenbox.pl | High
2 | 5.79.68.109 | - | High
3 | 5.79.68.110 | - | High
4 | 35.205.61.67 | 67.61.205.35.bc.googleusercontent.com | Medium
5 | ... | ... | ...
4 | 23.63.245.19 | a23-63-245-19.deploy.static.akamaitechnologies.com | High
5 | 23.63.245.50 | a23-63-245-50.deploy.static.akamaitechnologies.com | High
6 | 23.196.73.160 | a23-196-73-160.deploy.static.akamaitechnologies.com | High
7 | 35.205.61.67 | 67.61.205.35.bc.googleusercontent.com | Medium
8 | 35.209.43.160 | 160.43.209.35.bc.googleusercontent.com | Medium
9 | 52.216.22.34 | s3-website-us-east-1.amazonaws.com | Medium
10 | 52.216.128.178 | s3-website-us-east-1.amazonaws.com | Medium
11 | 52.216.142.11 | s3-website-us-east-1.amazonaws.com | Medium
12 | ... | ... | ...
There are 8 more IOC items available. Please use our online service to access the data.
There are 22 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
@ -37,10 +44,10 @@ ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1211 | 7PK Security Features | High
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ...
There are 2 more TTP items available. Please use our online service to access the data.
There are 4 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
@ -52,21 +59,22 @@ ID | Type | Indicator | Confidence
2 | File | `/admin/views/freepbx_reload.php` | High
3 | File | `/cimom` | Low
4 | File | `/dhtml/index.php` | High
5 | File | `/drivers/vhost/net.c` | High
6 | File | `/flash/mypage.php` | High
7 | File | `/forum/away.php` | High
8 | File | `/index_amp.php` | High
9 | File | `/principals` | Medium
10 | File | `/recordings/index.php` | High
5 | File | `/downloadmaster/dm_apply.cgi?action_mode=initial&download_type=General&special_cgi=get_language` | High
6 | File | `/drivers/vhost/net.c` | High
7 | File | `/flash/mypage.php` | High
8 | File | `/forum/away.php` | High
9 | File | `/index_amp.php` | High
10 | File | `/Main_Login.asp?flag=1&productname=RT-AC88U&url=/downloadmaster/task.asp` | High
11 | ... | ... | ...
There are 138 more IOA items available. Please use our online service to access the data.
There are 155 more IOA items available. Please use our online service to access the data.
## References
The following list contains external sources which discuss the actor and the associated activities:
* https://blog.talosintelligence.com/2021/03/threat-roundup-0226-0305.html
* https://blog.talosintelligence.com/2021/10/threat-roundup-1001-1008.html
## Literature

23
Tofsee/README.md
View File

@ -13,7 +13,7 @@ These countries are directly (e.g. origin of attacks) or indirectly (e.g. access
* RU
* ...
There are 12 more country items available. Please use our online service to access the data.
There are 14 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
@ -43,7 +43,7 @@ ID | IP address | Hostname | Confidence
20 | 40.76.4.15 | - | High
21 | ... | ... | ...
There are 177 more IOC items available. Please use our online service to access the data.
There are 187 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
@ -67,17 +67,17 @@ ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/+CSCOE+/logon.html` | High
2 | File | `/admin/blocks/blocks/edit/8` | High
3 | File | `/admin/menus/menus/edit/3` | High
4 | File | `/admin/nodes/nodes/add/blog` | High
5 | File | `/admin/taxonomy/vocabularies` | High
6 | File | `/cgi/networkDiag.cgi` | High
7 | File | `/exponent_constants.php` | High
8 | File | `/forum/away.php` | High
9 | File | `/mods/_core/users/admins/my_edit.php` | High
10 | File | `/plain` | Low
3 | File | `/admin/login/login_check.php` | High
4 | File | `/admin/menus/menus/edit/3` | High
5 | File | `/admin/nodes/nodes/add/blog` | High
6 | File | `/admin/taxonomy/vocabularies` | High
7 | File | `/bin/goahead` | Medium
8 | File | `/cgi/networkDiag.cgi` | High
9 | File | `/exponent_constants.php` | High
10 | File | `/forum/away.php` | High
11 | ... | ... | ...
There are 172 more IOA items available. Please use our online service to access the data.
There are 189 more IOA items available. Please use our online service to access the data.
## References
@ -107,6 +107,7 @@ The following list contains external sources which discuss the actor and the ass
* https://blog.talosintelligence.com/2021/09/threat-roundup-0903-0910.html
* https://blog.talosintelligence.com/2021/09/threat-roundup-0910-0917.html
* https://blog.talosintelligence.com/2021/09/threat-roundup-0917-0924.html
* https://blog.talosintelligence.com/2021/10/threat-roundup-0924-1001.html
## Literature

2
Tomiris/README.md
View File

@ -20,7 +20,7 @@ ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 51.195.68.217 | time1.lyhuao.com | High
2 | 185.193.126.172 | b9c17eac.host.njalla.net | High
3 | 185.193.127.92 | host-185-193-127-92.njalla.net | High
3 | 185.193.127.92 | arbf.io | High
## TTP - Tactics, Techniques, Procedures

17
TrickBot/README.md
View File

@ -24,7 +24,7 @@ ID | IP address | Hostname | Confidence
1 | 5.1.81.68 | mx4.tarifvergleichbhv.net | High
2 | 5.2.75.93 | - | High
3 | 5.2.75.167 | coms.a9v34.com.cn | High
4 | 5.39.47.22 | mail.newsbit.fun | High
4 | 5.39.47.22 | mail.dmgs.site | High
5 | 5.59.205.32 | dhcp-32-205-59-5.metro86.ru | High
6 | 5.133.179.108 | 5-133-179-108.freeucouponsnow.ru | High
7 | 5.182.210.132 | - | High
@ -36,14 +36,14 @@ ID | IP address | Hostname | Confidence
13 | 18.233.90.151 | ec2-18-233-90-151.compute-1.amazonaws.com | Medium
14 | 23.3.13.88 | a23-3-13-88.deploy.static.akamaitechnologies.com | High
15 | 23.3.13.154 | a23-3-13-154.deploy.static.akamaitechnologies.com | High
16 | 23.21.27.29 | ec2-23-21-27-29.compute-1.amazonaws.com | Medium
17 | 23.21.48.44 | ec2-23-21-48-44.compute-1.amazonaws.com | Medium
18 | 23.21.252.4 | ec2-23-21-252-4.compute-1.amazonaws.com | Medium
19 | 23.96.30.229 | - | High
20 | 23.160.192.125 | unknown.ip-xfer.net | High
16 | 23.3.125.111 | a23-3-125-111.deploy.static.akamaitechnologies.com | High
17 | 23.21.27.29 | ec2-23-21-27-29.compute-1.amazonaws.com | Medium
18 | 23.21.48.44 | ec2-23-21-48-44.compute-1.amazonaws.com | Medium
19 | 23.21.252.4 | ec2-23-21-252-4.compute-1.amazonaws.com | Medium
20 | 23.96.30.229 | - | High
21 | ... | ... | ...
There are 235 more IOC items available. Please use our online service to access the data.
There are 257 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
@ -78,7 +78,7 @@ ID | Type | Indicator | Confidence
10 | File | `/admin/config.php?display=backup` | High
11 | ... | ... | ...
There are 966 more IOA items available. Please use our online service to access the data.
There are 987 more IOA items available. Please use our online service to access the data.
## References
@ -92,6 +92,7 @@ The following list contains external sources which discuss the actor and the ass
* https://blog.talosintelligence.com/2021/05/threat-roundup-0514-0521.html
* https://blog.talosintelligence.com/2021/07/threat-roundup-0625-0702.html
* https://blog.talosintelligence.com/2021/08/threat-roundup-0730-0806.html
* https://blog.talosintelligence.com/2021/10/threat-roundup-0924-1001.html
* https://feodotracker.abuse.ch/downloads/ipblocklist.csv
## Literature