CTI Update

Marc Ruef 2021-09-28 17:49:45 +02:00
parent 72cd3bd4eb
commit 5a9687a59f
433 changed files with 29756 additions and 0 deletions

32
1937CN/README.adoc Normal file

@ -0,0 +1,32 @@
= 1937CN - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.1937cn[1937CN]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.1937cn
== Campaigns
The following campaigns are known and can be associated with the actor.
- Rehashed RAT
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|1.3.30.3|-|High
|2|1.3.33.5|-|High
|========================================
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://www.threatminer.org/report.php?q=RehashedRATUsedinAPTCampaignAgainstVietnameseOrganizations_FortinetBlog.pdf&y=2017
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
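Review bot: "ressources" in the IOC lead sentence ("associated network ressources which are known to be part of...") should read "resources"; the same template sentence is repeated in the IOC section of every README in this commit, so the fix belongs in the generator template rather than in each file.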

32
9002/README.adoc Normal file

@ -0,0 +1,32 @@
= 9002 - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.9002[9002]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.9002
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. CN
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|222.239.91.30|-|High
|2|222.239.91.152|-|High
|========================================
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://www.threatminer.org/report.php?q=AttackDelivers%E2%80%989002%E2%80%99TrojanThroughGoogleDrive-PaloAltoNetworksBlogPaloAltoNetworksBlog.pdf&y=2016
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

75
APT-C-01/README.adoc Normal file

@ -0,0 +1,75 @@
= APT-C-01 - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.apt-c-01[APT-C-01]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.apt-c-01
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. US
. CN
. RU
. ...
There are 3 more country items available. Please use our online service to access the data.
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|45.32.8.137|45.32.8.137.vultr.com|Medium
|2|45.76.125.176|45.76.125.176.vultr.com|Medium
|3|45.76.228.61|45.76.228.61.vultr.com|Medium
|4|131.213.66.10|p83d5420a.tocgnt01.ap.so-net.ne.jp|High
|5|146.0.32.168|al039.albit.dedi.server-hosting.expert|High
|6|165.227.220.223|musyfy.staging.collaborators.us|High
|7|188.166.67.36|-|High
|========================================
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|========================================
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|/forum/away.php|High
|2|File|/goform/saveParentControlInfo|High
|3|File|/uncpath/|Medium
|4|File|2020\Messages\SDNotify.exe|High
|5|File|admin/admin_disallow.php|High
|6|File|email.php|Medium
|7|File|entry.cgi|Medium
|8|File|ext/date/lib/parse_date.c|High
|9|File|goto.php|Medium
|10|File|index.php?tg=delegat&idx=mem|High
|11|...|...|...
|========================================
There are 25 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://www.threatminer.org/report.php?q=APT-C-01-360.pdf&y=2018
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

47
APT-C-07/README.adoc Normal file

@ -0,0 +1,47 @@
= APT-C-07 - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.apt-c-07[APT-C-07]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.apt-c-07
== Campaigns
The following campaigns are known and can be associated with the actor.
- Mermaid
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. US
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|69.195.129.72|-|High
|========================================
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|Argument|widget_template|High
|========================================
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://www.threatminer.org/report.php?q=Operation_Mermaid_360cn.pdf&y=2016
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

76
APT-C-36/README.adoc Normal file

@ -0,0 +1,76 @@
= APT-C-36 - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.apt-c-36[APT-C-36]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.apt-c-36
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. US
. BR
. FR
. ...
There are 3 more country items available. Please use our online service to access the data.
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|128.90.106.22|undefined.hostname.localhost|High
|2|128.90.107.21|undefined.hostname.localhost|High
|3|128.90.107.189|undefined.hostname.localhost|High
|4|128.90.107.236|undefined.hostname.localhost|High
|5|128.90.108.126|undefined.hostname.localhost|High
|6|128.90.114.5|undefined.hostname.localhost|High
|7|128.90.115.28|undefined.hostname.localhost|High
|8|128.90.115.179|undefined.hostname.localhost|High
|========================================
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1499|Resource Consumption|High
|2|T1600|Cryptographic Issues|High
|========================================
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|.htaccess|Medium
|2|File|FileSeek.cgi|Medium
|3|File|includes/dbal.php|High
|4|File|index.php|Medium
|5|File|modules/mappers/mod_rewrite.c|High
|6|File|personalData/resumeDetail.cfm|High
|7|File|prod.php|Medium
|8|File|products.php|Medium
|9|File|shop.pl|Low
|10|File|software-description.php|High
|11|...|...|...
|========================================
There are 10 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://web.archive.org/web/20190625182633if_/https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
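Review bot: all eight rows of the IOC table carry `undefined.hostname.localhost` in the Hostname column; that string is a placeholder, not a resolved hostname, and consumers that pivot on hostnames will treat it as a shared indicator across unrelated addresses. Normalise it to `-` as the other files do for unresolved addresses.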

97
APT1/README.adoc Normal file

@ -0,0 +1,97 @@
= APT1 - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.apt1[APT1]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.apt1
== Campaigns
The following campaigns are known and can be associated with the actor.
- Mandiant
- Oceansalt
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. CN
. US
. FR
. ...
There are 1 more country items available. Please use our online service to access the data.
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|23.236.62.147|147.62.236.23.bc.googleusercontent.com|Medium
|2|27.102.112.179|-|High
|3|58.246.|-|High
|4|58.247.|-|High
|5|67.222.16.131|host.dnsweb.org|High
|6|100.42.216.230|tfs2480.sipnav.in|High
|7|103.42.182.241|-|High
|8|104.31.82.32|-|High
|9|158.69.131.78|ip78.ip-158-69-131.net|High
|10|172.81.132.62|ip-172-81-132-62.host.datawagon.net|High
|11|211.104.160.196|-|High
|12|223.166.|-|High
|13|223.167.|-|High
|========================================
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1110.001|Improper Restriction of Excessive Authentication Attempts|High
|4|T1211|7PK Security Features|High
|5|T1222|Permission Issues|High
|6|...|...|...
|========================================
There are 7 more TTP items available. Please use our online service to access the data.
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|$HOME/.nylas-mail|High
|2|File|$JENKINS_HOME/jenkins.security.RekeySecretAdminMonitor/backups|High
|3|File|$SPLUNK_HOME/etc/splunk-launch.conf|High
|4|File|%ProgramData%\CTES|High
|5|File|%PROGRAMFILES%\Cylance\Desktop\log|High
|6|File|%SYSTEMDRIVE%\ProgramData\exclusions.dat|High
|7|File|'phpshell.php|High
|8|File|*-sub-menu.php|High
|9|File|-X/path/to/wwwroot/file.php.|High
|10|File|.../gogo/|Medium
|11|...|...|...
|========================================
There are 10537 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf
* https://www.circleid.com/posts/20201215-revisiting-apt1-iocs-with-dns-and-subdomain-intelligence/
* https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdfa
* https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-oceansalt.pdf
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
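Review bot: rows 3, 4, 12 and 13 of the IOC table (`58.246.`, `58.247.`, `223.166.`, `223.167.`) are truncated prefixes, not addresses, and a consumer parsing the "IP address" column as IPv4 will reject them; either record them in CIDR notation in a column that allows ranges or drop them. Two smaller slips in the same hunk: the Mandiant reference URL ends in `.pdfa` instead of `.pdf`, and the country line reads "There are 1 more country items" (the generator should singularise for a count of one). IOA rows 7 and 9 (`'phpshell.php`, `-X/path/to/wwwroot/file.php.`) also carry stray punctuation from the source text that should be stripped before publication.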

110
APT10/README.adoc Normal file

@ -0,0 +1,110 @@
= APT10 - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.apt10[APT10]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.apt10
== Campaigns
The following campaigns are known and can be associated with the actor.
- A41APT
- Cloud Hopper
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. US
. CN
. DE
. ...
There are 18 more country items available. Please use our online service to access the data.
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|23.89.193.34|-|High
|2|23.110.64.147|-|High
|3|23.252.105.137|23.252.105.137.16clouds.com|High
|4|27.102.66.67|-|High
|5|27.102.115.249|-|High
|6|27.102.127.75|-|High
|7|27.102.127.80|-|High
|8|27.102.128.157|-|High
|9|31.184.197.215|31-184-197-215.static.x5x-noc.ru|High
|10|31.184.197.227|31-184-197-227.static.x5x-noc.ru|High
|11|31.184.198.23|-|High
|12|31.184.198.38|-|High
|13|37.187.7.74|ns3372567.ip-37-187-7.eu|High
|14|37.235.52.18|18.52.235.37.in-addr.arpa|High
|15|38.72.112.45|-|High
|16|38.72.114.16|-|High
|17|38.72.115.9|-|High
|18|45.62.112.161|45.62.112.161.16clouds.com|High
|19|45.138.157.83|lilanews.serveexchange.com|High
|20|46.108.39.134|-|High
|21|...|...|...
|========================================
There are 94 more IOC items available. Please use our online service to access the data.
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1110.001|Improper Restriction of Excessive Authentication Attempts|High
|4|T1211|7PK Security Features|High
|5|T1222|Permission Issues|High
|6|...|...|...
|========================================
There are 4 more TTP items available. Please use our online service to access the data.
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|/+CSCOE+/logon.html|High
|2|File|/.env|Low
|3|File|/addnews.html|High
|4|File|/admin/index.php|High
|5|File|/assets/something/services/AppModule.class|High
|6|File|/cgi-bin/admin/testserver.cgi|High
|7|File|/cgi-bin/go|Medium
|8|File|/dev/kvm|Medium
|9|File|/etc/config/rpcd|High
|10|File|/etc/gsissh/sshd_config|High
|11|...|...|...
|========================================
There are 481 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://github.com/janhenrikdotcom/iocs/blob/master/APT10/Operation%20Cloud%20Hopper%20-%20Indicators%20of%20Compromise%20v3.csv
* https://github.com/PwCUK-CTO/OperationCloudHopper/blob/master/cloud-hopper-indicators-of-compromise-v3.csv
* https://github.com/riduangan/APT10/blob/master/IOC
* https://securelist.com/apt10-sophisticated-multi-layered-loader-ecipekac-discovered-in-a41apt-campaign/101519/
* https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html
* https://www.threatminer.org/report.php?q=Accenture-Hogfish-Threat-Analysis.pdf&y=2018
* https://www.threatminer.org/report.php?q=cloud-hopper-indicators-of-compromise-v3-PwC.pdf&y=2017
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
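Review bot: row 14 of the IOC table gives `18.52.235.37.in-addr.arpa` as the hostname for 37.235.52.18; that is the reverse-lookup query name, not a resolved hostname, and should be `-` like the other unresolved entries in the table.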

76
APT12/README.adoc Normal file

@ -0,0 +1,76 @@
= APT12 - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.apt12[APT12]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.apt12
== Campaigns
The following campaigns are known and can be associated with the actor.
- Etumbot
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. ES
. US
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|32.114.251.129|-|High
|2|59.0.249.11|-|High
|3|92.54.232.142|-|High
|4|98.188.111.244|-|High
|5|133.87.242.63|turonian.cris.hokudai.ac.jp|High
|6|133.87.242.631|-|High
|7|141.108.2.157|fabernext.roma1.infn.it|High
|8|143.89.47.132|eea132.ee.ust.hk|High
|9|143.89.145.156|dy145-156.ust.hk|High
|10|190.16.246.129|129-246-16-190.fibertel.com.ar|High
|11|190.193.44.138|138-44-193-190.cab.prima.net.ar|High
|12|196.1.99.15|-|High
|13|196.1.99.154|-|High
|14|200.27.173.58|-|High
|15|200.42.69.140|mail1.argus.com.ar|High
|16|211.53.164.152|recruit.dhc.co.kr|High
|17|217.119.240.118|-|High
|========================================
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1499|Resource Consumption|High
|========================================
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|Network Port|tcp/264|Low
|========================================
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html
* https://www.threatminer.org/report.php?q=ASERT-Threat-Intelligence-Brief-2014-07-Illuminating-Etumbot-APT.pdf&y=2014
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
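Review bot: row 6 of the IOC table, `133.87.242.631`, is not a valid IPv4 address (last octet exceeds 255) and looks like a mis-copied duplicate of row 5 (`133.87.242.63`); rows 12 and 13 (`196.1.99.15` and `196.1.99.154`) show the same pattern and are worth checking against the Etumbot source report before merging.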

32
APT15/README.adoc Normal file

@ -0,0 +1,32 @@
= APT15 - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.apt15[APT15]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.apt15
== Campaigns
The following campaigns are known and can be associated with the actor.
- Ke3chang
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|61.128.110.38|-|High
|2|180.149.252.181|-|High
|========================================
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://www.threatminer.org/report.php?q=XSLCmd_OSX.pdf&y=2014
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

65
APT16/README.adoc Normal file

@ -0,0 +1,65 @@
= APT16 - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.apt16[APT16]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.apt16
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. US
. CN
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|121.127.249.74|-|High
|========================================
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|========================================
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|/download|Medium
|2|File|comment_add.asp|High
|3|File|data/gbconfiguration.dat|High
|4|File|email.php|Medium
|5|File|inc/config.php|High
|6|File|inc/filebrowser/browser.php|High
|7|File|ogp_show.php|Medium
|8|File|register.php|Medium
|9|Argument|basePath|Medium
|10|Argument|display|Low
|11|...|...|...
|========================================
There are 4 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

89
APT17/README.adoc Normal file

@ -0,0 +1,89 @@
= APT17 - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.apt17[APT17]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.apt17
== Campaigns
The following campaigns are known and can be associated with the actor.
- CCleaner
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. DE
. US
. JP
. ...
There are 2 more country items available. Please use our online service to access the data.
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|1.234.52.111|-|High
|2|69.80.72.165|-|High
|3|103.250.72.39|sv01growth.bulks.jp|High
|4|103.250.72.254|103x250x72x254.bulks.jp|High
|5|110.45.151.43|-|High
|6|121.101.73.231|p6549e7.fkokff01.ap.so-net.ne.jp|High
|7|130.184.156.62|-|High
|8|148.251.71.75|hotspot.nwwc.de|High
|9|175.126.104.175|-|High
|10|178.62.20.110|-|High
|11|216.126.225.148|-|High
|12|217.198.143.40|-|High
|========================================
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1211|7PK Security Features|High
|4|T1587.003|Improper Certificate Validation|High
|========================================
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|.htaccess|Medium
|2|File|/wbg/core/_includes/authorization.inc.php|High
|3|File|data/gbconfiguration.dat|High
|4|File|inc/config.php|High
|5|File|inc/filebrowser/browser.php|High
|6|File|register/check/username?username|High
|7|File|wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php|High
|8|File|wp-login.php|Medium
|9|Argument|basePath|Medium
|10|Argument|file|Low
|11|...|...|...
|========================================
There are 2 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://github.com/fireeye/iocs/blob/master/APT17/7b9e87c5-b619-4a13-b862-0145614d359a.ioc
* https://www.threatminer.org/report.php?q=EvidenceAuroraOperationStillActive_SupplyChainAttackThroughCCleaner-Intezer.pdf&y=2017
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
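Review bot: the IOC introduction reads "network ressources" and should read "network resources"; the same sentence recurs in every README in this commit, so the fix belongs in the generating template rather than in each file. The TTP table's "Access Vector" header is also misleading: its values (`Cross Site Scripting`, `Execution with Unnecessary Privileges`, `7PK Security Features`, `Improper Certificate Validation`) are weakness classes paired with ATT&CK technique IDs, not access vectors, so a header such as "Weakness" would describe the column. Minor: IOA row 6 `register/check/username?username` is a request path with a query parameter rather than a file, so the `File` class is a stretch there.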

36
APT18/README.adoc Normal file

@ -0,0 +1,36 @@
= APT18 - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.apt18[APT18]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.apt18
== Campaigns
The following campaigns are known and can be associated with the actor.
- Wekby
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|23.252.166.89|-|High
|2|23.252.166.99|-|High
|3|107.180.58.70|ip-107-180-58-70.ip.secureserver.net|High
|4|137.175.4.132|-|High
|5|223.25.233.248|-|High
|========================================
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://github.com/fireeye/iocs/blob/master/APT18/0ae061d7-c624-4a84-8adf-00281b97797b.ioc
* https://unit42.paloaltonetworks.com/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

44
APT19/README.adoc Normal file

@ -0,0 +1,44 @@
= APT19 - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.apt19[APT19]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.apt19
== Campaigns
The following campaigns are known and can be associated with the actor.
- c0d0s0
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. CN
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|42.200.18.194|-|High
|2|104.236.77.169|-|High
|3|121.54.168.230|-|High
|4|138.68.45.9|openpubsource.com|High
|5|162.243.143.145|-|High
|6|210.181.184.64|-|High
|7|218.54.139.20|-|High
|========================================
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://unit42.paloaltonetworks.com/new-attacks-linked-to-c0d0s0-group/
* https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

83
APT2/README.adoc Normal file

@ -0,0 +1,83 @@
= APT2 - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.apt2[APT2]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.apt2
== Campaigns
The following campaigns are known and can be associated with the actor.
- Putter Panda
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. KR
. US
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|31.170.110.163|io.uu3.net|High
|2|58.196.156.15|-|High
|3|59.120.168.199|59-120-168-199.hinet-ip.hinet.net|High
|4|61.34.97.69|-|High
|5|61.74.190.14|-|High
|6|61.78.37.121|-|High
|7|61.78.75.96|-|High
|8|61.221.54.99|61-221-54-99.hinet-ip.hinet.net|High
|9|67.42.255.50|rory.net|High
|10|100.42.216.230|tfs2480.sipnav.in|High
|11|121.157.104.122|-|High
|12|134.129.140.212|eercvpn.eerc.und.nodak.edu|High
|13|140.112.19.195|ipserver.ee.ntu.edu.tw|High
|14|140.112.40.7|bpADServer.bp.ntu.edu.tw|High
|15|140.113.88.216|IP-88-216.cs.nctu.edu.tw|High
|16|140.113.241.33|mipserv.cs.nctu.edu.tw|High
|17|140.119.46.35|econo2008.nccu.edu.tw|High
|18|173.231.36.139|173-231-36-139.hosted.static.webnx.com|High
|19|173.252.205.56|173-252-205-56.genericreverse.com|High
|20|173.252.207.51|173-252-207-51.genericreverse.com|High
|21|...|...|...
|========================================
There are 22 more IOC items available. Please use our online service to access the data.
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|========================================
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|/bin/boa|Medium
|2|Argument|Authorization|High
|3|Argument|Username|Medium
|========================================
== References
The following list contains external sources which discuss the actor and the associated activities.
* http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf
* https://www.threatminer.org/report.php?q=putter-panda.pdf&y=2014
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
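Review bot: the two references appear to be the same CrowdStrike Putter Panda report reached through two mirrors (`crowdstrike-intelligence-report-putter-panda.original.pdf` on vox-cdn and `putter-panda.pdf&y=2014` on ThreatMiner); keep one entry, preferably the primary source, so the list does not inflate the apparent number of independent sources.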

95
APT27/README.adoc Normal file

@ -0,0 +1,95 @@
= APT27 - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.apt27[APT27]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.apt27
== Campaigns
The following campaigns are known and can be associated with the actor.
- SysUpdate
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. US
. CN
. ES
. ...
There are 3 more country items available. Please use our online service to access the data.
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|34.90.207.23|23.207.90.34.bc.googleusercontent.com|Medium
|2|34.93.247.126|126.247.93.34.bc.googleusercontent.com|Medium
|3|35.187.148.253|253.148.187.35.bc.googleusercontent.com|Medium
|4|35.220.135.85|85.135.220.35.bc.googleusercontent.com|Medium
|5|45.142.214.188|mts.ru|High
|6|47.75.49.32|-|High
|7|85.204.74.143|-|High
|8|89.35.178.105|-|High
|9|103.79.78.48|103.79.78.48.static.hostdare.com|High
|10|104.09.198.177|-|High
|11|139.59.81.253|-|High
|12|139.180.208.225|139.180.208.225.vultr.com|Medium
|13|185.12.45.134|server5.cygda.info|High
|========================================
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1008|Algorithm Downgrade|High
|2|T1040|Authentication Bypass by Capture-replay|High
|3|T1059.007|Cross Site Scripting|High
|4|T1068|Execution with Unnecessary Privileges|High
|5|T1110.001|Improper Restriction of Excessive Authentication Attempts|High
|6|...|...|...
|========================================
There are 7 more TTP items available. Please use our online service to access the data.
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|/+CSCOE+/logon.html|High
|2|File|/cgi-bin/live_api.cgi|High
|3|File|/config/getuser|High
|4|File|/etc/shadow|Medium
|5|File|/infusions/shoutbox_panel/shoutbox_admin.php|High
|6|File|/oscommerce/admin/currencies.php|High
|7|File|/proc/pid/syscall|High
|8|File|/session/list/allActiveSession|High
|9|File|/syslog_rules|High
|10|File|/upload|Low
|11|...|...|...
|========================================
There are 186 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/
* https://vxug.fakedoma.in/archive/APTs/2021/2021.04.09/Iron%20Tiger.pdf
* https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
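Review bot: IOC row 10 `104.09.198.177` has a zero-padded second octet while no other address in the table is padded; inet_aton-style parsers read a leading-zero octet as octal, so a consumer loading this list may block a different address than intended. Normalise it to `104.9.198.177`, or verify against the source if `09` was a transcription error, before it ships as a High-confidence indicator.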

139
APT28/README.adoc Normal file

@ -0,0 +1,139 @@
= APT28 - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.apt28[APT28]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.apt28
== Campaigns
The following campaigns are known and can be associated with the actor.
- Carberp
- Fysbis
- Global Brute Force
- ...
There are 3 more campaign items available. Please use our online service to access the data.
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. US
. DE
. ES
. ...
There are 52 more country items available. Please use our online service to access the data.
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|5.63.153.177|5-63-153-177.ovz.vps.regruhosting.ru|High
|2|5.100.155.82|5.100.155-82.publicdomainregistry.com|High
|3|5.100.155.91|5.100.155-91.publicdomainregistry.com|High
|4|5.135.183.154|ns3290077.ip-5-135-183.eu|High
|5|5.199.171.58|-|High
|6|23.163.0.59|naomi.rem2d.com|High
|7|23.227.196.21|23-227-196-21.static.hvvc.us|High
|8|23.227.196.215|23-227-196-215.static.hvvc.us|High
|9|23.227.196.217|23-227-196-217.static.hvvc.us|High
|10|31.184.198.23|-|High
|11|31.184.198.38|-|High
|12|31.220.43.99|-|High
|13|31.220.61.251|-|High
|14|37.235.52.18|18.52.235.37.in-addr.arpa|High
|15|45.32.129.185|45.32.129.185.vultr.com|Medium
|16|45.32.227.21|45.32.227.21.mobiltel.mx|High
|17|45.64.105.23|-|High
|18|45.124.132.127|-|High
|19|46.19.138.66|ab2.alchibasystems.in.net|High
|20|46.21.147.55|55.147.21.46.in-addr.arpa|High
|21|...|...|...
|========================================
There are 211 more IOC items available. Please use our online service to access the data.
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1040|Authentication Bypass by Capture-replay|High
|2|T1059.007|Cross Site Scripting|High
|3|T1068|Execution with Unnecessary Privileges|High
|4|T1110.001|Improper Restriction of Excessive Authentication Attempts|High
|5|T1211|7PK Security Features|High
|6|...|...|...
|========================================
There are 10 more TTP items available. Please use our online service to access the data.
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|.htaccess|Medium
|2|File|.procmailrc|Medium
|3|File|/$({curl|Medium
|4|File|/+CSCOE+/logon.html|High
|5|File|/.env|Low
|6|File|/.ssh/authorized_keys|High
|7|File|/.vnc/sesman_${username}_passwd|High
|8|File|/account/details.php|High
|9|File|/admin.php|Medium
|10|File|/admin/adclass.php|High
|11|...|...|...
|========================================
There are 2654 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://documents.trendmicro.com/assets/wp/wp-two-years-of-pawn-storm.pdf
* https://github.com/blackorbird/APT_REPORT/blob/master/APT28/IOC/2019-04-05-ioc-mark.txt
* https://github.com/blackorbird/APT_REPORT/blob/master/APT28/IOC/2019-04-09-ioc-mark.txt
* https://github.com/fireeye/iocs/blob/master/APT28/e1cbf7ca-4938-4d3c-a7e6-3ff966516191.ioc
* https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF
* https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF
* https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion/
* https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/
* https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/2015.11.04_Evolving_Threats/cct-w08_evolving-threats-dissection-of-a-cyber-espionage-attack.pdf
* https://unit42.paloaltonetworks.com/a-look-into-fysbis-sofacys-linux-backdoor/
* https://unit42.paloaltonetworks.com/dear-joohn-sofacy-groups-global-campaign/
* https://unit42.paloaltonetworks.com/unit42-new-sofacy-attacks-against-us-government-agency/
* https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/
* https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/
* https://unit42.paloaltonetworks.com/unit42-sofacys-komplex-os-x-trojan/
* https://unit42.paloaltonetworks.com/unit42-xagentosx-sofacys-xagent-macos-tool/
* https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50
* https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/
* https://www.ncsc.gov.uk/files/NCSC_APT28.pdf
* https://www.threatminer.org/report.php?q=ASongofIntelandFancy_ExploitingFancyBear%E2%80%99suseofSSLcertificate.pdf&y=2018
* https://www.threatminer.org/report.php?q=eset-sednit-part-2-ESET.pdf&y=2016
* https://www.threatminer.org/report.php?q=eset-sednit-part1-ESET.pdf&y=2016
* https://www.threatminer.org/report.php?q=FancyBearcontinuetooperatethroughphishingemailsandmuchmore_ESET.pdf&y=2017
* https://www.threatminer.org/report.php?q=OperationRussianDoll.pdf&y=2015
* https://www.threatminer.org/report.php?q=TheDeceptionProjectANewJapanese-CentricThreat-Cylance.pdf&y=2017
* https://www.threatminer.org/report.php?q=ThreatConnectandFidelisTeamUptoExploretheDCCCBreach-ThreatConnect.pdf&y=2016
* https://www.threatminer.org/report.php?q=ThreatConnectIdentifiesFANCYBEARWorldAnti-DopingAgencyBreach-ThreatConnect.pdf&y=2016
* https://www.threatminer.org/report.php?q=wp-operation-pawn-storm.pdf&y=2014
* https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/
* https://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf
* https://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf
* https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
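Review bot: IOA row 3 `/$({curl` is a truncated shell-substitution fragment, not a file path, and row 7 `/.vnc/sesman_${username}_passwd` still contains an unexpanded `${username}` placeholder; both look like artifacts of the extraction pipeline rather than usable indicators and should be dropped or given a class other than `File` before release, since a consumer matching on the `File` class will never see either string on disk.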

111
APT29/README.adoc Normal file

@ -0,0 +1,111 @@
= APT29 - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.apt29[APT29]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.apt29
== Campaigns
The following campaigns are known and can be associated with the actor.
- COVID-19
- PowerDuke
- Wellmail
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. US
. CN
. RU
. ...
There are 14 more country items available. Please use our online service to access the data.
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|5.45.66.134|-|High
|2|5.199.174.164|-|High
|3|27.102.130.115|-|High
|4|31.7.63.141|game.bignamegamereviewz.com|High
|5|31.170.107.186|ohra.supplrald.com|High
|6|45.120.156.69|-|High
|7|45.123.190.167|-|High
|8|45.123.190.168|-|High
|9|45.129.229.48|-|High
|10|45.152.84.57|-|High
|11|46.19.143.69|-|High
|12|46.246.120.178|-|High
|13|50.7.192.146|-|High
|14|64.18.143.66|-|High
|15|65.15.88.243|adsl-065-015-088-243.sip.asm.bellsouth.net|High
|16|66.29.115.55|647807.ds.nac.net|High
|17|66.70.247.215|ip215.ip-66-70-247.net|High
|18|69.59.28.57|-|High
|19|79.141.168.109|-|High
|20|81.17.17.213|customer20.tamic.info|High
|21|...|...|...
|========================================
There are 77 more IOC items available. Please use our online service to access the data.
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1211|7PK Security Features|High
|4|T1499|Resource Consumption|High
|5|T1552|Unprotected Storage of Credentials|High
|6|...|...|...
|========================================
There are 1 more TTP items available. Please use our online service to access the data.
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|.procmailrc|Medium
|2|File|/+CSCOE+/logon.html|High
|3|File|/../../conf/template/uhttpd.json|High
|4|File|/cgi-bin/portal|High
|5|File|/CMD_ACCOUNT_ADMIN|High
|6|File|/etc/shadow|Medium
|7|File|/etc/sudoers|Medium
|8|File|/firewall/policy/|High
|9|File|/includes/plugins/mobile/scripts/login.php|High
|10|File|/notice-edit.php|High
|11|...|...|...
|========================================
There are 236 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf
* https://github.com/blackorbird/APT_REPORT/blob/master/International%20Strategic/Russia/Advisory-APT29-targets-COVID-19-vaccine-development.pdf
* https://us-cert.cisa.gov/ncas/alerts/aa21-148a
* https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198c
* https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/
* https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf
* https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
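Review bot: the sentence after the TTP table, "There are 1 more TTP items available", is ungrammatical; the generator should pluralise conditionally ("There is 1 more TTP item available"). Also IOA row 3 `/../../conf/template/uhttpd.json` keeps its traversal prefix while the other `File` rows are plain paths; document whether `File` indicators are raw request paths or normalised paths, because the two need different matching logic on the consumer side.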

66
APT3/README.adoc Normal file

@ -0,0 +1,66 @@
= APT3 - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.apt3[APT3]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.apt3
== Campaigns
The following campaigns are known and can be associated with the actor.
- CVE-2015-5119
- Doubletap
- Double Tap
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. US
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|23.99.20.198|-|High
|2|54.169.89.240|ec2-54-169-89-240.ap-southeast-1.compute.amazonaws.com|Medium
|3|104.151.248.173|173.248-151-104.rdns.scalabledns.com|High
|4|107.20.255.57|ec2-107-20-255-57.compute-1.amazonaws.com|Medium
|5|112.74.87.60|-|High
|6|137.175.4.132|-|High
|7|192.157.198.103|-|High
|8|192.184.60.229|unassigned.psychz.net|High
|9|194.44.130.179|-|High
|10|198.55.115.71|hosted-by.securefastserver.com|High
|11|210.109.99.64|-|High
|========================================
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|/forum/away.php|High
|========================================
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://github.com/fireeye/iocs/blob/master/APT3/62f65dae-9475-44b0-a9eb-c1baebbd9885.ioc
* https://github.com/fireeye/iocs/blob/master/APT3/db0b6ac6-874a-498e-892b-ac7c2020e061.ioc
* https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html
* https://www.fireeye.com/blog/threat-research/2015/07/demonstrating_hustle.html
* https://www.recordedfuture.com/chinese-mss-behind-apt3/
* https://www.threatminer.org/report.php?q=APTGroupUPSTargetsUSGovernmentwithHackingTeamFlashExploit-PaloAltoNetworksBlogPaloAltoNetworksBlog.pdf&y=2015
* https://www.threatminer.org/report.php?q=OperationDoubleTap.pdf&y=2014
* https://www.threatminer.org/report.php?q=SecondAdobeFlashZero-DayCVE-2015-5122fromHackingTeamExploitedinStrategicWebCompromiseTargetingJapaneseVictims%C2%ABThreatResearchBlog_FireEyeInc.pdf&y=2015
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
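Review bot: the Campaigns list has `Doubletap` and `Double Tap` as two entries, which are the same campaign spelt two ways (the references cite Operation DoubleTap), and `CVE-2015-5119` is a vulnerability identifier rather than a campaign; deduplicate the first two and either drop the CVE or move it to a section for exploited vulnerabilities. Also IOC row 6 `137.175.4.132` is listed with High confidence both here and in the APT18 README earlier in this commit; shared infrastructure is plausible, but a cross-reference would keep readers from taking it as a conflicting attribution.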

27
APT30/README.adoc Normal file

@ -0,0 +1,27 @@
= APT30 - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.apt30[APT30]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.apt30
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|5.1.0.29|5-1-0-29.datagroup.ua|High
|2|112.117.9.222|-|High
|========================================
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://www.threatminer.org/report.php?q=rpt-apt30.pdf&y=2015
* https://www.threatminer.org/_reports/2015/rpt-apt30.pdf#viewer.action=download
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
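Review bot: both references point at the same document, the APT30 report `rpt-apt30.pdf`, once via the ThreatMiner report page and once via its direct download link with a `#viewer.action=download` fragment; keep the report page entry only, since the download link is not a citable source and adds no information.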

79
APT31/README.adoc Normal file

@ -0,0 +1,79 @@
= APT31 - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.apt31[APT31]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.apt31
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. FR
. US
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|105.154.12.165|-|High
|2|105.157.234.0|-|High
|3|105.159.122.85|-|High
|4|110.36.231.150|WGPON-36231-150.wateen.net|High
|5|115.31.133.26|-|High
|6|115.133.136.29|-|High
|7|119.110.222.94|static-119-110-222-94.violin.co.th|High
|8|121.121.46.10|mail.worldtech.my|High
|9|122.154.56.106|-|High
|10|125.25.204.59|node-14cb.pool-125-25.dynamic.totinternet.net|High
|11|125.31.50.150|n12531z50l150.static.ctmip.net|High
|12|141.101.253.109|-|High
|13|147.50.50.50|-|High
|14|154.181.248.88|host-154.181.88.248-static.tedata.net|High
|15|154.182.91.196|host-154.182.196.91-static.tedata.net|High
|16|156.222.101.141|host-156.222.141.101-static.tedata.net|High
|========================================
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1222|Permission Issues|High
|========================================
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|/get_getnetworkconf.cgi|High
|2|File|/horde/util/go.php|High
|3|File|administrator/components/com_media/helpers/media.php|High
|4|File|comments.php|Medium
|5|File|data/gbconfiguration.dat|High
|6|File|inc/config.php|High
|7|File|item_details.php|High
|8|File|KeyHelp.ocx|Medium
|9|File|phpinfo.php|Medium
|10|File|picture.php|Medium
|11|...|...|...
|========================================
There are 12 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://blogs.infoblox.com/cyber-threat-intelligence/cyber-threat-advisory-apt31-targeting-france/
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
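Review bot: `ressources` in the IOC introduction (`The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.`) should read `resources`; the identical sentence opens the IOC section of every README in this commit, so the fix belongs in the template that generates them. Same hunk, TTP table: the column headed `Access Vector` holds weakness classes (`|1|T1222|Permission Issues|High`), which is not what an access vector is in CVSS terms; a header such as `Weakness` would describe the data, and the same header is used in every TTP table of the commit.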

106
APT32/README.adoc Normal file

@ -0,0 +1,106 @@
= APT32 - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.apt32[APT32]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.apt32
== Campaigns
The following campaigns are known and can be associated with the actor.
- Cobalt Kitty
- OceanLotus
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. US
. CN
. TR
. ...
There are 10 more country items available. Please use our online service to access the data.
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|23.227.196.126|23-227-196-126.static.hvvc.us|High
|2|23.227.196.210|23-227-196-210.static.hvvc.us|High
|3|23.227.199.121|23-227-199-121.static.hvvc.us|High
|4|27.102.70.211|-|High
|5|37.59.198.130|-|High
|6|37.59.198.131|-|High
|7|45.32.100.179|45.32.100.179.vultr.com|Medium
|8|45.32.105.45|45.32.105.45.vultr.com|Medium
|9|45.32.114.49|45.32.114.49.vultr.com|Medium
|10|45.76.147.201|45.76.147.201.vultr.com|Medium
|11|45.76.179.28|45.76.179.28.vultr.com|Medium
|12|45.76.179.151|45.76.179.151.vultr.com|Medium
|13|45.77.39.101|45.77.39.101.vultr.com|Medium
|14|45.114.117.137|-|High
|15|45.114.117.164|folien.reisnart.com|High
|16|64.62.174.9|unassigned9.net2.fc.aoindustries.com|High
|17|64.62.174.16|unassigned16.net2.fc.aoindustries.com|High
|18|64.62.174.17|unassigned17.net2.fc.aoindustries.com|High
|19|64.62.174.21|unassigned21.net2.fc.aoindustries.com|High
|20|64.62.174.41|unassigned41.net2.fc.aoindustries.com|High
|21|...|...|...
|========================================
There are 40 more IOC items available. Please use our online service to access the data.
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1110.001|Improper Restriction of Excessive Authentication Attempts|High
|4|T1211|7PK Security Features|High
|5|T1222|Permission Issues|High
|6|...|...|...
|========================================
There are 5 more TTP items available. Please use our online service to access the data.
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|/cgi-bin/cgiServer.exx|High
|2|File|/cgi-bin/login_action.cgi|High
|3|File|/dev/sg0|Medium
|4|File|/event/runquery.do|High
|5|File|/forum/away.php|High
|6|File|/manager?action=getlogcat|High
|7|File|/password.html|High
|8|File|/system/ws/v11/ss/email)|High
|9|File|/uncpath/|Medium
|10|File|add_vhost.php|High
|11|...|...|...
|========================================
There are 177 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf
* https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html
* https://www.volexity.com/blog/2017/11/06/oceanlotus-blossoms-mass-digital-surveillance-and-exploitation-of-asean-nations-the-media-human-rights-and-civil-society/
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
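Review bot: IOA row 8, `|8|File|/system/ws/v11/ss/email)|High`, ends with a stray `)` that does not look like part of a path; check the source record and drop the character, otherwise anything matching on this indicator will never hit. Minor: the `ressources` typo in the IOC intro and the `Access Vector` column label in the TTP table recur in this file.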

110
APT33/README.adoc Normal file

@ -0,0 +1,110 @@
= APT33 - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.apt33[APT33]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.apt33
== Campaigns
The following campaigns are known and can be associated with the actor.
- Elfin
- PoshC2
- Powerton
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. FR
. DE
. ES
. ...
There are 18 more country items available. Please use our online service to access the data.
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|5.79.66.241|-|High
|2|5.79.127.177|-|High
|3|5.135.120.57|-|High
|4|5.135.199.25|-|High
|5|5.187.21.70|-|High
|6|5.187.21.71|-|High
|7|8.26.21.117|117.21.26.8.serverpronto.com|High
|8|8.26.21.119|ns1.glasscitysoftware.net|High
|9|8.26.21.120|ns2.glasscitysoftware.net|High
|10|8.26.21.220|mail2.boldinbox.com|High
|11|8.26.21.221|mail3.boldinbox.com|High
|12|8.26.21.222|mail9.servidorz.com|High
|13|8.26.21.223|mail5.boldinbox.com|High
|14|31.7.62.48|-|High
|15|37.48.105.178|-|High
|16|45.32.186.33|45.32.186.33.vultr.com|Medium
|17|45.76.32.252|45.76.32.252.vultr.com|Medium
|18|51.77.11.46|ip46.ip-51-77-11.eu|High
|19|51.254.71.223|ip223.ip-51-254-71.eu|High
|20|54.36.73.108|mail.snap-status.com|High
|21|...|...|...
|========================================
There are 55 more IOC items available. Please use our online service to access the data.
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1008|Algorithm Downgrade|High
|2|T1040|Authentication Bypass by Capture-replay|High
|3|T1059.007|Cross Site Scripting|High
|4|T1068|Execution with Unnecessary Privileges|High
|5|T1110.001|Improper Restriction of Excessive Authentication Attempts|High
|6|...|...|...
|========================================
There are 11 more TTP items available. Please use our online service to access the data.
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|$SPLUNK_HOME/etc/splunk-launch.conf|High
|2|File|%PROGRAMDATA%\1E\Client|High
|3|File|%PROGRAMDATA%\ASUS\GamingCenterLib|High
|4|File|%PROGRAMDATA%\WrData\PKG|High
|5|File|%PROGRAMFILES(X86)%/Aternity Information Systems/Assistant/plugins|High
|6|File|.folder|Low
|7|File|.forward|Medium
|8|File|.git/hooks/post-update|High
|9|File|.gitlab-ci.yml|High
|10|File|.htaccess|Medium
|11|...|...|...
|========================================
There are 4712 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://github.com/jeFF0Falltrades/IoCs/blob/master/APT/poshc2_apt_33.md
* https://securelist.com/twas-the-night-before/91599/
* https://securityaffairs.co/wordpress/93845/apt/apt33-vpn-networks.html
* https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/elfin-apt33-espionage
* https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html
* https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
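Review bot: the References list carries the same Elfin write-up twice under two hostnames (`* https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/elfin-apt33-espionage` and `* https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage`); keep one, preferably the host that currently serves it. Also, with 4712 further IOA items behind generic entries such as `|7|File|.forward|Medium` and `|10|File|.htaccess|Medium`, anyone feeding this table into detection rules gets noise; the IOA intro should state that Low and Medium rows are context only and not suitable for standalone matching.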

104
APT34/README.adoc Normal file

@ -0,0 +1,104 @@
= APT34 - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.apt34[APT34]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.apt34
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. US
. IR
. DE
. ...
There are 19 more country items available. Please use our online service to access the data.
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|23.19.226.69|-|High
|2|23.106.215.76|-|High
|3|23.227.201.6|23-227-201-6.static.hvvc.us|High
|4|38.132.124.153|-|High
|5|46.4.69.52|static.52.69.4.46.clients.your-server.de|High
|6|46.105.221.247|-|High
|7|46.105.251.42|ip42.ip-46-105-251.eu|High
|8|46.165.246.196|-|High
|9|70.36.107.34|-|High
|10|74.91.19.108|-|High
|11|74.91.19.122|-|High
|12|80.82.79.221|-|High
|13|80.82.79.240|-|High
|14|81.17.56.249|-|High
|15|82.102.14.216|h82-102-14-216.host.redstation.co.uk|High
|16|82.102.14.219|h82-102-14-219.host.redstation.co.uk|High
|17|82.102.14.222|h82-102-14-222.host.redstation.co.uk|High
|18|82.102.14.246|h82-102-14-246.host.redstation.co.uk|High
|19|83.142.230.138|-|High
|20|88.99.246.174|static.174.246.99.88.clients.your-server.de|High
|21|...|...|...
|========================================
There are 52 more IOC items available. Please use our online service to access the data.
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1110.001|Improper Restriction of Excessive Authentication Attempts|High
|4|T1211|7PK Security Features|High
|5|T1222|Permission Issues|High
|6|...|...|...
|========================================
There are 5 more TTP items available. Please use our online service to access the data.
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|/admin/index.php|High
|2|File|/bdswebui/assignusers/|High
|3|File|/bin/goahead|Medium
|4|File|/cgi-bin/luci|High
|5|File|/cgi-bin/supervisor/PwdGrp.cgi|High
|6|File|/dev/dri/card1|High
|7|File|/etc/fstab|Medium
|8|File|/forum/away.php|High
|9|File|/getcfg.php|Medium
|10|File|/GetCSSashx/?CP=%2fwebconfig|High
|11|...|...|...
|========================================
There are 374 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://github.com/blackorbird/APT_REPORT/tree/master/APT34
* https://unit42.paloaltonetworks.com/unit42-oilrig-group-steps-attacks-new-delivery-documents-new-injector-trojan/
* https://unit42.paloaltonetworks.com/unit42-oilrig-uses-ismdoor-variant-possibly-linked-greenbug-threat-group/
* https://unit42.paloaltonetworks.com/unit42-oilrig-uses-updated-bondupdater-target-middle-eastern-government/
* https://unit42.paloaltonetworks.com/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/
* https://www.clearskysec.com/oilrig/
* https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html
* https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

104
APT36/README.adoc Normal file

@ -0,0 +1,104 @@
= APT36 - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.apt36[APT36]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.apt36
== Campaigns
The following campaigns are known and can be associated with the actor.
- C-Major
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. US
. NL
. RU
. ...
There are 12 more country items available. Please use our online service to access the data.
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|5.189.137.8|vending.softjourn.if.ua|High
|2|5.189.143.225|-|High
|3|5.189.152.147|ccloud.armax.de|High
|4|5.189.167.23|mltx.de|High
|5|5.189.167.65|vmi437585.contaboserver.net|High
|6|23.254.119.11|-|High
|7|64.188.12.126|64.188.12.126.static.quadranet.com|High
|8|64.188.25.232|64.188.25.232.static.quadranet.com|High
|9|75.98.175.79|a2s83.a2hosting.com|High
|10|75.119.139.169|server1.immacolata.com|High
|11|80.240.134.51|-|High
|12|82.196.13.94|-|High
|13|95.85.43.35|-|High
|14|95.168.176.141|-|High
|15|107.175.64.209|107-175-64-209-host.colocrossing.com|High
|16|107.175.64.251|107-175-64-251-host.colocrossing.com|High
|17|151.106.14.125|-|High
|18|151.106.19.218|-|High
|19|151.106.56.32|-|High
|20|162.218.122.126|162.218.122.126.static.quadranet.com|High
|21|...|...|...
|========================================
There are 37 more IOC items available. Please use our online service to access the data.
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1110.001|Improper Restriction of Excessive Authentication Attempts|High
|4|T1211|7PK Security Features|High
|5|T1222|Permission Issues|High
|6|...|...|...
|========================================
There are 4 more TTP items available. Please use our online service to access the data.
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|/etc/sudoers|Medium
|2|File|/forum/away.php|High
|3|File|/inc/HTTPClient.php|High
|4|File|/out.php|Medium
|5|File|/service/upload|High
|6|File|/uncpath/|Medium
|7|File|adclick.php|Medium
|8|File|add_comment.php|High
|9|File|admin/system_manage/save.html|High
|10|File|admin/sysUser/save.do?callbackType=closeCurrent&navTabId=sysUser/list|High
|11|...|...|...
|========================================
There are 232 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://vxug.fakedoma.in/archive/APTs/2021/2021.05.13/Transparent%20Tribe.pdf
* https://www.threatminer.org/report.php?q=indian-military-personnel-targeted-by-information-theft-campaign-cmajor.pdf&y=2016
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
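Review bot: the first reference (`* https://vxug.fakedoma.in/archive/APTs/2021/2021.05.13/Transparent%20Tribe.pdf`) points at a third-party archive mirror rather than the publisher's own page; cite the original report so readers can verify the source and pick up corrections. Minor: the `ressources` typo in the IOC intro recurs in this file.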

76
APT37/README.adoc Normal file

@ -0,0 +1,76 @@
= APT37 - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.apt37[APT37]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.apt37
== Campaigns
The following campaigns are known and can be associated with the actor.
- Daybreak
- Scarcruft
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. US
. PL
. RU
. ...
There are 1 more country items available. Please use our online service to access the data.
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|34.13.42.35|-|High
|2|120.192.73.202|-|High
|3|180.182.52.76|-|High
|4|212.7.217.10|212-7-217-10.lukman.pl|High
|========================================
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1600|Cryptographic Issues|High
|========================================
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|examples/openid.php|High
|2|File|FormDisplay.php|High
|3|File|includes/startup.php|High
|4|File|libraries/Header.php|High
|5|File|wp-includes/class-wp-query.php|High
|6|Argument|name|Low
|7|Argument|Password|Medium
|8|Argument|STARTTLS|Medium
|========================================
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://securelist.com/operation-daybreak/75100/
* https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
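Review bot: `There are 1 more country items available.` needs singular agreement (`There is 1 more country item available.`); the counter sentence looks templated, so the template should switch on the count. The IOA table's `Argument` rows (`|6|Argument|name|Low`, `|7|Argument|Password|Medium`, `|8|Argument|STARTTLS|Medium`) are parameter names shared by countless applications and cannot identify this actor on their own; the intro should say that such rows are context only.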

72
APT38/README.adoc Normal file

@ -0,0 +1,72 @@
= APT38 - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.apt38[APT38]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.apt38
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. US
. KR
. CN
. ...
There are 1 more country items available. Please use our online service to access the data.
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|175.45.176.|-|High
|2|175.45.177.|-|High
|3|175.45.178.|-|High
|4|175.45.179.|-|High
|5|210.52.109.|-|High
|========================================
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1068|Execution with Unnecessary Privileges|High
|========================================
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|json-stringifier.h|High
|2|File|mm/memory.c|Medium
|3|File|\\.\pipe\WPSCloudSvr\WpsCloudSvr|High
|4|Library|DNSAPI.dll|Medium
|5|Library|kso.dll|Low
|6|Library|mshtml.dll|Medium
|7|Library|system/libraries/Email.php|High
|8|Argument|content|Low
|9|Argument|email->from|Medium
|10|Argument|location.href|High
|11|...|...|...
|========================================
There are 5 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://content.fireeye.com/apt/rpt-apt38
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
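Review bot: every entry in the IOC table is missing its last octet (`|1|175.45.176.|-|High` through `|5|210.52.109.|-|High`), so these are not valid IP addresses and any parser or blocklist import will reject them. If the intent is the whole /24, write the rows in CIDR form (e.g. `175.45.176.0/24`) and say so in the intro; otherwise restore the full addresses. Also `There are 1 more country items available.` needs singular agreement.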

99
APT39/README.adoc Normal file

@ -0,0 +1,99 @@
= APT39 - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.apt39[APT39]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.apt39
== Campaigns
The following campaigns are known and can be associated with the actor.
- Chafer
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. US
. RU
. GB
. ...
There are 15 more country items available. Please use our online service to access the data.
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|83.142.230.113|-|High
|2|86.105.227.224|-|High
|3|87.117.204.113|-|High
|4|87.117.204.115|-|High
|5|89.38.97.112|-|High
|6|89.38.97.115 |-|High
|7|91.218.114.204|-|High
|8|91.218.114.225|-|High
|9|92.243.95.203|203.95.243.92.cust-fiber.enegan.it|High
|10|94.100.21.213|94-100-21-213.static.hvvc.us|High
|11|107.191.62.45|107.191.62.45.vultr.com|Medium
|12|108.61.189.174|108.61.189.174.vultr.com|Medium
|13|134.119.217.84|-|High
|14|134.119.217.87|-|High
|15|148.251.197.113|n38-05.vpsnow.ru|High
|16|185.22.172.40|mx2.privacyrequired.link|High
|17|185.177.59.70|-|High
|========================================
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1211|7PK Security Features|High
|4|T1499|Resource Consumption|High
|5|T1552|Unprotected Storage of Credentials|High
|6|...|...|...
|========================================
There are 1 more TTP items available. Please use our online service to access the data.
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|//etc/RT2870STA.dat|High
|2|File|/cwp_{SESSION_HASH}/admin/loader_ajax.php|High
|3|File|/magnoliaPublic/travel/members/login.html|High
|4|File|/Main_AdmStatus_Content.asp|High
|5|File|/uncpath/|Medium
|6|File|/var/log/nginx|High
|7|File|admin/index.php|High
|8|File|advertiser.php|High
|9|File|akocomments.php|High
|10|File|al_initialize.php|High
|11|...|...|...
|========================================
There are 49 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://securelist.com/chafer-used-remexi-malware/89538/
* https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions
* https://unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
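Review bot: IOC row 6 has trailing whitespace inside the IP cell (`|6|89.38.97.115 |-|High`), unlike every other row; a consumer splitting on `|` gets `89.38.97.115 ` and a strict IP parser fails on it, so trim the value and add a whitespace check to the generator. Also `There are 1 more TTP items available.` needs singular agreement.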

112
APT41/README.adoc Normal file

@ -0,0 +1,112 @@
= APT41 - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.apt41[APT41]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.apt41
== Campaigns
The following campaigns are known and can be associated with the actor.
- CVE-2019-19781
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. US
. CN
. TR
. ...
There are 7 more country items available. Please use our online service to access the data.
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|43.255.191.255|-|High
|2|45.76.6.149|45.76.6.149.vultr.com|Medium
|3|45.76.75.219|45.76.75.219.vultr.com|Medium
|4|45.138.157.78|vpnru07.12.21.example.com|High
|5|61.78.62.21|-|High
|6|61.195.98.245|h61-195-98-245.ablenetvps.ne.jp|High
|7|66.42.48.186|66.42.48.186.vultr.com|Medium
|8|66.42.98.220|66.42.98.220.vultr.com|Medium
|9|66.42.103.222|66.42.103.222.vultr.com|Medium
|10|66.42.107.133|66.42.107.133.vultr.com|Medium
|11|66.98.126.203|66.98.126.203.16clouds.com|High
|12|67.198.161.250|67.198.161.250.CUSTOMER.KRYPT.COM|High
|13|67.198.161.251|67.198.161.251.CUSTOMER.KRYPT.COM|High
|14|67.198.161.252|67.198.161.252.CUSTOMER.KRYPT.COM|High
|15|74.82.201.8|74.82.201.8.16clouds.com|High
|16|91.208.184.78|wk-azure.biz|High
|17|103.19.3.21|-|High
|18|103.19.3.109|-|High
|19|103.79.76.205|103.79.76.205.static.hostdare.com|High
|20|103.224.83.95|-|High
|21|...|...|...
|========================================
There are 31 more IOC items available. Please use our online service to access the data.
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1211|7PK Security Features|High
|4|T1222|Permission Issues|High
|5|T1499|Resource Consumption|High
|6|...|...|...
|========================================
There are 3 more TTP items available. Please use our online service to access the data.
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|/etc/config/rpcd|High
|2|File|/forum/away.php|High
|3|File|/get_getnetworkconf.cgi|High
|4|File|/lists/admin/|High
|5|File|/login.cgi?logout=1|High
|6|File|/public/login.htm|High
|7|File|/tmp/app/.env|High
|8|File|/wp-admin/admin-ajax.php|High
|9|File|/_next|Low
|10|File|addentry.php|Medium
|11|...|...|...
|========================================
There are 98 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://app.box.com/s/qtqlwejty7xz8wj8osz98webycgo5j9x
* https://github.com/eset/malware-ioc/tree/master/winnti_group
* https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/20134508/winnti-more-than-just-a-game-130410.pdf
* https://vxug.fakedoma.in/archive/APTs/2021/2021.01.14/APT%2041.pdf
* https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html
* https://www.threatminer.org/report.php?q=OfPigsandMalwareExaminingaPossibleMemberoftheWinntiGroup-TrendMicro.pdf&y=2017
* https://www.threatminer.org/report.php?q=WinntiAbusesGitHubforC&CCommunications-TrendMicro.pdf&y=2017
* https://www.threatminer.org/report.php?q=WinntiEvolution-GoingOpenSource-Protectwise.pdf&y=2017
* https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/
* https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
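Review bot: "ressources" in the IOC intro line ("associated network ressources which are known to be part of research and attack activities") is misspelled and should read "resources". The same template sentence recurs in every README.adoc added by this commit, so the fix belongs in the generator that emits these files rather than in each file individually. In the same intro, "Medium" on the vultr.com rows (2, 3, 7 to 10) is appropriate since those are rented VPS addresses that change hands, and a short legend for what High/Medium/Low mean would help consumers of the feed.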

ActionRAT/README.adoc Normal file
@ -0,0 +1,72 @@
= ActionRAT - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.actionrat[ActionRAT]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.actionrat
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. US
. DE
. CA
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|144.91.65.100|vmi652772.contaboserver.net|High
|2|144.91.91.236|vmi512038.contaboserver.net|High
|3|149.248.52.61|149.248.52.61.vultr.com|Medium
|4|173.212.224.110|vmi587275.contaboserver.net|High
|========================================
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1499|Resource Consumption|High
|4|T1587.003|Improper Certificate Validation|High
|5|T1600|Cryptographic Issues|High
|========================================
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|/wordpress/wp-admin/admin.php|High
|2|File|admin/index.php|High
|3|File|books.php|Medium
|4|File|data/gbconfiguration.dat|High
|5|File|filter.php|Medium
|6|File|guestbook.cgi|High
|7|File|inc/config.php|High
|8|File|lib/krb5/asn.1/asn1_encode.c|High
|9|File|login.php|Medium
|10|File|mdeploy.php|Medium
|11|...|...|...
|========================================
There are 23 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/594/original/Network_IOCs_list_for_coverage.txt?1625657479
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
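Review bot: IOA row 8, lib/krb5/asn.1/asn1_encode.c, is a source file of an affected product taken from a vulnerability entry, not a path an actor requests or drops on a host, yet it sits in the same "File" class as request paths such as /wordpress/wp-admin/admin.php (row 1). The intro sentence promises "fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration"; it should say that these entries are derived from vulnerability records the predictive model associates with the actor, or the class column should separate request paths from vulnerable-source filenames, so readers do not build detections on a filename that never appears on the wire.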

Adrozek/README.adoc Normal file
@ -0,0 +1,26 @@
= Adrozek - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.adrozek[Adrozek]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.adrozek
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|104.21.70.96|-|High
|2|172.67.222.123|-|High
|========================================
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://blog.talosintelligence.com/2021/06/threat-roundup-0611-0617.html
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
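Review bot: both IOC rows, 104.21.70.96 and 172.67.222.123, fall inside Cloudflare's anycast ranges (104.16.0.0/13 and 172.64.0.0/13), so they identify a proxied web site rather than infrastructure the actor controls, and the "-" in the Hostname column hides exactly the fronted domain that would carry the attribution. Either add the hostname the source report tied to these addresses or mark the rows as shared infrastructure with lower confidence; as listed, a consumer that feeds this table into a blocklist will block unrelated tenants of the same edge.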

Adwind/README.adoc Normal file
@ -0,0 +1,97 @@
= Adwind - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.adwind[Adwind]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.adwind
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. US
. CO
. RU
. ...
There are 13 more country items available. Please use our online service to access the data.
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|2.5.29.14|-|High
|2|5.79.79.67|-|High
|3|5.79.79.70|storage205.ntesrv.com|High
|4|5.187.34.231|231.34.187.5.in-addr.arpa.dynamic.gestiondeservidor.com|High
|5|5.254.112.21|-|High
|6|5.254.112.24|-|High
|7|5.254.112.36|-|High
|8|5.254.112.56|-|High
|9|5.254.112.60|-|High
|10|8.15.0.59|-|High
|11|14.3.210.2|ae210002.dynamic.ppp.asahi-net.or.jp|High
|12|23.227.196.198|23-227-196-198.static.hvvc.us|High
|13|23.227.199.72|23-227-199-72.static.hvvc.us|High
|14|23.227.199.118|23-227-199-118.static.hvvc.us|High
|15|23.227.199.121|23-227-199-121.static.hvvc.us|High
|16|23.231.23.182|-|High
|17|31.31.196.31|server31.hosting.reg.ru|High
|18|31.171.155.72|-|High
|19|37.61.235.30|-|High
|20|46.20.33.76|-|High
|21|...|...|...
|========================================
There are 106 more IOC items available. Please use our online service to access the data.
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1110.001|Improper Restriction of Excessive Authentication Attempts|High
|4|T1211|7PK Security Features|High
|5|T1222|Permission Issues|High
|6|...|...|...
|========================================
There are 7 more TTP items available. Please use our online service to access the data.
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|%windir%\Internet Logs\|High
|2|File|/admin/link.php?action=addlink|High
|3|File|/ajax/GetInheritedProperties|High
|4|File|/anony/mjpg.cgi|High
|5|File|/browse.PROJECTKEY|High
|6|File|/data/admin/#/app/config/|High
|7|File|/etc/group|Medium
|8|File|/forum/away.php|High
|9|File|/info.xml|Medium
|10|File|/knowage/restful-services/signup/update|High
|11|...|...|...
|========================================
There are 247 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://www.threatminer.org/report.php?q=KL_AdwindPublicReport_2016.pdf&y=2016
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
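Review bot: IOC row 1, 2.5.29.14, is not an IP address but the ASN.1 object identifier of the X.509 subjectKeyIdentifier certificate extension (joint-iso-itu-t(2) ds(5) certificateExtension(29) 14). It was almost certainly matched by a dotted-quad regex while parsing a certificate dump in the source report, and should be dropped rather than published at High confidence. A sanity filter that rejects candidates whose first octet is below 1 or that fall in reserved ranges would catch this class of extraction error before it reaches the README.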

Agrius/README.adoc Normal file
@ -0,0 +1,86 @@
= Agrius - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.agrius[Agrius]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.agrius
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. US
. RU
. IR
. ...
There are 8 more country items available. Please use our online service to access the data.
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|5.2.67.85|mail.astrilll.com|High
|2|5.2.73.67|-|High
|3|37.59.236.232|37.59.236.232.rdns.hasaserver.com|High
|4|37.120.238.15|-|High
|5|54.37.99.4|ip4.ip-54-37-99.eu|High
|6|81.177.22.16|-|High
|7|81.177.23.16|-|High
|8|95.211.140.221|-|High
|9|185.142.97.81|altvpn.mgn-host.ru|High
|10|185.142.98.32|free.mgnhost.com|High
|11|185.147.131.81|-|High
|12|195.123.208.152|unallocated.layer6.net|High
|========================================
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1211|7PK Security Features|High
|4|T1222|Permission Issues|High
|5|T1499|Resource Consumption|High
|6|...|...|...
|========================================
There are 2 more TTP items available. Please use our online service to access the data.
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|/cgi-bin/kerbynet|High
|2|File|/opt/IBM/es/lib/libffq.cryptionjni.so|High
|3|File|/plugins/Dashboard/Controller.php|High
|4|File|/storage/app/media/evil.svg|High
|5|File|/uncpath/|Medium
|6|File|admin.asp|Medium
|7|File|admin.php|Medium
|8|File|admin/admin_users.php|High
|9|File|app/Controller/GalaxyElementsController.php|High
|10|File|Application/Common/Controller/BaseController.class.php|High
|11|...|...|...
|========================================
There are 62 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://github.com/blackorbird/APT_REPORT/blob/master/Agrius/evol-agrius.pdf
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

Allakore/README.adoc Normal file
@ -0,0 +1,75 @@
= Allakore - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.allakore[Allakore]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.allakore
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. US
. DE
. CA
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|144.91.65.100|vmi652772.contaboserver.net|High
|2|144.91.91.236|vmi512038.contaboserver.net|High
|3|161.97.142.96|vmi661694.contaboserver.net|High
|4|164.68.104.126|vmd76303.contaboserver.net|High
|5|167.86.83.29|vmi655047.contaboserver.net|High
|6|173.212.224.110|vmi587275.contaboserver.net|High
|7|173.249.50.230|vmi626137.contaboserver.net|High
|========================================
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1499|Resource Consumption|High
|4|T1587.003|Improper Certificate Validation|High
|5|T1600|Cryptographic Issues|High
|========================================
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|/wordpress/wp-admin/admin.php|High
|2|File|admin/index.php|High
|3|File|data/gbconfiguration.dat|High
|4|File|filter.php|Medium
|5|File|inc/config.php|High
|6|File|item_show.php|High
|7|File|lib/krb5/asn.1/asn1_encode.c|High
|8|File|login.php|Medium
|9|File|mdeploy.php|Medium
|10|File|multipart/form-data|High
|11|...|...|...
|========================================
There are 20 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/594/original/Network_IOCs_list_for_coverage.txt?1625657479
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
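Review bot: IOC rows 1, 2 and 6 (144.91.65.100, 144.91.91.236, 173.212.224.110), the country list (US, DE, CA), the whole TTP table and the single reference are identical to those in ActionRAT/README.adoc earlier in this commit, and the IOA tables overlap heavily as well. If both actor profiles were derived from the same Talos Network_IOCs_list_for_coverage.txt, the README should say so explicitly, otherwise readers will take the two files as independent sightings of the same infrastructure and over-count the evidence.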

Amnesia/README.adoc Normal file
@ -0,0 +1,67 @@
= Amnesia - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.amnesia[Amnesia]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.amnesia
== Campaigns
The following campaigns are known and can be associated with the actor.
- TVT Digital DVR Devices
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. US
. IN
. NL
. ...
There are 3 more country items available. Please use our online service to access the data.
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|93.174.95.38|-|High
|========================================
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1068|Execution with Unnecessary Privileges|High
|========================================
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|/api/addusers|High
|2|File|/home/httpd/cgi-bin/cgi.cgi|High
|3|File|/public/login.htm|High
|4|File|forumrunner/includes/moderation.php|High
|5|Argument|Password|Medium
|6|Argument|postids|Low
|========================================
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://unit42.paloaltonetworks.com/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

Arid Viper/README.adoc Normal file
@ -0,0 +1,76 @@
= Arid Viper - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.arid_viper[Arid Viper]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.arid_viper
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. US
. DE
. PL
. ...
There are 1 more country items available. Please use our online service to access the data.
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|54.255.143.112|ec2-54-255-143-112.ap-southeast-1.compute.amazonaws.com|Medium
|2|173.236.89.19|19.89.236.173.unassigned.ord.singlehop.net|High
|3|188.40.75.132|static.132.75.40.188.clients.your-server.de|High
|4|188.40.81.136|francisco.eox.at|High
|5|192.254.132.26|pst.pstcmedia.com|High
|6|195.154.133.228|195-154-133-228.rev.poneytelecom.eu|High
|7|195.154.252.2|hostd4.ahcorporation.com|High
|========================================
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|========================================
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|addguest.cgi|Medium
|2|File|add_comment.php|High
|3|File|admin/index.php|High
|4|File|data/gbconfiguration.dat|High
|5|File|e2_header.inc.php|High
|6|File|email.php|Medium
|7|File|Forms/tools_admin_1|High
|8|File|ftpcmd.c|Medium
|9|File|gb.cgi|Low
|10|File|inc/config.php|High
|11|...|...|...
|========================================
There are 19 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://www.threatminer.org/report.php?q=operation-arid-viper-whitepaper-en.pdf&y=2015
* https://www.threatminer.org/report.php?q=OperationAridViperSlithersBackintoView_Proofpoint.pdf&y=2015
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
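Review bot: "There are 1 more country items available" under the Countries list is ungrammatical; the generator should special-case the singular ("There is 1 more country item available"). The same footer template is used for the IOC, TTP and IOA tables across all files in this commit, so the fix belongs in the shared code path rather than in this file.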

Armor Piercer/README.adoc Normal file
@ -0,0 +1,65 @@
= Armor Piercer - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.armor_piercer[Armor Piercer]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.armor_piercer
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. US
. CN
. IT
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|5.252.179.221|5-252-179-221.mivocloud.com|High
|2|45.79.81.88|li1180-88.members.linode.com|High
|3|64.188.13.46|64.188.13.46.static.quadranet.com|High
|4|66.154.103.106|66.154.103.106.static.quadranet.com|High
|5|66.154.112.212|66.154.112.212.static.quadranet.com|High
|========================================
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|========================================
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|category.cfm|Medium
|2|File|itemlookup.asp|High
|3|File|mat5.c|Low
|4|File|phddns.lua|Medium
|5|File|register.php|Medium
|6|Argument|cat|Low
|7|Argument|new-interface|High
|8|Argument|PATH_INFO|Medium
|========================================
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://blog.talosintelligence.com/2021/09/operation-armor-piercer.html
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

Astro Locker/README.adoc Normal file
@ -0,0 +1,57 @@
= Astro Locker - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.astro_locker[Astro Locker]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.astro_locker
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. US
. CN
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|45.134.21.8|-|High
|2|46.21.153.135|135.153.21.46.static.swiftway.net|High
|3|139.60.161.68|-|High
|4|185.38.185.87|-|High
|========================================
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|/htmlcode/html/indexdefault.asp|High
|2|File|ajax_admin_apis.php|High
|3|File|ajax_php_pecl.php|High
|4|File|books.php|Medium
|5|File|category.cfm|Medium
|6|Argument|bookid|Low
|7|Argument|cat|Low
|8|Argument|employee_id|Medium
|9|Argument|line|Low
|10|Argument|phpversion|Medium
|11|...|...|...
|========================================
There are 4 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://github.com/sophoslabs/IoCs/blob/master/Ransomware-AstroLocker.csv
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

Autoit/README.adoc Normal file
@ -0,0 +1,96 @@
= Autoit - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.autoit[Autoit]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.autoit
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. DE
. US
. ES
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|8.248.165.254|-|High
|2|8.249.217.254|-|High
|3|8.253.131.121|-|High
|4|13.56.128.67|ec2-13-56-128-67.us-west-1.compute.amazonaws.com|Medium
|5|23.3.13.88|a23-3-13-88.deploy.static.akamaitechnologies.com|High
|6|23.3.13.154|a23-3-13-154.deploy.static.akamaitechnologies.com|High
|7|23.63.245.19|a23-63-245-19.deploy.static.akamaitechnologies.com|High
|8|23.63.245.50|a23-63-245-50.deploy.static.akamaitechnologies.com|High
|9|23.199.71.136|a23-199-71-136.deploy.static.akamaitechnologies.com|High
|10|35.205.61.67|67.61.205.35.bc.googleusercontent.com|Medium
|11|72.21.81.240|-|High
|12|104.18.6.156|-|High
|13|104.18.7.156|-|High
|14|104.21.9.139|-|High
|15|104.21.19.200|-|High
|16|104.26.12.247|-|High
|17|104.26.13.247|-|High
|18|120.136.10.20|sv519.xserver.jp|High
|19|132.226.8.169|-|High
|20|144.76.201.136|static.136.201.76.144.clients.your-server.de|High
|21|...|...|...
|========================================
There are 10 more IOC items available. Please use our online service to access the data.
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1110.001|Improper Restriction of Excessive Authentication Attempts|High
|4|T1222|Permission Issues|High
|5|T1499|Resource Consumption|High
|6|...|...|...
|========================================
There are 5 more TTP items available. Please use our online service to access the data.
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|/appLms/ajax.server.php|High
|2|File|/apps/|Low
|3|File|/onlineordering/GPST/store/initiateorder.php|High
|4|File|/rup|Low
|5|File|/var/hnap/timestamp|High
|6|File|admin.php|Medium
|7|File|admin/admin_login.php|High
|8|File|api/external.php?object=centreon_metric&action=listByService|High
|9|File|app\contacts\contact_edit.php|High
|10|File|audio_acdb.c|Medium
|11|...|...|...
|========================================
There are 91 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://blog.talosintelligence.com/2021/08/threat-roundup-0730-0806.html
* https://blog.talosintelligence.com/2021/09/threat-roundup-0827-0903.html
* https://blog.talosintelligence.com/2021/09/threat-roundup-0910-0917.html
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
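Review bot: the IOC table lists shared cloud and CDN front-ends as actor indicators, most at High confidence: row 4 is an EC2 host (`ec2-13-56-128-67.us-west-1.compute.amazonaws.com`), rows 5 to 9 are Akamai edge nodes (`deploy.static.akamaitechnologies.com`) and row 10 is a Google Cloud front-end (`bc.googleusercontent.com`). These addresses serve many unrelated tenants, so a consumer who feeds the table into a blocklist will block legitimate traffic; suggest marking such rows Low, or stating in the `== IOC` intro that rows whose hostname is a CDN or cloud provider are detection context only. Two smaller points that apply to every README in this commit: `ressources` in the IOC intro should read `resources`, and the TTP column headed `Access Vector` actually holds weakness classes (`Cross Site Scripting`, `Permission Issues`, `Resource Consumption`), so a header such as `Weakness` would describe its content.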

Aveo/README.adoc Normal file
@ -0,0 +1,45 @@
= Aveo - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.aveo[Aveo]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.aveo
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. US
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|50.63.202.38|ip-50-63-202-38.ip.secureserver.net|High
|2|104.202.173.82|104-202-173-82.dyn.grandenetworks.net|High
|3|107.180.36.179|ip-107-180-36-179.ip.secureserver.net|High
|4|172.16.95.184|-|High
|========================================
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|themes/|Low
|========================================
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://unit42.paloaltonetworks.com/unit42-aveo-malware-family-targets-japanese-speaking-users/
* https://www.threatminer.org/report.php?q=AveoMalwareFamilyTargetsJapaneseSpeakingUsers-PaloAltoNetworksBlogPaloAltoNetworksBlog.pdf&y=2016
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
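Review bot: row 4 of the IOC table, `172.16.95.184`, is an RFC 1918 private address (172.16.0.0/12). It is not routable on the Internet, cannot identify the actor's infrastructure, and will match an internal host in any organisation that uses that range, so a High confidence rating invites false positives. Suggest dropping the row, or, if it is kept because the source report mentions it, annotating it as non-routable so that consumers exclude it from blocklists.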

BEAR/README.adoc Normal file
@ -0,0 +1,78 @@
= BEAR - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.bear[BEAR]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.bear
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. EE
. US
. UA
. ...
There are 3 more country items available. Please use our online service to access the data.
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|5.149.248.67|mx1-mail.com|High
|2|5.149.248.193|-|High
|3|5.149.249.172|-|High
|4|5.149.254.114|mail1.auditoriavanzada.info|High
|5|95.153.32.53|mx1.servicetransfermail.com|High
|6|155.254.36.155|-|High
|========================================
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1211|7PK Security Features|High
|4|T1552|Unprotected Storage of Credentials|High
|5|T1600|Cryptographic Issues|High
|========================================
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|/index.php|Medium
|2|File|/uncpath/|Medium
|3|File|add_comment.php|High
|4|File|data/gbconfiguration.dat|High
|5|File|FlexCell.ocx|Medium
|6|File|forums.aspx|Medium
|7|File|forums.php|Medium
|8|File|index.php|Medium
|9|File|install.php|Medium
|10|File|photo-gallery.php|High
|11|...|...|...
|========================================
There are 16 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://www.threatminer.org/report.php?q=CanaBEARFitDownaRabbitHole_StateBoardofElectionAnalysis-ThreatConnect.pdf&y=2016
* https://www.threatminer.org/report.php?q=RussiaHacksBellingcatMH17Investigation_ThreatConnect.pdf&y=2016
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

Babar/README.adoc Normal file
@ -0,0 +1,78 @@
= Babar - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.babar[Babar]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.babar
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. US
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|64.20.43.107|vps238561.trouble-free.net|High
|2|69.25.212.153|-|High
|3|83.149.75.58|reserved.ps-it.nl|High
|4|104.153.45.38|cpan6.webline-servers.com|High
|5|184.172.143.188|bc.8f.acb8.ip4.static.sl-reverse.com|High
|6|192.185.113.148|192-185-113-148.unifiedlayer.com|High
|7|199.119.202.195|danish.unixbsd.info|High
|8|199.231.93.221|cpan3s.webline-services.com|High
|9|206.41.94.190|handsets.voip.novavision.ca|High
|10|207.189.104.86|ppc.snapnames.com|High
|11|207.189.104.87|parked.snapnames.com|High
|12|208.87.242.66|ant.unixbsd.info|High
|13|209.62.21.228|ev1s-209-62-21-228.theplanet.com|High
|14|212.27.35.109|oldredir.online.net|High
|15|216.152.252.55|ip-216-152-252-55.wireless.dyn.beamspeed.net|High
|========================================
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|========================================
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|addentry.php|Medium
|2|File|data/gbconfiguration.dat|High
|3|File|dc_categorieslist.asp|High
|4|File|detected_potential_files.cgi|High
|5|File|guestbook.cgi|High
|6|File|inc/config.php|High
|7|File|phpinfo.php|Medium
|8|File|reports_mta_queue_status.html|High
|9|File|template.class.php|High
|10|Argument|basePath|Medium
|11|...|...|...
|========================================
There are 4 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://www.threatminer.org/report.php?q=Elephantosis.pdf&y=2015
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
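Review bot: rows 10 and 11 of the IOC table resolve to `ppc.snapnames.com` and `parked.snapnames.com`, which is domain-parking infrastructure; that indicates the original domains have lapsed and are no longer under the actor's control, so a High confidence rating on these addresses is hard to justify. Suggest marking them Low or annotating them as historical. Row 15 (`ip-216-152-252-55.wireless.dyn.beamspeed.net`) sits on a dynamic wireless pool and will be reassigned over time, so it deserves the same treatment.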

BabyShark/README.adoc Normal file
@ -0,0 +1,31 @@
= BabyShark - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.babyshark[BabyShark]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.babyshark
== Campaigns
The following campaigns are known and can be associated with the actor.
- BabyShark
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|173.248.170.149|-|High
|========================================
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://www.threatminer.org/_reports/2019/BabySharkMalwarePartTwo%E2%80%93AttacksContinueUsingKimJongRATandPCRat.pdf#viewer.action=download
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

@ -0,0 +1,87 @@
= BackdoorDiplomacy - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.backdoordiplomacy[BackdoorDiplomacy]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.backdoordiplomacy
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. CN
. US
. GB
. ...
There are 1 more country items available. Please use our online service to access the data.
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|23.83.224.178|23.83.224.178.16clouds.com|High
|2|23.106.140.207|23.106.140.207.16clouds.com|High
|3|23.228.203.130|unassigned.psychz.net|High
|4|23.247.47.252|-|High
|5|43.225.126.179|-|High
|6|43.251.105.139|-|High
|7|43.251.105.218|-|High
|8|43.251.105.222|-|High
|9|45.76.120.84|45.76.120.84.vultr.com|Medium
|10|45.77.215.53|45.77.215.53.vultr.com|Medium
|11|78.141.196.159|78.141.196.159.vultr.com|Medium
|12|78.141.243.45|78.141.243.45.vultr.com|Medium
|13|152.32.180.34|-|High
|14|162.209.167.154|-|High
|15|162.209.167.189|-|High
|16|199.247.9.67|199.247.9.67.vultr.com|Medium
|17|207.148.8.82|cabarruscounty.synkato.io|High
|========================================
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1499|Resource Consumption|High
|4|T1555|Cleartext Storage of Sensitive Information|High
|========================================
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|/clientes/visualizar|High
|2|File|/oputilsServlet|High
|3|File|admin/conf_users_edit.php|High
|4|File|data/gbconfiguration.dat|High
|5|File|shoutbox.php|Medium
|6|File|wp-admin/post.php|High
|7|File|wp-login.php|Medium
|8|Argument|action|Low
|9|Argument|description|Medium
|10|Argument|filePath0|Medium
|11|...|...|...
|========================================
There are 6 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
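Review bot: `There are 1 more country items available.` after the country list is ungrammatical; the template that generates these READMEs should pluralise on the count (`There is 1 more country item available.`). The same template emits the `...` row and trailing count for the IOC, TTP and IOA tables, so one fix covers every file in this commit.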

BadPatch/README.adoc Normal file
@ -0,0 +1,45 @@
= BadPatch - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.badpatch[BadPatch]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.badpatch
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. DE
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|148.251.135.117|server.pogled.ba|High
|2|195.154.216.74|195-154-216-74.rev.poneytelecom.eu|High
|========================================
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|includes/pages.inc.php|High
|2|File|setup.cgi|Medium
|3|Argument|PagePrefix|Medium
|4|Argument|TimeToLive|Medium
|========================================
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://www.threatminer.org/report.php?q=BadPatch-PaloAltoNetworks.pdf&y=2017
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

Baldr/README.adoc Normal file
@ -0,0 +1,97 @@
= Baldr - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.baldr[Baldr]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.baldr
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. US
. RU
. CN
. ...
There are 16 more country items available. Please use our online service to access the data.
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|5.8.88.198|-|High
|2|5.45.73.87|-|High
|3|5.188.60.7|-|High
|4|5.188.60.18|-|High
|5|5.188.60.24|-|High
|6|5.188.60.30|-|High
|7|5.188.60.54|-|High
|8|5.188.60.68|-|High
|9|5.188.60.74|-|High
|10|5.188.60.101|-|High
|11|5.188.60.115|-|High
|12|5.188.60.206|-|High
|13|5.188.231.96|-|High
|14|5.188.231.210|-|High
|15|18.207.217.146|ec2-18-207-217-146.compute-1.amazonaws.com|Medium
|16|18.221.49.166|ec2-18-221-49-166.us-east-2.compute.amazonaws.com|Medium
|17|23.19.58.101|-|High
|18|23.95.95.61|23-95-95-61-host.colocrossing.com|High
|19|23.254.217.112|hwsrv-901988.hostwindsdns.com|High
|20|23.254.225.240|hwsrv-907360.hostwindsdns.com|High
|21|...|...|...
|========================================
There are 101 more IOC items available. Please use our online service to access the data.
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1110.001|Improper Restriction of Excessive Authentication Attempts|High
|4|T1211|7PK Security Features|High
|5|T1222|Permission Issues|High
|6|...|...|...
|========================================
There are 4 more TTP items available. Please use our online service to access the data.
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|/+CSCOE+/logon.html|High
|2|File|/admin/functions.php|High
|3|File|/auth/login|Medium
|4|File|/download|Medium
|5|File|/forum/away.php|High
|6|File|/goform/saveParentControlInfo|High
|7|File|/inc/lists/edit-list.php|High
|8|File|/Interface/DevManage/EC.php?cmd=upload|High
|9|File|/MicroStrategyWS/happyaxis.jsp|High
|10|File|/modules/projects/vw_files.php|High
|11|...|...|...
|========================================
There are 247 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://github.com/sophoslabs/IoCs/blob/master/Stealer-Baldr
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

Banjori/README.adoc Normal file
@ -0,0 +1,97 @@
= Banjori - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.banjori[Banjori]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.banjori
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. JP
. DE
. US
. ...
There are 10 more country items available. Please use our online service to access the data.
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|3.216.121.17|ec2-3-216-121-17.compute-1.amazonaws.com|Medium
|2|5.79.79.212|-|High
|3|13.59.74.74|ec2-13-59-74-74.us-east-2.compute.amazonaws.com|Medium
|4|14.192.4.75|-|High
|5|18.213.250.117|ec2-18-213-250-117.compute-1.amazonaws.com|Medium
|6|18.215.128.143|ec2-18-215-128-143.compute-1.amazonaws.com|Medium
|7|23.89.20.107|-|High
|8|23.89.102.123|-|High
|9|23.107.124.53|-|High
|10|23.110.15.74|-|High
|11|23.226.53.226|-|High
|12|23.227.38.65|myshopify.com|High
|13|23.231.218.195|-|High
|14|23.236.62.147|147.62.236.23.bc.googleusercontent.com|Medium
|15|34.98.99.30|30.99.98.34.bc.googleusercontent.com|Medium
|16|34.102.136.180|180.136.102.34.bc.googleusercontent.com|Medium
|17|35.186.238.101|101.238.186.35.bc.googleusercontent.com|Medium
|18|35.226.69.129|129.69.226.35.bc.googleusercontent.com|Medium
|19|43.230.142.125|-|High
|20|43.241.196.105|-|High
|21|...|...|...
|========================================
There are 116 more IOC items available. Please use our online service to access the data.
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1110.001|Improper Restriction of Excessive Authentication Attempts|High
|4|T1211|7PK Security Features|High
|5|T1222|Permission Issues|High
|6|...|...|...
|========================================
There are 6 more TTP items available. Please use our online service to access the data.
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|"/xml/system/setAttribute.xml|High
|2|File|#!/system|Medium
|3|File|$SPLUNK_HOME/etc/splunk-launch.conf|High
|4|File|%LOCALAPPDATA%\Zemana\ZALSDK\MyRules2.ini|High
|5|File|%ProgramData%\CTES|High
|6|File|%SYSTEMDRIVE%|High
|7|File|%TEMP%\par-%username%\cache-exiftool-8.32|High
|8|File|%windir%\Internet Logs\|High
|9|File|.../gogo/|Medium
|10|File|.asp|Low
|11|...|...|...
|========================================
There are 5749 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://github.com/firehol/blocklist-ipsets/blob/master/bambenek_banjori.ipset
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
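Review bot: row 1 of the IOA table, `"/xml/system/setAttribute.xml`, carries a stray leading double quote that looks like an unescaped field from the export, and rows 2 (`#!/system`), 6 (`%SYSTEMDRIVE%`) and 10 (`.asp`) are too generic to act on as indicators; suggest trimming quotes during export and filtering IOA fragments below a minimum specificity before publishing. In the IOC table, row 12 (`23.227.38.65`, `myshopify.com`) is a shared e-commerce front-end and rows 14 to 18 are Google Cloud front-ends (`bc.googleusercontent.com`), so these rows should carry a shared-infrastructure caveat rather than be consumed as block indicators.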

Banload/README.adoc Normal file
@ -0,0 +1,94 @@
= Banload - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.banload[Banload]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.banload
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. US
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|13.107.21.200|-|High
|2|31.13.66.19|xx-fbcdn-shv-01-iad3.fbcdn.net|High
|3|34.102.185.99|99.185.102.34.bc.googleusercontent.com|Medium
|4|34.212.89.14|ec2-34-212-89-14.us-west-2.compute.amazonaws.com|Medium
|5|52.95.165.35|s3-sa-east-1.amazonaws.com|Medium
|6|52.216.76.254|s3-1.amazonaws.com|Medium
|7|52.216.84.109|s3-1.amazonaws.com|Medium
|8|52.216.129.45|s3-1.amazonaws.com|Medium
|9|52.216.245.54|s3-1.amazonaws.com|Medium
|10|52.217.33.190|s3-1.amazonaws.com|Medium
|11|52.217.45.150|s3-1.amazonaws.com|Medium
|12|52.217.48.70|s3-1.amazonaws.com|Medium
|13|52.217.79.142|s3-1.amazonaws.com|Medium
|14|52.217.85.222|s3-1.amazonaws.com|Medium
|15|74.119.119.139|-|High
|16|74.125.192.94|qn-in-f94.1e100.net|High
|17|142.250.80.2|lga34s33-in-f2.1e100.net|High
|18|142.250.80.3|lga34s33-in-f3.1e100.net|High
|19|142.250.111.154|gb-in-f154.1e100.net|High
|20|143.204.150.172|server-143-204-150-172.ewr52.r.cloudfront.net|High
|21|...|...|...
|========================================
There are 50 more IOC items available. Please use our online service to access the data.
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1110.001|Improper Restriction of Excessive Authentication Attempts|High
|4|T1211|7PK Security Features|High
|5|T1499|Resource Consumption|High
|6|...|...|...
|========================================
There are 2 more TTP items available. Please use our online service to access the data.
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|/as/authorization.oauth2|High
|2|File|/Forms/WLAN_General_1|High
|3|File|/html/portal/flash.jsp|High
|4|File|/index.php|Medium
|5|File|/lua/set-passwd.lua|High
|6|File|/oauth/authorize|High
|7|File|/uncpath/|Medium
|8|File|/user/user/edit.php|High
|9|File|backupsettings.html|High
|10|File|comment_add.asp|High
|11|...|...|...
|========================================
There are 41 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://blog.talosintelligence.com/2021/02/threat-roundup-0129-0205.html
* https://blog.talosintelligence.com/2021/03/threat-roundup-0319-0326.html
* https://blog.talosintelligence.com/2021/05/threat-roundup-0514-0521.html
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
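Review bot: the IOC table is dominated by shared infrastructure: rows 6 to 14 all resolve to `s3-1.amazonaws.com`, row 2 is a Facebook CDN node (`fbcdn.net`), rows 16 to 19 are Google front-ends (`1e100.net`) and row 20 is a CloudFront edge. For the S3 rows only the bucket or URL path distinguishes the actor's payload hosting from every other S3 user, so the endpoint addresses carry no discriminating value as IP indicators; suggest moving the relevant URL or bucket name to the IOA table and dropping the address rows, and lowering the Google and Facebook rows from High.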

Barys/README.adoc Normal file
@ -0,0 +1,40 @@
= Barys - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.barys[Barys]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.barys
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|52.137.90.34|-|High
|2|52.185.71.28|-|High
|3|74.125.192.138|qn-in-f138.1e100.net|High
|4|104.18.11.39|-|High
|5|172.217.222.138|qi-in-f138.1e100.net|High
|6|173.194.204.94|qb-in-f94.1e100.net|High
|7|173.194.205.84|qm-in-f84.1e100.net|High
|8|173.194.207.132|qk-in-f132.1e100.net|High
|9|200.147.3.199|minnisinhashipi.com|High
|10|200.147.35.224|www.leitorpagseguro.com.br|High
|11|200.147.100.53|tvpanico.com|High
|12|209.85.144.106|qv-in-f106.1e100.net|High
|13|209.85.201.94|qu-in-f94.1e100.net|High
|14|216.218.208.114|216-218-208-114.sinkhole.shadowserver.org|High
|========================================
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://blog.talosintelligence.com/2021/06/threat-roundup-0604-0611.html
* https://blog.talosintelligence.com/2021/08/threat-roundup-0820-0827.html
* https://blog.talosintelligence.com/2021/09/threat-roundup-0827-0903.html
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
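Review bot: several High-confidence rows in the IOC table are shared or benign infrastructure, which will cause false positives if the table is fed to a blocklist: rows 3, 5, 6, 7, 8, 12 and 13 resolve to `*.1e100.net` hostnames (Google front-end servers), and row 14 is `216-218-208-114.sinkhole.shadowserver.org`, a researcher sinkhole rather than actor infrastructure; suggest either dropping these, lowering their confidence, or adding a column that marks shared/sinkhole addresses. Separately, "network ressources" in the IOC intro is a typo for "resources" (the same sentence is repeated in every README in this commit, so it should be fixed at the template).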

98
BazarLoader/README.adoc Normal file

@ -0,0 +1,98 @@
= BazarLoader - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.bazarloader[BazarLoader]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.bazarloader
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. US
. DK
. IT
. ...
There are 9 more country items available. Please use our online service to access the data.
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|31.171.251.118|ch.ns.mon0.li|High
|2|31.214.240.203|-|High
|3|34.209.40.84|ec2-34-209-40-84.us-west-2.compute.amazonaws.com|Medium
|4|34.221.188.35|ec2-34-221-188-35.us-west-2.compute.amazonaws.com|Medium
|5|45.71.112.70|host-45-71-112-70.nedetel.net|High
|6|45.76.254.23|45.76.254.23.vultr.com|Medium
|7|54.184.178.68|ec2-54-184-178-68.us-west-2.compute.amazonaws.com|Medium
|8|62.108.35.215|-|High
|9|72.21.81.240|-|High
|10|78.108.216.13|sshtunnel.itbyhf.xyz|High
|11|80.82.68.132|-|High
|12|91.217.137.37|frod.subnets.ru|High
|13|92.222.97.145|ip145.ip-92-222-97.eu|High
|14|94.247.43.254|opennic1.eth-services.de|High
|15|104.37.195.178|178.195.37.104.in-addr.arpa|High
|16|116.203.98.109|static.109.98.203.116.clients.your-server.de|High
|17|163.53.248.170|vmx20170.hosting24.com.au|High
|18|163.172.185.51|51-185-172-163.instances.scw.cloud|High
|19|165.22.224.164|-|High
|20|172.98.193.42|-|High
|21|...|...|...
|========================================
There are 7 more IOC items available. Please use our online service to access the data.
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1110.001|Improper Restriction of Excessive Authentication Attempts|High
|4|T1211|7PK Security Features|High
|5|T1222|Permission Issues|High
|6|...|...|...
|========================================
There are 5 more TTP items available. Please use our online service to access the data.
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|.user|Low
|2|File|/cgi-bin/system_mgr.cgi|High
|3|File|/Content/Template/root/reverse-shell.aspx|High
|4|File|/debug/pprof|Medium
|5|File|/inc/parser/xhtml.php|High
|6|File|/includes/db_adodb.php|High
|7|File|/PluXml/core/admin/parametres_edittpl.php|High
|8|File|/register.do|Medium
|9|File|/rest/project-templates/1.0/createshared|High
|10|File|/restoreinfo.cgi|High
|11|...|...|...
|========================================
There are 302 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://blog.talosintelligence.com/2021/05/threat-roundup-0514-0521.html
* https://twitter.com/_pr4gma/status/1347617681197961225
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
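Review bot: row 15 of the IOC table lists `178.195.37.104.in-addr.arpa` as the hostname, but that is the reverse-DNS zone name for 104.37.195.178 itself, not a forward hostname, so the Hostname column should show `-` there; rows 3, 4 and 7 (`ec2-*.us-west-2.compute.amazonaws.com`) and row 6 (`*.vultr.com`) are cloud addresses that are reassigned between tenants, and the Medium confidence on them is appropriate but would be clearer with a note that such entries should be time-bounded.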

64
BelialDemon/README.adoc Normal file

@ -0,0 +1,64 @@
= BelialDemon - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.belialdemon[BelialDemon]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.belialdemon
== Campaigns
The following campaigns are known and can be associated with the actor.
- Matanbuchus
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. TT
. CO
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|34.94.151.129|129.151.94.34.bc.googleusercontent.com|Medium
|2|34.105.89.82|82.89.105.34.bc.googleusercontent.com|Medium
|3|34.106.243.174|174.243.106.34.bc.googleusercontent.com|Medium
|========================================
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1499|Resource Consumption|High
|4|T1548.002|Improper Authorization|High
|========================================
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|include/ajax.draft.php|High
|2|Argument|request|Low
|========================================
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://unit42.paloaltonetworks.com/matanbuchus-malware-as-a-service/
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

44
Bifrost/README.adoc Normal file

@ -0,0 +1,44 @@
= Bifrost - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.bifrost[Bifrost]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.bifrost
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. ES
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|104.18.10.39|-|High
|2|172.105.155.183|li2071-183.members.linode.com|High
|3|173.194.5.216|lhr25s06-in-f8.1e100.net|High
|========================================
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|========================================
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://blog.talosintelligence.com/2021/04/threat-roundup-0402-0409.html
* https://blog.talosintelligence.com/2021/05/threat-roundup-0430-0507.html
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
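Review bot: the TTP table's "Access Vector" column holds a weakness-class name (`Cross Site Scripting`) beside the ATT&CK ID `T1059.007`, and the section text does not explain how the technique ID was mapped to that weakness; since the column header suggests an attack vector rather than a weakness category, suggest renaming the column or adding a sentence that states the mapping is derived from the predictive model. The IOC table also repeats the pattern from the Barys file: row 1 (`104.18.10.39`) is a Cloudflare-range address and row 3 resolves to `*.1e100.net` (Google), both marked High.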

26
Bisonal/README.adoc Normal file

@ -0,0 +1,26 @@
= Bisonal - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.bisonal[Bisonal]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.bisonal
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|116.193.155.38|-|High
|2|196.44.49.154|-|High
|========================================
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://www.threatminer.org/report.php?q=BisonalMalwareUsedinAttacksAgainstRussiaandSouthKorea-PaloAltoNetworksBlog.pdf&y=2018
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

48
Bitter/README.adoc Normal file

@ -0,0 +1,48 @@
= Bitter - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.bitter[Bitter]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.bitter
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. US
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|82.221.129.17|hengill.orangewebsite.com|High
|2|82.221.129.18|baula.orangewebsite.com|High
|3|82.221.129.19|jolnir.orangewebsite.com|High
|4|94.156.175.61|gray.warez-host.com|High
|5|162.222.215.2|-|High
|6|162.222.215.96|-|High
|========================================
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|shopreviewlist.asp|High
|2|File|test-cgi|Medium
|3|Argument|catalogid|Medium
|========================================
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://www.threatminer.org/report.php?q=SuspectedBITTERAPTContinuesTargetingGovernmentofChinaandChineseOrganizations.pdf&y=2019
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

78
Black KingDom/README.adoc Normal file
View File

@ -0,0 +1,78 @@
= Black KingDom - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.black_kingdom[Black KingDom]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.black_kingdom
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. US
. ES
. CN
. ...
There are 25 more country items available. Please use our online service to access the data.
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|104.21.89.10|-|High
|2|172.64.80.0|-|High
|3|185.220.101.204|tor-exit-204.relayon.org|High
|4|185.220.101.216|tor-exit-216.relayon.org|High
|========================================
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1008|Algorithm Downgrade|High
|2|T1040|Authentication Bypass by Capture-replay|High
|3|T1059.007|Cross Site Scripting|High
|4|T1068|Execution with Unnecessary Privileges|High
|5|T1110.001|Improper Restriction of Excessive Authentication Attempts|High
|6|...|...|...
|========================================
There are 11 more TTP items available. Please use our online service to access the data.
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|%LOCALAPPDATA%\SaferVPN\Log|High
|2|File|%PROGRAMDATA%\ASUS\GamingCenterLib|High
|3|File|%PROGRAMDATA%\OpenVPN Connect\drivers\tap\amd64\win10|High
|4|File|%PROGRAMDATA%\Razer Chroma\SDK\Apps|High
|5|File|%PROGRAMFILES(X86)%/Aternity Information Systems/Assistant/plugins|High
|6|File|%PROGRAMFILES(X86)%\Teradici\PCoIP.exe|High
|7|File|%SYSTEMDRIVE%\Course Software Material 18.0.1.9\cmd.exe|High
|8|File|.authlie|Medium
|9|File|.config/Yubico|High
|10|File|.htaccess|Medium
|11|...|...|...
|========================================
There are 6387 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://github.com/sophoslabs/IoCs/blob/master/Ransomware_BlackKingDom.csv
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
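Review bot: rows 3 and 4 of the IOC table are Tor exit relays (the hostnames `tor-exit-204.relayon.org` and `tor-exit-216.relayon.org` say so), and rows 1 and 2 (`104.21.89.10`, `172.64.80.0`) sit in Cloudflare address space, yet all four carry High confidence; a defender who blocks them blocks unrelated Tor and Cloudflare-fronted traffic, so these rows should be marked as anonymisation/CDN infrastructure rather than actor-controlled hosts. Row 2 also ends in `.0`, which looks like a network address captured from a prefix rather than a host and is worth re-checking.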

25
Black Vine/README.adoc Normal file

@ -0,0 +1,25 @@
= Black Vine - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.black_vine[Black Vine]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.black_vine
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|192.199.254.126|-|High
|========================================
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://www.threatminer.org/report.php?q=the-black-vine-cyberespionage-group.pdf&y=2015
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

69
BlackNet/README.adoc Normal file

@ -0,0 +1,69 @@
= BlackNet - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.blacknet[BlackNet]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.blacknet
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. US
. NL
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|1.1.1.1|one.one.one.one|High
|2|37.221.67.91|-|High
|3|45.133.1.98|-|High
|4|137.220.53.57|137.220.53.57.vultr.com|Medium
|5|185.239.243.112|ns1.20mb.nl|High
|========================================
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1499|Resource Consumption|High
|========================================
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|/about.php|Medium
|2|File|/it-IT/splunkd/__raw/services/get_snapshot|High
|3|File|/phpwcms/setup/setup.php|High
|4|File|category.cfm|Medium
|5|File|comersus_optreviewreadexec.asp|High
|6|File|data/gbconfiguration.dat|High
|7|File|index.php|Medium
|8|File|item_show.php|High
|9|File|wp-postratings.php|High
|10|Argument|cat|Low
|11|...|...|...
|========================================
There are 7 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://blog.talosintelligence.com/2021/06/threat-roundup-0528-0604.html
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
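Review bot: row 1 of the IOC table is `1.1.1.1` (`one.one.one.one`), the Cloudflare public DNS resolver, marked High confidence; a sample contacting a public resolver is a connectivity or DNS-resolution artefact, not actor infrastructure, and blocking it would break name resolution for anyone using that resolver, so the row should be removed or annotated as benign. Row 4 (`137.220.53.57.vultr.com`) is a cloud VPS address and its Medium rating is consistent with the other files.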

83
BlackTech/README.adoc Normal file

@ -0,0 +1,83 @@
= BlackTech - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.blacktech[BlackTech]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.blacktech
== Campaigns
The following campaigns are known and can be associated with the actor.
- Taiwan Government Agencies
- TSCookie
- WaterBear
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. CN
. MS
. US
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|10.0.0.211|-|High
|2|43.240.12.81|mail.terascape.net|High
|3|45.76.102.145|45.76.102.145.vultr.com|Medium
|4|45.124.25.31|hkhdc.laws.ms|High
|5|45.124.25.226|hkhdc.laws.ms|High
|6|60.244.52.29|60-244-52-29.tinp.apol.com.tw|High
|7|103.193.149.26|-|High
|8|103.240.202.34|-|High
|9|211.72.242.120|211-72-242-120.hinet-ip.hinet.net|High
|10|220.130.216.76|220-130-216-76.hinet-ip.hinet.net|High
|========================================
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1600|Cryptographic Issues|High
|========================================
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|/wp-json/oembed/1.0/embed?url|High
|2|File|base/ErrorHandler.php|High
|3|File|goto.php|Medium
|4|File|isc/get_sid_js.aspx|High
|5|File|item_show.php|High
|6|Argument|author_name|Medium
|7|Argument|code_no|Low
|8|Argument|dbg_buf|Low
|9|Argument|url|Low
|========================================
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://blogs.jpcert.or.jp/en/2018/03/malware-tscooki-7aa0.html
* https://www.ithome.com.tw/news/139504
* https://www.trendmicro.com/en_us/research/17/f/following-trail-blacktech-cyber-espionage-campaigns.html
* https://www.trendmicro.com/en_us/research/19/l/waterbear-is-back-uses-api-hooking-to-evade-security-product-detection.html
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
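Review bot: row 1 of the IOC table is `10.0.0.211`, an RFC 1918 private address that cannot be reached on the internet and therefore cannot be the actor's external infrastructure; it is most likely an internal address copied from a sandbox or incident report and should be removed, or at least not rated High. Rows 4 and 5 (`45.124.25.31`, `45.124.25.226`) share the hostname `hkhdc.laws.ms`, which is fine but worth a remark so readers do not assume a copy-paste error.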

78
Bookworm/README.adoc Normal file

@ -0,0 +1,78 @@
= Bookworm - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.bookworm[Bookworm]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.bookworm
== Campaigns
The following campaigns are known and can be associated with the actor.
- Thailand
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. US
. CN
. KR
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|43.248.8.249|-|High
|2|103.226.127.47|-|High
|3|104.156.239.105|104.156.239.105.vultr.com|Medium
|4|112.167.143.179|-|High
|5|115.144.107.22|-|High
|6|115.144.107.46|-|High
|7|115.144.107.52|-|High
|8|115.144.107.53|-|High
|9|115.144.107.134|-|High
|10|115.144.166.209|-|High
|11|119.205.158.70|-|High
|========================================
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1499|Resource Consumption|High
|========================================
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|/install/index.php|High
|2|File|/var/WEB-GUI/cgi-bin/telnet.cgi|High
|3|File|cirrus_vga.c|Medium
|4|File|func.php|Medium
|5|File|packages/strapi-admin/controllers/Auth.js|High
|6|File|register/check/username?username|High
|7|Argument|returnPath|Medium
|8|Argument|theme/lang|Medium
|9|Argument|username|Medium
|========================================
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://unit42.paloaltonetworks.com/attack-campaign-on-the-government-of-thailand-delivers-bookworm-trojan/
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

81
Bouncing Golf/README.adoc Normal file

@ -0,0 +1,81 @@
= Bouncing Golf - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.bouncing_golf[Bouncing Golf]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.bouncing_golf
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. US
. FR
. DE
. ...
There are 20 more country items available. Please use our online service to access the data.
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|54.38.51.159|-|High
|2|82.211.31.181|-|High
|3|84.234.96.167|eronn.erivermle.com|High
|4|185.183.99.116|otp.s0x.eu|High
|5|190.2.130.53|190-2-130-53.hosted-by-worldstream.net|High
|6|194.187.249.134|-|High
|7|212.8.248.179|212-8-248-179.hosted-by-worldstream.net|High
|========================================
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1110.001|Improper Restriction of Excessive Authentication Attempts|High
|4|T1211|7PK Security Features|High
|5|T1222|Permission Issues|High
|6|...|...|...
|========================================
There are 3 more TTP items available. Please use our online service to access the data.
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|.htaccess|Medium
|2|File|/.env|Low
|3|File|/cgi-bin/nobody|High
|4|File|/cgi-bin/nobody/Search.cgi|High
|5|File|/etc/passwd|Medium
|6|File|/forum/away.php|High
|7|File|/get_getnetworkconf.cgi|High
|8|File|/horde/util/go.php|High
|9|File|/new|Low
|10|File|/show_news.php|High
|11|...|...|...
|========================================
There are 195 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://documents.trendmicro.com/assets/appendix-mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east.pdf
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
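Review bot: the IOC section text `The indicators of compromise indicate associated network ressources` misspells "resources"; since this sentence is template text repeated in every README added by this commit, fix it in the generator rather than per file. The TTP table's `Access Vector` column actually carries weakness names (`Cross Site Scripting`, `7PK Security Features`, `Permission Issues`) rather than access vectors, so either rename the heading or document how an ATT&CK technique ID such as `T1059.007` is mapped to a weakness class.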


@ -0,0 +1,39 @@
= Brazil Unknown - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.brazil_unknown[Brazil Unknown]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.brazil_unknown
== Campaigns
The following campaigns are known and can be associated with the actor.
- Boleto Mestre
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. US
. NP
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|65.181.113.87|mx1.lifestylefundings.com|High
|2|65.181.127.152|portal2.brewmyidea.com|High
|========================================
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://unit42.paloaltonetworks.com/unit42-master-channel-the-boleto-mestre-campaign-targets-brazil/
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

72
Bronze Butler/README.adoc Normal file

@ -0,0 +1,72 @@
= Bronze Butler - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.bronze_butler[Bronze Butler]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.bronze_butler
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. US
. CN
. KR
. ...
There are 1 more country items available. Please use our online service to access the data.
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|27.255.69.209|-|High
|2|27.255.91.238|-|High
|3|106.184.5.30|-|High
|4|115.144.166.240|-|High
|5|160.16.243.147|tk2-263-41393.vs.sakura.ne.jp|High
|6|203.111.252.40|-|High
|========================================
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1222|Permission Issues|High
|4|T1600|Cryptographic Issues|High
|========================================
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|/out.php|Medium
|2|File|data/gbconfiguration.dat|High
|3|File|wp-login.php|Medium
|4|File|Xvpnd.exe|Medium
|5|Library|jscript9.dll|Medium
|6|Argument|HOST|Low
|7|Argument|id|Low
|8|Argument|reason|Low
|9|Network Port|tcp/2015|Medium
|========================================
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
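Review bot: `There are 1 more country items available.` is grammatically wrong for a count of one; the generator should pluralise on the count (`There is 1 more country item available.`). The same template already reads correctly for counts above one (`There are 20 more country items`), so only the singular branch is missing.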

70
Bronze Union/README.adoc Normal file

@ -0,0 +1,70 @@
= Bronze Union - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.bronze_union[Bronze Union]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.bronze_union
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. CN
. US
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|45.114.9.174|-|High
|2|96.90.63.57|nleq.com|High
|3|117.136.63.145|-|High
|4|198.56.185.179|-|High
|5|211.255.155.194|-|High
|6|211.255.155.199|-|High
|7|211.255.155.215|-|High
|8|211.255.155.218|-|High
|9|211.255.155.219|-|High
|10|211.255.155.224|-|High
|========================================
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1548.002|Improper Authorization|High
|========================================
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|/getcfg.php|Medium
|2|File|http_auth.c|Medium
|3|File|public/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]|High
|4|File|ticket.php|Medium
|5|Argument|SERVICES|Medium
|6|Argument|tid|Low
|7|Input Value|curl -d SERVICES=DEVICE.ACCOUNT http://192.168.0.1/getcfg.php|High
|8|Network Port|Web Server Port|High
|========================================
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://www.threatminer.org/report.php?q=BRONZEUNIONCyberespionagePersistsDespiteDisclosures_SecureWorks.pdf&y=2017
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
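Review bot: IOA row 7 (`curl -d SERVICES=DEVICE.ACCOUNT http://192.168.0.1/getcfg.php`) embeds a whole command line, including a private-range placeholder address, in the Indicator column; the matchable parts, the path `/getcfg.php` and the argument `SERVICES`, are already rows 1 and 5, so the row is redundant and the literal address would never match real traffic. Row 8 (`Network Port|Web Server Port`) gives no port number; either state the port or drop the row.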

69
Brunhilda/README.adoc Normal file

@ -0,0 +1,69 @@
= Brunhilda - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.brunhilda[Brunhilda]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.brunhilda
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. FR
. US
. DE
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|45.142.212.216|holkitsor4.example.com|High
|2|95.142.40.68|vm482228.eurodir.ru|High
|3|185.177.92.213|ip-185-177-92-213.ah-server.com|High
|4|185.177.93.32|ip-185-177-93-32.ah-server.com|High
|5|185.177.93.44|ip-185-177-93-44.ah-server.com|High
|6|185.177.93.72|ip-185-177-93-72.ah-server.com|High
|7|185.177.93.73|ip-185-177-93-73.ah-server.com|High
|8|185.177.93.105|ip-185-177-93-105.ah-server.com|High
|9|185.177.93.111|ip-185-177-93-111.ah-server.com|High
|10|185.177.93.120|ip-185-177-93-120.ah-server.com|High
|11|185.177.93.145|ip-185-177-93-145.ah-server.com|High
|12|185.177.93.242|ip-185-177-93-242.ah-server.com|High
|13|198.54.125.121|premium101-3.web-hosting.com|High
|========================================
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1211|7PK Security Features|High
|4|T1600|Cryptographic Issues|High
|========================================
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|asm/preproc.c|High
|2|File|data/gbconfiguration.dat|High
|========================================
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://vxug.fakedoma.in/archive/APTs/2021/2021.01.07/BrunHilda.pdf
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
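Review bot: IOC row 1 resolves `45.142.212.216` to `holkitsor4.example.com`; `example.com` is the IANA-reserved documentation domain, so this hostname is almost certainly a placeholder carried over from the source report rather than an observed reverse lookup, and the row should not carry `High` confidence until the resolution is re-verified.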

28
Bublik/README.adoc Normal file

@ -0,0 +1,28 @@
= Bublik - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.bublik[Bublik]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.bublik
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|66.128.53.179|-|High
|2|104.21.57.186|-|High
|3|157.240.2.35|edge-star-mini-shv-01-ort2.facebook.com|High
|4|204.11.237.59|olacs.us|High
|========================================
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://blog.talosintelligence.com/2021/05/threat-roundup-0507-0514.html
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
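Review bot: IOC row 3 lists `157.240.2.35` with hostname `edge-star-mini-shv-01-ort2.facebook.com` at `High` confidence; a Facebook edge node is shared, legitimate infrastructure that samples in an automated threat roundup commonly contact for connectivity checks, so blocking or alerting on it will produce false positives. Lower the confidence or drop the row, and apply the same check to the other entries sourced from the Talos roundup.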

66
Buhtrap/README.adoc Normal file

@ -0,0 +1,66 @@
= Buhtrap - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.buhtrap[Buhtrap]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.buhtrap
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. RU
. US
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|5.63.159.32|5-63-159-32.cloudvps.regruhosting.ru|High
|2|37.140.195.165|console.teonet.cloud|High
|3|37.143.12.190|www.portnov.dev|High
|4|151.248.125.251|dbm1.dommebeli.local|High
|5|178.21.10.33|178-21-10-33.ovz.vps.regruhosting.ru|High
|6|193.124.17.223|-|High
|7|194.58.97.249|supersail.ru|High
|8|194.58.100.211|194-58-100-211.ovz.vps.regruhosting.ru|High
|9|213.159.215.119|cms.cake.ru|High
|========================================
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|========================================
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|adclick.php|Medium
|2|File|adrotate.pm|Medium
|3|File|article.php|Medium
|4|File|_debugging_center_utils___.php|High
|5|Argument|dest|Low
|6|Argument|log|Low
|7|Argument|sid|Low
|========================================
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://www.threatminer.org/report.php?q=gib-buhtrap-report-GroupIB.pdf&y=2016
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
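Review bot: IOC row 4 gives the hostname `dbm1.dommebeli.local` for `151.248.125.251`; a `.local` name is not a public DNS name, so this reverse lookup is likely stale or internal and should be re-verified before publication. Several other rows resolve to shared VPS hosting (`cloudvps.regruhosting.ru`, `ovz.vps.regruhosting.ru`), where an address can change tenants; consider recording the observation date next to the `High` confidence so consumers can age the entries out.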

78
Butterfly/README.adoc Normal file

@ -0,0 +1,78 @@
= Butterfly - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.butterfly[Butterfly]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.butterfly
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. NL
. US
. DE
. ...
There are 4 more country items available. Please use our online service to access the data.
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|46.165.237.75|-|High
|2|46.183.217.132|skalli.pereformed.com|High
|3|178.162.197.9|-|High
|4|217.23.3.112|217-23-3-112.hosted-by-worldstream.net|High
|========================================
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1211|7PK Security Features|High
|4|T1222|Permission Issues|High
|5|T1499|Resource Consumption|High
|6|...|...|...
|========================================
There are 1 more TTP items available. Please use our online service to access the data.
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|/cgi-bin/webviewer_login_page|High
|2|File|/forum/away.php|High
|3|File|/getcfg.php|Medium
|4|File|/proc/ioports|High
|5|File|/services/details.asp|High
|6|File|/tmp|Low
|7|File|/uncpath/|Medium
|8|File|/Upload.ashx|Medium
|9|File|/var/tmp/sess_*|High
|10|File|14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi|High
|11|...|...|...
|========================================
There are 120 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://www.threatminer.org/report.php?q=butterfly-corporate-spies-out-for-financial-gain.pdf&y=2015
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
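Review bot: IOA row 10 packs four separate file names into one path-like string (`14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi`); as written it matches no real path, so split it into one row per file. Row 9 (`/var/tmp/sess_*`) uses a glob while every other `File` row is a literal path; document whether the Indicator column supports wildcards. `There are 1 more TTP items available.` also needs the singular form.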

41
C0d0so/README.adoc Normal file

@ -0,0 +1,41 @@
= C0d0so - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.c0d0so[C0d0so]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.c0d0so
== Campaigns
The following campaigns are known and can be associated with the actor.
- Bergard
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. CN
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|42.200.18.194|-|High
|2|121.54.168.230|-|High
|3|210.181.184.64|-|High
|4|218.54.139.20|-|High
|========================================
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://www.threatminer.org/report.php?q=ExploringBergard_OldMalwarewithNewTricks_Proofpoint.pdf&y=2016
* https://www.threatminer.org/report.php?q=NewAttacksLinkedtoC0d0so0Group-PaloAltoNetworksBlogPaloAltoNetworksBlog.pdf&y=2016
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

46
CDRThief/README.adoc Normal file

@ -0,0 +1,46 @@
= CDRThief - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.cdrthief[CDRThief]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.cdrthief
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. CN
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|34.94.199.142|142.199.94.34.bc.googleusercontent.com|Medium
|2|35.236.173.187|187.173.236.35.bc.googleusercontent.com|Medium
|3|119.29.173.65|-|High
|4|129.211.157.244|-|High
|5|129.226.134.180|-|High
|6|150.109.79.136|-|High
|========================================
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1110.001|Improper Restriction of Excessive Authentication Attempts|High
|========================================
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://github.com/eset/malware-ioc/tree/master/cdrthief
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

112
Carbanak/README.adoc Normal file

@ -0,0 +1,112 @@
= Carbanak - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.carbanak[Carbanak]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.carbanak
== Campaigns
The following campaigns are known and can be associated with the actor.
- Anunak
- Grand Mars
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. US
. DE
. RU
. ...
There are 28 more country items available. Please use our online service to access the data.
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|5.1.83.133|mail.printonrug.com|High
|2|5.45.179.173|mail.kincoss.info|High
|3|5.45.179.185|-|High
|4|5.45.192.117|-|High
|5|5.61.32.118|-|High
|6|5.61.38.52|-|High
|7|5.101.146.184|3928081.securefastserver.com|High
|8|5.135.111.89|-|High
|9|5.199.169.188|-|High
|10|10.74.5.100|-|High
|11|23.227.196.99|23-227-196-99.static.hvvc.us|High
|12|31.3.155.123|swe-net-ip.as51430.net|High
|13|31.131.17.79|-|High
|14|31.131.17.81|-|High
|15|31.131.17.125|-|High
|16|31.131.17.128|-|High
|17|37.46.114.148|bg.as51430.net|High
|18|37.59.202.124|ip124.ip-37-59-202.eu|High
|19|37.235.54.48|48.54.235.37.in-addr.arpa|High
|20|45.63.23.135|45.63.23.135.vultr.com|Medium
|21|...|...|...
|========================================
There are 155 more IOC items available. Please use our online service to access the data.
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1110.001|Improper Restriction of Excessive Authentication Attempts|High
|4|T1211|7PK Security Features|High
|5|T1222|Permission Issues|High
|6|...|...|...
|========================================
There are 8 more TTP items available. Please use our online service to access the data.
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|$HOME/.cdrdao|High
|2|File|%windir%\Internet Logs\|High
|3|File|/+CSCOE+/logon.html|High
|4|File|//etc/RT2870STA.dat|High
|5|File|/api/addusers|High
|6|File|/api/upload|Medium
|7|File|/bin/boa|Medium
|8|File|/cgi-bin/hotspot-changepw.cgi|High
|9|File|/ClickAndBanexDemo/admin/admin.asp|High
|10|File|/core/vendor/meenie/javascript-packer/example-inline.php|High
|11|...|...|...
|========================================
There are 615 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064518/Carbanak_APT_eng.pdf
* https://www.forcepoint.com/blog/x-labs/carbanak-group-uses-google-malware-command-and-control
* https://www.group-ib.com/resources/threat-research/Anunak_APT_against_financial_institutions.pdf
* https://www.threatminer.org/report.php?q=Carbanak-Oraclebreach-KresonSecurity.pdf&y=2016
* https://www.threatminer.org/report.php?q=Carbanakgangisbackandpackingnewguns-ESET.pdf&y=2016
* https://www.threatminer.org/report.php?q=NewCarbanak-Trustwave.pdf&y=2016
* https://www.threatminer.org/report.php?q=proofpoint-threat-insight-carbanak-group-en.pdf&y=2016
* https://www.threatminer.org/report.php?q=the-shadows-of-ghosts-carbanak-report_RSA.pdf&y=2017
* https://www.threatminer.org/_reports/2017/OperationGrandMars-Trustwave.pdf#viewer.action=download
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
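Review bot: IOC row 10 (`10.74.5.100`) is an RFC 1918 private address that cannot be Internet-facing attacker infrastructure and will match internal hosts if this table is fed into a blocklist or detection rule; drop it, or move it to the IOA section as a host artefact if the source report lists it as an internal pivot address. The last reference URL carries a `#viewer.action=download` fragment that belongs to the PDF viewer rather than the document and should be trimmed.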

85
Cardinal RAT/README.adoc Normal file

@ -0,0 +1,85 @@
= Cardinal RAT - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.cardinal_rat[Cardinal RAT]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.cardinal_rat
== Campaigns
The following campaigns are known and can be associated with the actor.
- Cardinal RAT
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. US
. CR
. AR
. ...
There are 4 more country items available. Please use our online service to access the data.
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|127.194.73.243|-|High
|2|127.194.87.192|-|High
|3|185.20.187.4|185.20.187.4.deltahost-ptr|High
|4|185.247.211.198|185.247.211.198.deltahost-ptr|High
|5|190.10.8.238|easyrobustads.com|High
|6|193.22.96.98|193.22.96.98.deltahost-ptr|High
|7|193.22.98.182|193.22.98.182.deltahost-ptr|High
|8|193.22.99.168|193.22.99.168.deltahost-ptr|High
|========================================
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1110.001|Improper Restriction of Excessive Authentication Attempts|High
|4|T1499|Resource Consumption|High
|5|T1600|Cryptographic Issues|High
|========================================
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|/admin/?/plugin/comment/settings|High
|2|File|/filemanager/upload.php|High
|3|File|/forum/away.php|High
|4|File|/inc/parser/xhtml.php|High
|5|File|/uncpath/|Medium
|6|File|/webconsole/APIController|High
|7|File|/webmail/|Medium
|8|File|adclick.php|Medium
|9|File|admin.php?s=/Admin/doedit|High
|10|File|admin/web_config.php|High
|11|...|...|...
|========================================
There are 85 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://unit42.paloaltonetworks.com/cardinal-rat-sins-again-targets-israeli-fin-tech-firms/
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
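Review bot: IOC rows 1 and 2 (127.194.73.243, 127.194.87.192) lie in the 127.0.0.0/8 loopback block, which is never routed on the Internet, so they cannot be actor infrastructure and should not carry High confidence; drop them or mark them as extraction errors. In the TTP table the "Access Vector" column holds weakness-category names rather than ATT&CK technique names (T1059.007 is Command and Scripting Interpreter: JavaScript, not Cross Site Scripting; T1068 is Exploitation for Privilege Escalation), so either rename the column or document the mapping. The IOC intro misspells "resources" as "ressources"; the same sentence recurs in every README in this commit.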

90
Careto/README.adoc Normal file

@ -0,0 +1,90 @@
= Careto - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.careto[Careto]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.careto
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. DE
. US
. AU
. ...
There are 2 more country items available. Please use our online service to access the data.
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|8.28.16.254|-|High
|2|12.0.0.38|-|High
|3|23.20.44.92|ec2-23-20-44-92.compute-1.amazonaws.com|Medium
|4|37.235.63.127|127-63-235-37.static.edis.at|High
|5|62.149.227.3|host3-227-149-62.serverdedicati.aruba.it|High
|6|72.52.91.30|-|High
|7|75.126.146.114|72.92.7e4b.ip4.static.sl-reverse.com|High
|8|81.0.233.15|assigned-81-0-233-015.casablanca.cz|High
|9|174.122.254.42|2a.fe.7aae.static.theplanet.com|High
|10|187.122.176.14|bb7ab00e.virtua.com.br|High
|11|196.40.84.94|-|High
|12|200.122.160.25|-|High
|13|210.48.153.236|mercumaya.net|High
|14|213.61.149.100|tor-exit-node.7by7.de|High
|15|217.115.10.132|tor2.anonymizer.ccc.de|High
|16|223.25.232.161|fishball3.singhost.com|High
|========================================
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1211|7PK Security Features|High
|4|T1222|Permission Issues|High
|5|T1499|Resource Consumption|High
|6|...|...|...
|========================================
There are 3 more TTP items available. Please use our online service to access the data.
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|/platform.cgi|High
|2|File|/Status/wan_button_action.asp|High
|3|File|/Users|Low
|4|File|Aavmker4.sys|Medium
|5|File|add_user.php|Medium
|6|File|admin/app/physical/physical.php|High
|7|File|admin/auto.def|High
|8|File|app/admin/custom-fields/filter.php|High
|9|File|auth-gss2.c|Medium
|10|File|backoffice/login.asp|High
|11|...|...|...
|========================================
There are 96 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://www.threatminer.org/report.php?q=unveilingthemask_v1.0.pdf&y=2014
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
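Review bot: IOC rows 14 and 15 identify themselves as Tor exit nodes by hostname (tor-exit-node.7by7.de, tor2.anonymizer.ccc.de) and row 3 is a generic EC2 address; shared anonymisation and cloud infrastructure does not attribute to an actor, so High confidence on the two Tor rows is not justified and they should be downgraded or dropped, as row 3 already is at Medium. The "ressources" typo in the IOC intro applies here as well.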

70
Carrotbat/README.adoc Normal file

@ -0,0 +1,70 @@
= Carrotbat - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.carrotbat[Carrotbat]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.carrotbat
== Campaigns
The following campaigns are known and can be associated with the actor.
- Fractured Block
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. CN
. US
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|61.14.210.72|former-enews-out.squarspace.net|High
|========================================
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1110.001|Improper Restriction of Excessive Authentication Attempts|High
|========================================
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|anonymous/authenticated|High
|2|File|count.cgi|Medium
|3|File|data/gbconfiguration.dat|High
|4|File|dede\co_do.php|High
|5|File|email.php|Medium
|6|File|index.php|Medium
|7|File|mod_mysql_vhost.c|High
|8|Argument|id|Low
|9|Argument|ids|Low
|10|Argument|skipSessionCheck|High
|11|...|...|...
|========================================
There are 2 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://www.threatminer.org/report.php?q=TheFracturedBlockCampaign_CARROTBATUsedtoDeliverMalwareTargetingSoutheastAsia-PaloAltoNetworksBlog.pdf&y=2018
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
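Review bot: IOA row 1 "anonymous/authenticated" is not a file path yet is classed as File, and row 4 "dede\co_do.php" uses a backslash where every other entry uses forward slashes; fix the class and normalise the separator so the indicators can be matched mechanically. The "ressources" typo in the IOC intro applies here as well.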

32
Center-1/README.adoc Normal file

@ -0,0 +1,32 @@
= Center-1 - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.center-1[Center-1]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.center-1
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. IT
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|80.211.37.240|host240-37-211-80.serverdedicati.aruba.it|High
|2|161.35.38.8|-|High
|========================================
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://citizenlab.ca/2020/12/the-great-ipwn-journalists-hacked-with-suspected-nso-group-imessage-zero-click-exploit/
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
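Review bot: "ressources" in the IOC intro should read "resources". IOC row 1 carries a hosting-provider PTR (serverdedicati.aruba.it) while row 2 has none; if the Hostname column comes from reverse lookup at collection time, record the lookup date, since PTRs in hosting ranges are reassigned and a consumer cannot otherwise tell a stale name from a missing one.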

75
Center-2/README.adoc Normal file

@ -0,0 +1,75 @@
= Center-2 - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.center-2[Center-2]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.center-2
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. FR
. IT
. US
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|80.211.35.111|host111-35-211-80.serverdedicati.aruba.it|High
|2|89.40.115.27|host27-115-40-89.static.arubacloud.fr|High
|3|134.122.68.221|-|High
|4|209.250.230.12|209.250.230.12.vultr.com|Medium
|========================================
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1110.001|Improper Restriction of Excessive Authentication Attempts|High
|4|T1211|7PK Security Features|High
|5|T1222|Permission Issues|High
|6|...|...|...
|========================================
There are 4 more TTP items available. Please use our online service to access the data.
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|/docs/captcha_(number).jpeg|High
|2|File|/etc/keystone/user-project-map.json|High
|3|File|/forum/away.php|High
|4|File|/horde/util/go.php|High
|5|File|/SM8250_Q_Master/android/vendor/oppo_charger/oppo/oppo_charger.c|High
|6|File|/webapps/Bb-sites-user-profile-BBLEARN/profile.form|High
|7|File|/wp-content/plugins/emag-marketplace-connector/templates/order/awb-meta-box.php|High
|8|File|action/addproject.php|High
|9|File|adclick.php|Medium
|10|File|admin/page/system/nav.php?del|High
|11|...|...|...
|========================================
There are 64 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://citizenlab.ca/2020/12/the-great-ipwn-journalists-hacked-with-suspected-nso-group-imessage-zero-click-exploit/
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
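Review bot: IOA row 1 "/docs/captcha_(number).jpeg" contains the placeholder "(number)" and row 10 "admin/page/system/nav.php?del" embeds a query string, so neither can be matched as a literal path; store the first as a pattern and split the second into path and parameter as the Argument class does elsewhere in these tables. The "ressources" typo in the IOC intro applies here as well.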

103
Cerber/README.adoc Normal file

@ -0,0 +1,103 @@
= Cerber - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.cerber[Cerber]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.cerber
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. US
. IR
. CN
. ...
There are 3 more country items available. Please use our online service to access the data.
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|23.152.0.36|tcts-000036.techtrapes.com|High
|2|34.199.22.139|ec2-34-199-22-139.compute-1.amazonaws.com|Medium
|3|45.56.79.23|li929-23.members.linode.com|High
|4|52.2.101.52|ec2-52-2-101-52.compute-1.amazonaws.com|Medium
|5|52.21.132.24|ec2-52-21-132-24.compute-1.amazonaws.com|Medium
|6|54.84.252.139|ec2-54-84-252-139.compute-1.amazonaws.com|Medium
|7|54.87.5.88|ec2-54-87-5-88.compute-1.amazonaws.com|Medium
|8|54.88.175.149|ec2-54-88-175-149.compute-1.amazonaws.com|Medium
|9|54.152.181.87|ec2-54-152-181-87.compute-1.amazonaws.com|Medium
|10|78.128.92.96|-|High
|11|85.93.0.0|-|High
|12|87.96.148.0|h87-96-148-0.cust.a3fiber.se|High
|13|87.97.148.0|-|High
|14|87.98.148.0|sbg5-mail-137.bouncer.cloud|High
|15|87.106.18.141|-|High
|16|91.119.56.0|91-119-56-0.dsl.dynamic.surfer.at|High
|17|91.119.216.0|91-119-216-0.dsl.dynamic.surfer.at|High
|18|91.120.56.0|-|High
|19|91.120.216.0|-|High
|20|91.121.56.0|-|High
|21|...|...|...
|========================================
There are 40 more IOC items available. Please use our online service to access the data.
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1110.001|Improper Restriction of Excessive Authentication Attempts|High
|4|T1211|7PK Security Features|High
|5|T1495|Download of Code Without Integrity Check|High
|6|...|...|...
|========================================
There are 5 more TTP items available. Please use our online service to access the data.
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|+CSCO|Low
|2|File|/cgi-bin/login_action.cgi|High
|3|File|/cns/|Low
|4|File|/DbXmlInfo.xml|High
|5|File|/etc/auditlog-keeper.conf|High
|6|File|/forms/web_importTFTP|High
|7|File|/OA_HTML/cabo/jsps/a.jsp|High
|8|File|/plugin/extended-choice-parameter/js/|High
|9|File|/rest/api/1.0/render|High
|10|File|/shell?cmd|Medium
|11|...|...|...
|========================================
There are 519 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://blog.talosintelligence.com/2021/01/threat-roundup-0122.html
* https://blog.talosintelligence.com/2021/02/threat-roundup-0129-0205.html
* https://blog.talosintelligence.com/2021/02/threat-roundup-0205-0212.html
* https://blog.talosintelligence.com/2021/02/threat-roundup-0219-0226.html
* https://blog.talosintelligence.com/2021/03/threat-roundup-0305-0312.html
* https://blog.talosintelligence.com/2021/04/threat-roundup-0402-0409.html
* https://blog.talosintelligence.com/2021/09/threat-roundup-0917-0924.html
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
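Review bot: IOC rows 11, 13 and 16 to 20 end in a .0 host part (85.93.0.0, 87.97.148.0, 91.119.56.0, 91.120.56.0, ...) and look like network addresses of larger ranges rather than individual hosts; if they stand for prefixes, record them in CIDR form, because a single .0 address at High confidence will rarely match anything. Rows 2 and 4 to 9 are EC2 addresses and are correctly at Medium, since cloud addresses are recycled between tenants. The "ressources" typo in the IOC intro applies here as well.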

69
CetaRAT/README.adoc Normal file

@ -0,0 +1,69 @@
= CetaRAT - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.cetarat[CetaRAT]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.cetarat
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. US
. NL
. SA
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|109.236.85.152|customer.worldstream.nl|High
|2|161.97.142.96|vmi661694.contaboserver.net|High
|3|164.68.104.126|vmd76303.contaboserver.net|High
|4|167.86.75.119|vmi594989.contaboserver.net|High
|5|173.249.41.175|vmi642039.contaboserver.net|High
|========================================
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1068|Execution with Unnecessary Privileges|High
|========================================
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|adclick.php|Medium
|2|File|data/gbconfiguration.dat|High
|3|File|exit.php|Medium
|4|File|goto.php|Medium
|5|File|ipsconnect.php|High
|6|File|redir.php|Medium
|7|File|register/check/username?username|High
|8|Argument|dest|Low
|9|Argument|foaf|Low
|10|Argument|id|Low
|11|...|...|...
|========================================
There are 3 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/594/original/Network_IOCs_list_for_coverage.txt?1625657479
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
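Review bot: the only reference is a raw S3 object with a cache-busting query string (?1625657479) rather than the Talos post it accompanies; such links rot and give the reader no context, so cite the post and keep the text file as a secondary link. IOA row 7 "register/check/username?username" mixes path and parameter; split it as the Argument rows 8 to 10 do. The "ressources" typo in the IOC intro applies here as well.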

85
Chafer/README.adoc Normal file

@ -0,0 +1,85 @@
= Chafer - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.chafer[Chafer]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.chafer
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. US
. RU
. GB
. ...
There are 15 more country items available. Please use our online service to access the data.
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|83.142.230.113|-|High
|2|89.38.97.112|-|High
|3|89.38.97.115|89-38-97-115.hosted-by-worldstream.net|High
|4|91.218.114.225|-|High
|5|94.100.21.213|94-100-21-213.static.hvvc.us|High
|6|134.119.217.84|-|High
|7|134.119.217.87|-|High
|8|148.251.197.113|n38-05.vpsnow.ru|High
|9|185.22.172.40|mx2.privacyrequired.link|High
|10|185.177.59.70|-|High
|========================================
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1211|7PK Security Features|High
|4|T1499|Resource Consumption|High
|5|T1552|Unprotected Storage of Credentials|High
|6|...|...|...
|========================================
There are 1 more TTP items available. Please use our online service to access the data.
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|//etc/RT2870STA.dat|High
|2|File|/cwp_{SESSION_HASH}/admin/loader_ajax.php|High
|3|File|/magnoliaPublic/travel/members/login.html|High
|4|File|/Main_AdmStatus_Content.asp|High
|5|File|/uncpath/|Medium
|6|File|/var/log/nginx|High
|7|File|advertiser.php|High
|8|File|akocomments.php|High
|9|File|al_initialize.php|High
|10|File|category.cfm|Medium
|11|...|...|...
|========================================
There are 42 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://www.threatminer.org/report.php?q=Chafer_LatestAttacksRevealHeightenedAmbitions_SymantecBlogs.pdf&y=2018
* https://www.threatminer.org/_reports/2019/NewPython-BasedPayloadMechaFlounderUsedbyChafer.pdf#viewer.action=download
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
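Review bot: IOA row 1 "//etc/RT2870STA.dat" has a doubled leading slash and row 2 "/cwp_{SESSION_HASH}/admin/loader_ajax.php" contains a template token, so neither matches a literal request; normalise the first path and store the second as a pattern. "There are 1 more TTP items available" should read "There is 1 more TTP item available". The "ressources" typo in the IOC intro applies here as well.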


@ -0,0 +1,99 @@
= Charming Kitten - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.charming_kitten[Charming Kitten]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.charming_kitten
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. US
. NL
. ES
. ...
There are 17 more country items available. Please use our online service to access the data.
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|5.79.69.198|-|High
|2|5.79.69.206|-|High
|3|5.79.105.153|-|High
|4|5.79.105.156|-|High
|5|5.79.105.161|-|High
|6|5.79.105.165|-|High
|7|5.152.202.51|h5-152-202-51.host.redstation.co.uk|High
|8|5.152.202.52|h5-152-202-52.host.redstation.co.uk|High
|9|31.3.236.90|h31-3-236-90.host.redstation.co.uk|High
|10|31.3.236.91|h31-3-236-91.host.redstation.co.uk|High
|11|31.3.236.92|h31-3-236-92.host.redstation.co.uk|High
|12|37.220.8.13|h37-220-8-13.host.redstation.co.uk|High
|13|46.17.97.37|-|High
|14|46.17.97.40|-|High
|15|46.17.97.240|-|High
|16|46.17.97.243|-|High
|17|51.254.254.217|me14.mecide.com|High
|18|51.255.28.57|-|High
|19|54.36.217.8|ip8.ip-54-36-217.eu|High
|20|54.37.164.254|ip254.ip-54-37-164.eu|High
|21|...|...|...
|========================================
There are 87 more IOC items available. Please use our online service to access the data.
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1040|Authentication Bypass by Capture-replay|High
|2|T1059.007|Cross Site Scripting|High
|3|T1068|Execution with Unnecessary Privileges|High
|4|T1110.001|Improper Restriction of Excessive Authentication Attempts|High
|5|T1211|7PK Security Features|High
|6|...|...|...
|========================================
There are 6 more TTP items available. Please use our online service to access the data.
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|'phpshell.php|High
|2|File|..\WWWRoot\CustomPages\aspshell.asp|High
|3|File|/about-us/locations/index|High
|4|File|/admin/|Low
|5|File|/admin/account/changepassword|High
|6|File|/admin/index.php|High
|7|File|/admin/pin/websitepin|High
|8|File|/admin_giant/add_gallery.php|High
|9|File|/admin_giant/add_team_member.php|High
|10|File|/api/addusers|High
|11|...|...|...
|========================================
There are 1236 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://github.com/blackorbird/APT_REPORT/tree/master/Charming%20Kitten
* https://vxug.fakedoma.in/archive/APTs/2021/2021.01.08/Charming%20Kitten.pdf
* https://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
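Review bot: IOA row 1 "'phpshell.php" carries a stray leading apostrophe and row 2 "..\WWWRoot\CustomPages\aspshell.asp" is a relative Windows path with backslashes, unlike the forward-slash entries around it; remove the quote and normalise the separator so the indicators can be matched. The "ressources" typo in the IOC intro applies here as well.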

26
ChessMaster/README.adoc Normal file

@ -0,0 +1,26 @@
= ChessMaster - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.chessmaster[ChessMaster]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.chessmaster
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|62.75.197.131|static-ip-62-75-197-131.inaddr.ip-pool.com|High
|2|89.18.27.159|-|High
|========================================
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://www.threatminer.org/report.php?q=ChessMaster%E2%80%99sNewStrategy_EvolvingToolsandTactics-TrendLabsSecurityIntelligenceBlog.pdf&y=2017
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
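Review bot: "ressources" in the IOC intro should read "resources". The reference URL percent-encodes a curly apostrophe (%E2%80%99) inside the report file name; confirm the threatminer link resolves as written, since encoded punctuation in a query parameter is easily mangled when the README is copied or rendered.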

95
Chimera/README.adoc Normal file

@ -0,0 +1,95 @@
= Chimera - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.chimera[Chimera]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.chimera
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. US
. CN
. NU
. ...
There are 3 more country items available. Please use our online service to access the data.
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|1.3.35.342|-|High
|2|5.254.64.234|-|High
|3|5.254.112.226|-|High
|4|14.229.140.66|static.vnpt.vn|High
|5|23.236.77.94|-|High
|6|39.109.5.135|-|High
|7|43.250.200.106|-|High
|8|43.250.201.71|-|High
|9|45.9.248.74|te-4-3-177.pe2.man4.uk.m247.com|High
|10|47.75.0.147|-|High
|11|59.47.4.27|27.4.47.59.broad.bx.ln.dynamic.163data.com.cn|High
|12|103.51.145.123|smtphk.71.com|High
|13|119.39.248.20|-|High
|14|119.39.248.32|-|High
|15|119.39.248.101|-|High
|16|120.227.35.98|-|High
|17|172.111.210.53|-|High
|18|185.170.210.84|-|High
|19|188.72.99.41|-|High
|20|220.202.152.47|-|High
|========================================
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1211|7PK Security Features|High
|4|T1499|Resource Consumption|High
|5|T1566.003|Clickjacking|High
|6|...|...|...
|========================================
There are 1 more TTP items available. Please use our online service to access the data.
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|%windir%\Internet Logs\|High
|2|File|/admin/system/database/filedown.php|High
|3|File|/cgi-bin/supervisor/adcommand.cgi|High
|4|File|/common/info.cgi|High
|5|File|/getcfg.php|Medium
|6|File|/uncpath/|Medium
|7|File|/usr/local/www/csrf/csrf-magic.php|High
|8|File|admin/index.php?n=ui_set&m=admin&c=index&a=doget_text_content&table=lang&field=1|High
|9|File|administrator/components/com_media/helpers/media.php|High
|10|File|APPFLT.SYS|Medium
|11|...|...|...
|========================================
There are 115 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://cycraft.com/download/%5BTLP-White%5D20200415%20Chimera_V4.1.pdf
* https://vxug.fakedoma.in/archive/APTs/2021/2021.01.12/Chimera.pdf
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
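Review bot: row 1 of the IOC table, `|1|1.3.35.342|-|High`, is not a valid IPv4 address (the last octet exceeds 255), so it can never match in a blocklist or detection rule fed from this file and may make a strict parser reject the whole table; drop the row or have the export validate that every octet is within 0–255 before a row is emitted. The truncation notice "There are 1 more TTP items available." also needs singular agreement ("There is 1 more TTP item available."), again best fixed in the template.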

China Unknown/README.adoc Normal file

@ -0,0 +1,38 @@
= China Unknown - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.china_unknown[China Unknown]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.china_unknown
== Campaigns
The following campaigns are known and can be associated with the actor.
- RedXOR
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. CN
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|34.92.228.216|216.228.92.34.bc.googleusercontent.com|Medium
|2|158.247.208.230|158.247.208.230.vultr.com|Medium
|========================================
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://vxug.fakedoma.in/archive/APTs/2021/2021.03.10(1)/RedXOR.pdf
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
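Review bot: both hostnames in the IOC table, `216.228.92.34.bc.googleusercontent.com` and `158.247.208.230.vultr.com`, are provider-assigned reverse-DNS names for rented cloud instances, not names chosen by the actor; they carry no attribution value and the instances behind them are routinely reassigned, so the section should state that the hostname column is a PTR lookup taken at collection time and that consumers should expire such entries rather than treat them as stable infrastructure. The Medium confidence is appropriate here; making that rule explicit for all provider-assigned hostnames would keep the other READMEs consistent.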

Chthonic/README.adoc Normal file

@ -0,0 +1,95 @@
= Chthonic - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.chthonic[Chthonic]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.chthonic
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. PL
. DE
. US
. ...
There are 3 more country items available. Please use our online service to access the data.
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|40.70.224.146|-|High
|2|51.254.83.231|pob01.mulx.net|High
|3|52.137.90.34|-|High
|4|52.185.71.28|-|High
|5|79.133.44.139|-|High
|6|82.197.164.46|aquila.init7.net|High
|7|85.199.214.98|-|High
|8|88.198.193.213|static.88-198-193-213.clients.your-server.de|High
|9|91.198.10.1|shyber.tntu.edu.ua|High
|10|91.209.0.17|ntp-b.0x5e.se|High
|11|91.236.251.129|mail.agrogradv.com|High
|12|92.62.34.78|-|High
|13|104.215.148.63|-|High
|14|151.80.44.158|vega.ap-i.net|High
|15|159.253.242.123|ip-159-253-242-123.rev.snt.net.pl|High
|16|172.217.222.113|qi-in-f113.1e100.net|High
|17|176.9.1.211|hotel.zq1.de|High
|18|184.105.192.2|184-105-192-2.sinkhole.shadowserver.org|High
|19|195.113.20.2|vpn.ms.mff.cuni.cz|High
|20|213.154.236.182|services.freshdot.net|High
|21|...|...|...
|========================================
There are 1 more IOC items available. Please use our online service to access the data.
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1110.001|Improper Restriction of Excessive Authentication Attempts|High
|4|T1211|7PK Security Features|High
|5|T1499|Resource Consumption|High
|========================================
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|/tmp|Low
|2|File|admin/?n=tags&c=index&a=doSaveTags|High
|3|File|AniGIF.ocx|Medium
|4|File|config.php|Medium
|5|File|data/gbconfiguration.dat|High
|6|File|ext/gd/libgd/gd_interpolation.c|High
|7|File|http_auth.c|Medium
|8|File|index.php|Medium
|9|File|install.php|Medium
|10|File|login.php|Medium
|11|...|...|...
|========================================
There are 20 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://blog.talosintelligence.com/2021/01/threat-roundup-0122.html
* https://blog.talosintelligence.com/2021/09/threat-roundup-0903-0910.html
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
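Review bot: several High-confidence IOC rows are not actor-controlled infrastructure: row 18, `|18|184.105.192.2|184-105-192-2.sinkhole.shadowserver.org|High`, is a Shadowserver sinkhole (defender-operated, after the domain was taken from the operator), row 16, `|16|172.217.222.113|qi-in-f113.1e100.net|High`, is Google front-end infrastructure, and row 10, `|10|91.209.0.17|ntp-b.0x5e.se|High`, looks like a public NTP server. This is the background traffic of a sandbox run (both references are Talos threat roundups), so these rows should be filtered or downgraded: blocking a Google front end breaks legitimate traffic, and a sinkhole hit tells a defender that a host is infected, not that the actor operates at that address. Same template grammar issue in "There are 1 more IOC items available."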

Cleaver/README.adoc Normal file

@ -0,0 +1,99 @@
= Cleaver - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.cleaver[Cleaver]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.cleaver
== Campaigns
The following campaigns are known and can be associated with the actor.
- Cleaver
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. US
. CA
. NL
. ...
There are 6 more country items available. Please use our online service to access the data.
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|23.238.17.181|s1.regulatorfix.com|High
|2|50.23.164.161|a1.a4.1732.ip4.static.sl-reverse.com|High
|3|64.120.128.154|-|High
|4|64.120.208.74|-|High
|5|64.120.208.75|-|High
|6|64.120.208.76|-|High
|7|64.120.208.78|-|High
|8|66.96.252.198|host-66-96-252-198.myrepublic.co.id|High
|9|78.109.194.96|-|High
|10|78.109.194.114|-|High
|11|80.243.182.149|149-182-243-80.rackcentre.redstation.net.uk|High
|12|87.98.167.71|-|High
|13|87.98.167.85|ip85.ip-87-98-167.eu|High
|14|87.98.167.141|-|High
|15|88.150.214.162|h88-150-214-162.host.redstation.co.uk|High
|16|88.150.214.166|h88-150-214-166.host.redstation.co.uk|High
|17|88.150.214.168|h88-150-214-168.host.redstation.co.uk|High
|18|88.150.214.170|h88-150-214-170.host.redstation.co.uk|High
|19|95.211.191.225|-|High
|20|95.211.191.247|-|High
|21|...|...|...
|========================================
There are 20 more IOC items available. Please use our online service to access the data.
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1587.003|Improper Certificate Validation|High
|========================================
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|/forum/away.php|High
|2|File|/home/httpd/cgi-bin/cgi.cgi|High
|3|File|adclick.php|Medium
|4|File|data/gbconfiguration.dat|High
|5|File|Default.aspx|Medium
|6|File|inc/config.php|High
|7|File|libraries/idna_convert/example.php|High
|8|File|mod_proxy_fcgi.c|High
|9|File|ogp_show.php|Medium
|10|File|redir.php|Medium
|11|...|...|...
|========================================
There are 17 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf
* https://www.threatminer.org/report.php?q=Cylance_Operation_Cleaver_Report.pdf&y=2014
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
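Review bot: the two references point at the same document, Cylance's Operation Cleaver report, once at cylance.com and once as the ThreatMiner mirror (`https://www.threatminer.org/report.php?q=Cylance_Operation_Cleaver_Report.pdf&y=2014`); drop the mirror or mark it as one, otherwise the list overstates the independent sourcing. Separately, the IOA "File" class mixes web request paths (`/forum/away.php`, `adclick.php`) with source filenames of vulnerable components (`mod_proxy_fcgi.c`); these are matched on different surfaces (web server logs versus software inventory), so a subclass or a short note on how each kind is meant to be used would help consumers.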

Cobalt Group/README.adoc Normal file

@ -0,0 +1,99 @@
= Cobalt Group - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.cobalt_group[Cobalt Group]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.cobalt_group
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. DE
. PL
. IT
. ...
There are 8 more country items available. Please use our online service to access the data.
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|5.45.66.161|-|High
|2|5.135.237.216|-|High
|3|23.152.0.210|nordns.crowncloud.net|High
|4|23.249.164.26|-|High
|5|37.1.207.202|free.ispiria.net|High
|6|46.21.147.61|61.147.21.46.in-addr.arpa|High
|7|46.102.152.157|-|High
|8|52.15.209.133|ec2-52-15-209-133.us-east-2.compute.amazonaws.com|Medium
|9|85.204.74.117|-|High
|10|86.106.131.207|-|High
|11|95.142.39.109|vm480817.eurodir.ru|High
|12|96.44.188.57|hosted-by.securefastserver.com|High
|13|104.144.207.207|mta14.veiligheidsprotocol.info|High
|14|138.68.234.128|-|High
|15|139.60.163.10|-|High
|16|142.91.104.135|i2.alluringpleasuresforu.com|High
|17|149.56.115.70|-|High
|18|173.254.204.67|limitu.csmilectp.co.uk|High
|19|176.9.99.134|gtw02.rankingcoach.com|High
|20|185.82.202.232|-|High
|========================================
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1040|Authentication Bypass by Capture-replay|High
|2|T1059.007|Cross Site Scripting|High
|3|T1068|Execution with Unnecessary Privileges|High
|4|T1110.001|Improper Restriction of Excessive Authentication Attempts|High
|5|T1211|7PK Security Features|High
|6|...|...|...
|========================================
There are 10 more TTP items available. Please use our online service to access the data.
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|%PROGRAMDATA%\WrData\PKG|High
|2|File|%PROGRAMFILES%\Cylance\Desktop\log|High
|3|File|.gitolite.rc|Medium
|4|File|.xserverrc|Medium
|5|File|/+CSCOE+/logon.html|High
|6|File|/.vnc/sesman_${username}_passwd|High
|7|File|/32|Low
|8|File|/?/admin/page/edit/3|High
|9|File|/?/admin/snippet/add|High
|10|File|/?mobile=1|Medium
|11|...|...|...
|========================================
There are 2395 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://blog.talosintelligence.com/2018/07/multiple-cobalt-personality-disorder.html
* https://www.proofpoint.com/us/threat-insight/post/microsoft-word-intruder-integrates-cve-2017-0199-utilized-cobalt-group-target
* https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Cobalt-Snatch-eng.pdf
* https://www.riskiq.com/blog/labs/cobalt-group-spear-phishing-russian-banks/
* https://www.riskiq.com/blog/labs/cobalt-strike/
* https://www.trendmicro.com/en_us/research/17/k/cobalt-spam-runs-use-macros-cve-2017-8759-exploit.html
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
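Review bot: the "Access Vector" column of the TTP table holds weakness names in CWE wording ("Authentication Bypass by Capture-replay", "7PK Security Features", "Execution with Unnecessary Privileges") next to ATT&CK technique IDs, which matches neither taxonomy's notion of an access vector; rename the column to what it contains (for example "Weakness") or add the ATT&CK technique name so a reader can see how `T1040` and "Authentication Bypass by Capture-replay" are meant to relate. The reference `https://www.riskiq.com/blog/labs/cobalt-strike/` is about the Cobalt Strike tool, which gets its own README in this commit; confirm it belongs under the Cobalt Group actor and not under the tool.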

Cobalt Strike/README.adoc Normal file

@ -0,0 +1,81 @@
= Cobalt Strike - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.cobalt_strike[Cobalt Strike]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.cobalt_strike
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. CN
. US
. IT
. ...
There are 2 more country items available. Please use our online service to access the data.
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|23.108.57.108|-|High
|2|62.128.111.176|polyminners.nl|High
|3|82.118.21.221|vds-805975.hosted-by-itldc.com|High
|4|83.171.237.173|83.171.237.173.static.as201206.net|High
|5|86.105.18.116|-|High
|6|89.34.111.11|-|High
|7|192.99.221.77|ip77.ip-192-99-221.net|High
|8|208.75.122.11|rs6.net|High
|========================================
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1499|Resource Consumption|High
|========================================
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|/etc/tomcat8/Catalina/attack|High
|2|File|/notice-edit.php|High
|3|File|archive_read_support_format_rar5.c|High
|4|File|burl.c|Low
|5|File|CFM File Handler|High
|6|File|http_auth.c|Medium
|7|File|profile.php?cmd=download|High
|8|File|ViewLog.asp|Medium
|9|Argument|aid|Low
|10|Argument|display name/title name/content|High
|11|...|...|...
|========================================
There are 3 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://twitter.com/malware_traffic/status/1400876426497253379
* https://twitter.com/malware_traffic/status/1415740795622248452
* https://twitter.com/Unit42_Intel/status/1392174941181812737
* https://us-cert.cisa.gov/ncas/alerts/aa21-148a
* https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
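Review bot: Cobalt Strike is a commercial post-exploitation framework, not a threat actor, and the README's own references show the problem: `https://us-cert.cisa.gov/ncas/alerts/aa21-148a` and the ESET article on Exchange servers "under siege" by 10 APT groups describe distinct operators who all happen to use the tool, so the IOC, TTP and IOA rows aggregate unrelated campaigns under one "actor". Either label this entry as a tool or malware family, or give the intro a sentence stating that the indicators are tool-derived and cannot be attributed to a single operator.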

CoinMiner/README.adoc Normal file

@ -0,0 +1,104 @@
= CoinMiner - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.coinminer[CoinMiner]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.coinminer
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. DE
. NL
. US
. ...
There are 9 more country items available. Please use our online service to access the data.
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|5.196.13.29|29.ip-5-196-13.eu|High
|2|5.196.23.240|240.ip-5-196-23.eu|High
|3|13.107.21.200|-|High
|4|18.210.126.40|ec2-18-210-126-40.compute-1.amazonaws.com|Medium
|5|23.21.48.44|ec2-23-21-48-44.compute-1.amazonaws.com|Medium
|6|23.21.76.253|ec2-23-21-76-253.compute-1.amazonaws.com|Medium
|7|23.21.126.66|ec2-23-21-126-66.compute-1.amazonaws.com|Medium
|8|23.21.140.41|ec2-23-21-140-41.compute-1.amazonaws.com|Medium
|9|23.21.252.4|ec2-23-21-252-4.compute-1.amazonaws.com|Medium
|10|49.12.80.38|static.38.80.12.49.clients.your-server.de|High
|11|49.12.80.40|static.40.80.12.49.clients.your-server.de|High
|12|50.19.96.218|ec2-50-19-96-218.compute-1.amazonaws.com|Medium
|13|50.19.252.36|ec2-50-19-252-36.compute-1.amazonaws.com|Medium
|14|51.15.54.102|102-54-15-51.instances.scw.cloud|High
|15|51.15.58.224|224-58-15-51.instances.scw.cloud|High
|16|51.15.65.182|182-65-15-51.instances.scw.cloud|High
|17|51.15.67.17|17-67-15-51.instances.scw.cloud|High
|18|51.15.69.136|136-69-15-51.instances.scw.cloud|High
|19|51.15.78.68|68-78-15-51.instances.scw.cloud|High
|20|51.68.21.188|ip188.ip-51-68-21.eu|High
|21|...|...|...
|========================================
There are 37 more IOC items available. Please use our online service to access the data.
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1040|Authentication Bypass by Capture-replay|High
|2|T1059.007|Cross Site Scripting|High
|3|T1068|Execution with Unnecessary Privileges|High
|4|T1110.001|Improper Restriction of Excessive Authentication Attempts|High
|5|T1211|7PK Security Features|High
|6|...|...|...
|========================================
There are 8 more TTP items available. Please use our online service to access the data.
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|%windir%\Internet Logs\|High
|2|File|.htaccess|Medium
|3|File|.imwheelrc|Medium
|4|File|.jpilot|Low
|5|File|.php|Low
|6|File|.plan|Low
|7|File|.tin|Low
|8|File|/?Key=PhoneRequestAuthorization|High
|9|File|/adfs/ls|Medium
|10|File|/api/users/admin/check|High
|11|...|...|...
|========================================
There are 760 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://blog.talosintelligence.com/2021/02/threat-roundup-0212-0219.html
* https://blog.talosintelligence.com/2021/02/threat-roundup-0219-0226.html
* https://blog.talosintelligence.com/2021/03/threat-roundup-0305-0312.html
* https://blog.talosintelligence.com/2021/04/threat-roundup-0416-0423.html
* https://blog.talosintelligence.com/2021/05/threat-roundup-0507-0514.html
* https://blog.talosintelligence.com/2021/06/threat-roundup-0604-0611.html
* https://blog.talosintelligence.com/2021/06/threat-roundup-0611-0617.html
* https://blog.talosintelligence.com/2021/06/threat-roundup-0617-0624.html
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
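Review bot: confidence for cloud-instance reverse-DNS names is applied inconsistently in the IOC table: the EC2 hosts (rows 4–9 and 12–13, `ec2-*.compute-1.amazonaws.com`) are Medium, while the Scaleway instances (rows 14–19, `*.instances.scw.cloud`) and the Hetzner hosts (rows 10–11, `static.*.clients.your-server.de`) are High, although all of them are short-lived rented hosts with provider-assigned PTR records; apply one rule for provider-assigned hostnames. "CoinMiner" is also a malware category used by many unrelated operators rather than a single actor, so the intro should qualify the actor framing before consumers correlate these 57 addresses and 770 IOA items as one group.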

Comnie/README.adoc Normal file

@ -0,0 +1,32 @@
= Comnie - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.comnie[Comnie]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.comnie
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. IT
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|113.196.70.11|113.196.70.11.ll.static.sparqnet.net|High
|2|121.126.211.94|-|High
|========================================
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://www.threatminer.org/report.php?q=ComnieContinuestoTargetOrganizationsinEastAsia_PaloAltoNetworks.pdf&y=2018
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

Confucius/README.adoc Normal file

@ -0,0 +1,100 @@
= Confucius - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.confucius[Confucius]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.confucius
== Campaigns
The following campaigns are known and can be associated with the actor.
- Tibbar
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. US
. LU
. DE
. ...
There are 5 more country items available. Please use our online service to access the data.
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|5.39.23.192|ip192.ip-5-39-23.eu|High
|2|5.135.85.16|flotweb-o20.bestonthenet.fr|High
|3|46.165.207.98|-|High
|4|46.165.207.99|-|High
|5|46.165.207.108|-|High
|6|46.165.207.109|-|High
|7|46.165.207.112|-|High
|8|46.165.207.113|-|High
|9|46.165.207.114|-|High
|10|46.165.207.116|-|High
|11|46.165.207.120|v608.ce02.fra-10.de.leaseweb.net|High
|12|46.165.207.132|-|High
|13|46.165.207.134|-|High
|14|46.165.207.138|-|High
|15|46.165.207.140|-|High
|16|46.165.207.142|-|High
|17|46.165.249.223|-|High
|18|78.128.92.101|-|High
|19|91.210.107.107|-|High
|20|91.210.107.108|-|High
|21|...|...|...
|========================================
There are 21 more IOC items available. Please use our online service to access the data.
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1211|7PK Security Features|High
|4|T1600|Cryptographic Issues|High
|========================================
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|.rediscli_history|High
|2|File|/admin/index.php|High
|3|File|/core/vb/vurl.php|High
|4|File|/forum/away.php|High
|5|File|/out.php|Medium
|6|File|/uncpath/|Medium
|7|File|adclick.php|Medium
|8|File|admin-ajax.php|High
|9|File|admin/index.php|High
|10|File|administrator/components/com_media/helpers/media.php|High
|11|...|...|...
|========================================
There are 89 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://github.com/blackorbird/APT_REPORT/blob/master/Confucius/OperationTibbar-A-retaliatory-targeted-attack-from-SouthAsian-APT-Group-Confucius.pdf
* https://www.threatminer.org/report.php?q=Confucius%C2%A0Says%E2%80%A6Malware%C2%A0Families%C2%A0Get%C2%A0Further-PaloAltoNetworks.pdf&y=2016
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
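Review bot: IOC rows 3–16 are fourteen addresses inside 46.165.207.0/24, with row 11 (`|11|46.165.207.120|v608.ce02.fra-10.de.leaseweb.net|High`) identifying the block as Leaseweb hosting; listing them one by one while the truncation notice hides 21 further rows leaves consumers with a fragment of a cluster. Consider emitting the range, or at least the hoster, alongside the individual addresses so a defender can decide whether to match on the /24 or only on the listed hosts.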

Conti/README.adoc Normal file

@ -0,0 +1,86 @@
= Conti - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.conti[Conti]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.conti
== Campaigns
The following campaigns are known and can be associated with the actor.
- Cobalt Strike
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. DE
. US
. TR
. ...
There are 4 more country items available. Please use our online service to access the data.
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|23.82.140.137|-|High
|2|23.106.160.174|-|High
|3|82.118.21.1|77626-46583.hyperdomen.com|High
|4|85.93.88.165|malta2419.startdedicated.com|High
|5|89.45.4.98|-|High
|6|162.244.80.235|-|High
|7|185.141.63.120|-|High
|========================================
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1211|7PK Security Features|High
|4|T1499|Resource Consumption|High
|5|T1600|Cryptographic Issues|High
|========================================
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|/bin/bw|Low
|2|File|/etc/tomcat8/Catalina/attack|High
|3|File|/servlet/webacc|High
|4|File|/uncpath/|Medium
|5|File|abook_database.php|High
|6|File|add_comment.php|High
|7|File|admin/index.php/template/upload|High
|8|File|agent/Core/Controller/SendRequest.cpp|High
|9|File|AjaxResponse.jsp|High
|10|File|apl_42.c|Medium
|11|...|...|...
|========================================
There are 181 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://github.com/sophoslabs/IoCs/blob/master/Ransomware-Conti.csv
* https://therecord.media/disgruntled-ransomware-affiliate-leaks-the-conti-gangs-technical-manuals/
* https://twitter.com/vxunderground/status/1414809517993435139
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
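Review bot: "ressources" in the IOC intro sentence is a typo for "resources"; the same template sentence recurs in every README in this commit, so the fix belongs in the generator rather than in each file. The TTP table's "Access Vector" column also does not hold access vectors: values such as "Cross Site Scripting", "Resource Consumption" and "Cryptographic Issues" are weakness classes, so the header should say what the column actually carries.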

106
CopyKittens/README.adoc Normal file
@ -0,0 +1,106 @@
= CopyKittens - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.copykittens[CopyKittens]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.copykittens
== Campaigns
The following campaigns are known and can be associated with the actor.
- Wilted Tulip
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. PL
. DE
. FR
. ...
There are 12 more country items available. Please use our online service to access the data.
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|5.34.180.252|vds-uuallex-113169.hosted-by-itldc.com|High
|2|5.34.181.13|backups231.com|High
|3|31.192.105.16|-|High
|4|31.192.105.17|wikileaks.org|High
|5|31.192.105.28|-|High
|6|38.130.75.20|h20-us75.fcsrv.net|High
|7|51.254.76.54|-|High
|8|62.109.2.52|ns.leangroup.ru|High
|9|62.109.2.109|mediclick.ru|High
|10|66.55.152.164|66-55-152-164.choopa.net|High
|11|68.232.180.122|68-232-180-122.choopa.net|High
|12|80.179.42.37|80.179.42.37.forward.012.net.il|High
|13|80.179.42.44|lnkrten-dazling.linegrace.com|High
|14|86.105.18.5|-|High
|15|93.190.138.137|93-190-138-137.hosted-by-worldstream.net|High
|16|104.200.128.48|-|High
|17|104.200.128.58|-|High
|18|104.200.128.64|-|High
|19|104.200.128.71|-|High
|20|104.200.128.126|-|High
|21|...|...|...
|========================================
There are 64 more IOC items available. Please use our online service to access the data.
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1040|Authentication Bypass by Capture-replay|High
|2|T1059.007|Cross Site Scripting|High
|3|T1068|Execution with Unnecessary Privileges|High
|4|T1110.001|Improper Restriction of Excessive Authentication Attempts|High
|5|T1211|7PK Security Features|High
|6|...|...|...
|========================================
There are 10 more TTP items available. Please use our online service to access the data.
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|%LOCALAPPDATA%\Zemana\ZALSDK\MyRules2.ini|High
|2|File|.backup/|Medium
|3|File|.gemspec|Medium
|4|File|.mscreenrc|Medium
|5|File|.pref.xml|Medium
|6|File|/?ajax-request=jnews|High
|7|File|/?mobile=1|Medium
|8|File|/admin|Low
|9|File|/ADMIN.ASP|Medium
|10|File|/admin.php/Foodcat/editsave|High
|11|...|...|...
|========================================
There are 2712 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://s3-eu-west-1.amazonaws.com/minervaresearchpublic/CopyKittens/CopyKittens.pdf
* https://www.clearskysec.com/copykitten-jpost/
* https://www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf
* https://www.threatminer.org/report.php?q=CopyKittens-MinervaandClearsky.pdf&y=2015
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
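Review bot: row 4 of the IOC table pairs 31.192.105.17 with the hostname wikileaks.org, while rows 1, 6, 10, 11 and 15 carry hosting-provider PTR names (vds-uuallex-113169.hosted-by-itldc.com, 66-55-152-164.choopa.net, ...), so the Hostname column is evidently the reverse-DNS answer at lookup time, which the address holder controls and which changes on reassignment. The column header or the intro sentence should say so and the lookup date should be recorded; otherwise readers will take wikileaks.org for an actor-owned domain.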

47
Corkow/README.adoc Normal file
@ -0,0 +1,47 @@
= Corkow - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.corkow[Corkow]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.corkow
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|1.17.6.4|-|High
|2|3.8.9.6|ec2-3-8-9-6.eu-west-2.compute.amazonaws.com|Medium
|3|4.1.0.1|-|High
|4|4.3.1.2|-|High
|5|4.3.9.1|-|High
|6|4.3.9.5|-|High
|7|4.3.9.7|-|High
|8|4.3.9.8|-|High
|9|4.4.7.1|lag-32-1065-99.ear3.Chicago2.Level3.net|High
|10|4.4.7.2|ANDERSEN-CO.ear3.Chicago2.Level3.net|High
|11|4.4.7.7|-|High
|12|5.5.1.2|dynamic-005-005-001-002.5.5.pool.telefonica.de|High
|13|5.7.9.1|dynamic-005-007-009-001.5.7.pool.telefonica.de|High
|14|5.9.3.1|static.1.3.9.5.clients.your-server.de|High
|15|6.0.8.1|-|High
|16|6.0.8.2|-|High
|17|6.0.8.4|-|High
|18|6.2.0.1|-|High
|19|6.4.1.3|-|High
|20|7.5.0.1|-|High
|21|...|...|...
|========================================
There are 36 more IOC items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://www.threatminer.org/#apt_report_19
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
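Review bot: the only reference, https://www.threatminer.org/#apt_report_19, is a fragment anchor on the ThreatMiner landing page rather than a link to a specific report, so the provenance of this table cannot be checked; link the actual report. Also, rows 1, 3 to 8, 11 and 15 to 20 (1.17.6.4, 4.1.0.1, 4.3.9.x, 6.0.8.x, 7.5.0.1) have the shape of dotted version strings rather than of the provider-hosted addresses in rows 9, 12 to 14, and all are marked High; confirm they were not picked up by the extractor as version numbers before publishing them.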

55
CosmicDuke/README.adoc Normal file
@ -0,0 +1,55 @@
= CosmicDuke - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.cosmicduke[CosmicDuke]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.cosmicduke
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. LU
. DE
. SE
. ...
There are 1 more country items available. Please use our online service to access the data.
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|46.246.120.178|-|High
|2|91.224.141.235|-|High
|3|94.242.199.88|ip-static-94-242-199-88.server.lu|High
|4|176.74.216.14|cz10131-d1z1-kvm.host-telecom.com|High
|5|178.21.172.157|-|High
|6|178.63.149.142|static.142.149.63.178.clients.your-server.de|High
|7|178.170.164.84|o84.itliteclient.ru|High
|8|188.116.32.164|-|High
|9|188.241.115.41|188-241-115-41.static.intovps.com|High
|10|212.76.128.149|-|High
|========================================
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1068|Execution with Unnecessary Privileges|High
|========================================
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://www.threatminer.org/report.php?q=cosmicduke_whitepaper.pdf&y=2014
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
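Review bot: "There are 1 more country items available" in the Countries section is an agreement error from the template (the same sentence appears in Crimeware/README.adoc in this commit); the generator should special-case the singular, e.g. "There is 1 more country item available."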

66
CozyDuke/README.adoc Normal file
@ -0,0 +1,66 @@
= CozyDuke - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.cozyduke[CozyDuke]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.cozyduke
== Campaigns
The following campaigns are known and can be associated with the actor.
- MiniDionis
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. US
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|64.244.34.200|-|High
|2|121.193.130.170|-|High
|3|122.228.193.115|-|High
|4|183.78.169.5|-|High
|5|200.119.128.45|-|High
|6|200.125.133.28|pnet_133_28.panchonet.net|High
|7|200.125.142.11|webuio.panchonet.net|High
|8|210.59.2.20|-|High
|========================================
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1068|Execution with Unnecessary Privileges|High
|========================================
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|data/gbconfiguration.dat|High
|2|File|drivers/net/ethernet/msm/rndis_ipa.c|High
|========================================
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://www.threatminer.org/report.php?q=MiniDionis_CozyCar_Seaduke.pdf&y=2015
* https://www.threatminer.org/report.php?q=TheCozyDukeAPT-Securelist.pdf&y=2015
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

56
Crashoverride/README.adoc Normal file
@ -0,0 +1,56 @@
= Crashoverride - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.crashoverride[Crashoverride]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.crashoverride
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. RU
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|5.39.218.152|-|High
|2|93.115.27.57|-|High
|3|195.16.88.6|server10005.hostlife.net|High
|========================================
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|========================================
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|/cgi-bin/supervisor/PwdGrp.cgi|High
|2|File|/CMD_SELECT_USERS|High
|3|Argument|location|Medium
|4|Input Value|CMD_ALL_USER_SHOW'"><script>alert(/IrIsT.Ir/)</script>|High
|========================================
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://www.threatminer.org/report.php?q=CrashOverride-01-DragosSecurity.pdf&y=2017
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

53
Cridex/README.adoc Normal file
@ -0,0 +1,53 @@
= Cridex - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.cridex[Cridex]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.cridex
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. US
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|5.135.28.118|-|High
|2|37.187.156.123|connor.playragnarokzero.com|High
|3|46.165.241.0|-|High
|4|50.56.200.226|50-56-200-226.static.cloud-ips.com|High
|5|62.76.44.174|62-76-44-174.vm.clodoserver.ru|High
|6|72.249.190.70|-|High
|7|89.31.144.214|vserver-gempassion.nexen.net|High
|8|89.188.121.106|rurik-e1.citytelecom.ru|High
|9|91.121.162.48|ks360250.kimsufi.com|High
|10|173.203.208.139|173-203-208-139.static.cloud-ips.com|High
|11|194.28.132.33|spline.org.ua|High
|12|209.54.58.186|-|High
|13|212.111.1.212.2|-|High
|========================================
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|.htaccess|Medium
|========================================
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://gist.githubusercontent.com/BBcan177/bf29d47ea04391cb3eb0/raw/
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
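Review bot: row 13 of the IOC table, 212.111.1.212.2, is not a valid IPv4 address (five octets) yet is marked High confidence; either correct it from the source or drop the row. A syntax check on the IP address column in the export script would have caught this before publication.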

75
Crimeware/README.adoc Normal file
@ -0,0 +1,75 @@
= Crimeware - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.crimeware[Crimeware]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.crimeware
== Campaigns
The following campaigns are known and can be associated with the actor.
- CTB-Locker
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. FR
. US
. IT
. ...
There are 1 more country items available. Please use our online service to access the data.
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|5.134.122.150|hpt01.web.l1.armada.it|High
|2|64.71.33.177|-|High
|3|188.93.8.7|-|High
|4|213.186.33.3|cluster015.ovh.net|High
|5|213.186.33.4|cluster003.ovh.net|High
|6|213.186.33.19|cluster010.hosting.ovh.net|High
|7|213.186.33.150|basic-cdn-01.cluster011.ovh.net|High
|========================================
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1068|Execution with Unnecessary Privileges|High
|2|T1587.003|Improper Certificate Validation|High
|========================================
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|admin_store_form|High
|2|File|cscopf.ocx|Medium
|3|File|fs/inode.c|Medium
|4|File|Util/PHP/eval-stdin.php|High
|5|Argument|cntnt01fbrp_forma_form_template|High
|6|Argument|Initialization|High
|7|Input Value|admin/password|High
|========================================
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://unit42.paloaltonetworks.com/newest-ctb-locker-campaign-bypasses-legacy-security-products/
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

@ -0,0 +1,50 @@
= Crouching Yeti - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.crouching_yeti[Crouching Yeti]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.crouching_yeti
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. US
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|1.0.154.36|node-55w.pool-1-0.dynamic.totinternet.net|High
|2|3.3.6.1|-|High
|3|6.0.472.59|-|High
|4|37.140.193.27|server39.hosting.reg.ru|High
|5|66.39.134.254|-|High
|6|78.63.99.143|78-63-99-143.static.zebra.lt|High
|7|93.188.161.235|-|High
|8|174.37.240.18|12.f0.25ae.ip4.static.sl-reverse.com|High
|9|195.16.89.46|-|High
|========================================
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|inc/config.php|High
|2|Argument|basePath|Medium
|========================================
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://www.threatminer.org/report.php?q=Kaspersky_Lab_crouching_yeti_appendixes_eng_final.pdf&y=2014
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
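Review bot: row 3 of the IOC table, 6.0.472.59, cannot be an IPv4 address (the third octet exceeds 255), and row 2 (3.3.6.1) has the shape of a version string rather than an address; both are marked High. Validate the IP address column on export and check these two rows against the referenced Kaspersky appendix.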

93
CryptoPHP/README.adoc Normal file
@ -0,0 +1,93 @@
= CryptoPHP - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.cryptophp[CryptoPHP]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.cryptophp
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. US
. PL
. RU
. ...
There are 2 more country items available. Please use our online service to access the data.
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|50.17.195.149|ec2-50-17-195-149.compute-1.amazonaws.com|Medium
|2|78.138.118.195|-|High
|3|78.138.118.196|-|High
|4|78.138.118.197|-|High
|5|78.138.118.198|-|High
|6|78.138.118.199|-|High
|7|78.138.118.200|-|High
|8|78.138.118.201|-|High
|9|78.138.118.202|-|High
|10|78.138.118.203|-|High
|11|78.138.118.204|-|High
|12|78.138.118.205|-|High
|13|78.138.118.206|-|High
|14|78.138.118.207|-|High
|15|78.138.118.208|-|High
|16|78.138.118.209|-|High
|17|78.138.126.220|-|High
|18|78.138.126.223|-|High
|19|78.138.126.224|-|High
|20|87.119.221.40|-|High
|21|...|...|...
|========================================
There are 24 more IOC items available. Please use our online service to access the data.
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1110.001|Improper Restriction of Excessive Authentication Attempts|High
|4|T1600|Cryptographic Issues|High
|========================================
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|/mics/j_spring_security_check|High
|2|File|examples/openid.php|High
|3|File|FormDisplay.php|High
|4|File|includes/startup.php|High
|5|File|libraries/Header.php|High
|6|File|member.php|Medium
|7|File|shopping-cart.php|High
|8|File|wp-includes/class-wp-query.php|High
|9|Argument|cusid|Low
|10|Argument|j_username|Medium
|11|...|...|...
|========================================
There are 5 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://github.com/fox-it/cryptophp/blob/master/ips.txt
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

@ -0,0 +1,25 @@
= CryptoWall 2.0 - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.cryptowall_2.0[CryptoWall 2.0]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.cryptowall_2.0
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|151.248.115.146|et-cetera.ru|High
|========================================
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://unit42.paloaltonetworks.com/tracking-new-ransomware-cryptowall-2-0/
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

53
DEV-0322/README.adoc Normal file
@ -0,0 +1,53 @@
= DEV-0322 - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.dev-0322[DEV-0322]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.dev-0322
== Campaigns
The following campaigns are known and can be associated with the actor.
- CVE-2021-35211
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. CN
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|68.235.178.32|huntres-cgo-cm1-68-235-178-32.vianet.ca|High
|2|97.77.97.58|rrcs-97-77-97-58.sw.biz.rr.com|High
|3|98.176.196.89|ip98-176-196-89.sd.sd.cox.net|High
|4|144.34.179.162|144.34.179.162.16clouds.com|High
|5|208.113.35.58|58.35.113.208.static.addr.dsl4u.ca|High
|========================================
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|flow.php|Medium
|2|Argument|--config/--debugger|High
|3|Argument|goods_number|Medium
|========================================
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
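Review bot: the IOA rows (flow.php, goods_number, --config/--debugger) are PHP shop and command-line artefacts with no visible connection to the SolarWinds Serv-U 0-day that the only reference and the CVE-2021-35211 campaign entry describe; if they come from the predictive model rather than from the reference, the section should say so or mark them Low, because as listed they read as observed attack artefacts.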

Some files were not shown because too many files have changed in this diff.