Converted from AsciiDoc to Markdown

Marc Ruef 2021-09-30 11:58:16 +02:00
parent 06e3701ee0
commit 60147741e3
867 changed files with 29870 additions and 29756 deletions


@ -1,32 +0,0 @@
= 1937CN - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.1937cn[1937CN]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.1937cn
== Campaigns
The following campaigns are known and can be associated with the actor.
- Rehashed RAT
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|1.3.30.3|-|High
|2|1.3.33.5|-|High
|========================================
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://www.threatminer.org/report.php?q=RehashedRATUsedinAPTCampaignAgainstVietnameseOrganizations_FortinetBlog.pdf&y=2017
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
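Review bot: this deletion is paired with a brand-new `1937CN/README.md` ("Normal file") instead of being recorded as a rename, so `git log --follow` and `git blame` on the indicator table stop at this commit; the same holds for every pair in the 867-file change. Renaming the .adoc to README.md in one commit and rewriting the syntax in a second keeps the content similar enough for git's rename detection and preserves the provenance of each indicator row.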

1937CN/README.md Normal file

@ -0,0 +1,37 @@
# 1937CN - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [1937CN](https://vuldb.com/?actor.1937cn). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.1937cn](https://vuldb.com/?actor.1937cn)
## Campaigns
The following campaigns are known and can be associated with 1937CN:
* Rehashed RAT
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of 1937CN.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 1.3.30.3 | - | High
2 | 1.3.33.5 | - | High
## References
The following list contains external sources which discuss the actor and the associated activities:
* https://www.threatminer.org/report.php?q=RehashedRATUsedinAPTCampaignAgainstVietnameseOrganizations_FortinetBlog.pdf&y=2017
## Literature
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
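Review bot: "ressources" in the IOC paragraph ("associated network ressources which are known to be part of ...") is a typo for "resources"; it recurs in every converted README in this commit, so it is worth fixing in the template that generates these files rather than file by file.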


@ -1,32 +0,0 @@
= 9002 - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.9002[9002]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.9002
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. CN
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|222.239.91.30|-|High
|2|222.239.91.152|-|High
|========================================
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://www.threatminer.org/report.php?q=AttackDelivers%E2%80%989002%E2%80%99TrojanThroughGoogleDrive-PaloAltoNetworksBlogPaloAltoNetworksBlog.pdf&y=2016
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

9002/README.md Normal file

@ -0,0 +1,37 @@
# 9002 - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [9002](https://vuldb.com/?actor.9002). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.9002](https://vuldb.com/?actor.9002)
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with 9002:
* CN
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of 9002.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 222.239.91.30 | - | High
2 | 222.239.91.152 | - | High
## References
The following list contains external sources which discuss the actor and the associated activities:
* https://www.threatminer.org/report.php?q=AttackDelivers%E2%80%989002%E2%80%99TrojanThroughGoogleDrive-PaloAltoNetworksBlogPaloAltoNetworksBlog.pdf&y=2016
## Literature
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!


@ -1,75 +0,0 @@
= APT-C-01 - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.apt-c-01[APT-C-01]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.apt-c-01
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. US
. CN
. RU
. ...
There are 3 more country items available. Please use our online service to access the data.
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|45.32.8.137|45.32.8.137.vultr.com|Medium
|2|45.76.125.176|45.76.125.176.vultr.com|Medium
|3|45.76.228.61|45.76.228.61.vultr.com|Medium
|4|131.213.66.10|p83d5420a.tocgnt01.ap.so-net.ne.jp|High
|5|146.0.32.168|al039.albit.dedi.server-hosting.expert|High
|6|165.227.220.223|musyfy.staging.collaborators.us|High
|7|188.166.67.36|-|High
|========================================
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|========================================
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|/forum/away.php|High
|2|File|/goform/saveParentControlInfo|High
|3|File|/uncpath/|Medium
|4|File|2020\Messages\SDNotify.exe|High
|5|File|admin/admin_disallow.php|High
|6|File|email.php|Medium
|7|File|entry.cgi|Medium
|8|File|ext/date/lib/parse_date.c|High
|9|File|goto.php|Medium
|10|File|index.php?tg=delegat&idx=mem|High
|11|...|...|...
|========================================
There are 25 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://www.threatminer.org/report.php?q=APT-C-01-360.pdf&y=2018
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

APT-C-01/README.md Normal file

@ -0,0 +1,75 @@
# APT-C-01 - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [APT-C-01](https://vuldb.com/?actor.apt-c-01). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.apt-c-01](https://vuldb.com/?actor.apt-c-01)
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with APT-C-01:
* US
* CN
* RU
* ...
There are 3 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of APT-C-01.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 45.32.8.137 | 45.32.8.137.vultr.com | Medium
2 | 45.76.125.176 | 45.76.125.176.vultr.com | Medium
3 | 45.76.228.61 | 45.76.228.61.vultr.com | Medium
4 | ... | ... | ...
There are 4 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by APT-C-01. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
## IOA - Indicator of Attack
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by APT-C-01. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/forum/away.php` | High
2 | File | `/goform/saveParentControlInfo` | High
3 | File | `/uncpath/` | Medium
4 | File | `2020\Messages\SDNotify.exe` | High
5 | File | `admin/admin_disallow.php` | High
6 | File | `email.php` | Medium
7 | File | `entry.cgi` | Medium
8 | File | `ext/date/lib/parse_date.c` | High
9 | File | `goto.php` | Medium
10 | File | `index.php?tg=delegat&idx=mem` | High
11 | ... | ... | ...
There are 25 more IOA items available. Please use our online service to access the data.
## References
The following list contains external sources which discuss the actor and the associated activities:
* https://www.threatminer.org/report.php?q=APT-C-01-360.pdf&y=2018
## Literature
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
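Review bot: the IOC table loses rows in the conversion: the deleted AsciiDoc listed seven entries (45.32.8.137 through 188.166.67.36), while the Markdown keeps three and replaces the rest with `4 | ... | ... | ...` and "There are 4 more IOC items available". That is a content change rather than a format conversion, and the commit message does not mention it; either keep the seven rows or state in the message that the public export is being truncated. Separately, the TTP column heading changed from "Access Vector" to "Description" while the cell values are unchanged, so a reader still cannot tell whether "Cross Site Scripting" next to T1059.007 describes the technique or is the vulnerability class it was mapped from; a short note on how the mapping is derived would help.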


@ -1,47 +0,0 @@
= APT-C-07 - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.apt-c-07[APT-C-07]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.apt-c-07
== Campaigns
The following campaigns are known and can be associated with the actor.
- Mermaid
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. US
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|69.195.129.72|-|High
|========================================
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|Argument|widget_template|High
|========================================
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://www.threatminer.org/report.php?q=Operation_Mermaid_360cn.pdf&y=2016
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

APT-C-07/README.md Normal file

@ -0,0 +1,50 @@
# APT-C-07 - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [APT-C-07](https://vuldb.com/?actor.apt-c-07). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.apt-c-07](https://vuldb.com/?actor.apt-c-07)
## Campaigns
The following campaigns are known and can be associated with APT-C-07:
* Mermaid
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with APT-C-07:
* US
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of APT-C-07.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 69.195.129.72 | - | High
## IOA - Indicator of Attack
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by APT-C-07. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | Argument | `widget_template` | High
## References
The following list contains external sources which discuss the actor and the associated activities:
* https://www.threatminer.org/report.php?q=Operation_Mermaid_360cn.pdf&y=2016
## Literature
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!


@ -1,76 +0,0 @@
= APT-C-36 - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.apt-c-36[APT-C-36]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.apt-c-36
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. US
. BR
. FR
. ...
There are 3 more country items available. Please use our online service to access the data.
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|128.90.106.22|undefined.hostname.localhost|High
|2|128.90.107.21|undefined.hostname.localhost|High
|3|128.90.107.189|undefined.hostname.localhost|High
|4|128.90.107.236|undefined.hostname.localhost|High
|5|128.90.108.126|undefined.hostname.localhost|High
|6|128.90.114.5|undefined.hostname.localhost|High
|7|128.90.115.28|undefined.hostname.localhost|High
|8|128.90.115.179|undefined.hostname.localhost|High
|========================================
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1499|Resource Consumption|High
|2|T1600|Cryptographic Issues|High
|========================================
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|.htaccess|Medium
|2|File|FileSeek.cgi|Medium
|3|File|includes/dbal.php|High
|4|File|index.php|Medium
|5|File|modules/mappers/mod_rewrite.c|High
|6|File|personalData/resumeDetail.cfm|High
|7|File|prod.php|Medium
|8|File|products.php|Medium
|9|File|shop.pl|Low
|10|File|software-description.php|High
|11|...|...|...
|========================================
There are 10 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://web.archive.org/web/20190625182633if_/https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

APT-C-36/README.md Normal file

@ -0,0 +1,75 @@
# APT-C-36 - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [APT-C-36](https://vuldb.com/?actor.apt-c-36). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.apt-c-36](https://vuldb.com/?actor.apt-c-36)
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with APT-C-36:
* US
* BR
* FR
* ...
There are 3 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of APT-C-36.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 128.90.106.22 | undefined.hostname.localhost | High
2 | 128.90.107.21 | undefined.hostname.localhost | High
3 | 128.90.107.189 | undefined.hostname.localhost | High
4 | ... | ... | ...
There are 5 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by APT-C-36. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1499 | Resource Consumption | High
2 | T1600 | Cryptographic Issues | High
## IOA - Indicator of Attack
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by APT-C-36. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `.htaccess` | Medium
2 | File | `FileSeek.cgi` | Medium
3 | File | `includes/dbal.php` | High
4 | File | `index.php` | Medium
5 | File | `modules/mappers/mod_rewrite.c` | High
6 | File | `personalData/resumeDetail.cfm` | High
7 | File | `prod.php` | Medium
8 | File | `products.php` | Medium
9 | File | `shop.pl` | Low
10 | File | `software-description.php` | High
11 | ... | ... | ...
There are 10 more IOA items available. Please use our online service to access the data.
## References
The following list contains external sources which discuss the actor and the associated activities:
* https://web.archive.org/web/20190625182633if_/https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/
## Literature
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
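Review bot: every Hostname cell in the IOC table is `undefined.hostname.localhost`, which is a placeholder reverse-DNS answer rather than a name the actor uses; rendering it as `-` (as the other tables do for unresolved addresses) avoids consumers ingesting the string as an indicator and alerting on it. As with APT-C-01, the table is also cut from the eight rows in the deleted AsciiDoc to three plus "There are 5 more IOC items available", which the commit message does not mention.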


@ -1,97 +0,0 @@
= APT1 - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.apt1[APT1]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.apt1
== Campaigns
The following campaigns are known and can be associated with the actor.
- Mandiant
- Oceansalt
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. CN
. US
. FR
. ...
There are 1 more country items available. Please use our online service to access the data.
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|23.236.62.147|147.62.236.23.bc.googleusercontent.com|Medium
|2|27.102.112.179|-|High
|3|58.246.|-|High
|4|58.247.|-|High
|5|67.222.16.131|host.dnsweb.org|High
|6|100.42.216.230|tfs2480.sipnav.in|High
|7|103.42.182.241|-|High
|8|104.31.82.32|-|High
|9|158.69.131.78|ip78.ip-158-69-131.net|High
|10|172.81.132.62|ip-172-81-132-62.host.datawagon.net|High
|11|211.104.160.196|-|High
|12|223.166.|-|High
|13|223.167.|-|High
|========================================
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1110.001|Improper Restriction of Excessive Authentication Attempts|High
|4|T1211|7PK Security Features|High
|5|T1222|Permission Issues|High
|6|...|...|...
|========================================
There are 7 more TTP items available. Please use our online service to access the data.
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|$HOME/.nylas-mail|High
|2|File|$JENKINS_HOME/jenkins.security.RekeySecretAdminMonitor/backups|High
|3|File|$SPLUNK_HOME/etc/splunk-launch.conf|High
|4|File|%ProgramData%\CTES|High
|5|File|%PROGRAMFILES%\Cylance\Desktop\log|High
|6|File|%SYSTEMDRIVE%\ProgramData\exclusions.dat|High
|7|File|'phpshell.php|High
|8|File|*-sub-menu.php|High
|9|File|-X/path/to/wwwroot/file.php.|High
|10|File|.../gogo/|Medium
|11|...|...|...
|========================================
There are 10537 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf
* https://www.circleid.com/posts/20201215-revisiting-apt1-iocs-with-dns-and-subdomain-intelligence/
* https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdfa
* https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-oceansalt.pdf
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

APT1/README.md Normal file

@ -0,0 +1,92 @@
# APT1 - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [APT1](https://vuldb.com/?actor.apt1). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.apt1](https://vuldb.com/?actor.apt1)
## Campaigns
The following campaigns are known and can be associated with APT1:
* Mandiant
* Oceansalt
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with APT1:
* CN
* US
* FR
* ...
There are 1 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of APT1.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 23.236.62.147 | 147.62.236.23.bc.googleusercontent.com | Medium
2 | 27.102.112.179 | - | High
3 | 58.246. | - | High
4 | 58.247. | - | High
5 | 67.222.16.131 | host.dnsweb.org | High
6 | ... | ... | ...
There are 8 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by APT1. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
4 | T1211 | 7PK Security Features | High
5 | ... | ... | ...
There are 8 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by APT1. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `$HOME/.nylas-mail` | High
2 | File | `$JENKINS_HOME/jenkins.security.RekeySecretAdminMonitor/backups` | High
3 | File | `$SPLUNK_HOME/etc/splunk-launch.conf` | High
4 | File | `%ProgramData%\CTES` | High
5 | File | `%PROGRAMFILES%\Cylance\Desktop\log` | High
6 | File | `%SYSTEMDRIVE%\ProgramData\exclusions.dat` | High
7 | File | `'phpshell.php` | High
8 | File | `*-sub-menu.php` | High
9 | File | `-X/path/to/wwwroot/file.php.` | High
10 | File | `.../gogo/` | Medium
11 | ... | ... | ...
There are 10537 more IOA items available. Please use our online service to access the data.
## References
The following list contains external sources which discuss the actor and the associated activities:
* http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf
* https://www.circleid.com/posts/20201215-revisiting-apt1-iocs-with-dns-and-subdomain-intelligence/
* https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdfa
* https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-oceansalt.pdf
## Literature
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
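Review bot: rows 3 and 4 of the new APT1 IOC table, `3 | 58.246. | - | High` and `4 | 58.247. | - | High`, carry truncated addresses that are neither valid IPv4 addresses nor CIDR prefixes, so any tooling ingesting this README will reject or mis-parse them; complete them or drop them before publishing. Two smaller data issues in the same hunk: the reference `https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdfa` has a stray trailing "a" in the extension, and the IOA rows `'phpshell.php` and `-X/path/to/wwwroot/file.php.` look like parser residue (leading apostrophe, trailing period) rather than indicator values. On wording, "There are 1 more country items available" should read "There is 1 more country item available", and the IOC intro keeps the misspelling "ressources" from the AsciiDoc source; since the same sentence is emitted in every converted README in this commit, the fix belongs in the generator template rather than in each file.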

@ -1,110 +0,0 @@
= APT10 - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.apt10[APT10]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.apt10
== Campaigns
The following campaigns are known and can be associated with the actor.
- A41APT
- Cloud Hopper
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. US
. CN
. DE
. ...
There are 18 more country items available. Please use our online service to access the data.
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|23.89.193.34|-|High
|2|23.110.64.147|-|High
|3|23.252.105.137|23.252.105.137.16clouds.com|High
|4|27.102.66.67|-|High
|5|27.102.115.249|-|High
|6|27.102.127.75|-|High
|7|27.102.127.80|-|High
|8|27.102.128.157|-|High
|9|31.184.197.215|31-184-197-215.static.x5x-noc.ru|High
|10|31.184.197.227|31-184-197-227.static.x5x-noc.ru|High
|11|31.184.198.23|-|High
|12|31.184.198.38|-|High
|13|37.187.7.74|ns3372567.ip-37-187-7.eu|High
|14|37.235.52.18|18.52.235.37.in-addr.arpa|High
|15|38.72.112.45|-|High
|16|38.72.114.16|-|High
|17|38.72.115.9|-|High
|18|45.62.112.161|45.62.112.161.16clouds.com|High
|19|45.138.157.83|lilanews.serveexchange.com|High
|20|46.108.39.134|-|High
|21|...|...|...
|========================================
There are 94 more IOC items available. Please use our online service to access the data.
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1110.001|Improper Restriction of Excessive Authentication Attempts|High
|4|T1211|7PK Security Features|High
|5|T1222|Permission Issues|High
|6|...|...|...
|========================================
There are 4 more TTP items available. Please use our online service to access the data.
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|/+CSCOE+/logon.html|High
|2|File|/.env|Low
|3|File|/addnews.html|High
|4|File|/admin/index.php|High
|5|File|/assets/something/services/AppModule.class|High
|6|File|/cgi-bin/admin/testserver.cgi|High
|7|File|/cgi-bin/go|Medium
|8|File|/dev/kvm|Medium
|9|File|/etc/config/rpcd|High
|10|File|/etc/gsissh/sshd_config|High
|11|...|...|...
|========================================
There are 481 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://github.com/janhenrikdotcom/iocs/blob/master/APT10/Operation%20Cloud%20Hopper%20-%20Indicators%20of%20Compromise%20v3.csv
* https://github.com/PwCUK-CTO/OperationCloudHopper/blob/master/cloud-hopper-indicators-of-compromise-v3.csv
* https://github.com/riduangan/APT10/blob/master/IOC
* https://securelist.com/apt10-sophisticated-multi-layered-loader-ecipekac-discovered-in-a41apt-campaign/101519/
* https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html
* https://www.threatminer.org/report.php?q=Accenture-Hogfish-Threat-Analysis.pdf&y=2018
* https://www.threatminer.org/report.php?q=cloud-hopper-indicators-of-compromise-v3-PwC.pdf&y=2017
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

109
APT10/README.md Normal file
@ -0,0 +1,109 @@
# APT10 - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [APT10](https://vuldb.com/?actor.apt10). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.apt10](https://vuldb.com/?actor.apt10)
## Campaigns
The following campaigns are known and can be associated with APT10:
* A41APT
* Cloud Hopper
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with APT10:
* US
* CN
* DE
* ...
There are 18 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of APT10.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 23.89.193.34 | - | High
2 | 23.110.64.147 | - | High
3 | 23.252.105.137 | 23.252.105.137.16clouds.com | High
4 | 27.102.66.67 | - | High
5 | 27.102.115.249 | - | High
6 | 27.102.127.75 | - | High
7 | 27.102.127.80 | - | High
8 | 27.102.128.157 | - | High
9 | 31.184.197.215 | 31-184-197-215.static.x5x-noc.ru | High
10 | 31.184.197.227 | 31-184-197-227.static.x5x-noc.ru | High
11 | 31.184.198.23 | - | High
12 | 31.184.198.38 | - | High
13 | 37.187.7.74 | ns3372567.ip-37-187-7.eu | High
14 | 37.235.52.18 | 18.52.235.37.in-addr.arpa | High
15 | 38.72.112.45 | - | High
16 | 38.72.114.16 | - | High
17 | 38.72.115.9 | - | High
18 | 45.62.112.161 | 45.62.112.161.16clouds.com | High
19 | 45.138.157.83 | lilanews.serveexchange.com | High
20 | 46.108.39.134 | - | High
21 | ... | ... | ...
There are 94 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by APT10. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ...
There are 6 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by APT10. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/+CSCOE+/logon.html` | High
2 | File | `/.env` | Low
3 | File | `/addnews.html` | High
4 | File | `/admin/index.php` | High
5 | File | `/assets/something/services/AppModule.class` | High
6 | File | `/cgi-bin/admin/testserver.cgi` | High
7 | File | `/cgi-bin/go` | Medium
8 | File | `/dev/kvm` | Medium
9 | File | `/etc/config/rpcd` | High
10 | File | `/etc/gsissh/sshd_config` | High
11 | ... | ... | ...
There are 481 more IOA items available. Please use our online service to access the data.
## References
The following list contains external sources which discuss the actor and the associated activities:
* https://github.com/janhenrikdotcom/iocs/blob/master/APT10/Operation%20Cloud%20Hopper%20-%20Indicators%20of%20Compromise%20v3.csv
* https://github.com/PwCUK-CTO/OperationCloudHopper/blob/master/cloud-hopper-indicators-of-compromise-v3.csv
* https://github.com/riduangan/APT10/blob/master/IOC
* https://securelist.com/apt10-sophisticated-multi-layered-loader-ecipekac-discovered-in-a41apt-campaign/101519/
* https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html
* https://www.threatminer.org/report.php?q=Accenture-Hogfish-Threat-Analysis.pdf&y=2018
* https://www.threatminer.org/report.php?q=cloud-hopper-indicators-of-compromise-v3-PwC.pdf&y=2017
## Literature
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
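Review bot: the TTP table's "Description" column does not describe the ATT&CK technique named in the "Technique" column but a weakness class, e.g. `1 | T1059.007 | Cross Site Scripting | High` pairs a command-and-scripting-interpreter sub-technique with an XSS label; readers will take the description as the ATT&CK name, so either rename the column to say what the label is (the weakness the technique was mapped from) or add the real technique name alongside. Also in this hunk, row 14 of the IOC table, `14 | 37.235.52.18 | 18.52.235.37.in-addr.arpa | High`, puts a reverse-lookup PTR name in the Hostname column; that is not a forward-resolvable hostname and should be rendered as `-` like the other entries without a name.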

@ -1,76 +0,0 @@
= APT12 - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.apt12[APT12]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.apt12
== Campaigns
The following campaigns are known and can be associated with the actor.
- Etumbot
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. ES
. US
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|32.114.251.129|-|High
|2|59.0.249.11|-|High
|3|92.54.232.142|-|High
|4|98.188.111.244|-|High
|5|133.87.242.63|turonian.cris.hokudai.ac.jp|High
|6|133.87.242.631|-|High
|7|141.108.2.157|fabernext.roma1.infn.it|High
|8|143.89.47.132|eea132.ee.ust.hk|High
|9|143.89.145.156|dy145-156.ust.hk|High
|10|190.16.246.129|129-246-16-190.fibertel.com.ar|High
|11|190.193.44.138|138-44-193-190.cab.prima.net.ar|High
|12|196.1.99.15|-|High
|13|196.1.99.154|-|High
|14|200.27.173.58|-|High
|15|200.42.69.140|mail1.argus.com.ar|High
|16|211.53.164.152|recruit.dhc.co.kr|High
|17|217.119.240.118|-|High
|========================================
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1499|Resource Consumption|High
|========================================
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|Network Port|tcp/264|Low
|========================================
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html
* https://www.threatminer.org/report.php?q=ASERT-Threat-Intelligence-Brief-2014-07-Illuminating-Etumbot-APT.pdf&y=2014
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

69
APT12/README.md Normal file
@ -0,0 +1,69 @@
# APT12 - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [APT12](https://vuldb.com/?actor.apt12). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.apt12](https://vuldb.com/?actor.apt12)
## Campaigns
The following campaigns are known and can be associated with APT12:
* Etumbot
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with APT12:
* ES
* US
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of APT12.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 32.114.251.129 | - | High
2 | 59.0.249.11 | - | High
3 | 92.54.232.142 | - | High
4 | 98.188.111.244 | - | High
5 | 133.87.242.63 | turonian.cris.hokudai.ac.jp | High
6 | 133.87.242.631 | - | High
7 | ... | ... | ...
There are 11 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by APT12. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1499 | Resource Consumption | High
## IOA - Indicator of Attack
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by APT12. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | Network Port | `tcp/264` | Low
## References
The following list contains external sources which discuss the actor and the associated activities:
* https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html
* https://www.threatminer.org/report.php?q=ASERT-Threat-Intelligence-Brief-2014-07-Illuminating-Etumbot-APT.pdf&y=2014
## Literature
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
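Review bot: row 6 of the APT12 IOC table, `6 | 133.87.242.631 | - | High`, is not a valid IPv4 address (last octet 631 exceeds 255) and appears to be row 5's `133.87.242.63` with a stray trailing digit; the conversion copied it over unchanged from the AsciiDoc table, so the value should be corrected or removed at the source rather than carried into the Markdown output with High confidence.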

@ -1,32 +0,0 @@
= APT15 - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.apt15[APT15]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.apt15
== Campaigns
The following campaigns are known and can be associated with the actor.
- Ke3chang
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|61.128.110.38|-|High
|2|180.149.252.181|-|High
|========================================
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://www.threatminer.org/report.php?q=XSLCmd_OSX.pdf&y=2014
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

37
APT15/README.md Normal file
@ -0,0 +1,37 @@
# APT15 - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [APT15](https://vuldb.com/?actor.apt15). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.apt15](https://vuldb.com/?actor.apt15)
## Campaigns
The following campaigns are known and can be associated with APT15:
* Ke3chang
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of APT15.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 61.128.110.38 | - | High
2 | 180.149.252.181 | - | High
## References
The following list contains external sources which discuss the actor and the associated activities:
* https://www.threatminer.org/report.php?q=XSLCmd_OSX.pdf&y=2014
## Literature
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!

@ -1,65 +0,0 @@
= APT16 - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.apt16[APT16]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.apt16
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. US
. CN
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|121.127.249.74|-|High
|========================================
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|========================================
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|/download|Medium
|2|File|comment_add.asp|High
|3|File|data/gbconfiguration.dat|High
|4|File|email.php|Medium
|5|File|inc/config.php|High
|6|File|inc/filebrowser/browser.php|High
|7|File|ogp_show.php|Medium
|8|File|register.php|Medium
|9|Argument|basePath|Medium
|10|Argument|display|Low
|11|...|...|...
|========================================
There are 4 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

66
APT16/README.md Normal file
@ -0,0 +1,66 @@
# APT16 - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [APT16](https://vuldb.com/?actor.apt16). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.apt16](https://vuldb.com/?actor.apt16)
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with APT16:
* US
* CN
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of APT16.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 121.127.249.74 | - | High
## TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by APT16. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
## IOA - Indicator of Attack
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by APT16. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/download` | Medium
2 | File | `comment_add.asp` | High
3 | File | `data/gbconfiguration.dat` | High
4 | File | `email.php` | Medium
5 | File | `inc/config.php` | High
6 | File | `inc/filebrowser/browser.php` | High
7 | File | `ogp_show.php` | Medium
8 | File | `register.php` | Medium
9 | Argument | `basePath` | Medium
10 | Argument | `display` | Low
11 | ... | ... | ...
There are 4 more IOA items available. Please use our online service to access the data.
## References
The following list contains external sources which discuss the actor and the associated activities:
* https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html
## Literature
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
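Review bot: several IOA rows in the APT16 table are generic names with no product context, e.g. `1 | File | /download | Medium`, `8 | File | register.php | Medium` and `10 | Argument | display | Low`; on their own they will match on almost any web server, so a defender who loads this table as detection content gets noise rather than signal. The table would be more usable if each indicator carried the application or vulnerability entry it was derived from, or if the Low and Medium rows were kept out of the published excerpt.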

@ -1,89 +0,0 @@
= APT17 - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.apt17[APT17]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.apt17
== Campaigns
The following campaigns are known and can be associated with the actor.
- CCleaner
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. DE
. US
. JP
. ...
There are 2 more country items available. Please use our online service to access the data.
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|1.234.52.111|-|High
|2|69.80.72.165|-|High
|3|103.250.72.39|sv01growth.bulks.jp|High
|4|103.250.72.254|103x250x72x254.bulks.jp|High
|5|110.45.151.43|-|High
|6|121.101.73.231|p6549e7.fkokff01.ap.so-net.ne.jp|High
|7|130.184.156.62|-|High
|8|148.251.71.75|hotspot.nwwc.de|High
|9|175.126.104.175|-|High
|10|178.62.20.110|-|High
|11|216.126.225.148|-|High
|12|217.198.143.40|-|High
|========================================
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1211|7PK Security Features|High
|4|T1587.003|Improper Certificate Validation|High
|========================================
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|.htaccess|Medium
|2|File|/wbg/core/_includes/authorization.inc.php|High
|3|File|data/gbconfiguration.dat|High
|4|File|inc/config.php|High
|5|File|inc/filebrowser/browser.php|High
|6|File|register/check/username?username|High
|7|File|wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php|High
|8|File|wp-login.php|Medium
|9|Argument|basePath|Medium
|10|Argument|file|Low
|11|...|...|...
|========================================
There are 2 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://github.com/fireeye/iocs/blob/master/APT17/7b9e87c5-b619-4a13-b862-0145614d359a.ioc
* https://www.threatminer.org/report.php?q=EvidenceAuroraOperationStillActive_SupplyChainAttackThroughCCleaner-Intezer.pdf&y=2017
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

87
APT17/README.md Normal file
@ -0,0 +1,87 @@
# APT17 - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [APT17](https://vuldb.com/?actor.apt17). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.apt17](https://vuldb.com/?actor.apt17)
## Campaigns
The following campaigns are known and can be associated with APT17:
* CCleaner
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with APT17:
* DE
* US
* JP
* ...
There are 2 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of APT17.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 1.234.52.111 | - | High
2 | 69.80.72.165 | - | High
3 | 103.250.72.39 | sv01growth.bulks.jp | High
4 | 103.250.72.254 | 103x250x72x254.bulks.jp | High
5 | ... | ... | ...
There are 8 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by APT17. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1211 | 7PK Security Features | High
4 | ... | ... | ...
There are 1 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by APT17. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `.htaccess` | Medium
2 | File | `/wbg/core/_includes/authorization.inc.php` | High
3 | File | `data/gbconfiguration.dat` | High
4 | File | `inc/config.php` | High
5 | File | `inc/filebrowser/browser.php` | High
6 | File | `register/check/username?username` | High
7 | File | `wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php` | High
8 | File | `wp-login.php` | Medium
9 | Argument | `basePath` | Medium
10 | Argument | `file` | Low
11 | ... | ... | ...
There are 2 more IOA items available. Please use our online service to access the data.
## References
The following list contains external sources which discuss the actor and the associated activities:
* https://github.com/fireeye/iocs/blob/master/APT17/7b9e87c5-b619-4a13-b862-0145614d359a.ioc
* https://www.threatminer.org/report.php?q=EvidenceAuroraOperationStillActive_SupplyChainAttackThroughCCleaner-Intezer.pdf&y=2017
## Literature
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
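Review bot: the TTP table's third column is renamed to `Description` (the AsciiDoc originals elsewhere in this commit use `Access Vector`), but its values (`Cross Site Scripting` for T1059.007, `Execution with Unnecessary Privileges` for T1068, `7PK Security Features` for T1211) are weakness-class names that the predictive model maps onto a technique ID, not descriptions of the ATT&CK technique itself. A reader expecting the official technique name will be misled; suggest a header such as `Weakness` or `Mapped from`, plus one sentence in the section intro saying that the technique is inferred from the weakness class.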


@ -1,36 +0,0 @@
= APT18 - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.apt18[APT18]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.apt18
== Campaigns
The following campaigns are known and can be associated with the actor.
- Wekby
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|23.252.166.89|-|High
|2|23.252.166.99|-|High
|3|107.180.58.70|ip-107-180-58-70.ip.secureserver.net|High
|4|137.175.4.132|-|High
|5|223.25.233.248|-|High
|========================================
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://github.com/fireeye/iocs/blob/master/APT18/0ae061d7-c624-4a84-8adf-00281b97797b.ioc
* https://unit42.paloaltonetworks.com/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

APT18/README.md Normal file

@ -0,0 +1,42 @@
# APT18 - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [APT18](https://vuldb.com/?actor.apt18). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.apt18](https://vuldb.com/?actor.apt18)
## Campaigns
The following campaigns are known and can be associated with APT18:
* Wekby
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of APT18.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 23.252.166.89 | - | High
2 | 23.252.166.99 | - | High
3 | 107.180.58.70 | ip-107-180-58-70.ip.secureserver.net | High
4 | ... | ... | ...
There are 2 more IOC items available. Please use our online service to access the data.
## References
The following list contains external sources which discuss the actor and the associated activities:
* https://github.com/fireeye/iocs/blob/master/APT18/0ae061d7-c624-4a84-8adf-00281b97797b.ioc
* https://unit42.paloaltonetworks.com/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/
## Literature
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
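Review bot: `ressources` in the IOC intro (`These indicators of compromise indicate associated network ressources ...`) should be `resources`; the same misspelling appears in the corresponding sentence of every README.md added in this commit and was already present in the AsciiDoc originals, so the converter template is the place to fix it once.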


@ -1,44 +0,0 @@
= APT19 - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.apt19[APT19]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.apt19
== Campaigns
The following campaigns are known and can be associated with the actor.
- c0d0s0
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. CN
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|42.200.18.194|-|High
|2|104.236.77.169|-|High
|3|121.54.168.230|-|High
|4|138.68.45.9|openpubsource.com|High
|5|162.243.143.145|-|High
|6|210.181.184.64|-|High
|7|218.54.139.20|-|High
|========================================
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://unit42.paloaltonetworks.com/new-attacks-linked-to-c0d0s0-group/
* https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

APT19/README.md Normal file

@ -0,0 +1,48 @@
# APT19 - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [APT19](https://vuldb.com/?actor.apt19). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.apt19](https://vuldb.com/?actor.apt19)
## Campaigns
The following campaigns are known and can be associated with APT19:
* c0d0s0
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with APT19:
* CN
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of APT19.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 42.200.18.194 | - | High
2 | 104.236.77.169 | - | High
3 | 121.54.168.230 | - | High
4 | ... | ... | ...
There are 4 more IOC items available. Please use our online service to access the data.
## References
The following list contains external sources which discuss the actor and the associated activities:
* https://unit42.paloaltonetworks.com/new-attacks-linked-to-c0d0s0-group/
* https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html
## Literature
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
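Review bot: the `4 | ... | ... | ...` row mixes a truncation marker into the data rows of the IOC table, while the sentence directly below it (`There are 4 more IOC items available.`) already states the omission. Anyone loading these tables with a script has to special-case that row; suggest dropping it and relying on the sentence, or at least keeping the `ID` column numeric.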


@ -1,83 +0,0 @@
= APT2 - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.apt2[APT2]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.apt2
== Campaigns
The following campaigns are known and can be associated with the actor.
- Putter Panda
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. KR
. US
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|31.170.110.163|io.uu3.net|High
|2|58.196.156.15|-|High
|3|59.120.168.199|59-120-168-199.hinet-ip.hinet.net|High
|4|61.34.97.69|-|High
|5|61.74.190.14|-|High
|6|61.78.37.121|-|High
|7|61.78.75.96|-|High
|8|61.221.54.99|61-221-54-99.hinet-ip.hinet.net|High
|9|67.42.255.50|rory.net|High
|10|100.42.216.230|tfs2480.sipnav.in|High
|11|121.157.104.122|-|High
|12|134.129.140.212|eercvpn.eerc.und.nodak.edu|High
|13|140.112.19.195|ipserver.ee.ntu.edu.tw|High
|14|140.112.40.7|bpADServer.bp.ntu.edu.tw|High
|15|140.113.88.216|IP-88-216.cs.nctu.edu.tw|High
|16|140.113.241.33|mipserv.cs.nctu.edu.tw|High
|17|140.119.46.35|econo2008.nccu.edu.tw|High
|18|173.231.36.139|173-231-36-139.hosted.static.webnx.com|High
|19|173.252.205.56|173-252-205-56.genericreverse.com|High
|20|173.252.207.51|173-252-207-51.genericreverse.com|High
|21|...|...|...
|========================================
There are 22 more IOC items available. Please use our online service to access the data.
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|========================================
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|/bin/boa|Medium
|2|Argument|Authorization|High
|3|Argument|Username|Medium
|========================================
== References
The following list contains external sources which discuss the actor and the associated activities.
* http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf
* https://www.threatminer.org/report.php?q=putter-panda.pdf&y=2014
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

APT2/README.md Normal file

@ -0,0 +1,78 @@
# APT2 - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [APT2](https://vuldb.com/?actor.apt2). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.apt2](https://vuldb.com/?actor.apt2)
## Campaigns
The following campaigns are known and can be associated with APT2:
* Putter Panda
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with APT2:
* KR
* US
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of APT2.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 31.170.110.163 | io.uu3.net | High
2 | 58.196.156.15 | - | High
3 | 59.120.168.199 | 59-120-168-199.hinet-ip.hinet.net | High
4 | 61.34.97.69 | - | High
5 | 61.74.190.14 | - | High
6 | 61.78.37.121 | - | High
7 | 61.78.75.96 | - | High
8 | 61.221.54.99 | 61-221-54-99.hinet-ip.hinet.net | High
9 | 67.42.255.50 | rory.net | High
10 | 100.42.216.230 | tfs2480.sipnav.in | High
11 | 121.157.104.122 | - | High
12 | 134.129.140.212 | eercvpn.eerc.und.nodak.edu | High
13 | 140.112.19.195 | ipserver.ee.ntu.edu.tw | High
14 | 140.112.40.7 | bpADServer.bp.ntu.edu.tw | High
15 | ... | ... | ...
There are 28 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by APT2. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
## IOA - Indicator of Attack
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by APT2. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/bin/boa` | Medium
2 | Argument | `Authorization` | High
3 | Argument | `Username` | Medium
## References
The following list contains external sources which discuss the actor and the associated activities:
* http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf
* https://www.threatminer.org/report.php?q=putter-panda.pdf&y=2014
## Literature
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
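Review bot: the conversion silently shows less data than the file it replaces: the AsciiDoc IOC table listed 20 of 42 addresses (rows 1-20, then `22 more`), the Markdown table lists 14 (`15 | ...`, then `28 more`), so rows 15-20 (`140.113.88.216` through `173.252.207.51`) are no longer in the repository at all. The commit message says the files were converted, not truncated; if the smaller cut-off is intended, say so in the README or the commit message, otherwise keep the row limit of the original.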


@ -1,95 +0,0 @@
= APT27 - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.apt27[APT27]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.apt27
== Campaigns
The following campaigns are known and can be associated with the actor.
- SysUpdate
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. US
. CN
. ES
. ...
There are 3 more country items available. Please use our online service to access the data.
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|34.90.207.23|23.207.90.34.bc.googleusercontent.com|Medium
|2|34.93.247.126|126.247.93.34.bc.googleusercontent.com|Medium
|3|35.187.148.253|253.148.187.35.bc.googleusercontent.com|Medium
|4|35.220.135.85|85.135.220.35.bc.googleusercontent.com|Medium
|5|45.142.214.188|mts.ru|High
|6|47.75.49.32|-|High
|7|85.204.74.143|-|High
|8|89.35.178.105|-|High
|9|103.79.78.48|103.79.78.48.static.hostdare.com|High
|10|104.09.198.177|-|High
|11|139.59.81.253|-|High
|12|139.180.208.225|139.180.208.225.vultr.com|Medium
|13|185.12.45.134|server5.cygda.info|High
|========================================
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1008|Algorithm Downgrade|High
|2|T1040|Authentication Bypass by Capture-replay|High
|3|T1059.007|Cross Site Scripting|High
|4|T1068|Execution with Unnecessary Privileges|High
|5|T1110.001|Improper Restriction of Excessive Authentication Attempts|High
|6|...|...|...
|========================================
There are 7 more TTP items available. Please use our online service to access the data.
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|/+CSCOE+/logon.html|High
|2|File|/cgi-bin/live_api.cgi|High
|3|File|/config/getuser|High
|4|File|/etc/shadow|Medium
|5|File|/infusions/shoutbox_panel/shoutbox_admin.php|High
|6|File|/oscommerce/admin/currencies.php|High
|7|File|/proc/pid/syscall|High
|8|File|/session/list/allActiveSession|High
|9|File|/syslog_rules|High
|10|File|/upload|Low
|11|...|...|...
|========================================
There are 186 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/
* https://vxug.fakedoma.in/archive/APTs/2021/2021.04.09/Iron%20Tiger.pdf
* https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
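Review bot: row 10 of the IOC table, `104.09.198.177`, has a zero-padded second octet; strict IPv4 parsers reject leading zeros and lenient ones (historical `inet_aton` behaviour) read them as octal, so this value will either fail to load or match a different address than intended. Verify the octet against the source report before it is carried into the Markdown version, where it now sits among the `8 more IOC items` that are not shown.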

APT27/README.md Normal file

@ -0,0 +1,90 @@
# APT27 - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [APT27](https://vuldb.com/?actor.apt27). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.apt27](https://vuldb.com/?actor.apt27)
## Campaigns
The following campaigns are known and can be associated with APT27:
* SysUpdate
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with APT27:
* US
* CN
* ES
* ...
There are 3 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of APT27.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 34.90.207.23 | 23.207.90.34.bc.googleusercontent.com | Medium
2 | 34.93.247.126 | 126.247.93.34.bc.googleusercontent.com | Medium
3 | 35.187.148.253 | 253.148.187.35.bc.googleusercontent.com | Medium
4 | 35.220.135.85 | 85.135.220.35.bc.googleusercontent.com | Medium
5 | 45.142.214.188 | mts.ru | High
6 | ... | ... | ...
There are 8 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by APT27. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1008 | Algorithm Downgrade | High
2 | T1040 | Authentication Bypass by Capture-replay | High
3 | T1059.007 | Cross Site Scripting | High
4 | T1068 | Execution with Unnecessary Privileges | High
5 | ... | ... | ...
There are 8 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by APT27. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/+CSCOE+/logon.html` | High
2 | File | `/cgi-bin/live_api.cgi` | High
3 | File | `/config/getuser` | High
4 | File | `/etc/shadow` | Medium
5 | File | `/infusions/shoutbox_panel/shoutbox_admin.php` | High
6 | File | `/oscommerce/admin/currencies.php` | High
7 | File | `/proc/pid/syscall` | High
8 | File | `/session/list/allActiveSession` | High
9 | File | `/syslog_rules` | High
10 | File | `/upload` | Low
11 | ... | ... | ...
There are 186 more IOA items available. Please use our online service to access the data.
## References
The following list contains external sources which discuss the actor and the associated activities:
* https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/
* https://vxug.fakedoma.in/archive/APTs/2021/2021.04.09/Iron%20Tiger.pdf
* https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/
## Literature
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
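Review bot: the IOC table gives cloud-provider addresses (rows 1-4 on `googleusercontent.com`, row 12 of the replaced table on `vultr.com`) the same columns as everything else, with no first-seen or last-seen date. Such ranges are reallocated to other tenants quickly, so the `Medium` confidence alone does not tell a reader whether the row is still worth blocking; consider adding a date column, or at least the date of the cited report, to the IOC tables.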


@ -1,139 +0,0 @@
= APT28 - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.apt28[APT28]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.apt28
== Campaigns
The following campaigns are known and can be associated with the actor.
- Carberp
- Fysbis
- Global Brute Force
- ...
There are 3 more campaign items available. Please use our online service to access the data.
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. US
. DE
. ES
. ...
There are 52 more country items available. Please use our online service to access the data.
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|5.63.153.177|5-63-153-177.ovz.vps.regruhosting.ru|High
|2|5.100.155.82|5.100.155-82.publicdomainregistry.com|High
|3|5.100.155.91|5.100.155-91.publicdomainregistry.com|High
|4|5.135.183.154|ns3290077.ip-5-135-183.eu|High
|5|5.199.171.58|-|High
|6|23.163.0.59|naomi.rem2d.com|High
|7|23.227.196.21|23-227-196-21.static.hvvc.us|High
|8|23.227.196.215|23-227-196-215.static.hvvc.us|High
|9|23.227.196.217|23-227-196-217.static.hvvc.us|High
|10|31.184.198.23|-|High
|11|31.184.198.38|-|High
|12|31.220.43.99|-|High
|13|31.220.61.251|-|High
|14|37.235.52.18|18.52.235.37.in-addr.arpa|High
|15|45.32.129.185|45.32.129.185.vultr.com|Medium
|16|45.32.227.21|45.32.227.21.mobiltel.mx|High
|17|45.64.105.23|-|High
|18|45.124.132.127|-|High
|19|46.19.138.66|ab2.alchibasystems.in.net|High
|20|46.21.147.55|55.147.21.46.in-addr.arpa|High
|21|...|...|...
|========================================
There are 211 more IOC items available. Please use our online service to access the data.
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1040|Authentication Bypass by Capture-replay|High
|2|T1059.007|Cross Site Scripting|High
|3|T1068|Execution with Unnecessary Privileges|High
|4|T1110.001|Improper Restriction of Excessive Authentication Attempts|High
|5|T1211|7PK Security Features|High
|6|...|...|...
|========================================
There are 10 more TTP items available. Please use our online service to access the data.
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|.htaccess|Medium
|2|File|.procmailrc|Medium
|3|File|/$({curl|Medium
|4|File|/+CSCOE+/logon.html|High
|5|File|/.env|Low
|6|File|/.ssh/authorized_keys|High
|7|File|/.vnc/sesman_${username}_passwd|High
|8|File|/account/details.php|High
|9|File|/admin.php|Medium
|10|File|/admin/adclass.php|High
|11|...|...|...
|========================================
There are 2654 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://documents.trendmicro.com/assets/wp/wp-two-years-of-pawn-storm.pdf
* https://github.com/blackorbird/APT_REPORT/blob/master/APT28/IOC/2019-04-05-ioc-mark.txt
* https://github.com/blackorbird/APT_REPORT/blob/master/APT28/IOC/2019-04-09-ioc-mark.txt
* https://github.com/fireeye/iocs/blob/master/APT28/e1cbf7ca-4938-4d3c-a7e6-3ff966516191.ioc
* https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF
* https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF
* https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion/
* https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/
* https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/2015.11.04_Evolving_Threats/cct-w08_evolving-threats-dissection-of-a-cyber-espionage-attack.pdf
* https://unit42.paloaltonetworks.com/a-look-into-fysbis-sofacys-linux-backdoor/
* https://unit42.paloaltonetworks.com/dear-joohn-sofacy-groups-global-campaign/
* https://unit42.paloaltonetworks.com/unit42-new-sofacy-attacks-against-us-government-agency/
* https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/
* https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/
* https://unit42.paloaltonetworks.com/unit42-sofacys-komplex-os-x-trojan/
* https://unit42.paloaltonetworks.com/unit42-xagentosx-sofacys-xagent-macos-tool/
* https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50
* https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/
* https://www.ncsc.gov.uk/files/NCSC_APT28.pdf
* https://www.threatminer.org/report.php?q=ASongofIntelandFancy_ExploitingFancyBear%E2%80%99suseofSSLcertificate.pdf&y=2018
* https://www.threatminer.org/report.php?q=eset-sednit-part-2-ESET.pdf&y=2016
* https://www.threatminer.org/report.php?q=eset-sednit-part1-ESET.pdf&y=2016
* https://www.threatminer.org/report.php?q=FancyBearcontinuetooperatethroughphishingemailsandmuchmore_ESET.pdf&y=2017
* https://www.threatminer.org/report.php?q=OperationRussianDoll.pdf&y=2015
* https://www.threatminer.org/report.php?q=TheDeceptionProjectANewJapanese-CentricThreat-Cylance.pdf&y=2017
* https://www.threatminer.org/report.php?q=ThreatConnectandFidelisTeamUptoExploretheDCCCBreach-ThreatConnect.pdf&y=2016
* https://www.threatminer.org/report.php?q=ThreatConnectIdentifiesFANCYBEARWorldAnti-DopingAgencyBreach-ThreatConnect.pdf&y=2016
* https://www.threatminer.org/report.php?q=wp-operation-pawn-storm.pdf&y=2014
* https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/
* https://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf
* https://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf
* https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

APT28/README.md Normal file

@ -0,0 +1,140 @@
# APT28 - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [APT28](https://vuldb.com/?actor.apt28). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.apt28](https://vuldb.com/?actor.apt28)
## Campaigns
The following campaigns are known and can be associated with APT28:
* Carberp
* Fysbis
* Global Brute Force
* ...
There are 3 more campaign items available. Please use our online service to access the data.
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with APT28:
* US
* DE
* ES
* ...
There are 52 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of APT28.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 5.63.153.177 | 5-63-153-177.ovz.vps.regruhosting.ru | High
2 | 5.100.155.82 | 5.100.155-82.publicdomainregistry.com | High
3 | 5.100.155.91 | 5.100.155-91.publicdomainregistry.com | High
4 | 5.135.183.154 | ns3290077.ip-5-135-183.eu | High
5 | 5.199.171.58 | - | High
6 | 23.163.0.59 | naomi.rem2d.com | High
7 | 23.227.196.21 | 23-227-196-21.static.hvvc.us | High
8 | 23.227.196.215 | 23-227-196-215.static.hvvc.us | High
9 | 23.227.196.217 | 23-227-196-217.static.hvvc.us | High
10 | 31.184.198.23 | - | High
11 | 31.184.198.38 | - | High
12 | 31.220.43.99 | - | High
13 | 31.220.61.251 | - | High
14 | 37.235.52.18 | 18.52.235.37.in-addr.arpa | High
15 | 45.32.129.185 | 45.32.129.185.vultr.com | Medium
16 | 45.32.227.21 | 45.32.227.21.mobiltel.mx | High
17 | 45.64.105.23 | - | High
18 | 45.124.132.127 | - | High
19 | 46.19.138.66 | ab2.alchibasystems.in.net | High
20 | 46.21.147.55 | 55.147.21.46.in-addr.arpa | High
21 | ... | ... | ...
There are 211 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by APT28. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1040 | Authentication Bypass by Capture-replay | High
2 | T1059.007 | Cross Site Scripting | High
3 | T1068 | Execution with Unnecessary Privileges | High
4 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
5 | T1211 | 7PK Security Features | High
6 | ... | ... | ...
There are 10 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by APT28. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `.htaccess` | Medium
2 | File | `.procmailrc` | Medium
3 | File | `/$({curl` | Medium
4 | File | `/+CSCOE+/logon.html` | High
5 | File | `/.env` | Low
6 | File | `/.ssh/authorized_keys` | High
7 | File | `/.vnc/sesman_${username}_passwd` | High
8 | File | `/account/details.php` | High
9 | File | `/admin.php` | Medium
10 | File | `/admin/adclass.php` | High
11 | ... | ... | ...
There are 2654 more IOA items available. Please use our online service to access the data.
## References
The following list contains external sources which discuss the actor and the associated activities:
* https://documents.trendmicro.com/assets/wp/wp-two-years-of-pawn-storm.pdf
* https://github.com/blackorbird/APT_REPORT/blob/master/APT28/IOC/2019-04-05-ioc-mark.txt
* https://github.com/blackorbird/APT_REPORT/blob/master/APT28/IOC/2019-04-09-ioc-mark.txt
* https://github.com/fireeye/iocs/blob/master/APT28/e1cbf7ca-4938-4d3c-a7e6-3ff966516191.ioc
* https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF
* https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF
* https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion/
* https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/
* https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/2015.11.04_Evolving_Threats/cct-w08_evolving-threats-dissection-of-a-cyber-espionage-attack.pdf
* https://unit42.paloaltonetworks.com/a-look-into-fysbis-sofacys-linux-backdoor/
* https://unit42.paloaltonetworks.com/dear-joohn-sofacy-groups-global-campaign/
* https://unit42.paloaltonetworks.com/unit42-new-sofacy-attacks-against-us-government-agency/
* https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/
* https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/
* https://unit42.paloaltonetworks.com/unit42-sofacys-komplex-os-x-trojan/
* https://unit42.paloaltonetworks.com/unit42-xagentosx-sofacys-xagent-macos-tool/
* https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50
* https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/
* https://www.ncsc.gov.uk/files/NCSC_APT28.pdf
* https://www.threatminer.org/report.php?q=ASongofIntelandFancy_ExploitingFancyBear%E2%80%99suseofSSLcertificate.pdf&y=2018
* https://www.threatminer.org/report.php?q=eset-sednit-part-2-ESET.pdf&y=2016
* https://www.threatminer.org/report.php?q=eset-sednit-part1-ESET.pdf&y=2016
* https://www.threatminer.org/report.php?q=FancyBearcontinuetooperatethroughphishingemailsandmuchmore_ESET.pdf&y=2017
* https://www.threatminer.org/report.php?q=OperationRussianDoll.pdf&y=2015
* https://www.threatminer.org/report.php?q=TheDeceptionProjectANewJapanese-CentricThreat-Cylance.pdf&y=2017
* https://www.threatminer.org/report.php?q=ThreatConnectandFidelisTeamUptoExploretheDCCCBreach-ThreatConnect.pdf&y=2016
* https://www.threatminer.org/report.php?q=ThreatConnectIdentifiesFANCYBEARWorldAnti-DopingAgencyBreach-ThreatConnect.pdf&y=2016
* https://www.threatminer.org/report.php?q=wp-operation-pawn-storm.pdf&y=2014
* https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/
* https://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf
* https://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf
* https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf
## Literature
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
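Review bot: the TTP table's "Description" header mislabels what the column holds. The text beside each technique ID is a CWE weakness name, not the ATT&CK technique name: T1040 is "Network Sniffing" in ATT&CK, while the row reads "Authentication Bypass by Capture-replay" (CWE-294), and T1059.007 is "JavaScript", not "Cross Site Scripting" (CWE-79). Name the column for what it is, e.g. "Weakness (CWE)", or add the ATT&CK name alongside. Two smaller points in the same hunk: "ressources" under IOC should be "resources", and the backticks around IOA indicators correctly stop the underscores in `/.vnc/sesman_${username}_passwd` from rendering as italics, but a `|` inside an indicator would still split the Markdown table row, so the generator should escape it as `\|`.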


@ -1,111 +0,0 @@
= APT29 - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.apt29[APT29]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.apt29
== Campaigns
The following campaigns are known and can be associated with the actor.
- COVID-19
- PowerDuke
- Wellmail
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. US
. CN
. RU
. ...
There are 14 more country items available. Please use our online service to access the data.
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|5.45.66.134|-|High
|2|5.199.174.164|-|High
|3|27.102.130.115|-|High
|4|31.7.63.141|game.bignamegamereviewz.com|High
|5|31.170.107.186|ohra.supplrald.com|High
|6|45.120.156.69|-|High
|7|45.123.190.167|-|High
|8|45.123.190.168|-|High
|9|45.129.229.48|-|High
|10|45.152.84.57|-|High
|11|46.19.143.69|-|High
|12|46.246.120.178|-|High
|13|50.7.192.146|-|High
|14|64.18.143.66|-|High
|15|65.15.88.243|adsl-065-015-088-243.sip.asm.bellsouth.net|High
|16|66.29.115.55|647807.ds.nac.net|High
|17|66.70.247.215|ip215.ip-66-70-247.net|High
|18|69.59.28.57|-|High
|19|79.141.168.109|-|High
|20|81.17.17.213|customer20.tamic.info|High
|21|...|...|...
|========================================
There are 77 more IOC items available. Please use our online service to access the data.
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1211|7PK Security Features|High
|4|T1499|Resource Consumption|High
|5|T1552|Unprotected Storage of Credentials|High
|6|...|...|...
|========================================
There are 1 more TTP items available. Please use our online service to access the data.
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|.procmailrc|Medium
|2|File|/+CSCOE+/logon.html|High
|3|File|/../../conf/template/uhttpd.json|High
|4|File|/cgi-bin/portal|High
|5|File|/CMD_ACCOUNT_ADMIN|High
|6|File|/etc/shadow|Medium
|7|File|/etc/sudoers|Medium
|8|File|/firewall/policy/|High
|9|File|/includes/plugins/mobile/scripts/login.php|High
|10|File|/notice-edit.php|High
|11|...|...|...
|========================================
There are 236 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf
* https://github.com/blackorbird/APT_REPORT/blob/master/International%20Strategic/Russia/Advisory-APT29-targets-COVID-19-vaccine-development.pdf
* https://us-cert.cisa.gov/ncas/alerts/aa21-148a
* https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198c
* https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/
* https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf
* https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

APT29/README.md Normal file

@ -0,0 +1,110 @@
# APT29 - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [APT29](https://vuldb.com/?actor.apt29). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.apt29](https://vuldb.com/?actor.apt29)
## Campaigns
The following campaigns are known and can be associated with APT29:
* COVID-19
* PowerDuke
* Wellmail
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with APT29:
* US
* CN
* RU
* ...
There are 14 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of APT29.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 5.45.66.134 | - | High
2 | 5.199.174.164 | - | High
3 | 27.102.130.115 | - | High
4 | 31.7.63.141 | game.bignamegamereviewz.com | High
5 | 31.170.107.186 | ohra.supplrald.com | High
6 | 45.120.156.69 | - | High
7 | 45.123.190.167 | - | High
8 | 45.123.190.168 | - | High
9 | 45.129.229.48 | - | High
10 | 45.152.84.57 | - | High
11 | 46.19.143.69 | - | High
12 | 46.246.120.178 | - | High
13 | 50.7.192.146 | - | High
14 | 64.18.143.66 | - | High
15 | 65.15.88.243 | adsl-065-015-088-243.sip.asm.bellsouth.net | High
16 | 66.29.115.55 | 647807.ds.nac.net | High
17 | 66.70.247.215 | ip215.ip-66-70-247.net | High
18 | 69.59.28.57 | - | High
19 | 79.141.168.109 | - | High
20 | 81.17.17.213 | customer20.tamic.info | High
21 | ... | ... | ...
There are 77 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by APT29. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1211 | 7PK Security Features | High
4 | ... | ... | ...
There are 3 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by APT29. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `.procmailrc` | Medium
2 | File | `/+CSCOE+/logon.html` | High
3 | File | `/../../conf/template/uhttpd.json` | High
4 | File | `/cgi-bin/portal` | High
5 | File | `/CMD_ACCOUNT_ADMIN` | High
6 | File | `/etc/shadow` | Medium
7 | File | `/etc/sudoers` | Medium
8 | File | `/firewall/policy/` | High
9 | File | `/includes/plugins/mobile/scripts/login.php` | High
10 | File | `/notice-edit.php` | High
11 | ... | ... | ...
There are 236 more IOA items available. Please use our online service to access the data.
## References
The following list contains external sources which discuss the actor and the associated activities:
* https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf
* https://github.com/blackorbird/APT_REPORT/blob/master/International%20Strategic/Russia/Advisory-APT29-targets-COVID-19-vaccine-development.pdf
* https://us-cert.cisa.gov/ncas/alerts/aa21-148a
* https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198c
* https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/
* https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf
* https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/
## Literature
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
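Review bot: this conversion drops data, which the commit message ("Converted from AsciiDoc to Markdown") does not say. The old APT29.adoc listed five TTP rows, including T1499 and T1552, with "1 more" behind the online-service pointer; the new README lists three rows and "3 more", so two rows moved behind the pointer. The country, IOC and IOA tables keep their original cut-offs, so only the TTP table changed and the row limit is now inconsistent between tables. Either regenerate with the same row limits as before or state the data change in the commit message. The "ressources" typo under IOC is repeated here as well.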


@ -1,66 +0,0 @@
= APT3 - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.apt3[APT3]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.apt3
== Campaigns
The following campaigns are known and can be associated with the actor.
- CVE-2015-5119
- Doubletap
- Double Tap
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. US
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|23.99.20.198|-|High
|2|54.169.89.240|ec2-54-169-89-240.ap-southeast-1.compute.amazonaws.com|Medium
|3|104.151.248.173|173.248-151-104.rdns.scalabledns.com|High
|4|107.20.255.57|ec2-107-20-255-57.compute-1.amazonaws.com|Medium
|5|112.74.87.60|-|High
|6|137.175.4.132|-|High
|7|192.157.198.103|-|High
|8|192.184.60.229|unassigned.psychz.net|High
|9|194.44.130.179|-|High
|10|198.55.115.71|hosted-by.securefastserver.com|High
|11|210.109.99.64|-|High
|========================================
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|/forum/away.php|High
|========================================
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://github.com/fireeye/iocs/blob/master/APT3/62f65dae-9475-44b0-a9eb-c1baebbd9885.ioc
* https://github.com/fireeye/iocs/blob/master/APT3/db0b6ac6-874a-498e-892b-ac7c2020e061.ioc
* https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html
* https://www.fireeye.com/blog/threat-research/2015/07/demonstrating_hustle.html
* https://www.recordedfuture.com/chinese-mss-behind-apt3/
* https://www.threatminer.org/report.php?q=APTGroupUPSTargetsUSGovernmentwithHackingTeamFlashExploit-PaloAltoNetworksBlogPaloAltoNetworksBlog.pdf&y=2015
* https://www.threatminer.org/report.php?q=OperationDoubleTap.pdf&y=2014
* https://www.threatminer.org/report.php?q=SecondAdobeFlashZero-DayCVE-2015-5122fromHackingTeamExploitedinStrategicWebCompromiseTargetingJapaneseVictims%C2%ABThreatResearchBlog_FireEyeInc.pdf&y=2015
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

APT3/README.md Normal file

@ -0,0 +1,65 @@
# APT3 - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [APT3](https://vuldb.com/?actor.apt3). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.apt3](https://vuldb.com/?actor.apt3)
## Campaigns
The following campaigns are known and can be associated with APT3:
* CVE-2015-5119
* Doubletap
* Double Tap
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with APT3:
* US
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of APT3.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 23.99.20.198 | - | High
2 | 54.169.89.240 | ec2-54-169-89-240.ap-southeast-1.compute.amazonaws.com | Medium
3 | 104.151.248.173 | 173.248-151-104.rdns.scalabledns.com | High
4 | 107.20.255.57 | ec2-107-20-255-57.compute-1.amazonaws.com | Medium
5 | ... | ... | ...
There are 7 more IOC items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by APT3. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/forum/away.php` | High
## References
The following list contains external sources which discuss the actor and the associated activities:
* https://github.com/fireeye/iocs/blob/master/APT3/62f65dae-9475-44b0-a9eb-c1baebbd9885.ioc
* https://github.com/fireeye/iocs/blob/master/APT3/db0b6ac6-874a-498e-892b-ac7c2020e061.ioc
* https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html
* https://www.fireeye.com/blog/threat-research/2015/07/demonstrating_hustle.html
* https://www.recordedfuture.com/chinese-mss-behind-apt3/
* https://www.threatminer.org/report.php?q=APTGroupUPSTargetsUSGovernmentwithHackingTeamFlashExploit-PaloAltoNetworksBlogPaloAltoNetworksBlog.pdf&y=2015
* https://www.threatminer.org/report.php?q=OperationDoubleTap.pdf&y=2014
* https://www.threatminer.org/report.php?q=SecondAdobeFlashZero-DayCVE-2015-5122fromHackingTeamExploitedinStrategicWebCompromiseTargetingJapaneseVictims%C2%ABThreatResearchBlog_FireEyeInc.pdf&y=2015
## Literature
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
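Review bot: the campaign list carries over two entries for the same campaign, "Doubletap" and "Double Tap" (FireEye's Operation DoubleTap, cited twice in the references below), and a CVE identifier, "CVE-2015-5119", which is a vulnerability, not a campaign name; deduplicate the first pair and move the CVE out of the campaign list or label it as an exploited vulnerability. The IOC table is also cut from eleven fully listed rows in the old APT3.adoc to four plus a "7 more" pointer, so this hunk is a data change, not only a markup conversion.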


@ -1,27 +0,0 @@
= APT30 - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.apt30[APT30]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.apt30
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|5.1.0.29|5-1-0-29.datagroup.ua|High
|2|112.117.9.222|-|High
|========================================
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://www.threatminer.org/report.php?q=rpt-apt30.pdf&y=2015
* https://www.threatminer.org/_reports/2015/rpt-apt30.pdf#viewer.action=download
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

APT30/README.md Normal file

@ -0,0 +1,32 @@
# APT30 - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [APT30](https://vuldb.com/?actor.apt30). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.apt30](https://vuldb.com/?actor.apt30)
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of APT30.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 5.1.0.29 | 5-1-0-29.datagroup.ua | High
2 | 112.117.9.222 | - | High
## References
The following list contains external sources which discuss the actor and the associated activities:
* https://www.threatminer.org/report.php?q=rpt-apt30.pdf&y=2015
* https://www.threatminer.org/_reports/2015/rpt-apt30.pdf#viewer.action=download
## Literature
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
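Review bot: the two references are the same document, the FireEye APT30 report (rpt-apt30.pdf) mirrored on threatminer.org once via report.php?q=rpt-apt30.pdf and once via _reports/2015/rpt-apt30.pdf; keep one, preferably without the #viewer.action=download fragment, or cite the original publisher. Same "ressources" typo under IOC as in the other converted files.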


@ -1,79 +0,0 @@
= APT31 - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.apt31[APT31]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.apt31
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. FR
. US
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|105.154.12.165|-|High
|2|105.157.234.0|-|High
|3|105.159.122.85|-|High
|4|110.36.231.150|WGPON-36231-150.wateen.net|High
|5|115.31.133.26|-|High
|6|115.133.136.29|-|High
|7|119.110.222.94|static-119-110-222-94.violin.co.th|High
|8|121.121.46.10|mail.worldtech.my|High
|9|122.154.56.106|-|High
|10|125.25.204.59|node-14cb.pool-125-25.dynamic.totinternet.net|High
|11|125.31.50.150|n12531z50l150.static.ctmip.net|High
|12|141.101.253.109|-|High
|13|147.50.50.50|-|High
|14|154.181.248.88|host-154.181.88.248-static.tedata.net|High
|15|154.182.91.196|host-154.182.196.91-static.tedata.net|High
|16|156.222.101.141|host-156.222.141.101-static.tedata.net|High
|========================================
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1222|Permission Issues|High
|========================================
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|/get_getnetworkconf.cgi|High
|2|File|/horde/util/go.php|High
|3|File|administrator/components/com_media/helpers/media.php|High
|4|File|comments.php|Medium
|5|File|data/gbconfiguration.dat|High
|6|File|inc/config.php|High
|7|File|item_details.php|High
|8|File|KeyHelp.ocx|Medium
|9|File|phpinfo.php|Medium
|10|File|picture.php|Medium
|11|...|...|...
|========================================
There are 12 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://blogs.infoblox.com/cyber-threat-intelligence/cyber-threat-advisory-apt31-targeting-france/
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

73
APT31/README.md Normal file

@ -0,0 +1,73 @@
# APT31 - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [APT31](https://vuldb.com/?actor.apt31). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.apt31](https://vuldb.com/?actor.apt31)
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with APT31:
* FR
* US
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of APT31.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 105.154.12.165 | - | High
2 | 105.157.234.0 | - | High
3 | 105.159.122.85 | - | High
4 | 110.36.231.150 | WGPON-36231-150.wateen.net | High
5 | 115.31.133.26 | - | High
6 | 115.133.136.29 | - | High
7 | ... | ... | ...
There are 10 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by APT31. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1222 | Permission Issues | High
## IOA - Indicator of Attack
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by APT31. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/get_getnetworkconf.cgi` | High
2 | File | `/horde/util/go.php` | High
3 | File | `administrator/components/com_media/helpers/media.php` | High
4 | File | `comments.php` | Medium
5 | File | `data/gbconfiguration.dat` | High
6 | File | `inc/config.php` | High
7 | File | `item_details.php` | High
8 | File | `KeyHelp.ocx` | Medium
9 | File | `phpinfo.php` | Medium
10 | File | `picture.php` | Medium
11 | ... | ... | ...
There are 12 more IOA items available. Please use our online service to access the data.
## References
The following list contains external sources which discuss the actor and the associated activities:
* https://blogs.infoblox.com/cyber-threat-intelligence/cyber-threat-advisory-apt31-targeting-france/
## Literature
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
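Review bot: the IOC table in the new APT31/README.md stops after row 6 with "7 | ... | ... | ..." and "There are 10 more IOC items available", while the AsciiDoc file removed by this commit listed all 16 rows and the other actor READMEs converted in the same commit cut their IOC tables at 20 rows; if the truncation threshold is meant to be uniform, regenerate this file so rows 7 to 16 are kept instead of silently dropping indicators that were already public. Also, "network ressources" under "## IOC - Indicator of Compromise" should read "network resources"; that sentence is template text shared by every actor README in this commit, so the fix belongs in the generator rather than in this one file.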


@ -1,106 +0,0 @@
= APT32 - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.apt32[APT32]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.apt32
== Campaigns
The following campaigns are known and can be associated with the actor.
- Cobalt Kitty
- OceanLotus
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. US
. CN
. TR
. ...
There are 10 more country items available. Please use our online service to access the data.
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|23.227.196.126|23-227-196-126.static.hvvc.us|High
|2|23.227.196.210|23-227-196-210.static.hvvc.us|High
|3|23.227.199.121|23-227-199-121.static.hvvc.us|High
|4|27.102.70.211|-|High
|5|37.59.198.130|-|High
|6|37.59.198.131|-|High
|7|45.32.100.179|45.32.100.179.vultr.com|Medium
|8|45.32.105.45|45.32.105.45.vultr.com|Medium
|9|45.32.114.49|45.32.114.49.vultr.com|Medium
|10|45.76.147.201|45.76.147.201.vultr.com|Medium
|11|45.76.179.28|45.76.179.28.vultr.com|Medium
|12|45.76.179.151|45.76.179.151.vultr.com|Medium
|13|45.77.39.101|45.77.39.101.vultr.com|Medium
|14|45.114.117.137|-|High
|15|45.114.117.164|folien.reisnart.com|High
|16|64.62.174.9|unassigned9.net2.fc.aoindustries.com|High
|17|64.62.174.16|unassigned16.net2.fc.aoindustries.com|High
|18|64.62.174.17|unassigned17.net2.fc.aoindustries.com|High
|19|64.62.174.21|unassigned21.net2.fc.aoindustries.com|High
|20|64.62.174.41|unassigned41.net2.fc.aoindustries.com|High
|21|...|...|...
|========================================
There are 40 more IOC items available. Please use our online service to access the data.
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1110.001|Improper Restriction of Excessive Authentication Attempts|High
|4|T1211|7PK Security Features|High
|5|T1222|Permission Issues|High
|6|...|...|...
|========================================
There are 5 more TTP items available. Please use our online service to access the data.
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|/cgi-bin/cgiServer.exx|High
|2|File|/cgi-bin/login_action.cgi|High
|3|File|/dev/sg0|Medium
|4|File|/event/runquery.do|High
|5|File|/forum/away.php|High
|6|File|/manager?action=getlogcat|High
|7|File|/password.html|High
|8|File|/system/ws/v11/ss/email)|High
|9|File|/uncpath/|Medium
|10|File|add_vhost.php|High
|11|...|...|...
|========================================
There are 177 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf
* https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html
* https://www.volexity.com/blog/2017/11/06/oceanlotus-blossoms-mass-digital-surveillance-and-exploitation-of-asean-nations-the-media-human-rights-and-civil-society/
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

106
APT32/README.md Normal file

@ -0,0 +1,106 @@
# APT32 - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [APT32](https://vuldb.com/?actor.apt32). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.apt32](https://vuldb.com/?actor.apt32)
## Campaigns
The following campaigns are known and can be associated with APT32:
* Cobalt Kitty
* OceanLotus
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with APT32:
* US
* CN
* TR
* ...
There are 10 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of APT32.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 23.227.196.126 | 23-227-196-126.static.hvvc.us | High
2 | 23.227.196.210 | 23-227-196-210.static.hvvc.us | High
3 | 23.227.199.121 | 23-227-199-121.static.hvvc.us | High
4 | 27.102.70.211 | - | High
5 | 37.59.198.130 | - | High
6 | 37.59.198.131 | - | High
7 | 45.32.100.179 | 45.32.100.179.vultr.com | Medium
8 | 45.32.105.45 | 45.32.105.45.vultr.com | Medium
9 | 45.32.114.49 | 45.32.114.49.vultr.com | Medium
10 | 45.76.147.201 | 45.76.147.201.vultr.com | Medium
11 | 45.76.179.28 | 45.76.179.28.vultr.com | Medium
12 | 45.76.179.151 | 45.76.179.151.vultr.com | Medium
13 | 45.77.39.101 | 45.77.39.101.vultr.com | Medium
14 | 45.114.117.137 | - | High
15 | 45.114.117.164 | folien.reisnart.com | High
16 | 64.62.174.9 | unassigned9.net2.fc.aoindustries.com | High
17 | 64.62.174.16 | unassigned16.net2.fc.aoindustries.com | High
18 | 64.62.174.17 | unassigned17.net2.fc.aoindustries.com | High
19 | 64.62.174.21 | unassigned21.net2.fc.aoindustries.com | High
20 | 64.62.174.41 | unassigned41.net2.fc.aoindustries.com | High
21 | ... | ... | ...
There are 40 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by APT32. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
4 | T1211 | 7PK Security Features | High
5 | ... | ... | ...
There are 6 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by APT32. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/cgi-bin/cgiServer.exx` | High
2 | File | `/cgi-bin/login_action.cgi` | High
3 | File | `/dev/sg0` | Medium
4 | File | `/event/runquery.do` | High
5 | File | `/forum/away.php` | High
6 | File | `/manager?action=getlogcat` | High
7 | File | `/password.html` | High
8 | File | `/system/ws/v11/ss/email)` | High
9 | File | `/uncpath/` | Medium
10 | File | `add_vhost.php` | High
11 | ... | ... | ...
There are 178 more IOA items available. Please use our online service to access the data.
## References
The following list contains external sources which discuss the actor and the associated activities:
* https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf
* https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html
* https://www.volexity.com/blog/2017/11/06/oceanlotus-blossoms-mass-digital-surveillance-and-exploitation-of-asean-nations-the-media-human-rights-and-civil-society/
## Literature
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
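Review bot: the counts in this file do not match the AsciiDoc file it replaces, so the commit does more than the message "Converted from AsciiDoc to Markdown" says: the IOA footer went from "177 more" to "178 more", and the TTP table now shows 4 rows plus "6 more TTP items" where the old table showed 5 rows plus "5 more" (T1222 dropped out of the visible rows). Either split the data refresh into its own commit or state in the message that the exports were regenerated, so anyone later diffing indicators can tell markup changes from data changes. Separately, IOA row 8, `/system/ws/v11/ss/email)`, carries an unbalanced trailing ")" that looks like extraction residue from the source report; verify it before it ships as an indicator.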


@ -1,110 +0,0 @@
= APT33 - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.apt33[APT33]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.apt33
== Campaigns
The following campaigns are known and can be associated with the actor.
- Elfin
- PoshC2
- Powerton
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. FR
. DE
. ES
. ...
There are 18 more country items available. Please use our online service to access the data.
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|5.79.66.241|-|High
|2|5.79.127.177|-|High
|3|5.135.120.57|-|High
|4|5.135.199.25|-|High
|5|5.187.21.70|-|High
|6|5.187.21.71|-|High
|7|8.26.21.117|117.21.26.8.serverpronto.com|High
|8|8.26.21.119|ns1.glasscitysoftware.net|High
|9|8.26.21.120|ns2.glasscitysoftware.net|High
|10|8.26.21.220|mail2.boldinbox.com|High
|11|8.26.21.221|mail3.boldinbox.com|High
|12|8.26.21.222|mail9.servidorz.com|High
|13|8.26.21.223|mail5.boldinbox.com|High
|14|31.7.62.48|-|High
|15|37.48.105.178|-|High
|16|45.32.186.33|45.32.186.33.vultr.com|Medium
|17|45.76.32.252|45.76.32.252.vultr.com|Medium
|18|51.77.11.46|ip46.ip-51-77-11.eu|High
|19|51.254.71.223|ip223.ip-51-254-71.eu|High
|20|54.36.73.108|mail.snap-status.com|High
|21|...|...|...
|========================================
There are 55 more IOC items available. Please use our online service to access the data.
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1008|Algorithm Downgrade|High
|2|T1040|Authentication Bypass by Capture-replay|High
|3|T1059.007|Cross Site Scripting|High
|4|T1068|Execution with Unnecessary Privileges|High
|5|T1110.001|Improper Restriction of Excessive Authentication Attempts|High
|6|...|...|...
|========================================
There are 11 more TTP items available. Please use our online service to access the data.
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|$SPLUNK_HOME/etc/splunk-launch.conf|High
|2|File|%PROGRAMDATA%\1E\Client|High
|3|File|%PROGRAMDATA%\ASUS\GamingCenterLib|High
|4|File|%PROGRAMDATA%\WrData\PKG|High
|5|File|%PROGRAMFILES(X86)%/Aternity Information Systems/Assistant/plugins|High
|6|File|.folder|Low
|7|File|.forward|Medium
|8|File|.git/hooks/post-update|High
|9|File|.gitlab-ci.yml|High
|10|File|.htaccess|Medium
|11|...|...|...
|========================================
There are 4712 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://github.com/jeFF0Falltrades/IoCs/blob/master/APT/poshc2_apt_33.md
* https://securelist.com/twas-the-night-before/91599/
* https://securityaffairs.co/wordpress/93845/apt/apt33-vpn-networks.html
* https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/elfin-apt33-espionage
* https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html
* https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

111
APT33/README.md Normal file

@ -0,0 +1,111 @@
# APT33 - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [APT33](https://vuldb.com/?actor.apt33). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.apt33](https://vuldb.com/?actor.apt33)
## Campaigns
The following campaigns are known and can be associated with APT33:
* Elfin
* PoshC2
* Powerton
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with APT33:
* FR
* DE
* ES
* ...
There are 18 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of APT33.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 5.79.66.241 | - | High
2 | 5.79.127.177 | - | High
3 | 5.135.120.57 | - | High
4 | 5.135.199.25 | - | High
5 | 5.187.21.70 | - | High
6 | 5.187.21.71 | - | High
7 | 8.26.21.117 | 117.21.26.8.serverpronto.com | High
8 | 8.26.21.119 | ns1.glasscitysoftware.net | High
9 | 8.26.21.120 | ns2.glasscitysoftware.net | High
10 | 8.26.21.220 | mail2.boldinbox.com | High
11 | 8.26.21.221 | mail3.boldinbox.com | High
12 | 8.26.21.222 | mail9.servidorz.com | High
13 | 8.26.21.223 | mail5.boldinbox.com | High
14 | 31.7.62.48 | - | High
15 | 37.48.105.178 | - | High
16 | 45.32.186.33 | 45.32.186.33.vultr.com | Medium
17 | 45.76.32.252 | 45.76.32.252.vultr.com | Medium
18 | 51.77.11.46 | ip46.ip-51-77-11.eu | High
19 | 51.254.71.223 | ip223.ip-51-254-71.eu | High
20 | 54.36.73.108 | mail.snap-status.com | High
21 | ... | ... | ...
There are 55 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by APT33. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1008 | Algorithm Downgrade | High
2 | T1040 | Authentication Bypass by Capture-replay | High
3 | T1059.007 | Cross Site Scripting | High
4 | T1068 | Execution with Unnecessary Privileges | High
5 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
6 | ... | ... | ...
There are 11 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by APT33. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `$SPLUNK_HOME/etc/splunk-launch.conf` | High
2 | File | `%PROGRAMDATA%\1E\Client` | High
3 | File | `%PROGRAMDATA%\ASUS\GamingCenterLib` | High
4 | File | `%PROGRAMDATA%\WrData\PKG` | High
5 | File | `%PROGRAMFILES(X86)%/Aternity Information Systems/Assistant/plugins` | High
6 | File | `.folder` | Low
7 | File | `.forward` | Medium
8 | File | `.git/hooks/post-update` | High
9 | File | `.gitlab-ci.yml` | High
10 | File | `.htaccess` | Medium
11 | ... | ... | ...
There are 4716 more IOA items available. Please use our online service to access the data.
## References
The following list contains external sources which discuss the actor and the associated activities:
* https://github.com/jeFF0Falltrades/IoCs/blob/master/APT/poshc2_apt_33.md
* https://securelist.com/twas-the-night-before/91599/
* https://securityaffairs.co/wordpress/93845/apt/apt33-vpn-networks.html
* https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/elfin-apt33-espionage
* https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html
* https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage
## Literature
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
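Review bot: the References list carries the same Symantec post twice, once as symantec-enterprise-blogs.security.com/blogs/threat-intelligence/elfin-apt33-espionage and once as www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage; keep the one that currently resolves and drop the other, otherwise the list looks padded. The IOA footer also moved from "4712 more" in the removed file to "4716 more" here, so the data behind this file was regenerated in what is labelled a conversion commit; that should be stated in the commit message.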


@ -1,104 +0,0 @@
= APT34 - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.apt34[APT34]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.apt34
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. US
. IR
. DE
. ...
There are 19 more country items available. Please use our online service to access the data.
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|23.19.226.69|-|High
|2|23.106.215.76|-|High
|3|23.227.201.6|23-227-201-6.static.hvvc.us|High
|4|38.132.124.153|-|High
|5|46.4.69.52|static.52.69.4.46.clients.your-server.de|High
|6|46.105.221.247|-|High
|7|46.105.251.42|ip42.ip-46-105-251.eu|High
|8|46.165.246.196|-|High
|9|70.36.107.34|-|High
|10|74.91.19.108|-|High
|11|74.91.19.122|-|High
|12|80.82.79.221|-|High
|13|80.82.79.240|-|High
|14|81.17.56.249|-|High
|15|82.102.14.216|h82-102-14-216.host.redstation.co.uk|High
|16|82.102.14.219|h82-102-14-219.host.redstation.co.uk|High
|17|82.102.14.222|h82-102-14-222.host.redstation.co.uk|High
|18|82.102.14.246|h82-102-14-246.host.redstation.co.uk|High
|19|83.142.230.138|-|High
|20|88.99.246.174|static.174.246.99.88.clients.your-server.de|High
|21|...|...|...
|========================================
There are 52 more IOC items available. Please use our online service to access the data.
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1110.001|Improper Restriction of Excessive Authentication Attempts|High
|4|T1211|7PK Security Features|High
|5|T1222|Permission Issues|High
|6|...|...|...
|========================================
There are 5 more TTP items available. Please use our online service to access the data.
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|/admin/index.php|High
|2|File|/bdswebui/assignusers/|High
|3|File|/bin/goahead|Medium
|4|File|/cgi-bin/luci|High
|5|File|/cgi-bin/supervisor/PwdGrp.cgi|High
|6|File|/dev/dri/card1|High
|7|File|/etc/fstab|Medium
|8|File|/forum/away.php|High
|9|File|/getcfg.php|Medium
|10|File|/GetCSSashx/?CP=%2fwebconfig|High
|11|...|...|...
|========================================
There are 374 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://github.com/blackorbird/APT_REPORT/tree/master/APT34
* https://unit42.paloaltonetworks.com/unit42-oilrig-group-steps-attacks-new-delivery-documents-new-injector-trojan/
* https://unit42.paloaltonetworks.com/unit42-oilrig-uses-ismdoor-variant-possibly-linked-greenbug-threat-group/
* https://unit42.paloaltonetworks.com/unit42-oilrig-uses-updated-bondupdater-target-middle-eastern-government/
* https://unit42.paloaltonetworks.com/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/
* https://www.clearskysec.com/oilrig/
* https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html
* https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

104
APT34/README.md Normal file

@ -0,0 +1,104 @@
# APT34 - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [APT34](https://vuldb.com/?actor.apt34). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.apt34](https://vuldb.com/?actor.apt34)
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with APT34:
* US
* IR
* DE
* ...
There are 19 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of APT34.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 23.19.226.69 | - | High
2 | 23.106.215.76 | - | High
3 | 23.227.201.6 | 23-227-201-6.static.hvvc.us | High
4 | 38.132.124.153 | - | High
5 | 46.4.69.52 | static.52.69.4.46.clients.your-server.de | High
6 | 46.105.221.247 | - | High
7 | 46.105.251.42 | ip42.ip-46-105-251.eu | High
8 | 46.165.246.196 | - | High
9 | 70.36.107.34 | - | High
10 | 74.91.19.108 | - | High
11 | 74.91.19.122 | - | High
12 | 80.82.79.221 | - | High
13 | 80.82.79.240 | - | High
14 | 81.17.56.249 | - | High
15 | 82.102.14.216 | h82-102-14-216.host.redstation.co.uk | High
16 | 82.102.14.219 | h82-102-14-219.host.redstation.co.uk | High
17 | 82.102.14.222 | h82-102-14-222.host.redstation.co.uk | High
18 | 82.102.14.246 | h82-102-14-246.host.redstation.co.uk | High
19 | 83.142.230.138 | - | High
20 | 88.99.246.174 | static.174.246.99.88.clients.your-server.de | High
21 | ... | ... | ...
There are 52 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by APT34. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
4 | T1211 | 7PK Security Features | High
5 | ... | ... | ...
There are 6 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by APT34. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/admin/index.php` | High
2 | File | `/bdswebui/assignusers/` | High
3 | File | `/bin/goahead` | Medium
4 | File | `/cgi-bin/luci` | High
5 | File | `/cgi-bin/supervisor/PwdGrp.cgi` | High
6 | File | `/dev/dri/card1` | High
7 | File | `/etc/fstab` | Medium
8 | File | `/forum/away.php` | High
9 | File | `/getcfg.php` | Medium
10 | File | `/GetCSSashx/?CP=%2fwebconfig` | High
11 | ... | ... | ...
There are 376 more IOA items available. Please use our online service to access the data.
## References
The following list contains external sources which discuss the actor and the associated activities:
* https://github.com/blackorbird/APT_REPORT/tree/master/APT34
* https://unit42.paloaltonetworks.com/unit42-oilrig-group-steps-attacks-new-delivery-documents-new-injector-trojan/
* https://unit42.paloaltonetworks.com/unit42-oilrig-uses-ismdoor-variant-possibly-linked-greenbug-threat-group/
* https://unit42.paloaltonetworks.com/unit42-oilrig-uses-updated-bondupdater-target-middle-eastern-government/
* https://unit42.paloaltonetworks.com/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/
* https://www.clearskysec.com/oilrig/
* https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html
* https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html
## Literature
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
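Review bot: the TTP table renames the third column from "Access Vector" to "Description", but its values ("Cross Site Scripting", "Execution with Unnecessary Privileges", "7PK Security Features") are weakness-class names, not the names of the ATT&CK techniques the IDs in the Technique column refer to, so readers who look up T1211 will not find "7PK Security Features" there. A one-line note under the table saying the column gives the weakness class mapped onto the technique, or a title such as "Weakness", would avoid that confusion.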


@ -1,104 +0,0 @@
= APT36 - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.apt36[APT36]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.apt36
== Campaigns
The following campaigns are known and can be associated with the actor.
- C-Major
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. US
. NL
. RU
. ...
There are 12 more country items available. Please use our online service to access the data.
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|5.189.137.8|vending.softjourn.if.ua|High
|2|5.189.143.225|-|High
|3|5.189.152.147|ccloud.armax.de|High
|4|5.189.167.23|mltx.de|High
|5|5.189.167.65|vmi437585.contaboserver.net|High
|6|23.254.119.11|-|High
|7|64.188.12.126|64.188.12.126.static.quadranet.com|High
|8|64.188.25.232|64.188.25.232.static.quadranet.com|High
|9|75.98.175.79|a2s83.a2hosting.com|High
|10|75.119.139.169|server1.immacolata.com|High
|11|80.240.134.51|-|High
|12|82.196.13.94|-|High
|13|95.85.43.35|-|High
|14|95.168.176.141|-|High
|15|107.175.64.209|107-175-64-209-host.colocrossing.com|High
|16|107.175.64.251|107-175-64-251-host.colocrossing.com|High
|17|151.106.14.125|-|High
|18|151.106.19.218|-|High
|19|151.106.56.32|-|High
|20|162.218.122.126|162.218.122.126.static.quadranet.com|High
|21|...|...|...
|========================================
There are 37 more IOC items available. Please use our online service to access the data.
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1110.001|Improper Restriction of Excessive Authentication Attempts|High
|4|T1211|7PK Security Features|High
|5|T1222|Permission Issues|High
|6|...|...|...
|========================================
There are 4 more TTP items available. Please use our online service to access the data.
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|/etc/sudoers|Medium
|2|File|/forum/away.php|High
|3|File|/inc/HTTPClient.php|High
|4|File|/out.php|Medium
|5|File|/service/upload|High
|6|File|/uncpath/|Medium
|7|File|adclick.php|Medium
|8|File|add_comment.php|High
|9|File|admin/system_manage/save.html|High
|10|File|admin/sysUser/save.do?callbackType=closeCurrent&navTabId=sysUser/list|High
|11|...|...|...
|========================================
There are 232 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://vxug.fakedoma.in/archive/APTs/2021/2021.05.13/Transparent%20Tribe.pdf
* https://www.threatminer.org/report.php?q=indian-military-personnel-targeted-by-information-theft-campaign-cmajor.pdf&y=2016
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

APT36/README.md Normal file

@ -0,0 +1,102 @@
# APT36 - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [APT36](https://vuldb.com/?actor.apt36). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.apt36](https://vuldb.com/?actor.apt36)
## Campaigns
The following campaigns are known and can be associated with APT36:
* C-Major
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with APT36:
* US
* NL
* RU
* ...
There are 12 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of APT36.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 5.189.137.8 | vending.softjourn.if.ua | High
2 | 5.189.143.225 | - | High
3 | 5.189.152.147 | ccloud.armax.de | High
4 | 5.189.167.23 | mltx.de | High
5 | 5.189.167.65 | vmi437585.contaboserver.net | High
6 | 23.254.119.11 | - | High
7 | 64.188.12.126 | 64.188.12.126.static.quadranet.com | High
8 | 64.188.25.232 | 64.188.25.232.static.quadranet.com | High
9 | 75.98.175.79 | a2s83.a2hosting.com | High
10 | 75.119.139.169 | server1.immacolata.com | High
11 | 80.240.134.51 | - | High
12 | 82.196.13.94 | - | High
13 | 95.85.43.35 | - | High
14 | 95.168.176.141 | - | High
15 | 107.175.64.209 | 107-175-64-209-host.colocrossing.com | High
16 | 107.175.64.251 | 107-175-64-251-host.colocrossing.com | High
17 | 151.106.14.125 | - | High
18 | 151.106.19.218 | - | High
19 | 151.106.56.32 | - | High
20 | ... | ... | ...
There are 38 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by APT36. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ...
There are 6 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by APT36. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/etc/sudoers` | Medium
2 | File | `/forum/away.php` | High
3 | File | `/inc/HTTPClient.php` | High
4 | File | `/out.php` | Medium
5 | File | `/service/upload` | High
6 | File | `/uncpath/` | Medium
7 | File | `adclick.php` | Medium
8 | File | `add_comment.php` | High
9 | File | `admin/system_manage/save.html` | High
10 | File | `admin/sysUser/save.do?callbackType=closeCurrent&navTabId=sysUser/list` | High
11 | ... | ... | ...
There are 232 more IOA items available. Please use our online service to access the data.
## References
The following list contains external sources which discuss the actor and the associated activities:
* https://vxug.fakedoma.in/archive/APTs/2021/2021.05.13/Transparent%20Tribe.pdf
* https://www.threatminer.org/report.php?q=indian-military-personnel-targeted-by-information-theft-campaign-cmajor.pdf&y=2016
## Literature
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
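Review bot: "ressources" in the IOC introduction ("associated network ressources which are known to be part of research and attack activities of APT36") is a spelling error carried over unchanged from the AsciiDoc version; since the sentence is emitted into every actor README, fix it once in the generator template rather than per file. The IOC table now stops at row 19 and reports "38 more" where the deleted file showed 20 rows and "37 more", so the total is unchanged and only the truncation point moved.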


@ -1,76 +0,0 @@
= APT37 - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.apt37[APT37]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.apt37
== Campaigns
The following campaigns are known and can be associated with the actor.
- Daybreak
- Scarcruft
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. US
. PL
. RU
. ...
There are 1 more country items available. Please use our online service to access the data.
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|34.13.42.35|-|High
|2|120.192.73.202|-|High
|3|180.182.52.76|-|High
|4|212.7.217.10|212-7-217-10.lukman.pl|High
|========================================
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1600|Cryptographic Issues|High
|========================================
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|examples/openid.php|High
|2|File|FormDisplay.php|High
|3|File|includes/startup.php|High
|4|File|libraries/Header.php|High
|5|File|wp-includes/class-wp-query.php|High
|6|Argument|name|Low
|7|Argument|Password|Medium
|8|Argument|STARTTLS|Medium
|========================================
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://securelist.com/operation-daybreak/75100/
* https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

APT37/README.md Normal file

@ -0,0 +1,79 @@
# APT37 - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [APT37](https://vuldb.com/?actor.apt37). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.apt37](https://vuldb.com/?actor.apt37)
## Campaigns
The following campaigns are known and can be associated with APT37:
* Daybreak
* Scarcruft
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with APT37:
* US
* PL
* RU
* ...
There are 1 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of APT37.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 34.13.42.35 | - | High
2 | 120.192.73.202 | - | High
3 | 180.182.52.76 | - | High
4 | ... | ... | ...
There are 1 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by APT37. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1600 | Cryptographic Issues | High
## IOA - Indicator of Attack
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by APT37. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `examples/openid.php` | High
2 | File | `FormDisplay.php` | High
3 | File | `includes/startup.php` | High
4 | File | `libraries/Header.php` | High
5 | File | `wp-includes/class-wp-query.php` | High
6 | Argument | `name` | Low
7 | Argument | `Password` | Medium
8 | Argument | `STARTTLS` | Medium
## References
The following list contains external sources which discuss the actor and the associated activities:
* https://securelist.com/operation-daybreak/75100/
* https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/
## Literature
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
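Review bot: "There are 1 more country items available" and "There are 1 more IOC items available" are ungrammatical when the remainder is one; either pluralise conditionally in the generator ("There is 1 more country item available") or use a count-neutral phrasing such as "1 additional item is available via our online service" so the template reads correctly for any count.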


@ -1,72 +0,0 @@
= APT38 - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.apt38[APT38]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.apt38
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. US
. KR
. CN
. ...
There are 1 more country items available. Please use our online service to access the data.
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|175.45.176.|-|High
|2|175.45.177.|-|High
|3|175.45.178.|-|High
|4|175.45.179.|-|High
|5|210.52.109.|-|High
|========================================
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1068|Execution with Unnecessary Privileges|High
|========================================
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|json-stringifier.h|High
|2|File|mm/memory.c|Medium
|3|File|\\.\pipe\WPSCloudSvr\WpsCloudSvr|High
|4|Library|DNSAPI.dll|Medium
|5|Library|kso.dll|Low
|6|Library|mshtml.dll|Medium
|7|Library|system/libraries/Email.php|High
|8|Argument|content|Low
|9|Argument|email->from|Medium
|10|Argument|location.href|High
|11|...|...|...
|========================================
There are 5 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://content.fireeye.com/apt/rpt-apt38
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

APT38/README.md Normal file

@ -0,0 +1,74 @@
# APT38 - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [APT38](https://vuldb.com/?actor.apt38). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.apt38](https://vuldb.com/?actor.apt38)
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with APT38:
* US
* KR
* CN
* ...
There are 1 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of APT38.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 175.45.176. | - | High
2 | 175.45.177. | - | High
3 | 175.45.178. | - | High
4 | ... | ... | ...
There are 2 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by APT38. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1068 | Execution with Unnecessary Privileges | High
## IOA - Indicator of Attack
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by APT38. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `json-stringifier.h` | High
2 | File | `mm/memory.c` | Medium
3 | File | `\\.\pipe\WPSCloudSvr\WpsCloudSvr` | High
4 | Library | `DNSAPI.dll` | Medium
5 | Library | `kso.dll` | Low
6 | Library | `mshtml.dll` | Medium
7 | Library | `system/libraries/Email.php` | High
8 | Argument | `content` | Low
9 | Argument | `email->from` | Medium
10 | Argument | `location.href` | High
11 | ... | ... | ...
There are 5 more IOA items available. Please use our online service to access the data.
## References
The following list contains external sources which discuss the actor and the associated activities:
* https://content.fireeye.com/apt/rpt-apt38
## Literature
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
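Review bot: IOC rows 1 to 3 carry `175.45.176.`, `175.45.177.` and `175.45.178.` with a trailing dot and no fourth octet, so they are network prefixes rather than single addresses and do not match the "IP address" column title; render them in CIDR form (`175.45.176.0/24`) or state in the column that prefixes are listed, otherwise anyone feeding this table into a blocklist or SIEM parser gets malformed entries.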


@ -1,99 +0,0 @@
= APT39 - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.apt39[APT39]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.apt39
== Campaigns
The following campaigns are known and can be associated with the actor.
- Chafer
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. US
. RU
. GB
. ...
There are 15 more country items available. Please use our online service to access the data.
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|83.142.230.113|-|High
|2|86.105.227.224|-|High
|3|87.117.204.113|-|High
|4|87.117.204.115|-|High
|5|89.38.97.112|-|High
|6|89.38.97.115 |-|High
|7|91.218.114.204|-|High
|8|91.218.114.225|-|High
|9|92.243.95.203|203.95.243.92.cust-fiber.enegan.it|High
|10|94.100.21.213|94-100-21-213.static.hvvc.us|High
|11|107.191.62.45|107.191.62.45.vultr.com|Medium
|12|108.61.189.174|108.61.189.174.vultr.com|Medium
|13|134.119.217.84|-|High
|14|134.119.217.87|-|High
|15|148.251.197.113|n38-05.vpsnow.ru|High
|16|185.22.172.40|mx2.privacyrequired.link|High
|17|185.177.59.70|-|High
|========================================
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1211|7PK Security Features|High
|4|T1499|Resource Consumption|High
|5|T1552|Unprotected Storage of Credentials|High
|6|...|...|...
|========================================
There are 1 more TTP items available. Please use our online service to access the data.
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|//etc/RT2870STA.dat|High
|2|File|/cwp_{SESSION_HASH}/admin/loader_ajax.php|High
|3|File|/magnoliaPublic/travel/members/login.html|High
|4|File|/Main_AdmStatus_Content.asp|High
|5|File|/uncpath/|Medium
|6|File|/var/log/nginx|High
|7|File|admin/index.php|High
|8|File|advertiser.php|High
|9|File|akocomments.php|High
|10|File|al_initialize.php|High
|11|...|...|...
|========================================
There are 49 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://securelist.com/chafer-used-remexi-malware/89538/
* https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions
* https://unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

APT39/README.md Normal file

@ -0,0 +1,90 @@
# APT39 - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [APT39](https://vuldb.com/?actor.apt39). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.apt39](https://vuldb.com/?actor.apt39)
## Campaigns
The following campaigns are known and can be associated with APT39:
* Chafer
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with APT39:
* US
* RU
* GB
* ...
There are 15 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of APT39.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 83.142.230.113 | - | High
2 | 86.105.227.224 | - | High
3 | 87.117.204.113 | - | High
4 | 87.117.204.115 | - | High
5 | 89.38.97.112 | - | High
6 | 89.38.97.115 | - | High
7 | ... | ... | ...
There are 11 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by APT39. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1211 | 7PK Security Features | High
4 | ... | ... | ...
There are 3 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by APT39. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `//etc/RT2870STA.dat` | High
2 | File | `/cwp_{SESSION_HASH}/admin/loader_ajax.php` | High
3 | File | `/magnoliaPublic/travel/members/login.html` | High
4 | File | `/Main_AdmStatus_Content.asp` | High
5 | File | `/uncpath/` | Medium
6 | File | `/var/log/nginx` | High
7 | File | `admin/index.php` | High
8 | File | `advertiser.php` | High
9 | File | `akocomments.php` | High
10 | File | `al_initialize.php` | High
11 | ... | ... | ...
There are 49 more IOA items available. Please use our online service to access the data.
## References
The following list contains external sources which discuss the actor and the associated activities:
* https://securelist.com/chafer-used-remexi-malware/89538/
* https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions
* https://unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/
## Literature
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
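Review bot: the first IOA entry `//etc/RT2870STA.dat` has a doubled leading slash; if that is how the path appeared in the source report it should stay, but if it is a concatenation artefact from the generator it will not match the normalised `/etc/RT2870STA.dat` form that file-path detection rules usually key on, so confirm which it is before the value is carried into the Markdown version.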


@ -1,112 +0,0 @@
= APT41 - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.apt41[APT41]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.apt41
== Campaigns
The following campaigns are known and can be associated with the actor.
- CVE-2019-19781
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. US
. CN
. TR
. ...
There are 7 more country items available. Please use our online service to access the data.
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|43.255.191.255|-|High
|2|45.76.6.149|45.76.6.149.vultr.com|Medium
|3|45.76.75.219|45.76.75.219.vultr.com|Medium
|4|45.138.157.78|vpnru07.12.21.example.com|High
|5|61.78.62.21|-|High
|6|61.195.98.245|h61-195-98-245.ablenetvps.ne.jp|High
|7|66.42.48.186|66.42.48.186.vultr.com|Medium
|8|66.42.98.220|66.42.98.220.vultr.com|Medium
|9|66.42.103.222|66.42.103.222.vultr.com|Medium
|10|66.42.107.133|66.42.107.133.vultr.com|Medium
|11|66.98.126.203|66.98.126.203.16clouds.com|High
|12|67.198.161.250|67.198.161.250.CUSTOMER.KRYPT.COM|High
|13|67.198.161.251|67.198.161.251.CUSTOMER.KRYPT.COM|High
|14|67.198.161.252|67.198.161.252.CUSTOMER.KRYPT.COM|High
|15|74.82.201.8|74.82.201.8.16clouds.com|High
|16|91.208.184.78|wk-azure.biz|High
|17|103.19.3.21|-|High
|18|103.19.3.109|-|High
|19|103.79.76.205|103.79.76.205.static.hostdare.com|High
|20|103.224.83.95|-|High
|21|...|...|...
|========================================
There are 31 more IOC items available. Please use our online service to access the data.
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1211|7PK Security Features|High
|4|T1222|Permission Issues|High
|5|T1499|Resource Consumption|High
|6|...|...|...
|========================================
There are 3 more TTP items available. Please use our online service to access the data.
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|/etc/config/rpcd|High
|2|File|/forum/away.php|High
|3|File|/get_getnetworkconf.cgi|High
|4|File|/lists/admin/|High
|5|File|/login.cgi?logout=1|High
|6|File|/public/login.htm|High
|7|File|/tmp/app/.env|High
|8|File|/wp-admin/admin-ajax.php|High
|9|File|/_next|Low
|10|File|addentry.php|Medium
|11|...|...|...
|========================================
There are 98 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://app.box.com/s/qtqlwejty7xz8wj8osz98webycgo5j9x
* https://github.com/eset/malware-ioc/tree/master/winnti_group
* https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/20134508/winnti-more-than-just-a-game-130410.pdf
* https://vxug.fakedoma.in/archive/APTs/2021/2021.01.14/APT%2041.pdf
* https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html
* https://www.threatminer.org/report.php?q=OfPigsandMalwareExaminingaPossibleMemberoftheWinntiGroup-TrendMicro.pdf&y=2017
* https://www.threatminer.org/report.php?q=WinntiAbusesGitHubforC&CCommunications-TrendMicro.pdf&y=2017
* https://www.threatminer.org/report.php?q=WinntiEvolution-GoingOpenSource-Protectwise.pdf&y=2017
* https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/
* https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
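Review bot: the replacement Markdown file for APT41 (next hunk) drops rows 18-20 of this IOC table (103.19.3.109, 103.79.76.205, 103.224.83.95) and TTP rows 4-5 (T1222, T1499) behind the "... more items" cut-off, so the public copy loses data in the conversion even though the totals (17 + 34, 3 + 5) still add up. If the smaller preview is intentional, say so in the commit message ("Converted from AsciiDoc to Markdown" reads as a pure format change); otherwise keep the cut-off at the same row count as the AsciiDoc original.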

108
APT41/README.md Normal file
@ -0,0 +1,108 @@
# APT41 - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [APT41](https://vuldb.com/?actor.apt41). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.apt41](https://vuldb.com/?actor.apt41)
## Campaigns
The following campaigns are known and can be associated with APT41:
* CVE-2019-19781
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with APT41:
* US
* CN
* TR
* ...
There are 7 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of APT41.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 43.255.191.255 | - | High
2 | 45.76.6.149 | 45.76.6.149.vultr.com | Medium
3 | 45.76.75.219 | 45.76.75.219.vultr.com | Medium
4 | 45.138.157.78 | vpnru07.12.21.example.com | High
5 | 61.78.62.21 | - | High
6 | 61.195.98.245 | h61-195-98-245.ablenetvps.ne.jp | High
7 | 66.42.48.186 | 66.42.48.186.vultr.com | Medium
8 | 66.42.98.220 | 66.42.98.220.vultr.com | Medium
9 | 66.42.103.222 | 66.42.103.222.vultr.com | Medium
10 | 66.42.107.133 | 66.42.107.133.vultr.com | Medium
11 | 66.98.126.203 | 66.98.126.203.16clouds.com | High
12 | 67.198.161.250 | 67.198.161.250.CUSTOMER.KRYPT.COM | High
13 | 67.198.161.251 | 67.198.161.251.CUSTOMER.KRYPT.COM | High
14 | 67.198.161.252 | 67.198.161.252.CUSTOMER.KRYPT.COM | High
15 | 74.82.201.8 | 74.82.201.8.16clouds.com | High
16 | 91.208.184.78 | wk-azure.biz | High
17 | 103.19.3.21 | - | High
18 | ... | ... | ...
There are 34 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by APT41. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1211 | 7PK Security Features | High
4 | ... | ... | ...
There are 5 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by APT41. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/etc/config/rpcd` | High
2 | File | `/forum/away.php` | High
3 | File | `/get_getnetworkconf.cgi` | High
4 | File | `/lists/admin/` | High
5 | File | `/login.cgi?logout=1` | High
6 | File | `/public/login.htm` | High
7 | File | `/tmp/app/.env` | High
8 | File | `/wp-admin/admin-ajax.php` | High
9 | File | `/_next` | Low
10 | File | `addentry.php` | Medium
11 | ... | ... | ...
There are 98 more IOA items available. Please use our online service to access the data.
## References
The following list contains external sources which discuss the actor and the associated activities:
* https://app.box.com/s/qtqlwejty7xz8wj8osz98webycgo5j9x
* https://github.com/eset/malware-ioc/tree/master/winnti_group
* https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/20134508/winnti-more-than-just-a-game-130410.pdf
* https://vxug.fakedoma.in/archive/APTs/2021/2021.01.14/APT%2041.pdf
* https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html
* https://www.threatminer.org/report.php?q=OfPigsandMalwareExaminingaPossibleMemberoftheWinntiGroup-TrendMicro.pdf&y=2017
* https://www.threatminer.org/report.php?q=WinntiAbusesGitHubforC&CCommunications-TrendMicro.pdf&y=2017
* https://www.threatminer.org/report.php?q=WinntiEvolution-GoingOpenSource-Protectwise.pdf&y=2017
* https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/
* https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/
## Literature
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
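Review bot: the TTP table header renamed from "Access Vector" to "Description" is misleading, because the column holds weakness classes (Cross Site Scripting, Execution with Unnecessary Privileges, 7PK Security Features), not the ATT&CK technique names; T1059.007 is "Command and Scripting Interpreter: JavaScript" and T1211 is "Exploitation for Defense Evasion". Name the column for what it is, e.g. "Mapped Weakness" or "Class", or add the ATT&CK name alongside it. Two smaller points in the same hunk: IOC row 4 carries a hostname under `example.com` (`vpnru07.12.21.example.com`), a reserved documentation domain, so confirm it is the real PTR record and not a placeholder before publishing it at "High" confidence; and since the template text is being rewritten anyway, fix "ressources" to "resources" in the IOC intro sentence (it recurs in every file of this commit).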

@ -1,72 +0,0 @@
= ActionRAT - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.actionrat[ActionRAT]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.actionrat
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. US
. DE
. CA
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|144.91.65.100|vmi652772.contaboserver.net|High
|2|144.91.91.236|vmi512038.contaboserver.net|High
|3|149.248.52.61|149.248.52.61.vultr.com|Medium
|4|173.212.224.110|vmi587275.contaboserver.net|High
|========================================
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1499|Resource Consumption|High
|4|T1587.003|Improper Certificate Validation|High
|5|T1600|Cryptographic Issues|High
|========================================
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|/wordpress/wp-admin/admin.php|High
|2|File|admin/index.php|High
|3|File|books.php|Medium
|4|File|data/gbconfiguration.dat|High
|5|File|filter.php|Medium
|6|File|guestbook.cgi|High
|7|File|inc/config.php|High
|8|File|lib/krb5/asn.1/asn1_encode.c|High
|9|File|login.php|Medium
|10|File|mdeploy.php|Medium
|11|...|...|...
|========================================
There are 23 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/594/original/Network_IOCs_list_for_coverage.txt?1625657479
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

76
ActionRAT/README.md Normal file
@ -0,0 +1,76 @@
# ActionRAT - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [ActionRAT](https://vuldb.com/?actor.actionrat). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.actionrat](https://vuldb.com/?actor.actionrat)
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with ActionRAT:
* US
* DE
* CA
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of ActionRAT.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 144.91.65.100 | vmi652772.contaboserver.net | High
2 | 144.91.91.236 | vmi512038.contaboserver.net | High
3 | 149.248.52.61 | 149.248.52.61.vultr.com | Medium
4 | ... | ... | ...
There are 1 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by ActionRAT. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1499 | Resource Consumption | High
4 | ... | ... | ...
There are 2 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by ActionRAT. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/wordpress/wp-admin/admin.php` | High
2 | File | `admin/index.php` | High
3 | File | `books.php` | Medium
4 | File | `data/gbconfiguration.dat` | High
5 | File | `filter.php` | Medium
6 | File | `guestbook.cgi` | High
7 | File | `inc/config.php` | High
8 | File | `lib/krb5/asn.1/asn1_encode.c` | High
9 | File | `login.php` | Medium
10 | File | `mdeploy.php` | Medium
11 | ... | ... | ...
There are 23 more IOA items available. Please use our online service to access the data.
## References
The following list contains external sources which discuss the actor and the associated activities:
* https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/594/original/Network_IOCs_list_for_coverage.txt?1625657479
## Literature
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
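Review bot: "There are 1 more IOC items available" needs singular handling ("There is 1 more IOC item available"), and the truncation that produces it is counterproductive here: the AsciiDoc original listed all 4 IOC rows and all 5 TTP rows, while the Markdown hides one IOC row (173.212.224.110) and two TTP rows (T1587.003, T1600) behind the online-service link. Suggest emitting the full table whenever the overflow is a handful of rows, and applying one consistent cut-off across files (this commit shows 3, 4, 17 and 20 rows for different actors).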

@ -1,26 +0,0 @@
= Adrozek - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.adrozek[Adrozek]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.adrozek
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|104.21.70.96|-|High
|2|172.67.222.123|-|High
|========================================
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://blog.talosintelligence.com/2021/06/threat-roundup-0611-0617.html
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

31
Adrozek/README.md Normal file
@ -0,0 +1,31 @@
# Adrozek - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Adrozek](https://vuldb.com/?actor.adrozek). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.adrozek](https://vuldb.com/?actor.adrozek)
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Adrozek.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 104.21.70.96 | - | High
2 | 172.67.222.123 | - | High
## References
The following list contains external sources which discuss the actor and the associated activities:
* https://blog.talosintelligence.com/2021/06/threat-roundup-0611-0617.html
## Literature
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
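Review bot: both IOC rows (104.21.70.96 and 172.67.222.123) are Cloudflare anycast addresses (104.16.0.0/13 and 172.64.0.0/13), which front many unrelated tenants, so as bare IPs they identify the CDN rather than the actor and would cause false positives if pushed to a blocklist. Either carry the fronted hostname from the Talos roundup in the Hostname column instead of "-", or lower the confidence from "High" and note that these are shared proxy addresses.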

@ -1,97 +0,0 @@
= Adwind - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.adwind[Adwind]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.adwind
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. US
. CO
. RU
. ...
There are 13 more country items available. Please use our online service to access the data.
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|2.5.29.14|-|High
|2|5.79.79.67|-|High
|3|5.79.79.70|storage205.ntesrv.com|High
|4|5.187.34.231|231.34.187.5.in-addr.arpa.dynamic.gestiondeservidor.com|High
|5|5.254.112.21|-|High
|6|5.254.112.24|-|High
|7|5.254.112.36|-|High
|8|5.254.112.56|-|High
|9|5.254.112.60|-|High
|10|8.15.0.59|-|High
|11|14.3.210.2|ae210002.dynamic.ppp.asahi-net.or.jp|High
|12|23.227.196.198|23-227-196-198.static.hvvc.us|High
|13|23.227.199.72|23-227-199-72.static.hvvc.us|High
|14|23.227.199.118|23-227-199-118.static.hvvc.us|High
|15|23.227.199.121|23-227-199-121.static.hvvc.us|High
|16|23.231.23.182|-|High
|17|31.31.196.31|server31.hosting.reg.ru|High
|18|31.171.155.72|-|High
|19|37.61.235.30|-|High
|20|46.20.33.76|-|High
|21|...|...|...
|========================================
There are 106 more IOC items available. Please use our online service to access the data.
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1110.001|Improper Restriction of Excessive Authentication Attempts|High
|4|T1211|7PK Security Features|High
|5|T1222|Permission Issues|High
|6|...|...|...
|========================================
There are 7 more TTP items available. Please use our online service to access the data.
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|%windir%\Internet Logs\|High
|2|File|/admin/link.php?action=addlink|High
|3|File|/ajax/GetInheritedProperties|High
|4|File|/anony/mjpg.cgi|High
|5|File|/browse.PROJECTKEY|High
|6|File|/data/admin/#/app/config/|High
|7|File|/etc/group|Medium
|8|File|/forum/away.php|High
|9|File|/info.xml|Medium
|10|File|/knowage/restful-services/signup/update|High
|11|...|...|...
|========================================
There are 247 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://www.threatminer.org/report.php?q=KL_AdwindPublicReport_2016.pdf&y=2016
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

97
Adwind/README.md Normal file
@ -0,0 +1,97 @@
# Adwind - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Adwind](https://vuldb.com/?actor.adwind). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.adwind](https://vuldb.com/?actor.adwind)
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Adwind:
* US
* CO
* RU
* ...
There are 13 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Adwind.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 2.5.29.14 | - | High
2 | 5.79.79.67 | - | High
3 | 5.79.79.70 | storage205.ntesrv.com | High
4 | 5.187.34.231 | 231.34.187.5.in-addr.arpa.dynamic.gestiondeservidor.com | High
5 | 5.254.112.21 | - | High
6 | 5.254.112.24 | - | High
7 | 5.254.112.36 | - | High
8 | 5.254.112.56 | - | High
9 | 5.254.112.60 | - | High
10 | 8.15.0.59 | - | High
11 | 14.3.210.2 | ae210002.dynamic.ppp.asahi-net.or.jp | High
12 | 23.227.196.198 | 23-227-196-198.static.hvvc.us | High
13 | 23.227.199.72 | 23-227-199-72.static.hvvc.us | High
14 | 23.227.199.118 | 23-227-199-118.static.hvvc.us | High
15 | 23.227.199.121 | 23-227-199-121.static.hvvc.us | High
16 | 23.231.23.182 | - | High
17 | 31.31.196.31 | server31.hosting.reg.ru | High
18 | 31.171.155.72 | - | High
19 | 37.61.235.30 | - | High
20 | 46.20.33.76 | - | High
21 | ... | ... | ...
There are 106 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by Adwind. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
4 | T1211 | 7PK Security Features | High
5 | ... | ... | ...
There are 8 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Adwind. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `%windir%\Internet Logs\` | High
2 | File | `/admin/link.php?action=addlink` | High
3 | File | `/ajax/GetInheritedProperties` | High
4 | File | `/anony/mjpg.cgi` | High
5 | File | `/browse.PROJECTKEY` | High
6 | File | `/data/admin/#/app/config/` | High
7 | File | `/etc/group` | Medium
8 | File | `/forum/away.php` | High
9 | File | `/info.xml` | Medium
10 | File | `/knowage/restful-services/signup/update` | High
11 | ... | ... | ...
There are 247 more IOA items available. Please use our online service to access the data.
## References
The following list contains external sources which discuss the actor and the associated activities:
* https://www.threatminer.org/report.php?q=KL_AdwindPublicReport_2016.pdf&y=2016
## Literature
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
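Review bot: IOC row 1, 2.5.29.14, is almost certainly not an IP address but the OID of the X.509 Subject Key Identifier extension (id-ce 14 under 2.5.29), a classic artifact of regex-extracting IPv4 literals from certificate dumps in a PDF report such as the Kaspersky Adwind paper cited below. Drop the row or flag it for manual validation rather than publishing it at "High" confidence; rows whose dotted-quad starts with 1.3 or 2.5 deserve the same OID check in the extraction pipeline.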

@ -1,86 +0,0 @@
= Agrius - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.agrius[Agrius]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.agrius
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. US
. RU
. IR
. ...
There are 8 more country items available. Please use our online service to access the data.
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|5.2.67.85|mail.astrilll.com|High
|2|5.2.73.67|-|High
|3|37.59.236.232|37.59.236.232.rdns.hasaserver.com|High
|4|37.120.238.15|-|High
|5|54.37.99.4|ip4.ip-54-37-99.eu|High
|6|81.177.22.16|-|High
|7|81.177.23.16|-|High
|8|95.211.140.221|-|High
|9|185.142.97.81|altvpn.mgn-host.ru|High
|10|185.142.98.32|free.mgnhost.com|High
|11|185.147.131.81|-|High
|12|195.123.208.152|unallocated.layer6.net|High
|========================================
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1211|7PK Security Features|High
|4|T1222|Permission Issues|High
|5|T1499|Resource Consumption|High
|6|...|...|...
|========================================
There are 2 more TTP items available. Please use our online service to access the data.
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|/cgi-bin/kerbynet|High
|2|File|/opt/IBM/es/lib/libffq.cryptionjni.so|High
|3|File|/plugins/Dashboard/Controller.php|High
|4|File|/storage/app/media/evil.svg|High
|5|File|/uncpath/|Medium
|6|File|admin.asp|Medium
|7|File|admin.php|Medium
|8|File|admin/admin_users.php|High
|9|File|app/Controller/GalaxyElementsController.php|High
|10|File|Application/Common/Controller/BaseController.class.php|High
|11|...|...|...
|========================================
There are 62 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://github.com/blackorbird/APT_REPORT/blob/master/Agrius/evol-agrius.pdf
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!
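Review bot: this file listed the complete Agrius IOC table (12 rows, no cut-off), whereas the Markdown replacement in the next hunk shows only 4 rows plus "8 more", removing 54.37.99.4, 81.177.22.16, 81.177.23.16, 95.211.140.221, 185.142.97.81, 185.142.98.32, 185.147.131.81 and 195.123.208.152 from the public copy. A format conversion should not reduce the published indicator set; keep the full table, or document the new preview threshold in the commit message.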

80
Agrius/README.md Normal file
@ -0,0 +1,80 @@
# Agrius - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Agrius](https://vuldb.com/?actor.agrius). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.agrius](https://vuldb.com/?actor.agrius)
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Agrius:
* US
* RU
* IR
* ...
There are 8 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Agrius.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 5.2.67.85 | mail.astrilll.com | High
2 | 5.2.73.67 | - | High
3 | 37.59.236.232 | 37.59.236.232.rdns.hasaserver.com | High
4 | 37.120.238.15 | - | High
5 | ... | ... | ...
There are 8 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by Agrius. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1211 | 7PK Security Features | High
4 | ... | ... | ...
There are 4 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Agrius. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/cgi-bin/kerbynet` | High
2 | File | `/opt/IBM/es/lib/libffq.cryptionjni.so` | High
3 | File | `/plugins/Dashboard/Controller.php` | High
4 | File | `/storage/app/media/evil.svg` | High
5 | File | `/uncpath/` | Medium
6 | File | `admin.asp` | Medium
7 | File | `admin.php` | Medium
8 | File | `admin/admin_users.php` | High
9 | File | `app/Controller/GalaxyElementsController.php` | High
10 | File | `Application/Common/Controller/BaseController.class.php` | High
11 | ... | ... | ...
There are 62 more IOA items available. Please use our online service to access the data.
## References
The following list contains external sources which discuss the actor and the associated activities:
* https://github.com/blackorbird/APT_REPORT/blob/master/Agrius/evol-agrius.pdf
## Literature
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
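Review bot: the TTP header `ID | Technique | Description | Confidence` relabels the AsciiDoc column "Access Vector" as "Description", but the cells stayed the same vulnerability classes ("Cross Site Scripting", "Execution with Unnecessary Privileges", "7PK Security Features"), which are not descriptions of the ATT&CK techniques T1059.007, T1068 and T1211 they sit beside; either keep the original column name or add the technique names so a reader does not take the class for the technique. The same relabeling appears in every converted README in this commit, as does the typo "ressources" in the IOC intro sentence, which the conversion could have corrected to "resources".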


@ -1,75 +0,0 @@
= Allakore - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.allakore[Allakore]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.allakore
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. US
. DE
. CA
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|144.91.65.100|vmi652772.contaboserver.net|High
|2|144.91.91.236|vmi512038.contaboserver.net|High
|3|161.97.142.96|vmi661694.contaboserver.net|High
|4|164.68.104.126|vmd76303.contaboserver.net|High
|5|167.86.83.29|vmi655047.contaboserver.net|High
|6|173.212.224.110|vmi587275.contaboserver.net|High
|7|173.249.50.230|vmi626137.contaboserver.net|High
|========================================
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1499|Resource Consumption|High
|4|T1587.003|Improper Certificate Validation|High
|5|T1600|Cryptographic Issues|High
|========================================
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|/wordpress/wp-admin/admin.php|High
|2|File|admin/index.php|High
|3|File|data/gbconfiguration.dat|High
|4|File|filter.php|Medium
|5|File|inc/config.php|High
|6|File|item_show.php|High
|7|File|lib/krb5/asn.1/asn1_encode.c|High
|8|File|login.php|Medium
|9|File|mdeploy.php|Medium
|10|File|multipart/form-data|High
|11|...|...|...
|========================================
There are 20 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/594/original/Network_IOCs_list_for_coverage.txt?1625657479
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

76
Allakore/README.md Normal file

@ -0,0 +1,76 @@
# Allakore - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Allakore](https://vuldb.com/?actor.allakore). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.allakore](https://vuldb.com/?actor.allakore)
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Allakore:
* US
* DE
* CA
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Allakore.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 144.91.65.100 | vmi652772.contaboserver.net | High
2 | 144.91.91.236 | vmi512038.contaboserver.net | High
3 | 161.97.142.96 | vmi661694.contaboserver.net | High
4 | ... | ... | ...
There are 4 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by Allakore. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1499 | Resource Consumption | High
4 | ... | ... | ...
There are 2 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Allakore. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/wordpress/wp-admin/admin.php` | High
2 | File | `admin/index.php` | High
3 | File | `data/gbconfiguration.dat` | High
4 | File | `filter.php` | Medium
5 | File | `inc/config.php` | High
6 | File | `item_show.php` | High
7 | File | `lib/krb5/asn.1/asn1_encode.c` | High
8 | File | `login.php` | Medium
9 | File | `mdeploy.php` | Medium
10 | File | `multipart/form-data` | High
11 | ... | ... | ...
There are 20 more IOA items available. Please use our online service to access the data.
## References
The following list contains external sources which discuss the actor and the associated activities:
* https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/594/original/Network_IOCs_list_for_coverage.txt?1625657479
## Literature
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
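Review bot: this hunk drops data rather than only changing format: the IOC table keeps three hosts and ends with `4 | ... | ... | ...` plus "There are 4 more IOC items available", while the removed AsciiDoc version listed all seven contaboserver.net hosts, and the TTP table shrinks from five techniques to three plus "2 more" (T1499 stays, T1587.003 and T1600 are gone). If the public README is meant to be a teaser for the online service, say so in the commit message; otherwise carry the full rows over.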


@ -1,67 +0,0 @@
= Amnesia - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.amnesia[Amnesia]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.amnesia
== Campaigns
The following campaigns are known and can be associated with the actor.
- TVT Digital DVR Devices
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. US
. IN
. NL
. ...
There are 3 more country items available. Please use our online service to access the data.
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|93.174.95.38|-|High
|========================================
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1068|Execution with Unnecessary Privileges|High
|========================================
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|/api/addusers|High
|2|File|/home/httpd/cgi-bin/cgi.cgi|High
|3|File|/public/login.htm|High
|4|File|forumrunner/includes/moderation.php|High
|5|Argument|Password|Medium
|6|Argument|postids|Low
|========================================
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://unit42.paloaltonetworks.com/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

68
Amnesia/README.md Normal file

@ -0,0 +1,68 @@
# Amnesia - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Amnesia](https://vuldb.com/?actor.amnesia). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.amnesia](https://vuldb.com/?actor.amnesia)
## Campaigns
The following campaigns are known and can be associated with Amnesia:
* TVT Digital DVR Devices
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Amnesia:
* US
* IN
* NL
* ...
There are 3 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Amnesia.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 93.174.95.38 | - | High
## TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by Amnesia. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1068 | Execution with Unnecessary Privileges | High
## IOA - Indicator of Attack
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Amnesia. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/api/addusers` | High
2 | File | `/home/httpd/cgi-bin/cgi.cgi` | High
3 | File | `/public/login.htm` | High
4 | File | `forumrunner/includes/moderation.php` | High
5 | Argument | `Password` | Medium
6 | Argument | `postids` | Low
## References
The following list contains external sources which discuss the actor and the associated activities:
* https://unit42.paloaltonetworks.com/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/
## Literature
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!


@ -1,76 +0,0 @@
= Arid Viper - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.arid_viper[Arid Viper]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.arid_viper
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. US
. DE
. PL
. ...
There are 1 more country items available. Please use our online service to access the data.
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|54.255.143.112|ec2-54-255-143-112.ap-southeast-1.compute.amazonaws.com|Medium
|2|173.236.89.19|19.89.236.173.unassigned.ord.singlehop.net|High
|3|188.40.75.132|static.132.75.40.188.clients.your-server.de|High
|4|188.40.81.136|francisco.eox.at|High
|5|192.254.132.26|pst.pstcmedia.com|High
|6|195.154.133.228|195-154-133-228.rev.poneytelecom.eu|High
|7|195.154.252.2|hostd4.ahcorporation.com|High
|========================================
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|========================================
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|addguest.cgi|Medium
|2|File|add_comment.php|High
|3|File|admin/index.php|High
|4|File|data/gbconfiguration.dat|High
|5|File|e2_header.inc.php|High
|6|File|email.php|Medium
|7|File|Forms/tools_admin_1|High
|8|File|ftpcmd.c|Medium
|9|File|gb.cgi|Low
|10|File|inc/config.php|High
|11|...|...|...
|========================================
There are 19 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://www.threatminer.org/report.php?q=operation-arid-viper-whitepaper-en.pdf&y=2015
* https://www.threatminer.org/report.php?q=OperationAridViperSlithersBackintoView_Proofpoint.pdf&y=2015
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

76
Arid Viper/README.md Normal file

@ -0,0 +1,76 @@
# Arid Viper - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Arid Viper](https://vuldb.com/?actor.arid_viper). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.arid_viper](https://vuldb.com/?actor.arid_viper)
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Arid Viper:
* US
* DE
* PL
* ...
There are 1 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Arid Viper.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 54.255.143.112 | ec2-54-255-143-112.ap-southeast-1.compute.amazonaws.com | Medium
2 | 173.236.89.19 | 19.89.236.173.unassigned.ord.singlehop.net | High
3 | 188.40.75.132 | static.132.75.40.188.clients.your-server.de | High
4 | ... | ... | ...
There are 4 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by Arid Viper. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
## IOA - Indicator of Attack
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Arid Viper. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `addguest.cgi` | Medium
2 | File | `add_comment.php` | High
3 | File | `admin/index.php` | High
4 | File | `data/gbconfiguration.dat` | High
5 | File | `e2_header.inc.php` | High
6 | File | `email.php` | Medium
7 | File | `Forms/tools_admin_1` | High
8 | File | `ftpcmd.c` | Medium
9 | File | `gb.cgi` | Low
10 | File | `inc/config.php` | High
11 | ... | ... | ...
There are 19 more IOA items available. Please use our online service to access the data.
## References
The following list contains external sources which discuss the actor and the associated activities:
* https://www.threatminer.org/report.php?q=operation-arid-viper-whitepaper-en.pdf&y=2015
* https://www.threatminer.org/report.php?q=OperationAridViperSlithersBackintoView_Proofpoint.pdf&y=2015
## Literature
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
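Review bot: "There are 1 more country items available" is ungrammatical for a count of one; the template should emit "There is 1 more country item available". The same line exists in the removed AsciiDoc, so the fix belongs in the generator rather than in this file. As in the other converted files, the IOC table here also keeps only three of the seven hosts the AsciiDoc version listed.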


@ -1,65 +0,0 @@
= Armor Piercer - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.armor_piercer[Armor Piercer]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.armor_piercer
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. US
. CN
. IT
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|5.252.179.221|5-252-179-221.mivocloud.com|High
|2|45.79.81.88|li1180-88.members.linode.com|High
|3|64.188.13.46|64.188.13.46.static.quadranet.com|High
|4|66.154.103.106|66.154.103.106.static.quadranet.com|High
|5|66.154.112.212|66.154.112.212.static.quadranet.com|High
|========================================
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|========================================
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|category.cfm|Medium
|2|File|itemlookup.asp|High
|3|File|mat5.c|Low
|4|File|phddns.lua|Medium
|5|File|register.php|Medium
|6|Argument|cat|Low
|7|Argument|new-interface|High
|8|Argument|PATH_INFO|Medium
|========================================
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://blog.talosintelligence.com/2021/09/operation-armor-piercer.html
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

67
Armor Piercer/README.md Normal file

@ -0,0 +1,67 @@
# Armor Piercer - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Armor Piercer](https://vuldb.com/?actor.armor_piercer). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.armor_piercer](https://vuldb.com/?actor.armor_piercer)
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Armor Piercer:
* US
* CN
* IT
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Armor Piercer.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 5.252.179.221 | 5-252-179-221.mivocloud.com | High
2 | 45.79.81.88 | li1180-88.members.linode.com | High
3 | 64.188.13.46 | 64.188.13.46.static.quadranet.com | High
4 | ... | ... | ...
There are 2 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by Armor Piercer. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
## IOA - Indicator of Attack
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Armor Piercer. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `category.cfm` | Medium
2 | File | `itemlookup.asp` | High
3 | File | `mat5.c` | Low
4 | File | `phddns.lua` | Medium
5 | File | `register.php` | Medium
6 | Argument | `cat` | Low
7 | Argument | `new-interface` | High
8 | Argument | `PATH_INFO` | Medium
## References
The following list contains external sources which discuss the actor and the associated activities:
* https://blog.talosintelligence.com/2021/09/operation-armor-piercer.html
## Literature
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!


@ -1,57 +0,0 @@
= Astro Locker - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.astro_locker[Astro Locker]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.astro_locker
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. US
. CN
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|45.134.21.8|-|High
|2|46.21.153.135|135.153.21.46.static.swiftway.net|High
|3|139.60.161.68|-|High
|4|185.38.185.87|-|High
|========================================
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|/htmlcode/html/indexdefault.asp|High
|2|File|ajax_admin_apis.php|High
|3|File|ajax_php_pecl.php|High
|4|File|books.php|Medium
|5|File|category.cfm|Medium
|6|Argument|bookid|Low
|7|Argument|cat|Low
|8|Argument|employee_id|Medium
|9|Argument|line|Low
|10|Argument|phpversion|Medium
|11|...|...|...
|========================================
There are 4 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://github.com/sophoslabs/IoCs/blob/master/Ransomware-AstroLocker.csv
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

62
Astro Locker/README.md Normal file

@ -0,0 +1,62 @@
# Astro Locker - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Astro Locker](https://vuldb.com/?actor.astro_locker). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.astro_locker](https://vuldb.com/?actor.astro_locker)
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Astro Locker:
* US
* CN
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Astro Locker.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 45.134.21.8 | - | High
2 | 46.21.153.135 | 135.153.21.46.static.swiftway.net | High
3 | 139.60.161.68 | - | High
4 | ... | ... | ...
There are 1 more IOC items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Astro Locker. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/htmlcode/html/indexdefault.asp` | High
2 | File | `ajax_admin_apis.php` | High
3 | File | `ajax_php_pecl.php` | High
4 | File | `books.php` | Medium
5 | File | `category.cfm` | Medium
6 | Argument | `bookid` | Low
7 | Argument | `cat` | Low
8 | Argument | `employee_id` | Medium
9 | Argument | `line` | Low
10 | Argument | `phpversion` | Medium
11 | ... | ... | ...
There are 4 more IOA items available. Please use our online service to access the data.
## References
The following list contains external sources which discuss the actor and the associated activities:
* https://github.com/sophoslabs/IoCs/blob/master/Ransomware-AstroLocker.csv
## Literature
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
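Review bot: The IOC table now hides row 4 behind `4 | ... | ... | ...` plus "There are 1 more IOC items available", while the deleted AsciiDoc version (rows 2 to 4 visible above, including 185.38.185.87) published it in full, so this commit reduces the shared data as well as changing the format; if the row cap is deliberate, say so in the commit message instead of presenting it as a pure conversion. Two wording points in the same hunk: "There are 1 more IOC items" does not agree in number, and the typo "ressources" in the IOC intro is carried over from the AsciiDoc into every converted README in this commit.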


@ -1,96 +0,0 @@
= Autoit - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.autoit[Autoit]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.autoit
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. DE
. US
. ES
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|8.248.165.254|-|High
|2|8.249.217.254|-|High
|3|8.253.131.121|-|High
|4|13.56.128.67|ec2-13-56-128-67.us-west-1.compute.amazonaws.com|Medium
|5|23.3.13.88|a23-3-13-88.deploy.static.akamaitechnologies.com|High
|6|23.3.13.154|a23-3-13-154.deploy.static.akamaitechnologies.com|High
|7|23.63.245.19|a23-63-245-19.deploy.static.akamaitechnologies.com|High
|8|23.63.245.50|a23-63-245-50.deploy.static.akamaitechnologies.com|High
|9|23.199.71.136|a23-199-71-136.deploy.static.akamaitechnologies.com|High
|10|35.205.61.67|67.61.205.35.bc.googleusercontent.com|Medium
|11|72.21.81.240|-|High
|12|104.18.6.156|-|High
|13|104.18.7.156|-|High
|14|104.21.9.139|-|High
|15|104.21.19.200|-|High
|16|104.26.12.247|-|High
|17|104.26.13.247|-|High
|18|120.136.10.20|sv519.xserver.jp|High
|19|132.226.8.169|-|High
|20|144.76.201.136|static.136.201.76.144.clients.your-server.de|High
|21|...|...|...
|========================================
There are 10 more IOC items available. Please use our online service to access the data.
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1110.001|Improper Restriction of Excessive Authentication Attempts|High
|4|T1222|Permission Issues|High
|5|T1499|Resource Consumption|High
|6|...|...|...
|========================================
There are 5 more TTP items available. Please use our online service to access the data.
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|/appLms/ajax.server.php|High
|2|File|/apps/|Low
|3|File|/onlineordering/GPST/store/initiateorder.php|High
|4|File|/rup|Low
|5|File|/var/hnap/timestamp|High
|6|File|admin.php|Medium
|7|File|admin/admin_login.php|High
|8|File|api/external.php?object=centreon_metric&action=listByService|High
|9|File|app\contacts\contact_edit.php|High
|10|File|audio_acdb.c|Medium
|11|...|...|...
|========================================
There are 91 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://blog.talosintelligence.com/2021/08/threat-roundup-0730-0806.html
* https://blog.talosintelligence.com/2021/09/threat-roundup-0827-0903.html
* https://blog.talosintelligence.com/2021/09/threat-roundup-0910-0917.html
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

Autoit/README.md Normal file

@ -0,0 +1,86 @@
# Autoit - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Autoit](https://vuldb.com/?actor.autoit). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.autoit](https://vuldb.com/?actor.autoit)
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Autoit:
* DE
* US
* ES
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Autoit.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 8.248.165.254 | - | High
2 | 8.249.217.254 | - | High
3 | 8.253.131.121 | - | High
4 | 13.56.128.67 | ec2-13-56-128-67.us-west-1.compute.amazonaws.com | Medium
5 | 23.3.13.88 | a23-3-13-88.deploy.static.akamaitechnologies.com | High
6 | 23.3.13.154 | a23-3-13-154.deploy.static.akamaitechnologies.com | High
7 | 23.63.245.19 | a23-63-245-19.deploy.static.akamaitechnologies.com | High
8 | 23.63.245.50 | a23-63-245-50.deploy.static.akamaitechnologies.com | High
9 | 23.199.71.136 | a23-199-71-136.deploy.static.akamaitechnologies.com | High
10 | 35.205.61.67 | 67.61.205.35.bc.googleusercontent.com | Medium
11 | ... | ... | ...
There are 20 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by Autoit. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
4 | T1222 | Permission Issues | High
5 | ... | ... | ...
There are 6 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Autoit. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/appLms/ajax.server.php` | High
2 | File | `/apps/` | Low
3 | File | `/onlineordering/GPST/store/initiateorder.php` | High
4 | File | `/rup` | Low
5 | File | `/var/hnap/timestamp` | High
6 | File | `admin.php` | Medium
7 | File | `admin/admin_login.php` | High
8 | File | `api/external.php?object=centreon_metric&action=listByService` | High
9 | File | `app\contacts\contact_edit.php` | High
10 | File | `audio_acdb.c` | Medium
11 | ... | ... | ...
There are 91 more IOA items available. Please use our online service to access the data.
## References
The following list contains external sources which discuss the actor and the associated activities:
* https://blog.talosintelligence.com/2021/08/threat-roundup-0730-0806.html
* https://blog.talosintelligence.com/2021/09/threat-roundup-0827-0903.html
* https://blog.talosintelligence.com/2021/09/threat-roundup-0910-0917.html
## Literature
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
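Review bot: The row caps differ per table within this hunk: the IOC table keeps 10 of the 20 rows the AsciiDoc file listed (the footer accordingly moves from "10 more" to "20 more"), the TTP table stops at 4 rows where the old file showed 5 ("5 more" becomes "6 more"), and the IOA table keeps 10 as before. Pick one cap and document it. The header renames ("Class" to "Type", "Access Vector" to "Description") change the public schema of these files, so anyone parsing them needs a heads-up in the commit message; wrapping the indicators in backticks is sensible, since it keeps values such as `app\contacts\contact_edit.php` literal and copyable regardless of the renderer's escaping rules.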


@ -1,45 +0,0 @@
= Aveo - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.aveo[Aveo]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.aveo
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. US
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|50.63.202.38|ip-50-63-202-38.ip.secureserver.net|High
|2|104.202.173.82|104-202-173-82.dyn.grandenetworks.net|High
|3|107.180.36.179|ip-107-180-36-179.ip.secureserver.net|High
|4|172.16.95.184|-|High
|========================================
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|themes/|Low
|========================================
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://unit42.paloaltonetworks.com/unit42-aveo-malware-family-targets-japanese-speaking-users/
* https://www.threatminer.org/report.php?q=AveoMalwareFamilyTargetsJapaneseSpeakingUsers-PaloAltoNetworksBlogPaloAltoNetworksBlog.pdf&y=2016
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

Aveo/README.md Normal file

@ -0,0 +1,50 @@
# Aveo - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Aveo](https://vuldb.com/?actor.aveo). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.aveo](https://vuldb.com/?actor.aveo)
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Aveo:
* US
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Aveo.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 50.63.202.38 | ip-50-63-202-38.ip.secureserver.net | High
2 | 104.202.173.82 | 104-202-173-82.dyn.grandenetworks.net | High
3 | 107.180.36.179 | ip-107-180-36-179.ip.secureserver.net | High
4 | ... | ... | ...
There are 1 more IOC items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Aveo. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `themes/` | Low
## References
The following list contains external sources which discuss the actor and the associated activities:
* https://unit42.paloaltonetworks.com/unit42-aveo-malware-family-targets-japanese-speaking-users/
* https://www.threatminer.org/report.php?q=AveoMalwareFamilyTargetsJapaneseSpeakingUsers-PaloAltoNetworksBlogPaloAltoNetworksBlog.pdf&y=2016
## Literature
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
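Review bot: The row hidden behind `4 | ... | ... | ...` is, going by the deleted AsciiDoc above, 172.16.95.184 with confidence High; that is an RFC 1918 private-range address that is not routable on the Internet, so as a network IoC it can only ever match a consumer's own internal hosts and will produce false positives in any blocklist or SIEM match built from this feed. Drop the entry (or label it as an internal artefact from the source report) rather than merely hiding it under the row cap. Also "There are 1 more IOC items" should read "There is 1 more IOC item".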


@ -1,78 +0,0 @@
= BEAR - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.bear[BEAR]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.bear
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. EE
. US
. UA
. ...
There are 3 more country items available. Please use our online service to access the data.
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|5.149.248.67|mx1-mail.com|High
|2|5.149.248.193|-|High
|3|5.149.249.172|-|High
|4|5.149.254.114|mail1.auditoriavanzada.info|High
|5|95.153.32.53|mx1.servicetransfermail.com|High
|6|155.254.36.155|-|High
|========================================
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1211|7PK Security Features|High
|4|T1552|Unprotected Storage of Credentials|High
|5|T1600|Cryptographic Issues|High
|========================================
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|/index.php|Medium
|2|File|/uncpath/|Medium
|3|File|add_comment.php|High
|4|File|data/gbconfiguration.dat|High
|5|File|FlexCell.ocx|Medium
|6|File|forums.aspx|Medium
|7|File|forums.php|Medium
|8|File|index.php|Medium
|9|File|install.php|Medium
|10|File|photo-gallery.php|High
|11|...|...|...
|========================================
There are 16 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://www.threatminer.org/report.php?q=CanaBEARFitDownaRabbitHole_StateBoardofElectionAnalysis-ThreatConnect.pdf&y=2016
* https://www.threatminer.org/report.php?q=RussiaHacksBellingcatMH17Investigation_ThreatConnect.pdf&y=2016
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

BEAR/README.md Normal file

@ -0,0 +1,80 @@
# BEAR - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [BEAR](https://vuldb.com/?actor.bear). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.bear](https://vuldb.com/?actor.bear)
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with BEAR:
* EE
* US
* UA
* ...
There are 3 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of BEAR.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 5.149.248.67 | mx1-mail.com | High
2 | 5.149.248.193 | - | High
3 | 5.149.249.172 | - | High
4 | ... | ... | ...
There are 3 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by BEAR. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1211 | 7PK Security Features | High
4 | ... | ... | ...
There are 2 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by BEAR. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/index.php` | Medium
2 | File | `/uncpath/` | Medium
3 | File | `add_comment.php` | High
4 | File | `data/gbconfiguration.dat` | High
5 | File | `FlexCell.ocx` | Medium
6 | File | `forums.aspx` | Medium
7 | File | `forums.php` | Medium
8 | File | `index.php` | Medium
9 | File | `install.php` | Medium
10 | File | `photo-gallery.php` | High
11 | ... | ... | ...
There are 16 more IOA items available. Please use our online service to access the data.
## References
The following list contains external sources which discuss the actor and the associated activities:
* https://www.threatminer.org/report.php?q=CanaBEARFitDownaRabbitHole_StateBoardofElectionAnalysis-ThreatConnect.pdf&y=2016
* https://www.threatminer.org/report.php?q=RussiaHacksBellingcatMH17Investigation_ThreatConnect.pdf&y=2016
## Literature
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
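Review bot: In the IOA table, rows 1 and 8 are `/index.php` and `index.php`, both at Medium; these are the same indicator with and without a leading slash, and like `install.php` they match nearly every PHP deployment, so as detection content they add noise rather than signal. Deduplicate the leading-slash variant and consider rating such generic filenames Low, as this commit already does for `themes/` in the Aveo file. The row cap observation from the other files applies here too: IOC 6 rows to 3, TTP 5 rows to 3.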


@ -1,78 +0,0 @@
= Babar - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.babar[Babar]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.babar
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. US
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|64.20.43.107|vps238561.trouble-free.net|High
|2|69.25.212.153|-|High
|3|83.149.75.58|reserved.ps-it.nl|High
|4|104.153.45.38|cpan6.webline-servers.com|High
|5|184.172.143.188|bc.8f.acb8.ip4.static.sl-reverse.com|High
|6|192.185.113.148|192-185-113-148.unifiedlayer.com|High
|7|199.119.202.195|danish.unixbsd.info|High
|8|199.231.93.221|cpan3s.webline-services.com|High
|9|206.41.94.190|handsets.voip.novavision.ca|High
|10|207.189.104.86|ppc.snapnames.com|High
|11|207.189.104.87|parked.snapnames.com|High
|12|208.87.242.66|ant.unixbsd.info|High
|13|209.62.21.228|ev1s-209-62-21-228.theplanet.com|High
|14|212.27.35.109|oldredir.online.net|High
|15|216.152.252.55|ip-216-152-252-55.wireless.dyn.beamspeed.net|High
|========================================
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|========================================
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|addentry.php|Medium
|2|File|data/gbconfiguration.dat|High
|3|File|dc_categorieslist.asp|High
|4|File|detected_potential_files.cgi|High
|5|File|guestbook.cgi|High
|6|File|inc/config.php|High
|7|File|phpinfo.php|Medium
|8|File|reports_mta_queue_status.html|High
|9|File|template.class.php|High
|10|Argument|basePath|Medium
|11|...|...|...
|========================================
There are 4 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://www.threatminer.org/report.php?q=Elephantosis.pdf&y=2015
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

Babar/README.md Normal file

@ -0,0 +1,72 @@
# Babar - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Babar](https://vuldb.com/?actor.babar). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.babar](https://vuldb.com/?actor.babar)
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Babar:
* US
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Babar.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 64.20.43.107 | vps238561.trouble-free.net | High
2 | 69.25.212.153 | - | High
3 | 83.149.75.58 | reserved.ps-it.nl | High
4 | 104.153.45.38 | cpan6.webline-servers.com | High
5 | 184.172.143.188 | bc.8f.acb8.ip4.static.sl-reverse.com | High
6 | ... | ... | ...
There are 10 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by Babar. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
## IOA - Indicator of Attack
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Babar. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `addentry.php` | Medium
2 | File | `data/gbconfiguration.dat` | High
3 | File | `dc_categorieslist.asp` | High
4 | File | `detected_potential_files.cgi` | High
5 | File | `guestbook.cgi` | High
6 | File | `inc/config.php` | High
7 | File | `phpinfo.php` | Medium
8 | File | `reports_mta_queue_status.html` | High
9 | File | `template.class.php` | High
10 | Argument | `basePath` | Medium
11 | ... | ... | ...
There are 4 more IOA items available. Please use our online service to access the data.
## References
The following list contains external sources which discuss the actor and the associated activities:
* https://www.threatminer.org/report.php?q=Elephantosis.pdf&y=2015
## Literature
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
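Review bot: This hunk has the largest data loss in the commit: the IOC table keeps 5 of the 15 rows the AsciiDoc file listed, with the remaining 10 now only reachable through the online service. The cut-off is also not uniform across files in this commit (Astro Locker and Aveo keep 3 of 4, BEAR 3 of 6, Babar 5 of 15, Autoit 10 of 20), so if a cap is intended it should be a single documented number rather than a per-file value.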


@ -1,31 +0,0 @@
= BabyShark - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.babyshark[BabyShark]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.babyshark
== Campaigns
The following campaigns are known and can be associated with the actor.
- BabyShark
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|173.248.170.149|-|High
|========================================
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://www.threatminer.org/_reports/2019/BabySharkMalwarePartTwo%E2%80%93AttacksContinueUsingKimJongRATandPCRat.pdf#viewer.action=download
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

BabyShark/README.md Normal file

@ -0,0 +1,36 @@
# BabyShark - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [BabyShark](https://vuldb.com/?actor.babyshark). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.babyshark](https://vuldb.com/?actor.babyshark)
## Campaigns
The following campaigns are known and can be associated with BabyShark:
* BabyShark
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of BabyShark.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 173.248.170.149 | - | High
## References
The following list contains external sources which discuss the actor and the associated activities:
* https://www.threatminer.org/_reports/2019/BabySharkMalwarePartTwo%E2%80%93AttacksContinueUsingKimJongRATandPCRat.pdf#viewer.action=download
## Literature
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
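Review bot: "ressources" in the IOC paragraph is a typo for "resources"; it is carried over unchanged from the AsciiDoc source and recurs in the same paragraph of every README added in this commit, so the fix belongs in the generator template rather than in each file. The Campaigns section lists a single campaign with the same name as the actor, which tells the reader nothing the title does not; if the data source really has only one campaign, consider suppressing the section instead of emitting a one-item list.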


@ -1,87 +0,0 @@
= BackdoorDiplomacy - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.backdoordiplomacy[BackdoorDiplomacy]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.backdoordiplomacy
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. CN
. US
. GB
. ...
There are 1 more country items available. Please use our online service to access the data.
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|23.83.224.178|23.83.224.178.16clouds.com|High
|2|23.106.140.207|23.106.140.207.16clouds.com|High
|3|23.228.203.130|unassigned.psychz.net|High
|4|23.247.47.252|-|High
|5|43.225.126.179|-|High
|6|43.251.105.139|-|High
|7|43.251.105.218|-|High
|8|43.251.105.222|-|High
|9|45.76.120.84|45.76.120.84.vultr.com|Medium
|10|45.77.215.53|45.77.215.53.vultr.com|Medium
|11|78.141.196.159|78.141.196.159.vultr.com|Medium
|12|78.141.243.45|78.141.243.45.vultr.com|Medium
|13|152.32.180.34|-|High
|14|162.209.167.154|-|High
|15|162.209.167.189|-|High
|16|199.247.9.67|199.247.9.67.vultr.com|Medium
|17|207.148.8.82|cabarruscounty.synkato.io|High
|========================================
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1499|Resource Consumption|High
|4|T1555|Cleartext Storage of Sensitive Information|High
|========================================
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|/clientes/visualizar|High
|2|File|/oputilsServlet|High
|3|File|admin/conf_users_edit.php|High
|4|File|data/gbconfiguration.dat|High
|5|File|shoutbox.php|Medium
|6|File|wp-admin/post.php|High
|7|File|wp-login.php|Medium
|8|Argument|action|Low
|9|Argument|description|Medium
|10|Argument|filePath0|Medium
|11|...|...|...
|========================================
There are 6 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!


@ -0,0 +1,82 @@
# BackdoorDiplomacy - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [BackdoorDiplomacy](https://vuldb.com/?actor.backdoordiplomacy). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.backdoordiplomacy](https://vuldb.com/?actor.backdoordiplomacy)
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with BackdoorDiplomacy:
* CN
* US
* GB
* ...
There are 1 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of BackdoorDiplomacy.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 23.83.224.178 | 23.83.224.178.16clouds.com | High
2 | 23.106.140.207 | 23.106.140.207.16clouds.com | High
3 | 23.228.203.130 | unassigned.psychz.net | High
4 | 23.247.47.252 | - | High
5 | 43.225.126.179 | - | High
6 | 43.251.105.139 | - | High
7 | ... | ... | ...
There are 11 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by BackdoorDiplomacy. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1499 | Resource Consumption | High
4 | ... | ... | ...
There are 1 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by BackdoorDiplomacy. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/clientes/visualizar` | High
2 | File | `/oputilsServlet` | High
3 | File | `admin/conf_users_edit.php` | High
4 | File | `data/gbconfiguration.dat` | High
5 | File | `shoutbox.php` | Medium
6 | File | `wp-admin/post.php` | High
7 | File | `wp-login.php` | Medium
8 | Argument | `action` | Low
9 | Argument | `description` | Medium
10 | Argument | `filePath0` | Medium
11 | ... | ... | ...
There are 6 more IOA items available. Please use our online service to access the data.
## References
The following list contains external sources which discuss the actor and the associated activities:
* https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/
## Literature
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
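Review bot: the conversion drops data that the deleted file carried: the AsciiDoc IOC table listed all 17 addresses, while the Markdown version stops at row 6 and refers the reader to the online service for "11 more", and the TTP table likewise loses its fourth row (T1555). For a repository whose purpose is publishing indicators, a format conversion should not shrink the published set; either keep the full tables or state in the commit message that the export is now truncated. Also, the column renamed from "Access Vector" to "Description" holds weakness-class names ("Cross Site Scripting", "Execution with Unnecessary Privileges") rather than ATT&CK technique names, so "Description" is still misleading; a label such as "Weakness" would match the content.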


@ -1,45 +0,0 @@
= BadPatch - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.badpatch[BadPatch]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.badpatch
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. DE
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|148.251.135.117|server.pogled.ba|High
|2|195.154.216.74|195-154-216-74.rev.poneytelecom.eu|High
|========================================
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|includes/pages.inc.php|High
|2|File|setup.cgi|Medium
|3|Argument|PagePrefix|Medium
|4|Argument|TimeToLive|Medium
|========================================
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://www.threatminer.org/report.php?q=BadPatch-PaloAltoNetworks.pdf&y=2017
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

BadPatch/README.md Normal file

@ -0,0 +1,48 @@
# BadPatch - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [BadPatch](https://vuldb.com/?actor.badpatch). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.badpatch](https://vuldb.com/?actor.badpatch)
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with BadPatch:
* DE
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of BadPatch.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 148.251.135.117 | server.pogled.ba | High
2 | 195.154.216.74 | 195-154-216-74.rev.poneytelecom.eu | High
## IOA - Indicator of Attack
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by BadPatch. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `includes/pages.inc.php` | High
2 | File | `setup.cgi` | Medium
3 | Argument | `PagePrefix` | Medium
4 | Argument | `TimeToLive` | Medium
## References
The following list contains external sources which discuss the actor and the associated activities:
* https://www.threatminer.org/report.php?q=BadPatch-PaloAltoNetworks.pdf&y=2017
## Literature
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!


@ -1,97 +0,0 @@
= Baldr - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.baldr[Baldr]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.baldr
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. US
. RU
. CN
. ...
There are 16 more country items available. Please use our online service to access the data.
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|5.8.88.198|-|High
|2|5.45.73.87|-|High
|3|5.188.60.7|-|High
|4|5.188.60.18|-|High
|5|5.188.60.24|-|High
|6|5.188.60.30|-|High
|7|5.188.60.54|-|High
|8|5.188.60.68|-|High
|9|5.188.60.74|-|High
|10|5.188.60.101|-|High
|11|5.188.60.115|-|High
|12|5.188.60.206|-|High
|13|5.188.231.96|-|High
|14|5.188.231.210|-|High
|15|18.207.217.146|ec2-18-207-217-146.compute-1.amazonaws.com|Medium
|16|18.221.49.166|ec2-18-221-49-166.us-east-2.compute.amazonaws.com|Medium
|17|23.19.58.101|-|High
|18|23.95.95.61|23-95-95-61-host.colocrossing.com|High
|19|23.254.217.112|hwsrv-901988.hostwindsdns.com|High
|20|23.254.225.240|hwsrv-907360.hostwindsdns.com|High
|21|...|...|...
|========================================
There are 101 more IOC items available. Please use our online service to access the data.
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1110.001|Improper Restriction of Excessive Authentication Attempts|High
|4|T1211|7PK Security Features|High
|5|T1222|Permission Issues|High
|6|...|...|...
|========================================
There are 4 more TTP items available. Please use our online service to access the data.
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|/+CSCOE+/logon.html|High
|2|File|/admin/functions.php|High
|3|File|/auth/login|Medium
|4|File|/download|Medium
|5|File|/forum/away.php|High
|6|File|/goform/saveParentControlInfo|High
|7|File|/inc/lists/edit-list.php|High
|8|File|/Interface/DevManage/EC.php?cmd=upload|High
|9|File|/MicroStrategyWS/happyaxis.jsp|High
|10|File|/modules/projects/vw_files.php|High
|11|...|...|...
|========================================
There are 247 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://github.com/sophoslabs/IoCs/blob/master/Stealer-Baldr
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

Baldr/README.md Normal file

@ -0,0 +1,96 @@
# Baldr - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Baldr](https://vuldb.com/?actor.baldr). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.baldr](https://vuldb.com/?actor.baldr)
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Baldr:
* US
* CN
* RU
* ...
There are 16 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Baldr.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 5.8.88.198 | - | High
2 | 5.45.73.87 | - | High
3 | 5.188.60.7 | - | High
4 | 5.188.60.18 | - | High
5 | 5.188.60.24 | - | High
6 | 5.188.60.30 | - | High
7 | 5.188.60.54 | - | High
8 | 5.188.60.68 | - | High
9 | 5.188.60.74 | - | High
10 | 5.188.60.101 | - | High
11 | 5.188.60.115 | - | High
12 | 5.188.60.206 | - | High
13 | 5.188.231.96 | - | High
14 | 5.188.231.210 | - | High
15 | 18.207.217.146 | ec2-18-207-217-146.compute-1.amazonaws.com | Medium
16 | 18.221.49.166 | ec2-18-221-49-166.us-east-2.compute.amazonaws.com | Medium
17 | 23.19.58.101 | - | High
18 | 23.95.95.61 | 23-95-95-61-host.colocrossing.com | High
19 | 23.254.217.112 | hwsrv-901988.hostwindsdns.com | High
20 | 23.254.225.240 | hwsrv-907360.hostwindsdns.com | High
21 | ... | ... | ...
There are 101 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by Baldr. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ...
There are 6 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Baldr. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/+CSCOE+/logon.html` | High
2 | File | `/admin/functions.php` | High
3 | File | `/auth/login` | Medium
4 | File | `/download` | Medium
5 | File | `/forum/away.php` | High
6 | File | `/goform/saveParentControlInfo` | High
7 | File | `/inc/lists/edit-list.php` | High
8 | File | `/Interface/DevManage/EC.php?cmd=upload` | High
9 | File | `/MicroStrategyWS/happyaxis.jsp` | High
10 | File | `/modules/projects/vw_files.php` | High
11 | ... | ... | ...
There are 248 more IOA items available. Please use our online service to access the data.
## References
The following list contains external sources which discuss the actor and the associated activities:
* https://github.com/sophoslabs/IoCs/blob/master/Stealer-Baldr
## Literature
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
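Review bot: the counts do not match the file being replaced: the removed AsciiDoc file reports 247 more IOA items, the new Markdown file 248, the TTP table shrinks from five listed rows to three, and the country list order changes from US, RU, CN to US, CN, RU. The Markdown was therefore regenerated from a newer data snapshot rather than converted from the existing file, which the commit message "Converted from AsciiDoc to Markdown" does not convey; separate data refreshes from format changes, or mention the refresh in the message, so that consumers diffing IOC sets between commits can attribute the changes correctly.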


@ -1,97 +0,0 @@
= Banjori - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.banjori[Banjori]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.banjori
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. JP
. DE
. US
. ...
There are 10 more country items available. Please use our online service to access the data.
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|3.216.121.17|ec2-3-216-121-17.compute-1.amazonaws.com|Medium
|2|5.79.79.212|-|High
|3|13.59.74.74|ec2-13-59-74-74.us-east-2.compute.amazonaws.com|Medium
|4|14.192.4.75|-|High
|5|18.213.250.117|ec2-18-213-250-117.compute-1.amazonaws.com|Medium
|6|18.215.128.143|ec2-18-215-128-143.compute-1.amazonaws.com|Medium
|7|23.89.20.107|-|High
|8|23.89.102.123|-|High
|9|23.107.124.53|-|High
|10|23.110.15.74|-|High
|11|23.226.53.226|-|High
|12|23.227.38.65|myshopify.com|High
|13|23.231.218.195|-|High
|14|23.236.62.147|147.62.236.23.bc.googleusercontent.com|Medium
|15|34.98.99.30|30.99.98.34.bc.googleusercontent.com|Medium
|16|34.102.136.180|180.136.102.34.bc.googleusercontent.com|Medium
|17|35.186.238.101|101.238.186.35.bc.googleusercontent.com|Medium
|18|35.226.69.129|129.69.226.35.bc.googleusercontent.com|Medium
|19|43.230.142.125|-|High
|20|43.241.196.105|-|High
|21|...|...|...
|========================================
There are 116 more IOC items available. Please use our online service to access the data.
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1110.001|Improper Restriction of Excessive Authentication Attempts|High
|4|T1211|7PK Security Features|High
|5|T1222|Permission Issues|High
|6|...|...|...
|========================================
There are 6 more TTP items available. Please use our online service to access the data.
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|"/xml/system/setAttribute.xml|High
|2|File|#!/system|Medium
|3|File|$SPLUNK_HOME/etc/splunk-launch.conf|High
|4|File|%LOCALAPPDATA%\Zemana\ZALSDK\MyRules2.ini|High
|5|File|%ProgramData%\CTES|High
|6|File|%SYSTEMDRIVE%|High
|7|File|%TEMP%\par-%username%\cache-exiftool-8.32|High
|8|File|%windir%\Internet Logs\|High
|9|File|.../gogo/|Medium
|10|File|.asp|Low
|11|...|...|...
|========================================
There are 5749 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://github.com/firehol/blocklist-ipsets/blob/master/bambenek_banjori.ipset
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

Banjori/README.md Normal file

@ -0,0 +1,97 @@
# Banjori - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Banjori](https://vuldb.com/?actor.banjori). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.banjori](https://vuldb.com/?actor.banjori)
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Banjori:
* JP
* DE
* US
* ...
There are 10 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Banjori.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 3.216.121.17 | ec2-3-216-121-17.compute-1.amazonaws.com | Medium
2 | 5.79.79.212 | - | High
3 | 13.59.74.74 | ec2-13-59-74-74.us-east-2.compute.amazonaws.com | Medium
4 | 14.192.4.75 | - | High
5 | 18.213.250.117 | ec2-18-213-250-117.compute-1.amazonaws.com | Medium
6 | 18.215.128.143 | ec2-18-215-128-143.compute-1.amazonaws.com | Medium
7 | 23.89.20.107 | - | High
8 | 23.89.102.123 | - | High
9 | 23.107.124.53 | - | High
10 | 23.110.15.74 | - | High
11 | 23.226.53.226 | - | High
12 | 23.227.38.65 | myshopify.com | High
13 | 23.231.218.195 | - | High
14 | 23.236.62.147 | 147.62.236.23.bc.googleusercontent.com | Medium
15 | 34.98.99.30 | 30.99.98.34.bc.googleusercontent.com | Medium
16 | 34.102.136.180 | 180.136.102.34.bc.googleusercontent.com | Medium
17 | 35.186.238.101 | 101.238.186.35.bc.googleusercontent.com | Medium
18 | 35.226.69.129 | 129.69.226.35.bc.googleusercontent.com | Medium
19 | 43.230.142.125 | - | High
20 | 43.241.196.105 | - | High
21 | ... | ... | ...
There are 116 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by Banjori. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
4 | T1211 | 7PK Security Features | High
5 | ... | ... | ...
There are 7 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Banjori. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `"/xml/system/setAttribute.xml` | High
2 | File | `#!/system` | Medium
3 | File | `$SPLUNK_HOME/etc/splunk-launch.conf` | High
4 | File | `%LOCALAPPDATA%\Zemana\ZALSDK\MyRules2.ini` | High
5 | File | `%ProgramData%\CTES` | High
6 | File | `%SYSTEMDRIVE%` | High
7 | File | `%TEMP%\par-%username%\cache-exiftool-8.32` | High
8 | File | `%windir%\Internet Logs\` | High
9 | File | `.../gogo/` | Medium
10 | File | `.asp` | Low
11 | ... | ... | ...
There are 5749 more IOA items available. Please use our online service to access the data.
## References
The following list contains external sources which discuss the actor and the associated activities:
* https://github.com/firehol/blocklist-ipsets/blob/master/bambenek_banjori.ipset
## Literature
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
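Review bot: IOA row 1 reads `"/xml/system/setAttribute.xml` with a leading double quote inside the code span, which looks like an unstripped delimiter from the source rather than part of the path; it was present in the AsciiDoc file as well, so the fix belongs in the export step, not in this README. Rows such as `#!/system`, `%SYSTEMDRIVE%` and `.asp` are fragments generic enough to match almost any host; the Low and Medium confidence values already signal this, but anyone loading this table into detection rules should filter on the confidence column first.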


@ -1,94 +0,0 @@
= Banload - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.banload[Banload]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.banload
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. US
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|13.107.21.200|-|High
|2|31.13.66.19|xx-fbcdn-shv-01-iad3.fbcdn.net|High
|3|34.102.185.99|99.185.102.34.bc.googleusercontent.com|Medium
|4|34.212.89.14|ec2-34-212-89-14.us-west-2.compute.amazonaws.com|Medium
|5|52.95.165.35|s3-sa-east-1.amazonaws.com|Medium
|6|52.216.76.254|s3-1.amazonaws.com|Medium
|7|52.216.84.109|s3-1.amazonaws.com|Medium
|8|52.216.129.45|s3-1.amazonaws.com|Medium
|9|52.216.245.54|s3-1.amazonaws.com|Medium
|10|52.217.33.190|s3-1.amazonaws.com|Medium
|11|52.217.45.150|s3-1.amazonaws.com|Medium
|12|52.217.48.70|s3-1.amazonaws.com|Medium
|13|52.217.79.142|s3-1.amazonaws.com|Medium
|14|52.217.85.222|s3-1.amazonaws.com|Medium
|15|74.119.119.139|-|High
|16|74.125.192.94|qn-in-f94.1e100.net|High
|17|142.250.80.2|lga34s33-in-f2.1e100.net|High
|18|142.250.80.3|lga34s33-in-f3.1e100.net|High
|19|142.250.111.154|gb-in-f154.1e100.net|High
|20|143.204.150.172|server-143-204-150-172.ewr52.r.cloudfront.net|High
|21|...|...|...
|========================================
There are 50 more IOC items available. Please use our online service to access the data.
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1110.001|Improper Restriction of Excessive Authentication Attempts|High
|4|T1211|7PK Security Features|High
|5|T1499|Resource Consumption|High
|6|...|...|...
|========================================
There are 2 more TTP items available. Please use our online service to access the data.
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|/as/authorization.oauth2|High
|2|File|/Forms/WLAN_General_1|High
|3|File|/html/portal/flash.jsp|High
|4|File|/index.php|Medium
|5|File|/lua/set-passwd.lua|High
|6|File|/oauth/authorize|High
|7|File|/uncpath/|Medium
|8|File|/user/user/edit.php|High
|9|File|backupsettings.html|High
|10|File|comment_add.asp|High
|11|...|...|...
|========================================
There are 41 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://blog.talosintelligence.com/2021/02/threat-roundup-0129-0205.html
* https://blog.talosintelligence.com/2021/03/threat-roundup-0319-0326.html
* https://blog.talosintelligence.com/2021/05/threat-roundup-0514-0521.html
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

Banload/README.md Normal file

@ -0,0 +1,93 @@
# Banload - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Banload](https://vuldb.com/?actor.banload). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.banload](https://vuldb.com/?actor.banload)
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Banload:
* US
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Banload.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 13.107.21.200 | - | High
2 | 31.13.66.19 | xx-fbcdn-shv-01-iad3.fbcdn.net | High
3 | 34.102.185.99 | 99.185.102.34.bc.googleusercontent.com | Medium
4 | 34.212.89.14 | ec2-34-212-89-14.us-west-2.compute.amazonaws.com | Medium
5 | 52.95.165.35 | s3-sa-east-1.amazonaws.com | Medium
6 | 52.216.76.254 | s3-1.amazonaws.com | Medium
7 | 52.216.84.109 | s3-1.amazonaws.com | Medium
8 | 52.216.129.45 | s3-1.amazonaws.com | Medium
9 | 52.216.245.54 | s3-1.amazonaws.com | Medium
10 | 52.217.33.190 | s3-1.amazonaws.com | Medium
11 | 52.217.45.150 | s3-1.amazonaws.com | Medium
12 | 52.217.48.70 | s3-1.amazonaws.com | Medium
13 | 52.217.79.142 | s3-1.amazonaws.com | Medium
14 | 52.217.85.222 | s3-1.amazonaws.com | Medium
15 | 74.119.119.139 | - | High
16 | 74.125.192.94 | qn-in-f94.1e100.net | High
17 | 142.250.80.2 | lga34s33-in-f2.1e100.net | High
18 | 142.250.80.3 | lga34s33-in-f3.1e100.net | High
19 | 142.250.111.154 | gb-in-f154.1e100.net | High
20 | 143.204.150.172 | server-143-204-150-172.ewr52.r.cloudfront.net | High
21 | ... | ... | ...
There are 50 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by Banload. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ...
There are 4 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Banload. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/as/authorization.oauth2` | High
2 | File | `/Forms/WLAN_General_1` | High
3 | File | `/html/portal/flash.jsp` | High
4 | File | `/index.php` | Medium
5 | File | `/lua/set-passwd.lua` | High
6 | File | `/oauth/authorize` | High
7 | File | `/uncpath/` | Medium
8 | File | `/user/user/edit.php` | High
9 | File | `backupsettings.html` | High
10 | File | `comment_add.asp` | High
11 | ... | ... | ...
There are 41 more IOA items available. Please use our online service to access the data.
## References
The following list contains external sources which discuss the actor and the associated activities:
* https://blog.talosintelligence.com/2021/02/threat-roundup-0129-0205.html
* https://blog.talosintelligence.com/2021/03/threat-roundup-0319-0326.html
* https://blog.talosintelligence.com/2021/05/threat-roundup-0514-0521.html
## Literature
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
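Review bot: the TTP table header in this new Banload/README.md was changed from "Access Vector" (the AsciiDoc original) to "Description", but the column still holds weakness classes such as "Cross Site Scripting" and "Improper Restriction of Excessive Authentication Attempts", not descriptions of the ATT&CK IDs beside them (T1059.007 is not described by "Cross Site Scripting"); either keep the old header or use a label like "Weakness Class" so the mapping is not misread. Two smaller points in the same hunk: the typo "ressources" in the IOC intro line is carried over from the AsciiDoc source and should be fixed in the generator rather than in each file, and the TTP table now stops at 3 rows plus "4 more" where the source file showed 5 rows plus "2 more", so the conversion also truncates visible data.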


@ -1,40 +0,0 @@
= Barys - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.barys[Barys]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.barys
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|52.137.90.34|-|High
|2|52.185.71.28|-|High
|3|74.125.192.138|qn-in-f138.1e100.net|High
|4|104.18.11.39|-|High
|5|172.217.222.138|qi-in-f138.1e100.net|High
|6|173.194.204.94|qb-in-f94.1e100.net|High
|7|173.194.205.84|qm-in-f84.1e100.net|High
|8|173.194.207.132|qk-in-f132.1e100.net|High
|9|200.147.3.199|minnisinhashipi.com|High
|10|200.147.35.224|www.leitorpagseguro.com.br|High
|11|200.147.100.53|tvpanico.com|High
|12|209.85.144.106|qv-in-f106.1e100.net|High
|13|209.85.201.94|qu-in-f94.1e100.net|High
|14|216.218.208.114|216-218-208-114.sinkhole.shadowserver.org|High
|========================================
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://blog.talosintelligence.com/2021/06/threat-roundup-0604-0611.html
* https://blog.talosintelligence.com/2021/08/threat-roundup-0820-0827.html
* https://blog.talosintelligence.com/2021/09/threat-roundup-0827-0903.html
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

Barys/README.md Normal file

@ -0,0 +1,39 @@
# Barys - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Barys](https://vuldb.com/?actor.barys). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.barys](https://vuldb.com/?actor.barys)
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Barys.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 52.137.90.34 | - | High
2 | 52.185.71.28 | - | High
3 | 74.125.192.138 | qn-in-f138.1e100.net | High
4 | 104.18.11.39 | - | High
5 | 172.217.222.138 | qi-in-f138.1e100.net | High
6 | ... | ... | ...
There are 9 more IOC items available. Please use our online service to access the data.
## References
The following list contains external sources which discuss the actor and the associated activities:
* https://blog.talosintelligence.com/2021/06/threat-roundup-0604-0611.html
* https://blog.talosintelligence.com/2021/08/threat-roundup-0820-0827.html
* https://blog.talosintelligence.com/2021/09/threat-roundup-0827-0903.html
## Literature
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
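Review bot: this new Barys/README.md keeps only 5 of the 14 IOC rows the deleted AsciiDoc file carried and replaces rows 6 to 14 (including the sinkhole hostname 216-218-208-114.sinkhole.shadowserver.org and the three named .com/.com.br hosts) with "There are 9 more IOC items available", so a format conversion commit silently reduces the data checked into the repository. If the shorter tables are intentional, state that in the commit message; otherwise keep the row limit the AsciiDoc output used.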


@ -1,98 +0,0 @@
= BazarLoader - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.bazarloader[BazarLoader]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.bazarloader
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. US
. DK
. IT
. ...
There are 9 more country items available. Please use our online service to access the data.
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|31.171.251.118|ch.ns.mon0.li|High
|2|31.214.240.203|-|High
|3|34.209.40.84|ec2-34-209-40-84.us-west-2.compute.amazonaws.com|Medium
|4|34.221.188.35|ec2-34-221-188-35.us-west-2.compute.amazonaws.com|Medium
|5|45.71.112.70|host-45-71-112-70.nedetel.net|High
|6|45.76.254.23|45.76.254.23.vultr.com|Medium
|7|54.184.178.68|ec2-54-184-178-68.us-west-2.compute.amazonaws.com|Medium
|8|62.108.35.215|-|High
|9|72.21.81.240|-|High
|10|78.108.216.13|sshtunnel.itbyhf.xyz|High
|11|80.82.68.132|-|High
|12|91.217.137.37|frod.subnets.ru|High
|13|92.222.97.145|ip145.ip-92-222-97.eu|High
|14|94.247.43.254|opennic1.eth-services.de|High
|15|104.37.195.178|178.195.37.104.in-addr.arpa|High
|16|116.203.98.109|static.109.98.203.116.clients.your-server.de|High
|17|163.53.248.170|vmx20170.hosting24.com.au|High
|18|163.172.185.51|51-185-172-163.instances.scw.cloud|High
|19|165.22.224.164|-|High
|20|172.98.193.42|-|High
|21|...|...|...
|========================================
There are 7 more IOC items available. Please use our online service to access the data.
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1110.001|Improper Restriction of Excessive Authentication Attempts|High
|4|T1211|7PK Security Features|High
|5|T1222|Permission Issues|High
|6|...|...|...
|========================================
There are 5 more TTP items available. Please use our online service to access the data.
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|.user|Low
|2|File|/cgi-bin/system_mgr.cgi|High
|3|File|/Content/Template/root/reverse-shell.aspx|High
|4|File|/debug/pprof|Medium
|5|File|/inc/parser/xhtml.php|High
|6|File|/includes/db_adodb.php|High
|7|File|/PluXml/core/admin/parametres_edittpl.php|High
|8|File|/register.do|Medium
|9|File|/rest/project-templates/1.0/createshared|High
|10|File|/restoreinfo.cgi|High
|11|...|...|...
|========================================
There are 302 more IOA items available. Please use our online service to access the data.
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://blog.talosintelligence.com/2021/05/threat-roundup-0514-0521.html
* https://twitter.com/_pr4gma/status/1347617681197961225
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

BazarLoader/README.md Normal file

@ -0,0 +1,87 @@
# BazarLoader - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [BazarLoader](https://vuldb.com/?actor.bazarloader). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.bazarloader](https://vuldb.com/?actor.bazarloader)
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with BazarLoader:
* US
* DK
* IT
* ...
There are 9 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of BazarLoader.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 31.171.251.118 | ch.ns.mon0.li | High
2 | 31.214.240.203 | - | High
3 | 34.209.40.84 | ec2-34-209-40-84.us-west-2.compute.amazonaws.com | Medium
4 | 34.221.188.35 | ec2-34-221-188-35.us-west-2.compute.amazonaws.com | Medium
5 | 45.71.112.70 | host-45-71-112-70.nedetel.net | High
6 | 45.76.254.23 | 45.76.254.23.vultr.com | Medium
7 | 54.184.178.68 | ec2-54-184-178-68.us-west-2.compute.amazonaws.com | Medium
8 | 62.108.35.215 | - | High
9 | 72.21.81.240 | - | High
10 | ... | ... | ...
There are 18 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by BazarLoader. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
4 | T1211 | 7PK Security Features | High
5 | ... | ... | ...
There are 6 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by BazarLoader. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `.user` | Low
2 | File | `/cgi-bin/system_mgr.cgi` | High
3 | File | `/Content/Template/root/reverse-shell.aspx` | High
4 | File | `/debug/pprof` | Medium
5 | File | `/inc/parser/xhtml.php` | High
6 | File | `/includes/db_adodb.php` | High
7 | File | `/PluXml/core/admin/parametres_edittpl.php` | High
8 | File | `/register.do` | Medium
9 | File | `/rest/project-templates/1.0/createshared` | High
10 | File | `/restoreinfo.cgi` | High
11 | ... | ... | ...
There are 304 more IOA items available. Please use our online service to access the data.
## References
The following list contains external sources which discuss the actor and the associated activities:
* https://blog.talosintelligence.com/2021/05/threat-roundup-0514-0521.html
* https://twitter.com/_pr4gma/status/1347617681197961225
## Literature
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
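Review bot: the counts in this BazarLoader/README.md show a data refresh mixed into what the commit message calls a conversion: the IOA footer moves from "302 more" to "304 more" items and the TTP footer from "5 more" to "6 more" against one fewer visible row, so the underlying data set changed between the two versions. Separating the regeneration of the data from the AsciiDoc-to-Markdown change would make both reviewable; as it stands a reader cannot tell which differences come from the new format and which from new data. The IOC table also drops from 20 visible rows to 9 while the total of 27 is unchanged, which is the same truncation seen in the other converted files.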


@ -1,64 +0,0 @@
= BelialDemon - Cyber Threat Intelligence
The indicators are related to https://vuldb.com/?doc.cti[VulDB CTI analysis] of the actor known as https://vuldb.com/?actor.belialdemon[BelialDemon]. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at https://vuldb.com/?actor.belialdemon
== Campaigns
The following campaigns are known and can be associated with the actor.
- Matanbuchus
== Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with the actor.
. TT
. CO
== IOC - Indicator of Compromise
The indicators of compromise indicate associated network ressources which are known to be part of research and attack activities.
[options="header"]
|========================================
|ID|IP address|Hostname|Confidence
|1|34.94.151.129|129.151.94.34.bc.googleusercontent.com|Medium
|2|34.105.89.82|82.89.105.34.bc.googleusercontent.com|Medium
|3|34.106.243.174|174.243.106.34.bc.googleusercontent.com|Medium
|========================================
== TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Technique|Access Vector|Confidence
|1|T1059.007|Cross Site Scripting|High
|2|T1068|Execution with Unnecessary Privileges|High
|3|T1499|Resource Consumption|High
|4|T1548.002|Improper Authorization|High
|========================================
== IOA - Indicator of Attack
The indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
[options="header"]
|========================================
|ID|Class|Indicator|Confidence
|1|File|include/ajax.draft.php|High
|2|Argument|request|Low
|========================================
== References
The following list contains external sources which discuss the actor and the associated activities.
* https://unit42.paloaltonetworks.com/matanbuchus-malware-as-a-service/
== License
(c) https://vuldb.com/?doc.changelog[1997-2021] by https://vuldb.com/?doc.about[vuldb.com]. All data on this page is shared under the license https://creativecommons.org/licenses/by-nc-sa/4.0/[CC BY-NC-SA 4.0]. Questions? Check the https://vuldb.com/?doc.faq[FAQ], read the https://vuldb.com/?doc[documentation] or https://vuldb.com/?contact[contact us]!

BelialDemon/README.md Normal file

@ -0,0 +1,67 @@
# BelialDemon - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [BelialDemon](https://vuldb.com/?actor.belialdemon). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.belialdemon](https://vuldb.com/?actor.belialdemon)
## Campaigns
The following campaigns are known and can be associated with BelialDemon:
* Matanbuchus
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with BelialDemon:
* TT
* CO
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of BelialDemon.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 34.94.151.129 | 129.151.94.34.bc.googleusercontent.com | Medium
2 | 34.105.89.82 | 82.89.105.34.bc.googleusercontent.com | Medium
3 | 34.106.243.174 | 174.243.106.34.bc.googleusercontent.com | Medium
## TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by BelialDemon. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1499 | Resource Consumption | High
4 | ... | ... | ...
There are 1 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by BelialDemon. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `include/ajax.draft.php` | High
2 | Argument | `request` | Low
## References
The following list contains external sources which discuss the actor and the associated activities:
* https://unit42.paloaltonetworks.com/matanbuchus-malware-as-a-service/
## Literature
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
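Review bot: the TTP footer in this BelialDemon/README.md reads "There are 1 more TTP items available", so the generator needs a singular form for a count of one. The truncation that produces it is also questionable here: the AsciiDoc file listed all four TTP rows, and the fourth (T1548.002, Improper Authorization) is now hidden behind a "1 more" stub that saves no space and forces readers to the online service for a single entry. Consider applying the row cap only when it actually removes several rows.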
