Date,Filename,Title,Download_url,Source,CVE,MITRE_ID,YARA,Threat_actor,Threat_country,Motivation,First_seen,Victim_country,Zero-day,Attack_vector,Malware,Target_sector,Attack_start_date,Attack_end_date,Attack_duration 2014-01-06,airbus-cyber-security.com-PlugX some uncovered points,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.01.06.PlugX/airbus-cyber-security.com-PlugX%20some%20uncovered%20points.pdf,360,,,,,,,,,,,"PlugX, Destory",,,, 2014-01-13,targeted_attacks_against_the_energy_sector,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.01.13.Targeted_Attacks_Energy_Sector/targeted_attacks_against_the_energy_sector.pdf,Symantec,CVE-2010-2568,,,,,,,,FALSE,"Spear Phishing, Watering Hole, Social Engineering, Malicious Documents","Poison Ivy Trojan Backdoor.Darkmoon, Trojan droppers, Backdoor.Trojan, Shamoon/Disttrack","Government and Defense Agencies, Energy and Utilities",,, 2014-01-14,securelist.com-The Icefog APT Hits US Targets With Java Backdoor,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.01.14.Icefog_APT/securelist.com-The%20Icefog%20APT%20Hits%20US%20Targets%20With%20Java%20Backdoor.pdf,CrowdStrike,,,,icefog,CN,"Espionage, Information theft and espionage",2014,"JP, KR, US",,"Exploit Vulnerability, Malicious Documents","Javafog, Icefog, JSUNPACK","Government and Defense Agencies, Corporations and Businesses, Energy and Utilities, Manufacturing",,, 2014-01-15,FTA 1001 FINAL 1.15.14,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.01.15.Sneakernet_Trojan/FTA%201001%20FINAL%201.15.14.pdf,Fidelis Cybersecurity,,,,,,,,,,Removable Media,"netsat.exe, netui3.dll, winmgt.dll",,2012-12-14,2014-01-08,390.0 
2014-01-21,h12756-wp-shell-crew,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.01.21.Shell_Crew/h12756-wp-shell-crew.pdf,RSA,CVE-2010-2861,,,shell crew,CN,"Financial crime, Information theft and espionage",2010,,FALSE,Exploit Vulnerability,"notepad.exe, inetinfo.exe, mszip.exe, Trojan.Derusbi, sethc.exe, Web shells",,,, 2014-01-31,FTA 1011 Follow UP,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.01.31.Sneakernet_Trojan/FTA%201011%20Follow%20UP.pdf,Fidelis Cybersecurity,,,,,,,,,,Removable Media,"netsat.exe, netui3.dll, Autorun.inf, ~disk.ini, netwi.drv, setup35.exe",,,, 2014-02-01,Unveiling 'Careto' - The Masked APT,,https://d2538mqrb7brka.cloudfront.net/wp-content/uploads/sites/43/2018/03/20133638/unveilingthemask_v1.0.pdf,Kaspersky,"CVE-2011-3544, CVE-2012-0773",,,mask,ES,"Espionage, Information theft and espionage",2007,"CU, ES, FR, MA, VE",TRUE,Spear Phishing,"JavaUpdate.jar, javaupdt.exe, objframe.dll, SGH, Careto, Metasploit (win7elevate module), The Mask","Government and Defense Agencies, Corporations and Businesses, Financial Institutions, Energy and Utilities, Education and Research Institutions, Non-Governmental Organizations (NGOs) and Nonprofits",,, 2014-02-13,Operation_SnowMan,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.02.13_Operation_SnowMan/Operation_SnowMan.pdf,FireEye,CVE-2014-0322,,,deputydog,CN,"Espionage, Information theft and espionage",2009,"JP, US",TRUE,"Watering Hole, Exploit Vulnerability","Gh0stRat, ZxShell backdoor","Government and Defense Agencies, Corporations and Businesses, Non-Governmental Organizations (NGOs) and Nonprofits",2013-05-02,2014-01-02,245.0 2014-02-19,XtremeRAT_fireeye,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.02.19.XtremeRAT/XtremeRAT_fireeye.pdf,FireEye,,,,molerats,PS,Information theft and espionage,2012,,,"Phishing, Malicious 
Documents","SpyEye, Citadel, Zeus, XtremeRAT, Poison Ivy","Energy and Utilities, Financial Institutions, Corporations and Businesses",,, 2014-02-19,The_Monju_Incident,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.02.19.Monju_Incident/The_Monju_Incident.pdf,Contextis,,,"rule Trojan_W32_Gh0stMiancha_1_0_0 \n{ \n strings: \n $0x = { 57 5b 5a 5a 51 57 40 34 31 67 2e 31 70 34 5c 40 40 44 3b 25 3a 19 1e 5c 7b \n67 60 2e 34 31 67 2e 31 70 19 1e 55 77 77 71 64 60 2e 34 3e 3b 3e 19 1e 57 7b 7a 60 71 7a \n60 39 40 6d 64 71 2e 34 60 71 6c 60 3b 7c 60 79 78 19 1e 44 66 7b 6c 6d 39 57 7b 7a 7a 71 \n77 60 7d 7b 7a 2e 34 5f 71 71 64 39 55 78 7d 62 71 19 1e 57 7b 7a 60 71 7a 60 39 78 71 7a \n73 60 7c 2e 34 24 19 1e 19 1e } \n $1 = { 5c e7 99 bd e5 8a a0 e9 bb 91 5c } \n $1x = { 48 f3 8d a9 f1 9e b4 fd af 85 48 } \n $2 = ""DllCanLoadNow"" \n $2x = { 50 78 78 57 75 7a 58 7b 75 70 5a 7b 63 } \n $3x = { 5a 61 79 76 71 66 34 7b 72 34 67 61 76 7f 71 6d 67 2e 34 31 70 } \n $4 = ""JXNcc2hlbGxcb3Blblxjb21tYW5k"" \n $4x = { 5e 4c 5a 77 77 26 7c 78 76 53 6c 77 76 27 56 78 76 78 6c 7e 76 26 25 60 4d \n43 21 7f } \n $5 = ""SEFSRFdBUkVcREVTQ1JJUFRJT05cU3lzdGVtXENlbnRyYWxQcm9jZXNzb3JcMA=="" \n $5x = { 47 51 52 47 46 52 70 56 41 7f 42 77 46 51 42 40 45 25 5e 5e 41 52 46 5e 40 \n24 21 77 41 27 78 6e 70 53 42 60 4c 51 5a 78 76 7a 46 6d 4d 43 6c 45 77 79 2d 7e 4e 4c 5a \n6e 76 27 5e 77 59 55 29 29 } \n $6 = ""C:\\\\Users\\\\why\\\\"" \n $6x = { 57 2e 48 41 67 71 66 67 48 63 7c 6d 48 } \n $7 = ""g:\\\\ykcx\\\\"" \n $7x = { 73 2E 48 6D 7F 77 6C 48 } \n $8 = ""(miansha)"" \n $8x = { 3C 79 7D 75 7A 67 7C 75 3D } \n $9 = ""server(\\xE5\\xA3\\xB3)"" \n $9x = { 7C 2E 48 26 24 25 27 3A 25 25 3A 26 21 48 67 71 66 62 71 66 3C F1 B7 A7 3D \n48 46 71 78 71 75 67 71 48 67 71 66 62 71 66 3A 64 70 76 } \n $cfgDecode = { 8a ?? ?? 80 c2 7a 80 f2 19 88 ?? ?? 
41 3b ce 7c ??} \n condition: \n any of them \n}",,,,,JP,FALSE,Watering Hole,"Gh0st RAT, GOM Player, Backdoor.Miancha",Energy and Utilities,2011-10-15,2014-01-16,824.0 2014-02-20,Mo' Shells Mo' Problems - Network Detection,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.02.20.deep-panda-webshells/Mo%27%20Shells%20Mo%27%20Problems%20-%20Network%20Detection%20%C2%BB.pdf,CrowdStrike,,,,deep panda,CN,"Espionage, Information theft and espionage",2013,,,,,Corporations and Businesses,,, 2014-02-20,deep-panda-webshells,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.02.20.deep-panda-webshells/deep-panda-webshells.pdf,CrowdStrike,,,,deep panda,CN,"Espionage, Information theft and espionage",2013,,,,"showimg.asp, system_web.aspx","Corporations and Businesses, Financial Institutions, Government and Defense Agencies",,, 2014-02-20,Mo' Shells Mo' Problems - File List Stacking,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.02.20.deep-panda-webshells/Mo%27%20Shells%20Mo%27%20Problems%20-%20File%20List%20Stacking%20%C2%BB.pdf,CrowdStrike,,,,deep panda,CN,"Espionage, Information theft and espionage",2013,,,,,Corporations and Businesses,,, 2014-02-20,Operation_GreedyWonk,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.02.20.Operation_GreedyWonk/Operation_GreedyWonk.pdf,FireEye,"CVE-2012-0507, CVE-2012-0779",,,,,,,,TRUE,Watering Hole,"Adobe Flash, PlugX/Kaba remote access tool (RAT)",Non-Governmental Organizations (NGOs) and Nonprofits,,, 2014-02-23,FTA 1012 STTEAM Final,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.02.23.Operation_STTEAM/FTA%201012%20STTEAM%20Final.pdf,Fidelis Cybersecurity,,,,st group,CN,"Espionage, Information theft and espionage",2010,,,,"Zehir ASP Shell, K-Shell/ZHC Shell 1.0/Aspx Shell","Energy and Utilities, Government and Defense 
Agencies",,, 2014-02-25,french-connection-french-aerospace-focused-cve-2014-0322-attack-shares-similarities-2012,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.02.25.The_French_Connection/french-connection-french-aerospace-focused-cve-2014-0322-attack-shares-similarities-2012.pdf,CrowdStrike,"CVE-2012-4792, CVE-2014-0322",,,aurora panda,CN,"Espionage, Information theft and espionage",2009,FR,TRUE,Watering Hole,"Sakula malware, ZxShell malware","Corporations and Businesses, Manufacturing",,, 2014-02-25,Crowdstrike_The French Connection(Feb-25-14),The French Connection: French Aerospace-Focused CVE-2014-0322 Attack Shares Similarities with 2012 Capstone Turbine Activity,https://app.box.com/s/yh95vh5l17z2vcffwjvg3v05fzn0pzp1,CrowdStrike,"CVE-2012-4792, CVE-2014-0322",,,aurora panda,CN,"Espionage, Information theft and espionage",2009,"FR, US",TRUE,"Exploit Vulnerability, Watering Hole",Sakula malware,"Corporations and Businesses, Manufacturing, Critical Infrastructure",,, 2014-02-28,GData_Uroburos_RedPaper_EN_v1,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.02.28.Uroburos/GData_Uroburos_RedPaper_EN_v1.pdf,G Data,,,,,,,,,,Removable Media,"Uroburos, Agent.BTZ, Dumper for NTLM, RAR tools","Government and Defense Agencies, Education and Research Institutions, Corporations and Businesses",,, 2014-03-06,The_Siesta_Campaign,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.03.06.The_Siesta_Campaign/The_Siesta_Campaign.pdf,Trend Micro,,,,,,,,,FALSE,Spear Phishing,"TROJ_SLOTH, BKDR_SLOTH.A, UIODsevr.exe","Corporations and Businesses, Financial Institutions, Healthcare, Energy and Utilities, Media and Entertainment Companies, Government and Defense Agencies, Critical Infrastructure",,, 
2014-03-07,snake_whitepaper,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.03.07.Snake_Campaign/snake_whitepaper.pdf,BAE Systems Applied Intelligence,,,,,,,,"BE, GB, GE, HU, IT, LT, RO, UA, US",,"Removable Media, Spear Phishing, Exploit Vulnerability","Snake, uroburos, sengoku, snark, Agent.BTZ, Metasploit",,,, 2014-03-08,Reuters_Turla,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.03.08.Russian_spyware_Turla/Reuters_Turla.pdf,Reuters,,,,turla,RU,"Espionage, Information theft and espionage",1996,"GB, LT, UA",,,"Agent.BTZ, Turla, password stealers, document stealers, command and control servers.",Government and Defense Agencies,,, 2014-03-12,a-detailed-examination-of-the-siesta-campaign,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.03.12.Detailed_Siesta_Campaign/a-detailed-examination-of-the-siesta-campaign.pdf,FireEye,,,,apt1,CN,"Espionage, Information theft and espionage",2006,,,Spear Phishing,"Spear-phishing emails, Callback traffic, Binder tool",Corporations and Businesses,,, 2014-04-26,Op_Clandestine_Fox,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.04.26.Operation_Clandestine_Fox/Op_Clandestine_Fox.pdf,FireEye,"CVE-2010-3962, CVE-2014-1776",,,,,,,,TRUE,Exploit Vulnerability,"Pirpi, Adobe Flash, Internet Explorer, EMET, SWF, RC4.",,,, 2014-05-13,fireeye-operation-saffron-rose,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.05.13.Operation_Saffron_Rose/fireeye-operation-saffron-rose.pdf,FireEye,,,,ajax security team,IR,"Espionage, Information theft and espionage",2010,IR,TRUE,"Spear Phishing, Phishing, Social Engineering","Stealer malware, IntelRapidStart.exe, RapidStartTech.stl, Ultrasms[.]ir","Government and Defense Agencies, Corporations and Businesses",2009-07-13,2014-03-15,1706.0 
2014-05-13,CrowdStrike_Flying_Kitten,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.05.13.Flying.Kitten/CrowdStrike_Flying_Kitten.pdf,CrowdStrike,,,"rule CrowdStrike_CSIT_14003_03 : installer \n{ \n meta: \n copyright = ""CrowdStrike, Inc"" \n description = ""Flying Kitten Installer"" \n version = ""1.0"" \n actor = ""FLYING KITTEN"" \n in_the_wild = true \n strings: \n $exename = ""IntelRapidStart.exe"" \n $confname = ""IntelRapidStart.exe.config"" \n $cabhdr = { 4d 53 43 46 00 00 00 00 } \n condition: \n all of them \n}, rule CrowdStrike_FlyingKitten : rat\n{\nmeta: \n copyright = ""CrowdStrike, Inc"" \n description = ""Flying Kitten RAT"" \n version = ""1.0"" \n actor = ""FLYING KITTEN"" \n in_the_wild = true \n strings: \n $classpath = ""Stealer.Properties.Resources.resources"" \n $pdbstr = ""\\Stealer\\obj\\x86\\Release\\Stealer.pdb"" \n condition: \n all of them and \n uint16(0) == 0x5A4D and uint32(uint32(0x3c)) == 0x4550 and \n uint16(uint32(0x3C) + 0x16) & 0x2000 == 0 and \n ((uint16(uint32(0x3c)+24) == 0x010b and \n uint32(uint32(0x3c)+232) > 0) or \n (uint16(uint32(0x3c)+24) == 0x020b and \n uint32(uint32(0x3c)+248) > 0)) \n}",flying kitten,IR,"Espionage, Information theft and espionage",2010,US,FALSE,"Phishing, Credential Reuse, Website Equipping",Stealer malware,"Government and Defense Agencies, Education and Research Institutions",,, 2014-05-16,APT Campaign Leverages the Cueisfry Trojan and Microsoft Word Vulnerability CVE-2014-1761,,https://www.secureworks.com/blog/apt-campaign-leverages-the-cueisfry-trojan-and-microsoft-word-vulnerability-cve-2014-1761,SecureWorks,CVE-2014-1761,,,,,,,,TRUE,"Spear Phishing, Exploit Vulnerability, Malicious Documents","Cueisfry trojan, Epdate.exe, Microsoft Word","Government and Defense Agencies, Financial Institutions",2014-04-21,2014-05-16,25.0 
2014-05-20,Miniduke_twitter,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.05.20.Miniduke_Twitter_CnC/Miniduke_twitter.pdf,Kaspersky,CVE-2014-1761,,,,,,,"BE, FR, GB",TRUE,"Exploit Vulnerability, Malicious Documents","MiniDuke, Win32/SandyEva, Win32/Exploit.CVE-2014-1761.D, TwitterJS",Government and Defense Agencies,2013-03-15,2014-04-08,389.0 2014-05-21,FTA_1013_RAT_in_a_jar,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.05.21.Unrecom_Rat/FTA_1013_RAT_in_a_jar.pdf,Fidelis Cybersecurity,,,,,,,,"RU, SA, US",,Phishing,"Adwind RAT, DarkComet, ArcomRAT, Unrecom RAT","Government and Defense Agencies, Healthcare, Corporations and Businesses",,, 2014-05-28,Iranian Hackers Targeted US Officials in Elaborate Social Media Attack Operation _ SecurityWeek,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.05.28.NewsCaster_An_Iranian_Threat_Within_Social_Networks/Iranian%20Hackers%20Targeted%20US%20Officials%20in%20Elaborate%20Social%20Media%20Attack%20Operation%20_%20SecurityWeek.pdf,Mandiant,,,,newscaster,IR,Espionage,,"GB, IL, IQ, SA, US",FALSE,"Spear Phishing, Social Engineering",,"Government and Defense Agencies, Critical Infrastructure, Media and Entertainment Companies, Individuals",,, 2014-05-28,file-2581720763-pdf,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.05.28.NewsCaster_An_Iranian_Threat_Within_Social_Networks/file-2581720763-pdf.pdf,Mandiant,,,,newscaster,IR,Espionage,,"AF, GB, IL, IQ, SA, SY, US",FALSE,"Phishing, Social Engineering",,"Government and Defense Agencies, Corporations and Businesses",,, 
2014-05-28,newscaster-iranian-threat-inside-social-media,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.05.28.NewsCaster_An_Iranian_Threat_Within_Social_Networks/newscaster-iranian-threat-inside-social-media.pdf,Mandiant,,,,newscaster,IR,Espionage,,"GB, IL, IQ, SA, US",FALSE,"Spear Phishing, Social Engineering",,"Government and Defense Agencies, Critical Infrastructure",,, 2014-06-06,ASERT-Threat-Intelligence-Brief-2014-07-Illuminating-Etumbot-APT,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.06.06.Etumbot_APT_Backdoor/ASERT-Threat-Intelligence-Brief-2014-07-Illuminating-Etumbot-APT.pdf,"Arbor Networks, Inc.",,,,numbered panda,CN,"Espionage, Information theft and espionage",2009,TW,,Malicious Documents,"sysupdate.exe, JavaSvc.exe",Education and Research Institutions,,, 2014-06-09,putter-panda,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.06.09.Putter_Panda/putter-panda.pdf,CrowdStrike,,,,putter panda,CN,"Espionage, Information theft and espionage",2007,JP,,,"Remote Access Tools (RATs), Custom malware, Pngdowner malware, HttpClient malware, Droppers – RC4 and XOR Based, 4H RAT",Corporations and Businesses,,, 2014-06-10,Bluecoat_SnakeInTheGrass-Python-Malware-Targeted(06-10-2014),Snake In The Grass: Python-based Malware Used For Targeted Attacks,https://app.box.com/s/4n263mzodo4mb7jz1w3deidg9xuu2teh,Bluecoat,CVE-2012-0158,,,,,,,,FALSE,"Spear Phishing, Malicious Documents","AutoIt, Python",Government and Defense Agencies,,, 2014-06-20,Compromise_Greece_Beijing,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.06.20.Embassy_of_Greece_Beijing/Compromise_Greece_Beijing.pdf,Microsoft,,,,,,,,,,Watering Hole,"IDA Pro, Java Decompiler, Wireshark, cmd.exe, Internet Explorer",Government and Defense Agencies,,, 
2014-06-30,Dragonfly_Threat_Against_Western_Energy_Suppliers,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.06.30.Dragonfly/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf,Symantec,"CVE-2012-1723, CVE-2012-4792, CVE-2013-1347, CVE-2013-2465",,private rule isPE\n{\n condition:\n uint16(0) == 0x5A4D and uint32\n(uint32\n(0x3c)\n) == 0x00004550\n},dragonfly,RU,"Espionage, Sabotage and destruction",2010,"DE, ES, FR, IT, US",,"Spear Phishing, Watering Hole, Malicious Documents","Backdoor.Oldrea (also known as Havex or the Energetic Bear RAT), Trojan.Karagany, Lightsout exploit kit, Hello exploit kit","Energy and Utilities, Critical Infrastructure",,, 2014-07-07,Deep in Thought_ Chinese Targeting of National Security Think Tanks,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.07.07.Deep_in_Thought/Deep%20in%20Thought_%20Chinese%20Targeting%20of%20National%20Security%20Think%20Tanks%20%C2%BB.pdf,CrowdStrike,,,,deep panda,CN,"Espionage, Information theft and espionage",2013,"CN, IQ, IR, RU",FALSE,Credential Reuse,"NetE tool, 7-zip, RAR archiver, MadHatter .NET Remote Access Tool (RAT)","Non-Governmental Organizations (NGOs) and Nonprofits, Education and Research Institutions",,, 2014-07-07,AdversaryIntelligenceReport_DeepPanda_0,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.07.07.Deep_in_Thought/AdversaryIntelligenceReport_DeepPanda_0.pdf,CrowdStrike,,,,deep panda,CN,"Espionage, Information theft and espionage",2013,"JP, US",,,"Remote Access Tool (RAT), Dynamic Link Library (DLL)","Government and Defense Agencies, Corporations and Businesses, Non-Governmental Organizations (NGOs) and Nonprofits",,, 2014-07-10,TrapX_ZOMBIE_Report_Final,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.07.10.Zombie_Zero/TrapX_ZOMBIE_Report_Final.pdf,TrapX Security,,,,,,,,,FALSE,Removable Media,"SMB protocol, 
RADMIN protocol","Manufacturing, Corporations and Businesses",,, 2014-07-10,circl-tr25-analysis-turla-pfinet-snake-uroburos,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.07.10.Turla_Pfinet_Snake_Uroburos/circl-tr25-analysis-turla-pfinet-snake-uroburos.pdf,CIRCL,,,,,,,,,,,"Uroburos, Turla, Sengoku, Snark, Pfinet, Agent.btz",,,, 2014-07-11,The-Eye-of-the-Tiger2,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.07.11.Pitty_Tiger/The-Eye-of-the-Tiger2.pdf,Symantec,"CVE-2012-0158, CVE-2014-1761",,,pitty tiger,,,,,,"Spear Phishing, Exploit Vulnerability, Malicious Documents","Troj/ReRol.A, MM RAT, CT RAT, Pitty Tiger, Paladin RAT, cp.exe, mailpv.exe, gsecdump, NirSoft tools, Mimikatz, pr.exe, po.exe, ssql.exe, Fluxay","Government and Defense Agencies, Education and Research Institutions, Energy and Utilities",,, 2014-07-20,Sayad_Flying_Kitten_analysis,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.07.20.Flying_Kitten/Sayad_Flying_Kitten_analysis.pdf,RSA,,,"rule Vinsula_Sayad_Binder : infostealer\n{\n \nmeta: \n \n \ncopyright = ""Vinsula, Inc"" \n \n \ndescription = ""Sayad Infostealer Binder"" \n \n \nversion = ""1.0"" \n \n \nactor = ""Sayad Binder"" \n \n \nin_the_wild = true \n strings: \n \n \n$pdbstr = \n""\\\\Projects\\\\C#\\\\Sayad\\\\Source\\\\Binder\\\\obj\\\\Debug\\\\Binder.pdb"" \n \n \n$delphinativestr = ""DelphiNative.dll"" nocase\n \n \n$sqlite3str = ""sqlite3.dll"" nocase\n \n \n$winexecstr = ""WinExec"" \n \n \n$sayadconfig = ""base.dll"" wide\n condition:\n all of them\n}, rule Vinsula_Sayad_Client : infostealer\n{\n \nmeta: \n \n \ncopyright = ""Vinsula, Inc"" \n \n \ndescription = ""Sayad Infostealer Client"" \n \n \nversion = ""1.0"" \n \n \nactor = ""Sayad Client"" \n \n \nin_the_wild = true \n strings: \n \n \n$pdbstr = \n""\\\\Projects\\\\C#\\\\Sayad\\\\Source\\\\Client\\\\bin\\\\x86\\\\Debug\\\\Client.pdb"" \n \n 
\n$sayadconfig = ""base.dll"" wide\n \n \n$sqlite3str = ""sqlite3.dll"" nocase\n \n \n$debugstr01 = ""Config loaded"" wide\n \n \n$debugstr02 = ""Config parsed"" wide\n \n \n$debugstr03 = ""storage uploader"" wide\n \n \n$debugstr04 = ""updater"" wide\n \n \n$debugstr05 = ""keylogger"" wide\n \n \n$debugstr06 = ""Screenshot"" wide\n \n \n$debugstr07 = ""sqlite found & start collectiong data"" wide\n \n \n$debugstr08 = ""Machine info collected"" wide\n \n \n$debugstr09 = ""browser ok"" wide\n \n \n$debugstr10 = ""messenger ok"" wide\n \n \n$debugstr11 = ""vpn ok"" wide\n \n \n$debugstr12 = ""ftp client ok"" wide\n \n \n$debugstr13 = ""ftp server ok"" wide\n \n \n$debugstr14 = ""rdp ok"" wide\n \n \n$debugstr15 = ""kerio ok"" wide\n \n \n$debugstr16 = ""skype ok"" wide\n \n \n$debugstr17 = ""serialize data ok"" wide\n \n \n$debugstr18 = ""Keylogged"" wide\n condition:\n all of them\n}",ajax security team,IR,"Espionage, Information theft and espionage",2010,,,Phishing,"Sayad malware, Vinsula Execution Engine, IDA Pro, WinDBG, .NET Reflector, Dependency Walker, PEview, Fiddler, SysInternals Process Explorer, IP Geolocator, WHOIS Search, YARA, Hashmyfiles","Corporations and Businesses, Government and Defense Agencies, Individuals",2014-07-14,2014-07-24,10.0 2014-07-29,group-3279-targets-the-video-game-industry,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.07.29.Threat_Group-3279_Targets_the_Video_Game_Industry/group-3279-targets-the-video-game-industry.pdf,SecureWorks,,,,apt41,CN,"Financial crime, Information theft and espionage",2010,,,"Credential Reuse, Exploit Vulnerability","Conpee, gsi.exe, Etso, pwdump6, Gh0st, NetCommander, Carberp",Media and Entertainment Companies,,, 2014-07-31,EB-YetiJuly2014-Public,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.07.31.Energetic_Bear/EB-YetiJuly2014-Public.pdf,Kaspersky,"CVE-2011-0611, CVE-2012-1723, CVE-2013-1347, 
CVE-2013-2465",,,energetic bear,RU,"Espionage, Sabotage and destruction",2010,"AR, AZ, BD, BR, CH, CN, CO, CZ, DE, EC, ES, GB, HK, IN, IQ, IR, IT, KR, MX, MY, QA, TJ, TW, VN, ZA",FALSE,"Spear Phishing, Watering Hole, Exploit Vulnerability, Malicious Documents","Havex Trojan, Sysmain Trojan, The ClientX backdoor, Karagany backdoor, LightsOut exploit kit, Metasploit framework","Corporations and Businesses, Manufacturing, Healthcare, Education and Research Institutions, Critical Infrastructure, Cloud/IoT Services, Energy and Utilities",2010-10-15,2014-07-15,1369.0 2014-08-04,fireeye-sidewinder-targeted-attack,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.08.04.Sidewinder_GoldenAge/fireeye-sidewinder-targeted-attack.pdf,FireEye,CVE-2014-0224,,,sidewinder,,Information theft and espionage,2012,,,Exploit Vulnerability,,"Financial Institutions, Individuals",,, 2014-08-05,ThreatConnect_Operation_Arachnophobia_Report,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.08.05.Operation_Arachnophobia/ThreatConnect_Operation_Arachnophobia_Report.pdf,Cyber Squared Inc.,,,,,,,,IN,,,"BITTERBUG, Libcurl40",Government and Defense Agencies,2013-05-08,2014-03-17,313.0 2014-08-06,Operation_Poisoned_Hurricane,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.08.06.Operation_Poisoned_Hurricane/Operation_Poisoned_Hurricane.pdf,FireEye,,,,,,,,US,,,Kaba (aka PlugX or SOGU),"Government and Defense Agencies, Corporations and Businesses, Financial Institutions, Media and Entertainment Companies",2013-10-15,2014-08-04,293.0 2014-08-07,The_Epic_Turla_Operation,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.08.07.Epic_Turla_Operation_Appendix/The_Epic_Turla_Operation.pdf,Kaspersky,"CVE-2009-3129, CVE-2012-1723, CVE-2012-4681, CVE-2013-2729, CVE-2013-3346, CVE-2013-5065",,,turla,RU,"Espionage, Information theft and 
espionage",1996,,FALSE,"Spear Phishing, Watering Hole, Social Engineering, Exploit Vulnerability, Malicious Documents","Epic / Tavdig / Wipbot backdoor, CVE-2013-5065 EoP exploit, Trojan.Wipbot, Carbon/Cobra system, winsvclg.exe, winrs.exe","Government and Defense Agencies, Education and Research Institutions",,, 2014-08-07,KL_Epic_Turla_Technical_Appendix_20140806,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.08.07.Epic_Turla_Operation_Appendix/KL_Epic_Turla_Technical_Appendix_20140806.pdf,Kaspersky,CVE-2012-1723,,,turla,RU,"Espionage, Information theft and espionage",1996,,TRUE,"Spear Phishing, Social Engineering, Watering Hole, Malicious Documents","Custom keylogger, UPX compressed “dnsquery.exe”, dnsquery.exe, Epic/Tavdig backdoors, SCR/EXE files, NATO position on Syria.scr, Russia position on Syria.scr, Talking Points.scr, Program.scr, Security protocol.scr, unknown.exe (“WorldCupSec”), unknown.exe (“TadjMakhal”), unknown.exe (“RussiaPositions”), pdfview.exe, winword.exe, Adobe Flash Player Epic backdoor installers, adobe_flash_player.exe, Shockwave_Flash_Player.exe, 19",,,, 2014-08-12,NYTimes_Attackers_Evolve_Quickly,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.08.12.New_York_Times_Attackers/NYTimes_Attackers_Evolve_Quickly.pdf,FireEye,,,,apt12,CN,"Espionage, Information theft and espionage",2009,,,Watering Hole,"Aumlib, Ixeshe","Education and Research Institutions, Media and Entertainment Companies",,, 2014-08-13,sec14-paper-blond,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.08.13.TargetAttack.NGO/sec14-paper-blond.pdf,Symantec,"CVE-2009-4324, CVE-2010-2883, CVE-2010-3333, CVE-2012-0158",,,pla unit 61398,CN,"Espionage, Information theft and espionage",2006,,FALSE,"Spear Phishing, Watering Hole, Social Engineering, Malicious Documents","Surtr, TravNet","Critical Infrastructure, Corporations and Businesses, Media and 
Entertainment Companies, Non-Governmental Organizations (NGOs) and Nonprofits, Education and Research Institutions",,, 2014-08-16,HPSR SecurityBriefing_Episode16_NorthKorea,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.08.16.North_Korea_cyber_threat_landscape/HPSR%20SecurityBriefing_Episode16_NorthKorea.pdf,HP,,,,lazarus group,KP,"Information theft and espionage, Espionage, Sabotage and destruction, Sabotage, Financial crime",2014,"KR, US",TRUE,"Spear Phishing, Watering Hole, Exploit Vulnerability","DarkSeoul, IRC remote access trojan (RAT), AgentBase.exe, taskkill","Government and Defense Agencies, Financial Institutions, Media and Entertainment Companies",,, 2014-08-18,KL_report_syrian_malware,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.08.18.Syrian_Malware_House_of_Cards/KL_report_syrian_malware.pdf,Kaspersky,,,,syrian electronic army,SY,Information theft and espionage,2011,"AE, EG, IL, JO, LB, MA, PS, SA, SY, TR, US",FALSE,Social Engineering,"ShadowTech RAT, Xtreme RAT, NjRAT, Bitcomet RAT, Dark Comet RAT, Blackshades RAT, SSH VPN program",,,, 2014-08-18,The Syrian Malware House of Cards - Securelist,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.08.18.Syrian_Malware_House_of_Cards/The%20Syrian%20Malware%20House%20of%20Cards%20-%20Securelist.pdf,Kaspersky,,,,,,,,"AE, FR, IL, LB, MA, PS, SA, TR, US",,"Social Engineering, Malicious Documents, Watering Hole","Trojan.MSIL.Zapchast, Backdoor.Win32.Bifrose, Backdoor.Win32.Fynloski, Backdoor.Win32.Xtreme",Individuals,,, 2014-08-19,APT Gang Branches Out to Medical Espionage in Community Health Breach,,https://threatpost.com/apt-gang-branches-out-to-medical-espionage-in-community-health-breach/107828,ThreatPost,,,,apt 18,CN,"Espionage, Information theft and espionage",2009,,,,,Healthcare,,, 
2014-08-20,El_Machete,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.08.20.El_Machete/El_Machete.pdf,Kaspersky,,,,,,,,"CO, CU, EC, ES, PE, RU, VE",,"Spear Phishing, Social Engineering, Malicious Documents","Trojan-Spy.Python.Ragua, Nullsoft Installer, PowerPoint, The Social Engineering Toolkit (SET)",Government and Defense Agencies,,, 2014-08-24,Another country-sponsored #malware Vietnam APT Campaign,,http://blog.malwaremustdie.org/2014/08/another-country-sponsored-malware.html,Malware Must Die!,CVE-2013-0634,,,,,,,"HK, MN",,,"PowerSploit, Poison Ivy","Individuals, Media and Entertainment Companies",,, 2014-08-27,NetTraveler_Makeover_10th_Birthday,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.08.27.NetTraveler/NetTraveler_Makeover_10th_Birthday.pdf,Kaspersky,CVE-2012-0158,,,nettraveler,CN,"Espionage, Information theft and espionage",2004,,FALSE,"Spear Phishing, Malicious Documents","NetTraveler backdoor, Exploit.MSWord.CVE-2012-0158.db, Trojan-Dropper.Win32.Agent.lifr, Trojan-Spy.Win32.TravNet.qfr, Trojan.BAT.Tiny.b","Government and Defense Agencies, Energy and Utilities, Education and Research Institutions, Non-Governmental Organizations (NGOs) and Nonprofits, Individuals",,, 2014-08-28,Alienvault_Scanbox,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.08.28.Scanbox_Framework_Watering_Hole_Attack/Alienvault_Scanbox.pdf,Microsoft,,,,,,,,,FALSE,Watering Hole,"Scanbox, Metasploit","Corporations and Businesses, Manufacturing",,, 2014-08-29,Syrian_Malware_Team_BlackWorm,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.08.29.BlackWorm_Syrian/Syrian_Malware_Team_BlackWorm.pdf,Microsoft,,,,,,,,,,,"BlackWorm, Dark Edition BlackWorm, njw0rm, njRAT/LV, H-worm/Houdini, Fallaga, Spygate",Media and Entertainment Companies,2011-01-01,2014-07-16,1292.0 
2014-08-30,rpt-china-chopper,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2013/2013.00.00.China_Chopper_Web_Shell/rpt-china-chopper.pdf,FireEye,,,,,,,,,,Exploit Vulnerability,"China Chopper Web Shell, PEiD, Fiddler Web debugger, Microsoft Visual C++ 6.0","Corporations and Businesses, Government and Defense Agencies",,, 2014-09-03,Darwin_fav_APT_Group,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.09.03.Darwin_APT/Darwin_fav_APT_Group.pdf,FireEye,CVE-2012-0158,,,apt12,CN,"Espionage, Information theft and espionage",2009,"JP, TW",FALSE,"Spear Phishing, Malicious Documents, Exploit Vulnerability","RIPTIDE, HIGHTIDE, THREEBYTE, WATERSPOUT, Tran Duy Linh exploit kit","Government and Defense Agencies, Corporations and Businesses, Education and Research Institutions",,, 2014-09-04,Gholee_Protective_Edge_themed_spear_phishing_campaign,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.09.04.Gholee/Gholee_Protective_Edge_themed_spear_phishing_campaign.pdf,ClearSky,,,,gholee,,,,,,"Spear Phishing, Malicious Documents, Social Engineering","Gholee, Core Impact",,2014-06-02,2014-08-15,74.0 2014-09-04,XSLCmd_OSX,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.09.04.XSLCmd_OSX/XSLCmd_OSX.pdf,FireEye,"CVE-2010-0806, CVE-2010-1297, CVE-2010-2884",,,icefog,CN,"Espionage, Information theft and espionage",2014,,TRUE,"Exploit Vulnerability, Watering Hole","MacControl, IceFog, Careto/Mask, sbd, XSLCmd, SQLMap, Acunetix, web shells",Government and Defense Agencies,,, 2014-09-04,Chinese_MITM_Google,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.09.04.Analysis_of_Chinese_MITM_on_Google/Chinese_MITM_Google.pdf,Google,,,,,,,,CN,,,,Education and Research Institutions,,, 
2014-09-08,sec14-paper-marczak,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.09.08.When_Governments_Hack_Opponents/sec14-paper-marczak.pdf,RSA,"CVE-2010-3333, CVE-2012-0158, CVE-2013-0422",,,,,,,"AE, AZ, BH, KZ, NG, OM, SA, SD, SY, TR, UZ",FALSE,"Spear Phishing, Social Engineering, Malicious Documents, Drive-by Download","DarkComet RAT, njRAT, FinFisher, iplogger.org, TEMU: The BitBlaze Dynamic Analysis Component","Individuals, Non-Governmental Organizations (NGOs) and Nonprofits",,, 2014-09-10,fireeye-operation-quantum-entanglement,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.09.10.Operation_Quantum_Entanglement/fireeye-operation-quantum-entanglement.pdf,FireEye,,,,dragonok,CN,"Espionage, Information theft and espionage",2014,"HK, ID, JP, MY, PH, TW",,Spear Phishing,"CT/NewCT, Mongall, Nflog, PoisonIvy, Sysget/HelloBridge, HTRAN","Government and Defense Agencies, Manufacturing",,, 2014-09-17,armed-services.senate.gov-Press Release Press United States Commitee on Armed Services,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.09.17.Chinese_APT_defense_contractors/armed-services.senate.gov-Press%20Release%20%20Press%20%20United%20States%20Commitee%20on%20Armed%20Services.pdf,NATO,,,,,,,,US,,,,"Government and Defense Agencies, Corporations and Businesses, Critical Infrastructure",,, 2014-09-18,cosmicduke_whitepaper,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.09.18.COSMICDUKE/cosmicduke_whitepaper.pdf,F-Secure,CVE-2011-0611,,,,,,,"PL, RU, TR, UA",FALSE,"Exploit Vulnerability, Social Engineering, Malicious Documents","CosmicDuke, MiniDuke, Cosmu",,,, 
2014-09-19,th3bug_Watering_Hole_PoisonIvy,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.09.19.th3bug_Poison_Ivy/th3bug_Watering_Hole_PoisonIvy.pdf,FireEye,CVE-2014-0515,,,th3bug,CN,Information theft and espionage,2014,"CN, US",TRUE,Watering Hole,Poison Ivy Remote Administration Tool (RAT),"Corporations and Businesses, Financial Institutions, Education and Research Institutions",2014-01-22,2014-07-21,180.0 2014-09-26,blackenergy_whitepaper,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.09.26.BlackEnergy_Quedagh/blackenergy_whitepaper.pdf,SecureWorks,CVE-2010-3333,,,sandworm,RU,"Espionage, Sabotage and destruction",2015,UA,,Malicious Documents,"BlackEnergy, BlackEnergy 3",Government and Defense Agencies,,, 2014-09-26,Aided_Frame_Aided_Direction,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.09.26.Aided_Frame_Aided_Direction/Aided_Frame_Aided_Direction.pdf,FireEye,,,,sunshop digital quartermaster,CN,"Espionage, Information theft and espionage",2013,CN,,Watering Hole,"Poison Ivy remote access tool (RAT), Sunshop Digital Quartermaster builder toolkit",Non-Governmental Organizations (NGOs) and Nonprofits,,, 2014-10-03,PAN_Nitro,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.10.03.Nitro_APT/PAN_Nitro.pdf,Palo Alto,,,,nitro,CN,Information theft and espionage,2011,"KR, US",,Watering Hole,"Spindest, PCClient, Farfli","Corporations and Businesses, Healthcare, Energy and Utilities, Manufacturing",,, 2014-10-09,Democracy_HongKong_Under_Attack,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.10.09.Democracy_Hong_Kong_Under_Attack/Democracy_HongKong_Under_Attack.pdf,Volexity,,,,,,,,"HK, JP",,"Watering Hole, Drive-by Download","PlugX, Java Archives",Non-Governmental Organizations (NGOs) and Nonprofits,,, 
2014-10-14,Derusbi_Server_Analysis-Final,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.10.14.Derusbi_Analysis/Derusbi_Server_Analysis-Final.pdf,Novetta,,,"rule Derusbi_Server \n{ \n \n \n \nstrings: \n \n \n$uuid = ""{93144EB0-8E3E-4591-B307-8EEBFE7DB28F}"" wide ascii \n \n \n$infectionID1 = ""-%s-%03d"" \n \n \n$infectionID2 = ""-%03d"" \n \n \n$other = ""ZwLoadDriver"" \n \ncondition: \n \n \n$uuid or ($infectionID1 and $infectionID2 and $other) \n}",,,,,,,,Derusbi,,,, 2014-10-14,Sandworm_briefing2,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.10.14.Sandworm/Sandworm_briefing2.pdf,Mandiant,"CVE-2013-3906, CVE-2014-4114",,,sandworm,RU,"Espionage, Sabotage and destruction",2015,"PL, UA",TRUE,"Spear Phishing, Malicious Documents","BlackEnergy malware, BlackEnergy 2, BlackEnergy 3 (Lite)","Government and Defense Agencies, Corporations and Businesses, Critical Infrastructure, Energy and Utilities, Education and Research Institutions",,, 2014-10-14,Hikit_Analysis-Final,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.10.14.Hikit_Preliminary_Analysis/Hikit_Analysis-Final.pdf,Symantec,,,"rule hikit \n{ \n \nstrings: \n \n \n$hikit_pdb1 = /(H|h)ikit_/ \n \n \n$hikit_pdb2 = ""hikit\\\\"" \n \n \n$hikit_str3 = ""hikit>"" wide \n \n \n \n$driver = ""w7fw.sys"" wide \n \n \n$device = ""\\\\Device\\\\w7fw"" wide \n \n \n$global = ""Global\\\\%s__HIDE__"" wide nocase \n \n \n$backdr = ""backdoor closed"" wide \n \n \n$hidden = ""*****Hidden:"" wide \n \n \ncondition: \n \n \n(1 of ($hikit_pdb1,$hikit_pdb2,$hikit_str3)) and ($driver or \n$device or $global or $backdr or $hidden) \n}, rule hidkit \n{ \n \nstrings: \n \n $a = ""---HIDE"" \n \n $b = ""hide---port = %d"" \n \ncondition: \n \n uint16(0)==0x5A4D and uint32(uint32(0x3c))==0x00004550 and $a and $b \n}, rule hikit2 \n{ \n \nstrings: \n \n $magic1 = {8C 24 24 43 2B 2B 22 13 13 13 00} \n 
\n $magic2 = {8A 25 25 42 28 28 20 1C 1C 1C 15 15 15 0E 0E 0E 05 05 05 \n00} \n \ncondition: \n \n $magic1 and $magic2 \n}",,,,,,,,"Hikit, RAT (Remote Access Trojan), rootkit",,,, 2014-10-14,Group_72,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.10.14.Group_72/Group_72.pdf,Cisco,"CVE-2012-1889, CVE-2012-4792, CVE-2013-3893, CVE-2014-0322",,,group 72,CN,"Espionage, Information theft and espionage",2009,"JP, KR, TW, US",TRUE,"Spear Phishing, Watering Hole, Exploit Vulnerability","Gh0st RAT (aka Moudoor), Poison Ivy (aka Darkmoon), HydraQ (aka 9002 RAT aka McRAT aka Naid), Hikit (aka Matrix RAT aka Gaolmay), Zxshell (aka Sensode), DeputyDog (aka Fexel), Derusbi, PlugX (aka Destroy RAT aka Thoper aka Sogu)","Manufacturing, Media and Entertainment Companies, Government and Defense Agencies",,, 2014-10-14,ZoxPNG_Full_Analysis-Final,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.10.14.ZoxPNG/ZoxPNG_Full_Analysis-Final.pdf,Novetta,,,"rule zox \n{ \n \nstrings: \n \n \n$url = \n""png&w=800&h=600&ei=CnJcUcSBL4rFkQX444HYCw&zoom=1&ved=1t:3588,r:1,s:0,\ni:92&iact=rc&dur=368&page=1&tbnh=184&tbnw=259&start=0&ndsp=20&tx=114&t\ny=58"" \n \ncondition: \n \n \n$url \n}",,,,,"CN, JP, KR, TW",FALSE,Exploit Vulnerability,"ZoxRPC, ZoxPNG",,,, 2014-10-20,OrcaRAT,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.10.20.OrcaRAT_tale/OrcaRAT.pdf,SecureWorks,,,"rule OrcaRAT\n {\n meta: \n author = “PwC Cyber Threat Operations :: @tlansec""\n distribution = ""TLP WHITE""\n sha1 = ""253a704acd7952677c70e0c2d787791b8359efe2c92a5e77acea028393a85613""\n strings:\n $MZ=""MZ""\n $apptype1=""application/x-ms-application""\n $apptype2=""application/x-ms-xbap""\n $apptype3=""application/vnd.ms-xpsdocument""\n $apptype4=""application/xaml+xml""\n $apptype5=""application/x-shockwave-flash""\n $apptype6=""image/pjpeg""\n $err1=""Set return time error = %d!""\n $err2=""Set 
return time success!""\n $err3=""Quit success!""\n \ncondition:\n $MZ at 0 and filesize < 500KB and (all of ($apptype*) and 1 of ($err*))\n }",comfoo,,,,,,,"Comfoo, OrcaRAT",,,, 2014-10-22,wp-operation-pawn-storm,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.10.22.Operation_Pawn_Storm/wp-operation-pawn-storm.pdf,Trend Micro,"CVE-2010-3333, CVE-2012-0158",,,,,,,"AT, DE, FR, HU, IQ, PK, PL, US",FALSE,"Spear Phishing, Exploit Vulnerability, Malicious Documents","SEDNIT, Sofacy","Government and Defense Agencies, Corporations and Businesses, Media and Entertainment Companies",,, 2014-10-22,tactical-intelligence-bulletin---sofacy-phishing-,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.10.22.Sofacy_Phishing/tactical-intelligence-bulletin---sofacy-phishing-.pdf,RSA,,,,apt28,RU,"Espionage, Information theft and espionage",2004,US,TRUE,"Phishing, Malicious Documents, Spear Phishing, Watering Hole",Sofacy malware,"Government and Defense Agencies, Corporations and Businesses, Cloud/IoT Services, Energy and Utilities, Media and Entertainment Companies",,, 2014-10-23,leviathansecurity.com-The Case of the Modified Binaries,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.10.23.Modified_Binaries/leviathansecurity.com-The%20Case%20of%20the%20Modified%20Binaries.pdf,RSA,,,,,,,,,FALSE,Drive-by Download,"BDFProxy, exitmap",Individuals,,, 2014-10-24,Novetta_Operation-SMN(10-24-2014),Operation SMN,https://app.box.com/s/tp6i8x92oxp2jjs1gajmimxsbgwb3hpa,Novetta,,,,axiom,CN,"Espionage, Information theft and espionage",2009,"JP, KR, TW, US",TRUE,"Spear Phishing, Watering Hole, Exploit Vulnerability","Hydraq, Gh0st RAT, Hikit, Derusbi, DeputyDog, McRat, HydraQ/HidraQ, Naid, Homux, HomeUnix, MdmBot, Roarur, Moudoor, Mydoor, PlugX, Korplug, Sogu, Kaba, DestroyRat, TVT, Thoper, Poison Ivy, Breut, Darkmoon, Photos, Etso, Ocrums, win32.Agent.dbwr, Hikiti, 
Fexel, ZoxPNG, gresim, ZoxRPC.","Government and Defense Agencies, Corporations and Businesses, Financial Institutions, Healthcare, Energy and Utilities, Cloud/IoT Services",,, 2014-10-24,LeoUncia_OrcaRat,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.10.24.LeoUncia_and_OrcaRat/LeoUncia_OrcaRat.pdf,FireEye,,,,,,,,,,,"LeoUncia, OrcaRat, RC4",,,, 2014-10-27,pwc_ScanBox_framework,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.10.27.ScanBox_framework/pwc_ScanBox_framework.pdf,Symantec,,,,,,,,"CN, JP, KR, US",FALSE,Watering Hole,"ScanBox, Snort (for detection rules)","Corporations and Businesses, Manufacturing, Healthcare, Education and Research Institutions, Non-Governmental Organizations (NGOs) and Nonprofits",2014-08-01,2014-10-01,61.0 2014-10-27,ICS_Havex_backdoors,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.10.27.Havex_Trojans/ICS_Havex_backdoors.pdf,Symantec,,,,dragonfly,RU,"Espionage, Sabotage and destruction",2010,"BE, CH, DE",,Website Equipping,"Havex RAT/backdoor, Sysmain RAT, Havex RAT 038","Energy and Utilities, Manufacturing, Critical Infrastructure",2013-06-15,2014-04-23,312.0 2014-10-27,Micro-Targeted-Malvertising-WP-10-27-14-1,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.10.27.Micro-Targeted_Malvertising/Micro-Targeted-Malvertising-WP-10-27-14-1.pdf,"Invincea, Inc.",,,,,,,,,FALSE,"Spear Phishing, Watering Hole",Trojan backdoor,"Government and Defense Agencies, Corporations and Businesses, Financial Institutions, Healthcare, Manufacturing",,, 2014-10-28,apt28,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.10.28.APT28/apt28.pdf,FireEye,,,,apt28,RU,"Espionage, Information theft and espionage",2004,"AM, CL, GE, HU, IQ, JO, MX, NO, PK, PL, RU, US",,Spear Phishing,"SOURFACE, EVILTOSS, CHOPSTICK, CORESHELL, OLDBAIT","Government and 
Defense Agencies, Education and Research Institutions, Media and Entertainment Companies, Non-Governmental Organizations (NGOs) and Nonprofits",,, 2014-10-28,Group72_Opening_ZxShell,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.10.28.Group_72_ZxShell/Group72_Opening_ZxShell.pdf,Symantec,"CVE-2013-3163, CVE-2014-0322",,,group 72,CN,"Espionage, Information theft and espionage",2009,,,"Spear Phishing, Watering Hole, Exploit Vulnerability","Advanced Malware Protection (AMP), CWS, WSA, IPS, NGFW, ESA, ZxShell (aka Sensocode), Snort, ClamAV","Corporations and Businesses, Manufacturing, Media and Entertainment Companies, Government and Defense Agencies",,, 2014-10-30,sophos-rotten-tomato-campaign,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.10.30.Rotten_Tomato_Campaign/sophos-rotten-tomato-campaign.pdf,FireEye,"CVE-2012-0158, CVE-2014-1761",,,,,,,,FALSE,"Exploit Vulnerability, Malicious Documents","Zbot, CVE-2012-0158 exploit, Plugx shellcode, CVE-2014-1761 exploit, Goldsun shellcode",,,, 2014-10-31,GDATA_TooHash_CaseStudy_102014_EN_v1,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.10.31.Operation_TooHash/GDATA_TooHash_CaseStudy_102014_EN_v1.pdf,G DATA,CVE-2012-0158,,,shiqiang,,,,"CN, TW",FALSE,"Spear Phishing, Malicious Documents, Exploit Vulnerability","The specific malware used in the attack from this report is a remote administration tool, or RAT, named ""Cohhoc"".","Government and Defense Agencies, Education and Research Institutions, Corporations and Businesses, Critical Infrastructure",,, 2014-11-03,BlackEnergy2_Plugins_Router,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.11.03.BlackEnergy2_APT/BlackEnergy2_Plugins_Router.pdf,Kaspersky,,,,sandworm,RU,"Espionage, Sabotage and destruction",2015,"AZ, BE, BY, DE, HR, IL, IN, IR, KG, KW, KZ, LT, LY, PL, RU, SE, TR, TW, UA, 
VN",TRUE,"Spear Phishing, Malicious Documents, Exploit Vulnerability","BlackEnergy, BlackEnergy2, BlackEnergy3, main.dll","Government and Defense Agencies, Corporations and Businesses, Financial Institutions, Energy and Utilities, Education and Research Institutions, Critical Infrastructure",,, 2014-11-10,Kaspersky_Darkhotel_kl_07.11_1.1(11-10-2014),The Darkhotel APT A Story of Unusual Hospitality v1.1,https://app.box.com/s/f6bmfscrmam0oq111f9u4bwiqu74bxyi,Kaspersky,,,,darkhotel,KR,"Espionage, Information theft and espionage",2007,"CN, IE, IN, JP, KR, RU, TW",TRUE,"Spear Phishing, Watering Hole, Malicious Documents","Darkhotel toolset, keylogger, small downloader, information stealer, Trojan, dropper and self-injector, selective infector, Apache webservers, dynamic DNS records, crypto libraries, PHP webapps","Government and Defense Agencies, Corporations and Businesses, Non-Governmental Organizations (NGOs) and Nonprofits",,, 2014-11-10,darkhotelappendixindicators_kl_1.1,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.11.10.Darkhotel/darkhotelappendixindicators_kl_1.1.pdf,Kaspersky,"CVE-2009-0556, CVE-2010-0188, CVE-2010-0806, CVE-2010-2883",,,darkhotel,KR,"Espionage, Information theft and espionage",2007,"CN, IN, JP, RU, US",TRUE,"Spear Phishing, Malicious Documents, Exploit Vulnerability",,,,, 2014-11-11,The_Uroburos_case,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.11.11.ComRAT/The_Uroburos_case.pdf,G DATA,,,,,,,,,,,"Uroburos, Agent.BTZ, ComRAT",Government and Defense Agencies,2013-01-03,2014-10-30,665.0 2014-11-12,Korplug_Afghanistan_Tajikistan,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.11.12.Korplug/Korplug_Afghanistan_Tajikistan.pdf,ESET,"CVE-2012-0158, CVE-2014-1761",,,sandworm,RU,"Espionage, Sabotage and destruction",2015,"AF, KG, KZ, RU, TJ",FALSE,"Spear Phishing, Malicious Documents","BlackEnergy 2, Korplug RAT 
(a.k.a. PlugX), CVE-2014-1761, DarkStRat, Sednit, MiniDuke",Government and Defense Agencies,,, 2014-11-13,Operation_CloudyOmega_Ichitaro,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.11.13.Operation_CloudyOmega/Operation_CloudyOmega_Ichitaro.pdf,Symantec,"CVE-2012-5054, CVE-2013-0634",,,hidden lynx,CN,"Espionage, Information theft and espionage",2009,JP,TRUE,"Spear Phishing, Malicious Documents","Backdoor.Emdivi, Backdoor.Korplug, Backdoor.ZXshell",Government and Defense Agencies,,, 2014-11-14,OnionDuke APT Attacks Via the Tor Network,,https://www.f-secure.com/weblog/archives/00002764.html,F-Secure,,,,miniduke,,,,,FALSE,Drive-by Download,"MiniDuke, OnionDuke, Backdoor:W32/OnionDuke.A",Government and Defense Agencies,,, 2014-11-14,roaming_tiger_zeronights_2014,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.11.14.Roaming_Tiger/roaming_tiger_zeronights_2014.pdf,ESET,"CVE-2012-0158, CVE-2014-1761",,,roaming tiger,,Information theft and espionage,2014,"BY, KG, KZ, RU, TJ, UA, UZ",FALSE,Malicious Documents,"RTF exploits, Win32/Korplug (aka PlugX RAT), Win32/Farfli.BEK (aka Gh0st RAT)",,,, 2014-11-20,EvilBunny_Suspect4_v1.0,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.11.20.EvilBunny/EvilBunny_Suspect4_v1.0.pdf,Kaspersky,CVE-2011-4369,,,,,,,,TRUE,"Malicious Documents, Exploit Vulnerability","EvilBunny, netmgr.exe",,,, 2014-11-21,OperationDoubleTap,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.11.21.Operation_Double_Tap/OperationDoubleTap.pdf,Blog,"CVE-2014-4113, CVE-2014-6332",,,apt3,CN,"Espionage, Information theft and espionage",2007,,FALSE,"Spear Phishing, Exploit Vulnerability","Metasploit, CVE-2014-6332 exploit, CVE-2014-4113 exploit",Corporations and Businesses,,, 
2014-11-24,Regin_The_Intercept,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.11.24.Regin_TheIntercept/Regin_The_Intercept.pdf,The Intercept,,,,,,,,"BE, IE, IR, MX, RU, SA",,,"Regin, GetThis, ProcMon (Process Monitor)","Government and Defense Agencies, Corporations and Businesses, Education and Research Institutions",,, 2014-11-24,DEEP_PANDA_Sakula,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.11.24.Ironman/DEEP_PANDA_Sakula.pdf,CrowdStrike,,,,deep panda,CN,"Espionage, Information theft and espionage",2013,"MN, US",FALSE,"Watering Hole, Malicious Documents","Sakula malware, Derusbi malware, Scanbox (SWC framework)","Government and Defense Agencies, Corporations and Businesses, Healthcare, Education and Research Institutions",2014-04-15,2014-09-15,153.0 2014-11-24,regin-analysis,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.11.24.Regin_Top-tier_espionage/regin-analysis.pdf,Symantec,,,,,,,,,,"Watering Hole, Exploit Vulnerability","Regin, Flamer, Weevil (The Mask), Duqu, Stuxnet","Government and Defense Agencies, Corporations and Businesses, Education and Research Institutions, Individuals",,, 2014-11-24,Kaspersky_Lab_whitepaper_Regin_platform_eng,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.11.24.Regin_Platform/Kaspersky_Lab_whitepaper_Regin_platform_eng.pdf,Kaspersky,,,"rule apt_regin_2013_64bit_stage1 {\nmeta:\ncopyright = “Kaspersky Lab”\ndescription = “Rule to detect Regin 64 bit stage 1 loaders”\nversion = “1.0”\nlast_modified = “2014-11-24”\nfilename=”wshnetc.dll”\nmd5=”bddf5afbea2d0eed77f2ad4e9a4f044d”\nfilename=”wsharp.dll”\nmd5=”c053a0a3f1edcbbfc9b51bc640e808ce”\nstrings:\n$mz=”MZ”\n$a1=”PRIVHEAD”\n$a2=”\\\\\\\\.\\\\PhysicalDrive%d”\n$a3=”ZwDeviceIoControlFile”\ncondition:\n($mz at 0) and (all of ($a*)) and filesize < 100000\n}, rules:\nrule apt_regin_vfs 
{\nmeta:\ncopyright = “Kaspersky Lab”\ndescription = “Rule to detect Regin VFSes”\nversion = “1.0”\nlast_modified = “2014-11-24”\nstrings:\n$a1={00 02 00 08 00 08 03 F6 D7 F3 52}\n$a2={00 10 F0 FF F0 FF 11 C7 7F E8 52}\n$a3={00 04 00 10 00 10 03 C2 D3 1C 93}\n$a4={00 04 00 10 C8 00 04 C8 93 06 D8}\ncondition:\n($a1 at 0) or ($a2 at 0) or ($a3 at 0) or ($a4 at 0)\n}, rule apt_regin_2011_32bit_stage1 {\nmeta:\ncopyright = “Kaspersky Lab”\ndescription = “Rule to detect Regin 32 bit stage 1 loaders”\nversion = “1.0”\nlast_modified = “2014-11-24”\nstrings:\n$key1={331015EA261D38A7}\n$key2={9145A98BA37617DE}\n$key3={EF745F23AA67243D}\n$mz=”MZ”\ncondition:\n($mz at 0) and any of ($key*) and filesize < 300000\n}, rule apt_regin_rc5key {\nmeta:\ncopyright = “Kaspersky Lab”\ndescription = “Rule to detect Regin RC5 decryption keys”\nversion = “1.0”\nlast_modified = “2014-11-24”\nstrings:\n$key1={73 23 1F 43 93 E1 9F 2F 99 0C 17 81 5C FF B4 01}\n$key2={10 19 53 2A 11 ED A3 74 3F C3 72 3F 9D 94 3D 78}\ncondition:\nany of ($key*)\n}, rule apt_regin_dispatcher_disp_dll {\nmeta:\ncopyright = “Kaspersky Lab”\ndescription = “Rule to detect Regin disp.dll dispatcher”\nversion = “1.0”\nlast_modified = “2014-11-24”\nstrings:\n$mz=”MZ”\n$string1=”shit”\n$string2=”disp.dll”\n$string3=”255.255.255.255”\n$string4=”StackWalk64”\n$string5=”imagehlp.dll”\ncondition:\n($mz at 0) and (all of ($string*))\n}",,,,,"AF, BE, BR, DE, DZ, FJ, ID, IN, IR, KI, MY, PK, RU, SY",FALSE,Exploit Vulnerability,Regin malware,,,, 2014-11-25,Regin APT Attacks Among the Most Sophisticated Ever Analyzed,,https://www.kaspersky.com/blog/regin-apt-most-sophisticated/6852/,Kaspersky,,,,regin,,,,,,,"Regin, Trojan.Win32.Regin.gen, Rootkit.Win32.Regin.","Government and Defense Agencies, Corporations and Businesses, Financial Institutions, Education and Research Institutions, Individuals",,, 
2014-11-30,rpt-fin4,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.11.30.FIN4/rpt-fin4.pdf,FireEye,,,,fin4,RO,Financial crime,2013,,FALSE,"Spear Phishing, Malicious Documents, Social Engineering",,"Healthcare, Corporations and Businesses",,, 2014-12-02,Cylance_Operation_Cleaver_Report,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.12.02.Operation_Cleaver/Cylance_Operation_Cleaver_Report.pdf,Cylance,CVE-2010-0232,,"rule mimikatzWrapper\n{\n strings:\n $s1 = “mimikatzWrapper”\n $s2 = “get_mimikatz”\n condition:\n all of them\n}, rule ZhoupinExploitCrew\n{\n strings:\n $s1 = “zhoupin exploit crew” nocase\n $s2 = “zhopin exploit crew” nocase\n condition:\n 1 of them\n}, rule antivirusdetector\n{\n\t\nstrings:\n\t\n\t\n$s1 = “getShadyProcess”\n\t\n\t\n$s2 = “getSystemAntiviruses”\n\t\n\t\n$s3 = “AntiVirusDetector”\n\t\ncondition:\n\t\n\t\nall of them\n}, rule kagent\n{\n strings:\n $s1 = “kill command is in last machine, going back”\n $s2 = “message data length in B64: %d Bytes”\n condition:\n all of them\n}, rule zhCat\n{\n strings:\n $s1 = “zhCat -l -h -tp 1234”\n $s2 = “ABC ( A Big Company )” wide\n condition:\n all of them\n}, rule SynFlooder\n{\n strings:\n $s1 = “Unable to resolve %s . 
ErrorCode %d”\n $s2 = “your target’s IP is : %s”\n $s3 = “Raw TCP Socket Created successfully.”\n condition:\n all of them\n}, rule csext\n{\n strings:\n $s1 = “COM+ System Extentions”\n $s2 = “csext.exe”\n $s3 = “COM_Extentions_bin”\n condition:\n all of them\n}, rule ShellCreator2\n{\n strings:\n $s1 = “ShellCreator2.Properties”\n $s2 = “set_IV”\n condition:\n all of them\n}, rule SmartCopy2\n{\n strings:\n $s1 = “SmartCopy2.Properties”\n $s2 = “ZhuFrameWork”\n condition:\n all of them\n}, rule NetC\n{\n strings:\n $s1 = “NetC.exe” wide\n $s2 = “Net Service”\n condition:\n all of them\n}, rule pvz_out\n{\n strings:\n $s1 = “Network Connectivity Module” wide\n $s2 = “OSPPSVC” wide\n condition:\n all of them\n}, rule zhmimikatz\n{\n strings:\n $s1 = “MimikatzRunner”\n $s2 = “zhmimikatz”\n condition:\n all of them\n}, rule LoggerModule\n{\n strings:\n $s1 = “%s-%02d%02d%02d%02d%02d.r”\n $s2 = “C:\\\\Users\\\\%s\\\\AppData\\\\Cookies\\\\”\n condition:\n all of them\n}, rule zhLookUp\n{\n strings:\n $s1 = “zhLookUp.Properties”\n condition:\n all of them\n}, rule TinyZBot\n{\n strings:\n $s1 = “NetScp” wide\n $s2 = “TinyZBot.Properties.Resources.resources”\n $s3 = “Aoao WaterMark”\n $s4 = “Run_a_exe”\n $s5 = “netscp.exe”\n $s6 = “get_MainModule_WebReference_DefaultWS”\n $s7 = “remove_CheckFileMD5Completed”\n $s8 = “http://tempuri.org/”\n $s9 = “Zhoupin_Cleaver”\n condition:\n ($s1 and $s2) or ($s3 and $s4 and $s5) or ($s6 and $s7 and $s8) or \n$s9)\n}, rule Jasus\n{\n strings:\n $s1 = “pcap_dump_open”\n $s2 = “Resolving IPs to poison...”\n $s3 = “WARNNING: Gateway IP can not be found”\n condition:\n all of them\n}, rule BackDoorLogger\n{\n strings:\n $s1 = “BackDoorLogger”\n $s2 = “zhuAddress”\n condition:\n all of them\n}, rule wndTest\n{\n strings:\n $s1 = “Alt” wide\n $s2 = “<< %s >>:” wide\n $s3 = “Content-Disposition: inline; comp=%s; account=%s; product=%d;”\n condition:\n all of them\n}, rule pvz_in\n{\n strings:\n $s1 = “LAST_TIME=00/00/0000:00:00PM$”\n $s2 = 
“if %%ERRORLEVEL%% == 1 GOTO line”\n condition:\n all of them\n}",tarh andishan,IR,"Espionage, Information theft and espionage",2012,"AE, CA, CN, DE, FR, GB, IL, IN, KR, KW, MX, PK, QA, SA, TR, US",FALSE,"Spear Phishing, Exploit Vulnerability","SQL injection, MS08-067, ARP poisoning, ASP.NET shells, Web backdoors, TinyZBot, PsExec, PLink, NetCat","Government and Defense Agencies, Corporations and Businesses, Healthcare, Energy and Utilities, Manufacturing, Education and Research Institutions, Critical Infrastructure",,, 2014-12-03,OperationCleaver_The_Notepad_Files,Operation Cleaver: The Notepad Files,https://app.box.com/s/vsret8sjx5qd6xaxzv0rxdw4pocdmjll,Cylance,,,,cleaver,IR,"Espionage, Information theft and espionage",2012,,,,"Metasploit, msfvenom",,,, 2014-12-08,Turla_2_Penquin,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.12.08.Penquin_Turla/Turla_2_Penquin.pdf,Kaspersky,,,,turla,RU,"Espionage, Information theft and espionage",1996,,,,"HEUR:Backdoor.Linux.Turla.gen, cd00r, openssl v0.9.6, libpcap",,,, 2014-12-09,bcs_wp_InceptionReport_EN_v12914,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.12.09_The_Inception_Framework/bcs_wp_InceptionReport_EN_v12914.pdf,"Blue Coat Systems, Inc.","CVE-2010-3333, CVE-2012-0158, CVE-2014-1761",,"rule InceptionRTF { \n \nmeta: \n \n \nauthor = ""Blue Coat Systems, Inc"" \n \n \ninfo = ""Used by unknown APT actors: Inception"" \n \nstrings: \n \n \n$a = ""}}PT@T"" \n \n \n$b = ""XMLVERSION \\""3.1.11.5604.5606"" \n \n \n$c = ""objclass Word.Document.12}\\\\objw9355"" \n \ncondition: \n \n \nall of them \n}, rule InceptionVBS { \n \nmeta: \n \n \nauthor = ""Blue Coat Systems, Inc"" \n \n \ninfo = ""Used by unknown APT actors: Inception"" \n \nstrings: \n \n \n$a = ""c = Crypt(c,k)"" \n$b = ""fso.BuildPath( WshShell.ExpandEnvironmentStrings(a), \nnn)"" \n \ncondition: \n \nall of them \n}, rule InceptionAndroid { \n \nmeta: \n \n \nauthor 
= ""Blue Coat Systems, Inc"" \n \n \ninfo = ""Used by unknown APT actors: Inception"" \n \nstrings: \n \n \n$a1 = ""BLOGS AVAILABLE="" \n \n$a2 = ""blog-index"" \n \n \n$a3 = ""Cant create dex="" \n \n \n \n \ncondition: \n \nall of them \n}, rules: \n \nrule InceptionDLL \n{ \n \nmeta: \n \n \nauthor = ""Blue Coat Systems, Inc"" \n \n \ninfo = ""Used by unknown APT actors: Inception"" \n \nstrings: \n \n \n$a = ""dll.polymorphed.dll"" \n$b = {83 7d 08 00 0f 84 cf 00 00 00 83 7d 0c 00 0f 84 c5 00 \n00 00 83 7d 10 00 0f 84 bb 00 00 00 83 7d 14 08 0f 82 b1 00 \n00 00 c7 45 fc 00 00 00 00 8b 45 10 89 45 dc 68 00 00} \n$c = {FF 15 ?? ?? ?? ?? 8B 4D 08 8B 11 C7 42 14 00 00 00 00 \n8B 45 08 8B 08 8B 55 14 89 51 18 8B 45 08 8B 08 8B 55 0C 89 \n51 1C 8B 45 08 8B 08 8B 55 10 89 51 20 8B 45 08 8B 08} \n$d = {68 10 27 00 00 FF 15 ?? ?? ?? ?? 83 7D CC 0A 0F 8D 47 \n01 00 00 83 7D D0 00 0F 85 3D 01 00 00 6A 20 6A 00 8D 4D D4 \n51 E8 ?? ?? ?? ?? 83 C4 0C 8B 55 08 89 55 E8 C7 45 D8} \n$e = {55 8B EC 8B 45 08 8B 88 AC 23 03 00 51 8B 55 0C 52 8B \n45 0C 8B 48 04 FF D1 83 C4 08 8B 55 08 8B 82 14 BB 03 00 50 \n8B 4D 0C 51 8B 55 0C 8B 42 04} \n \ncondition: \n \n \nany of them \n}, rule InceptionIOS { \n \nmeta: \n \n \nauthor = ""Blue Coat Systems, Inc"" \n \n \ninfo = ""Used by unknown APT actors: Inception"" \n \nstrings: \n \n \n$a1 = ""Developer/iOS/JohnClerk/"" \n \n \n$b1 = ""SkypeUpdate"" \n \n \n$b2 = ""/Syscat/"" \n \n \n$b3 = ""WhatsAppUpdate"" \n \ncondition: \n $a1 and any of ($b*) \n}, rule InceptionBlackberry { \n \nmeta: \n \n \nauthor = ""Blue Coat Systems, Inc"" \n \n \ninfo = ""Used by unknown APT actors: Inception"" \n \nstrings: \n \n \n$a1 = ""POSTALCODE:"" \n \n$a2 = ""SecurityCategory:"" \n \n \n$a3 = ""amount of free flash:"" \n \n \n$a4 = ""$Ø71|\1\|:"" \n \n \n$b1 = ""God_Save_The_Queen"" \n \n \n$b2 = ""UrlBlog"" \n \n \n \n \ncondition: \n \nall of ($a*) or all of ($b*) \n}, rule InceptionMips { \n \nmeta: \n \n \nauthor = ""Blue Coat Systems, Inc"" \n \n 
\ninfo = ""Used by unknown APT actors: Inception"" \n \nstrings: \n \n \n$a = ""start_sockat"" ascii wide \n \n$b = ""start_sockss"" ascii wide \n \n \n$c = ""13CStatusServer"" ascii wide \n \ncondition: \n \nall of them \n}",,,,,"AT, AU, BG, BR, CA, CN, CZ, DE, DK, ES, FR, KR, KW, LV, NO, RO, RU, SE, UA, US",FALSE,"Spear Phishing, Exploit Vulnerability, Malicious Documents",Inception framework,"Government and Defense Agencies, Corporations and Businesses, Financial Institutions, Energy and Utilities",2014-05-15,2014-11-21,190.0 2014-12-09,Linux Modules Connected to Turla APT Discovered,,https://threatpost.com/linux-modules-connected-to-turla-apt-discovered/109765/,Threatpost,,,,turla,RU,"Espionage, Information theft and espionage",1996,,TRUE,"Spear Phishing, Social Engineering, Watering Hole","cd00r, Sysprint AG, GNU C library, OpenSSL, Agent.btz, Sunburst backdoor","Government and Defense Agencies, Critical Infrastructure",,, 2014-12-10,CloudAtlas_RedOctober_APT,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.12.10.RedOctober_APT/CloudAtlas_RedOctober_APT.pdf,Kaspersky,CVE-2012-0158,,,redoctober,RU,"Espionage, Information theft and espionage",2012,"KZ, RU",FALSE,"Spear Phishing, Malicious Documents","Mevade, Cloud Atlas, Exploit.Win32.CVE-2012-0158.j, Exploit.Win32.CVE-2012-0158.eu, Exploit.Win32.CVE-2012-0158.aw, Exploit.MSWord.CVE-2012-0158.ea, HEUR:Trojan.Win32.CloudAtlas.gen",Government and Defense Agencies,,, 2014-12-10,w64_regin_stage_1,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.12.10.W64_Regin/w64_regin_stage_1.pdf,F-Secure,,,,,,,,,,,Regin,,,, 2014-12-10,w32_regin_stage_1,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.12.10.W32_Regin/w32_regin_stage_1.pdf,F-Secure,,,,,,,,,,,Regin,,,, 
2014-12-10,korea_power_plant_wiper,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.12.10_South_Korea_MBR_Wiper/korea_power_plant_wiper.pdf,Blog,,,,,,,,,TRUE,"Malicious Documents, Spear Phishing",Trojan / Win32.Destroyer,,2014-12-09,2014-12-11,2.0 2014-12-12,FTA_1014_Bots_Machines_and_the_Matrix,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.12.12.Bots_Machines_and_the_Matrix/FTA_1014_Bots_Machines_and_the_Matrix.pdf,Fidelis Cybersecurity,CVE-2013-2729,,,,,,,"CN, PL, US",,"Drive-by Download, Removable Media, Social Engineering","Andromeda, Beta Bot, Neutrino Bot, NgrBot/DorkBot","Corporations and Businesses, Government and Defense Agencies, Manufacturing, Healthcare",,, 2014-12-12,Vinself_steganography,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.12.12.Vinself/Vinself_steganography.pdf,EFF,,,,,,,,,,,"VinSelf, HC-128",,,, 2014-12-17,Wiper_Malware,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.12.17.Wiper_Malware_Deep_Dive/Wiper_Malware.pdf,Cisco,,,,,,,,,,,"Cryptolocker, Cryptowall, DarkSeoul",,,, 2014-12-18,Targeting_Syrian_ISIS_Critics,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.12.18.Syrian_ISIS_Critics/Targeting_Syrian_ISIS_Critics.pdf,FireEye,,,,raqqah,,,,"CA, SY",,"Social Engineering, Malicious Documents","njRAT, Xtreme Rat, ShadowTech Rat, DarkComet RAT, Blackshades RAT","Non-Governmental Organizations (NGOs) and Nonprofits, Individuals",,, 2014-12-19,TA14-353A_wiper,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.12.19.Targeted_Destructive_Malware/TA14-353A_wiper.pdf,RSA,,,,,,,,,,Credential Reuse,"SMB Worm Tool, Listening Implant, Lightweight Backdoor, Proxy Tool, Destructive Hard Drive Tool, Destructive Target Cleaning Tool","Critical Infrastructure, Manufacturing, Energy and 
Utilities",,, 2014-12-21,operation-poisoned-helmand,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.12.21.Operation_Poisoned_Helmand/operation-poisoned-helmand.pdf,TCIRT,,,,,,,,,FALSE,"Watering Hole, Drive-by Download","XOR 0xC8 encoded Windows PE executable, Microsoft Cabinet executable (SFX)",Government and Defense Agencies,2014-08-15,2014-12-18,125.0 2014-12-22,Anunak_APT_against_financial_institutions,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2014/2014.12.22.Anunak_APT/Anunak_APT_against_financial_institutions.pdf,Group-IB,"CVE-2012-0158, CVE-2012-2539",,,fin7,RU,"Financial gain, Financial crime",2013,"AU, ES, IT, LV, RU, UA, US",FALSE,"Spear Phishing, Malicious Documents","Metasploit, Mimikatz, Anunak, Meterpreter, BITS, PowerShell","Corporations and Businesses, Financial Institutions, Media and Entertainment Companies",,, 2015-01-01,New Pacifier APT Components Point to Russian-Linked Turla Group,,https://pdfhost.io/v/F0@QElMu2_MacProStorage_2017FinalBitdefenderWhitepaperNetrepserA4en_ENBitdefenderWhitepaperNetrepserA4en_ENindd.pdf,Bitdefender,,,,,,,,,,,,,,, 2015-01-11,DTL-12012015-01,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.01.11.Hong_Kong_SWC_Attack/DTL-12012015-01.pdf,Dragon Threat Labs,CVE-2014-6332,,"rule apt_win_swisyn { \nmeta: \n \nauthor = ""@dragonthreatlab"" \n \nmd5 = ""a6a18c846e5179259eba9de238f67e41"" \n \ndescription = ""File matching the md5 above tends to only live \nin memory, hence the lack of MZ header check."" \nstrings: \n \n$mz = {4D 5A} \n \n$str1 = ""/ShowWU"" ascii \n \n$str2 = ""IsWow64Process"" \n \n$str3 = ""regsvr32 "" \n \n$str4 = {8A 11 2A 55 FC 8B 45 08 88 10 8B 4D 08 8A 11 32 55 FC \n8B 45 08 88 10} \ncondition: \n \n$mz at 0 and all of ($str*) \n}, rule apt_win_wateringhole { \nmeta: \n \nauthor = ""@dragonthreatlab "" \n \ndescription = ""Detects code from APT wateringhole"" \nstrings: \n 
\n$str1 = ""function runmumaa()"" \n \n$str2 = ""Invoke-Expression $(New-Object IO.StreamReader ($(New-\nObject IO.Compression.DeflateStream ($(New-Object IO.MemoryStream \n(,$(Convert::FromBase64String("" \n \n$str3 = ""function MoSaklgEs7(k)"" \ncondition: \n \nany of ($str*) \n}, rule apt_win_disk_pcclient { \nmeta: \n \nauthor = ""@dragonthreatlab "" \n \nmd5 = ""55f84d88d84c221437cd23cdbc541d2e"" \n \ndescription = ""Encoded version of pcclient found on disk"" \nstrings: \n \n$header = {51 5C 96 06 03 06 06 06 0A 06 06 06 FF FF 06 06 BE \n06 06 06 06 06 06 06 46 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 \n06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 EE 06 06 \n06 10 1F BC 10 06 BA 0D D1 25 BE 05 52 D1 25 5A 6E 6D 73 26 76 74 6F \n67 74 65 71 26 63 65 70 70 6F 7A 26 64 69 26 74 79 70 26 6D 70 26 4A \n4F 53 26 71 6F 6A 69 30 11 11 0C 2A 06 06 06 06 06 06 06 73 43 96 1B \n37 24 00 4E 37 24 00 4E 37 24 00 4E BA 40 F6 4E 39 24 00 4E 5E 41 FA \n4E 33 24 00 4E 5E 41 FC 4E 39 24 00 4E 37 24 FF 4E 0D 24 00 4E FA 31 \nA3 4E 40 24 00 4E DF 41 F9 4E 36 24 00 4E F6 2A FE 4E 38 24 00 4E DF \n41 FC 4E 38 24 00 4E 54 6D 63 6E 37 24 00 4E 06 06 06 06 06 06 06 06 \n06 06 06 06 06 06 06 06 56 49 06 06 52 05 09 06 5D 87 8C 5A 06 06 06 \n06 06 06 06 06 E6 06 10 25 0B 05 08 06 06 1C 06 06 06 1A 06 06 06 06 \n06 06 E5 27 06 06 06 16 06 06 06 36 06 06 06 06 06 16 06 16 06 06 06 \n04 06 06 0A 06 06 06 06 06 06 06 0A 06 06 06 06 06 06 06 06 76 06 06 \n06 0A 06 06 06 06 06 06 04 06 06 06 06 06 16 06 06 16 06 06} \ncondition: \n \n$header at 0 \n}, rule apt_win32_dropper { \nmeta: \n \nauthor = ""@dragonthreatlab"" \n \nmd5 = ""ad17eff26994df824be36db246c8fb6a"" \n \ndescription = ""APT malware used to drop PcClient RAT"" \nstrings: \n \n$mz = {4D 5A} \n \n$str1 = ""clbcaiq.dll"" ascii \n \n$str2 = ""profapi_104"" ascii \n \n$str3 = ""/ShowWU"" ascii \n \n$str4 = ""Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\"" ascii \n \n \nD r a g o n T h r e a t L a b s , H 
o n g K o n g \n \nPage 12 \n \n$str5 = {8A 08 2A CA 32 CA 88 08 40 4E 75 F4 5E} \ncondition: \n \n$mz at 0 and all of ($str*) \n}, rule apt_win_memory_pcclient { \nmeta: \n \nauthor = ""@dragonthreatlab "" \n \nmd5 = ""ec532bbe9d0882d403473102e9724557"" \n \ndescription = ""File matching the md5 above tends to only live \nin memory, hence the lack of MZ header check."" \nstrings: \n \n$str1 = ""Kill You"" ascii \n \n$str2 = ""%4d-%02d-%02d %02d:%02d:%02d"" ascii \n \n$str3 = ""%4.2f KB"" ascii \n \n$encodefunc = {8A 08 32 CA 02 CA 88 08 40 4E 75 F4} \ncondition: \n \nall of them \n}, rule apt_win64_dropper { \nmeta: \n \nauthor = ""@dragonthreatlab"" \n \nmd5 = ""ad17eff26994df824be36db246c8fb6a"" \n \ndescription = ""APT malware used to drop PcClient RAT"" \nstrings: \n \n$mz = {4D 5A} \n \n$str1 = ""clbcaiq.dll"" ascii \n \n$str2 = ""profapi_104"" ascii \n \n$str3 = ""\\\\Microsoft\\\\wuauclt\\\\wuauclt.dat"" ascii \n \n$str4 = {0F B6 0A 48 FF C2 80 E9 03 80 F1 03 49 FF C8 88 4A FF \n75 EC} \ncondition: \n \n$mz at 0 and all of ($str*) \n}",,,,,HK,FALSE,"Watering Hole, Exploit Vulnerability","Internet Explorer, Snort, Yara, Swisyn, PCClient","Government and Defense Agencies, Education and Research Institutions",,, 2015-01-12,Skeleton_Key_Analysis,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.01.12.skeleton-key-malware-analysis/Skeleton_Key_Analysis.pdf,SecureWorks,,,"rule skeleton_key_patcher\n{\nstrings:\n $target_process = ""lsass.exe"" wide\n $dll1 = ""cryptdll.dll""\n $dll2 = ""samsrv.dll""\n $name = ""HookDC.dll""\n $patched1 = ""CDLocateCSystem""\n $patched2 = ""SamIRetrievePrimaryCredentials""\n $patched3 = ""SamIRetrieveMultiplePrimaryCredentials""\ncondition:\n all of them\n}, rule skeleton_key_injected_code\n{\nstrings:\n $injected = { 33 C0 85 C9 0F 95 C0 48 8B 8C 24 40 01 00 00 48 33 CC E8 \n4D 02 00 \n \n 00 48 81 C4 58 01 00 00 C3 }\n \n \n \n $patch_CDLocateCSystem = { 48 89 5C 24 08 48 89 74 24 10 57 
48 83 \nEC 20 48 8B FA \n \n 8B F1 E8 ?? ?? ?? ?? 48 8B D7 8B CE 48 8B D8 FF 50 10 44 8B D8 85 \nC0 0F 88 A5 00 \n \n 00 00 48 85 FF 0F 84 9C 00 00 00 83 FE 17 0F 85 93 00 00 00 48 8B \n07 48 85 C0 0F \n \n 84 84 00 00 00 48 83 BB 48 01 00 00 00 75 73 48 89 83 48 01 00 00 \n33 D2 }\n \n \n \n $patch_SamIRetrievePrimaryCredential = { 48 89 5C 24 08 48 89 6C 24 \n10 48 89 74 \n \n 24 18 57 48 83 EC 20 49 8B F9 49 8B F0 48 8B DA 48 8B E9 48 85 D2 \n74 2A 48 8B 42 \n \n 08 48 85 C0 74 21 66 83 3A 26 75 1B 66 83 38 4B 75 15 66 83 78 0E \n73 75 0E 66 83 \n \n 78 1E 4B 75 07 B8 A1 02 00 C0 EB 14 E8 ?? ?? ?? ?? 4C 8B CF 4C 8B \nC6 48 8B D3 48 \n \n 8B CD FF 50 18 48 8B 5C 24 30 48 8B 6C 24 38 48 8B 74 24 40 48 83 \nC4 20 5F C3 }\n \n \n \n $patch_SamIRetrieveMultiplePrimaryCredential = { 48 89 5C 24 08 48 \n89 6C 24 10 \n \n 48 89 74 24 18 57 48 83 EC 20 41 8B F9 49 8B D8 8B F2 8B E9 4D 85 \nC0 74 2B 49 8B \n \n 40 08 48 85 C0 74 22 66 41 83 38 26 75 1B 66 83 38 4B 75 15 66 83 \n78 0E 73 75 0E \n \n 66 83 78 1E 4B 75 07 B8 A1 02 00 C0 EB 12 E8 ?? ?? ?? ?? 
44 8B CF \n4C 8B C3 8B D6 \n \n 8B CD FF 50 20 48 8B 5C 24 30 48 8B 6C 24 38 48 8B 74 24 40 48 83 \nC4 20 5F C3 }\ncondition:\n any of them\n}",,,,,,FALSE,Credential Reuse,"Skeleton Key, PsExec.exe, rundll32.exe",,,, 2015-01-15,Agent.BTZ_to_ComRAT,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.01.15.Evolution_of_Agent.BTZ_to_ComRAT/Agent.BTZ_to_ComRAT.pdf,G DATA,,,,,,,,"BE, FI, US",,Removable Media,"Uroburos, Agent.BTZ, ComRAT, Linux malware",Government and Defense Agencies,,, 2015-01-20,Project_Cobra_Analysis,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.01.20.Project_Cobra/Project_Cobra_Analysis.pdf,G DATA,,,,turla,RU,"Espionage, Information theft and espionage",1996,,,,"Backdoor.TurlaCarbon.A, Win32.Trojan.Cobra.B, Carbon System, Uroburos, Tavdig (also known as Wipbot), Epic Backdoor",,,, 2015-01-20,Inception_APT_Analysis_Bluecoat,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.01.20.Reversing_the_Inception_APT_malware/Inception_APT_Analysis_Bluecoat.pdf,Bluecoat,CVE-2012-0158,,,,,,,,FALSE,"Malicious Documents, Exploit Vulnerability",Inception Framework,,,, 2015-01-22,Regin_Hopscotch_Legspin,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.01.22.Regin_Hopscotch_and_Legspin/Regin_Hopscotch_Legspin.pdf,Microsoft,,,,,,,,,FALSE,Credential Reuse,"Regin, Hopscotch, Legspin",,,, 2015-01-22,Scarab_Russian,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.01.22.Scarab_attackers_Russian_targets/Scarab_Russian.pdf,Symantec,,,,scarab,CN,"Espionage, Information theft and espionage",2012,RU,FALSE,"Spear Phishing, Malicious Documents, Exploit Vulnerability","Trojan.Scieron, Trojan.Scieron.B","Government and Defense Agencies, Education and Research Institutions, Financial Institutions",,, 
2015-01-27,Comparing_Regin_Qwerty,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.01.27.QWERTY_keylog_Regin_compare/Comparing_Regin_Qwerty.pdf,Kaspersky,,,,,,,,,,,"QWERTY malware, Regin platform",Government and Defense Agencies,,, 2015-01-29,Backdoor.Winnti_Trojan.Skelky,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.01.29.Backdoor.Winnti_attackers/Backdoor.Winnti_Trojan.Skelky.pdf,Symantec,,,,,,,,"US, VN",,,"Trojan.Skelky, Backdoor.Winnti",Media and Entertainment Companies,,, 2015-01-29,P2P_PlugX_Analysis,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.01.29.P2P_PlugX/P2P_PlugX_Analysis.pdf,JPCERT,,,,,,,,JP,,,PlugX,Corporations and Businesses,,, 2015-02-01,CARBANAK APTTHE GREAT BANK ROBBERY,,https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064518/Carbanak_APT_eng.pdf,Kaspersky,"CVE-2012-0158, CVE-2013-3660, CVE-2013-3906",,,fin7,RU,"Financial gain, Financial crime",2013,"CN, DE, RU, UA, US",FALSE,"Spear Phishing, Malicious Documents, Drive-by Download","Metasploit, PsExec, Mimikatz",Financial Institutions,,, 2015-02-04,PawnStorm_iOS,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.02.04.Pawn_Storm_Update_iOS_Espionage/PawnStorm_iOS.pdf,Microsoft,,,,apt28,RU,"Espionage, Information theft and espionage",2004,,,Removable Media,"XAgent, MadCap, SEDNIT, Apple's ad hoc provisioning","Government and Defense Agencies, Media and Entertainment Companies",,, 2015-02-16,blog_equation-the-death-star,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.02.16.equation-the-death-star/blog_equation-the-death-star.pdf,Kaspersky,CVE-2012-1723,,"rule apt_equation_doublefantasy_genericresource { \n \xa0 \n meta: \n \xa0 \n \xa0\xa0\xa0\xa0copyright = “Kaspersky Lab” \n \xa0\xa0\xa0\xa0description = “Rule to detect DoubleFantasy encoded 
config\n \xa0\xa0\xa0\xa0version = “1.0” \n \xa0\xa0\xa0\xa0last_modified = “2015-02-16” \n \xa0\xa0\xa0\xa0reference = “https://securelist.com/blog/” \n \xa0 \n strings: \n \xa0 \n \xa0\xa0\xa0\xa0$mz=“MZ” \n \xa0\xa0\xa0\xa0$a1={06 00 42 00 49 00 4E 00 52 00 45 00 53 00} \n \xa0\xa0\xa0\xa0$a2=“yyyyyyyyyyyyyyyy” \n \xa0\xa0\xa0\xa0$a3=“002” \n\xa0\n pseudonym, to protect the original victim’s identity >> \n the name “Equation group” was given because of their preference for\nsophisticated encryption schemes >>\n1\n2\n18\n19\n20\n21\n22\n \xa0 \n \xa0 \n condition: \n \xa0 \n (($mz at 0) and all of ($a*))\xa0\xa0and filesize < 500000 \n }, rule apt_equation_cryptotable { \n \xa0 \n meta: \n \xa0 \n \xa0\xa0\xa0\xa0copyright = “Kaspersky Lab” \n \xa0\xa0\xa0\xa0description = “Rule to detect the crypto library used in E\n \xa0\xa0\xa0\xa0version = “1.0” \n \xa0\xa0\xa0\xa0last_modified = “2015-02-16” \n \xa0\xa0\xa0\xa0reference = “https://securelist.com/blog/” \n \xa0 \n strings: \n \xa0 \n \xa0 \n \xa0\xa0\xa0\xa0$a={37 DF E8 B6 C7 9C 0B AE 91 EF F0 3B 90 C6 80 85 5D 19 \n \xa0 \n condition: \n \xa0 \n \xa0\xa0\xa0\xa0$a \n }, rules:\n1\n2\n3\n4\n5\n6\n7\n8\n9\n10\n11\n12\n13\n14\n15\n16\n17\n18\n19\n20\n21\n22\n23\n24\n25\n \n rule apt_equation_exploitlib_mutexes { \n \xa0 \n meta: \n \xa0 \n \xa0\xa0\xa0\xa0copyright = “Kaspersky Lab” \n \xa0\xa0\xa0\xa0description = “Rule to detect Equation group’s Exploitatio\n \xa0\xa0\xa0\xa0version = “1.0” \n \xa0\xa0\xa0\xa0last_modified = “2015-02-16” \n \xa0\xa0\xa0\xa0reference = “https://securelist.com/blog/” \n \xa0 \n \xa0 \n strings: \n \xa0 \n \xa0\xa0\xa0\xa0$mz=“MZ” \n \xa0 \n \xa0\xa0\xa0\xa0$a1=“prkMtx” wide \n \xa0\xa0\xa0\xa0$a2=“cnFormSyncExFBC” wide \n \xa0\xa0\xa0\xa0$a3=“cnFormVoidFBC” wide \n \xa0\xa0\xa0\xa0$a4=“cnFormSyncExFBC” \n \xa0\xa0\xa0\xa0$a5=“cnFormVoidFBC” \n \xa0 \n condition: \n \xa0 \n (($mz at 0) and any of ($a*)) \n }, rule apt_equation_equationlaser_runtimeclasses { \n \xa0 \n meta: \n 
\xa0 \n \xa0\xa0\xa0\xa0copyright = “Kaspersky Lab” \n \xa0\xa0\xa0\xa0description = “Rule to detect the EquationLaser malware” \n \xa0\xa0\xa0\xa0version = “1.0” \n \xa0\xa0\xa0\xa0last_modified = “2015-02-16” \n \xa0\xa0\xa0\xa0reference = “https://securelist.com/blog/” \n \xa0 \n strings: \n \xa0 \n \xa0\xa0\xa0\xa0$a1=“?a73957838_2@@YAXXZ” \n \xa0\xa0\xa0\xa0$a2=“?a84884@@YAXXZ” \n \xa0\xa0\xa0\xa0$a3=“?b823838_9839@@YAXXZ” \n \xa0\xa0\xa0\xa0$a4=“?e747383_94@@YAXXZ” \n \xa0\xa0\xa0\xa0$a5=“?e83834@@YAXXZ” \n \xa0\xa0\xa0\xa0$a6=“?e929348_827@@YAXXZ” \n \xa0 \n condition: \n \xa0 \n \xa0\xa0\xa0\xa0any of them \n }",equation group,US,"Espionage, Sabotage and destruction, Information theft and espionage",2001,IR,TRUE,Removable Media,"EQUATIONLASER, EQUATIONDRUG, DOUBLEFANTASY, TRIPLEFANTASY, FANNY, GRAYFISH, SKYHOOKCHOW, UR, KS, SF, STEALTHFIGHTER, DRINKPARSLEY, STRAITACID, LUTEUSOBSTOS, STRAITSHOOTER, DESERTWINTER, GROK, nls_933w.dll","Government and Defense Agencies, Corporations and Businesses, Financial Institutions, Energy and Utilities, Education and Research Institutions, Media and Entertainment Companies, Critical Infrastructure",,, 2015-02-17,"Ali Baba, the APT group from the Middle East",,https://securityaffairs.co/wordpress/33682/cyber-crime/ali-baba-apt-middle-east.html,SecurityAffairs,,,,ali baba,,,,"GB, KR, PK",,,Fakeddos.exe,"Energy and Utilities, Critical Infrastructure",,, 2015-02-17,A_Fanny_Equation,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.02.17.A_Fanny_Equation/A_Fanny_Equation.pdf,Kaspersky,CVE-2010-2568,,,equation group,US,"Espionage, Sabotage and destruction, Information theft and espionage",2001,"ID, PK, VN",TRUE,Removable Media,"Stuxnet, Zlob PE, Fanny, USB-Backdoors, agentcpd.dll (backdoor module)",,,, 
2015-02-17,The-Desert-Falcons-targeted-attacks,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.02.17.Desert_Falcons_APT/The-Desert-Falcons-targeted-attacks.pdf,Kaspersky,,,,desert falcons,,,,"EG, IL, JO, PS",FALSE,"Spear Phishing, Social Engineering, Malicious Documents",,"Government and Defense Agencies, Corporations and Businesses, Financial Institutions, Energy and Utilities, Education and Research Institutions, Media and Entertainment Companies",,, 2015-02-18,24270-babar-espionage-software-finally-found-and-put-under-the-microscope,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.02.18.Babar/24270-babar-espionage-software-finally-found-and-put-under-the-microscope.pdf,G DATA,,,,,,,,,,,"EvilBunny, Babar, Remote Administration Tools (RATs)",,,, 2015-02-18,Elephantosis,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.02.18.Shooting_Elephants/Elephantosis.pdf,CIRCL Luxembourg,CVE-2011-4369,,,french intelligence,,,,,TRUE,,"Babar64, Bunny, SHOOTING ELEPHANTS Dropper, SHOOTING ELEPHANTS Implant",Individuals,,, 2015-02-24,cto-tib-20150223-01a,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.02.24.Deeper_Scanbox/cto-tib-20150223-01a.pdf,PricewaterhouseCoopers,"CVE-2012-0158, CVE-2014-0502, CVE-2014-6332",,,apt10,CN,Espionage,,"AU, CN, GB, JP, KR, MM, MN, US, VN",TRUE,"Spear Phishing, Watering Hole, Exploit Vulnerability","ScanBox, Briba, Poison Ivy, Sakurel, DerUsbi","Government and Defense Agencies, Manufacturing, Media and Entertainment Companies, Non-Governmental Organizations (NGOs) and Nonprofits",,, 2015-02-25,rpt-southeast-asia-threat-landscape,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.02.25.Southeast_Asia_Threat_Landscape/rpt-southeast-asia-threat-landscape.pdf,FireEye,,,,,,,,,,"Spear Phishing, Malicious Documents","Lecna, Gh0STRAT, 
Mirage, Downloader.Pnaip, CannonFodder, Leouncia, Kaba (aka SOGU), LV (aka NJRAT), Houdini, XtremeRAT, NetEagle, 1qaz, Asprox, Zeus, Kuluoz, Sality, ZeroAccess, Kelihos, Fareit, Conficker, Carberp, Necurs","Corporations and Businesses, Energy and Utilities, Critical Infrastructure",,, 2015-02-27,the-anthem-hack-all-roads-lead-to-china,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.02.27.The_Anthem_Hack_All_Roads_Lead_to_China/the-anthem-hack-all-roads-lead-to-china.pdf,"Defense Group, Inc. (DGI)",,,,spicy panda,CN,,,,,Spear Phishing,"Sakula, Derusbi, Scanbox Framework","Healthcare, Education and Research Institutions",2013-12-11,2015-02-04,420.0 2015-02-27,Anthem_hack_all_roads_lead_to_China,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.02.27.The_Anthem_Hack_All_Roads_Lead_to_China/Anthem_hack_all_roads_lead_to_China.pdf,ThreatConnect,,,,deep panda,CN,"Espionage, Information theft and espionage",2013,,,,"Derusbi backdoor subvariant named “InfoAdmin” / “Kakfum”, ScanBox framework, Sakula malware, HttpBrowser / HttpDump implant","Healthcare, Education and Research Institutions",,, 2015-03-05,casper-malware-babar-bunny-another-espionage-cartoon,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.03.05.Casper_Malware/casper-malware-babar-bunny-another-espionage-cartoon.pdf,Kaspersky,CVE-2014-0515,,,,,,,SY,TRUE,"Watering Hole, Exploit Vulnerability","Casper, Babar, Bunny, Adobe Flash (exploited)","Government and Defense Agencies, Individuals",,, 2015-03-06,Babar_or_Bunny,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.03.06.Babar_or_Bunny/Babar_or_Bunny.pdf,F-Secure,,,,,,,,,,,"Babar, Bunny, EvilBunny, Babar64, ntrass.exe",,,, 2015-03-06,Animals in the APT 
Farm,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.03.06.Animals_APT_Farm/Animals%20in%20the%20APT%20Farm.pdf,Kaspersky,,,,animal farm,FR,"Espionage, Information theft and espionage",2011,"AT, CN, DE, DZ, GB, IL, IQ, IR, MA, MY, NL, NZ, RU, SE, SY, TR, UA, US",TRUE,"Watering Hole, Malicious Documents","Dino, Babar, NBot, Tafacalou, Casper, Bunny","Government and Defense Agencies, Corporations and Businesses, Media and Entertainment Companies, Non-Governmental Organizations (NGOs) and Nonprofits, Individuals",,, 2015-03-10,Tibetan-Uprising-Day-Malware-Attacks_websitepdf,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.03.10.Tibetan_Uprising/Tibetan-Uprising-Day-Malware-Attacks_websitepdf.pdf,Citizen Lab,CVE-2012-0158,,,,,,,CN,FALSE,"Spear Phishing, Malicious Documents","MsAttacker, ShadowNet, Windows Management Instrumentation (WMI)","Non-Governmental Organizations (NGOs) and Nonprofits, Individuals",2015-03-05,2015-03-10,5.0 2015-03-11,Inside_EquationDrug_Espionage_Platform,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.03.11.EquationDrug/Inside_EquationDrug_Espionage_Platform.pdf,Kaspersky,,,,equation group,US,"Espionage, Sabotage and destruction, Information theft and espionage",2001,,,,,,,, 2015-03-19,wp-operation-woolen-goldfish,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.03.19.Goldfish_Phishing/wp-operation-woolen-goldfish.pdf,Trend Micro,,,,rocket kitten,IR,"Espionage, Information theft and espionage",2011,IL,,"Spear Phishing, Malicious Documents, Social Engineering","Wool3n.H4t, GHOLE","Government and Defense Agencies, Education and Research Institutions, Corporations and Businesses, Critical Infrastructure, Individuals",,, 
2015-03-31,volatile-cedar-technical-report,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.03.31.Volatile_Cedar/volatile-cedar-technical-report.pdf,Check Point,,,"rule explosive_dll{\n \n \nmeta:\n \n \n \n \nauthor = \n“Check Point Software Technologies Inc.”\n \n \n \n \ninfo \n= \n“Explosive DLL”\n \n \ncondition:\n \n \n \n \npe.DLL\n \n \n \n \nand \n( \npe.exports(“PathProcess”) or \npe.exports(“_PathProcess@4”) ) \nand \npe.exports(“CON”)\n}, rule \nexplosive_exe\n{\n \n \nmeta:\n \n \n \n \nauthor = \n“Check Point Software Technologies Inc.”\n \n \n \n \ninfo \n= \n“Explosive EXE”\n \n \nstrings:\n \n \n \n \n$MZ \n= \n“MZ”\n \n \n \n \n$DLD_S = \n“DLD-S:”\n \n \n \n \n$DLD_E = \n“DLD-E:”\n \n \ncondition:\n \n \n \n \n$MZ \nat \n0 \nand \nall \nof \nthem\n}",volatile cedar,LB,Information theft and espionage,2012,"IL, LB",,Exploit Vulnerability,"Caterpillar web shell, AspxSpy web shell",Government and Defense Agencies,2012-11-15,2015-03-30,865.0 2015-04-07,Novetta_winntianalysis(04-07-2015),WINNTI Analysis,https://app.box.com/s/tv5rhy7awdq8ecfrugcrk1d4zcce3xnq,Novetta,,,"rule Winnti_engine {\n\t\nmeta:\n\t\n\t\ncopyright = “Novetta Solutions”\n\t\n\t\nauthor = “Novetta Advanced Research Group”\n\t\nstrings:\n\t\n\t\n$api1 = “SHCreateItemFromParsingName” $datfile = “otfkty.dat”\n\t\n\t\n$workstart = “work_start”\n\t\n\t\n$workend = “work_end”\n\t\ncondition:\n\t\n\t\n($api1 or $datfile) and ($workstart and $workend)\n}, rule Winnti_worker \n{\n\t\nmeta:\n\t\n\t\ncopyright = “Novetta Solutions”\n\t\n\t\nauthor = “Novetta Advanced Research Group”\n\t\nstrings:\n\t\n\t\n$pango = “pango-basic-win32.dll”\n\t\n\t\n$tango = “tango.dll”\n\t\n\t\n$dat = “%s\\\\%d%d.dat”\n\t\n\t\n$cryptobase = “%s\\\\sysprep\\\\cryptbase.dll”\n\t\ncondition:\n\t\n\t\n$pango and $tango and $dat and $cryptobase\n}, rule Winnti_Dropper \n{\n\t\nmeta:\n\t\n\t\ncopyright = “Novetta Solutions”\n\t\n\t\nauthor = “Novetta Advanced Research 
Group”\n\t\nstrings:\n\t\n\t\n$runner = “%s\\\\rundll32.exe \\”%s\\”, DlgProc %s” \n\t\n\t\n$inflate = “Copyright 1995-2005 Mark Adler”\n\t\ncondition:\n\t\n\t\n$runner and $inflate\n}, rule Winnti_service \n{\n\t\nmeta:\n\t\n\t\ncopyright = “Novetta Solutions”\n\t\n\t\nauthor = “Novetta Advanced Research Group”\n\t\nstrings:\n\t\n\t\n$newmem = “new memory failed!”\n\t\n\t\n$value = “can not find value %d\\n”\n\t\n\t\n$onevalue = “find one value %d\\n”\n\t\n\t\n$nofile = “Can not open the file (error %d)”\n\t\ncondition:\n\t\n\t\n3 of ($newmem, $value, $onevalue, $nofile)\n}",axiom,CN,"Espionage, Information theft and espionage",2009,,,,"Winnti, Hikit",,,, 2015-04-08,RSA-IR-Case-Study(Apr-8-15),RSA Incident Response: An APT Case Study,https://app.box.com/s/tjoi82cp4iq6xx561qcu3xjr2rmfgmo1,RSA,,,,,,,,,,,"Trojan.FF-RAT, Trojan.Derusbi, Trojan.SuperhardCorp, Trojan.Hikit",,,, 2015-04-15,The Chronicles of the Hellsing APT_ the Empire Strikes Back - Securelist,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.04.15.Hellsing_APT/The%20Chronicles%20of%20the%20Hellsing%20APT_%20the%20Empire%20Strikes%20Back%20-%20Securelist.pdf,Kaspersky,CVE-2012-0158,,,hellsing,CN,Espionage,,"ID, IN, MY, PH, US",FALSE,"Spear Phishing, Malicious Documents","Xweber, msger, xrat, clare, irene, xKat, test.exe, diskfilter.sys (internally named xrat.sys)",Government and Defense Agencies,,, 2015-04-15,Elite cyber crime group strikes back after attack by rival APT gang,,http://arstechnica.com/security/2015/04/elite-cyber-crime-group-strikes-back-after-attack-by-rival-apt-gang/,Ars Technica,,,,hellsing,CN,Espionage,,"ID, IN, MY, PH, US",,Spear Phishing,,Government and Defense Agencies,,, 2015-04-15,Indicators_of_Compormise_Hellsing,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.04.15.Hellsing_APT/Indicators_of_Compormise_Hellsing.pdf,Kaspersky,,,"rule apt_hellsing_xkat { \n \nmeta: \n \n \nversion = ""1.0"" \n 
\nfiletype = ""PE"" \n \nauthor = ""Costin Raiu, Kaspersky Lab"" \n \ncopyright = ""Kaspersky Lab"" \n \ndate = ""2015-04-07"" \n \ndescription = ""detection for Hellsing xKat tool"" \n \nstrings: \n \n $mz=""MZ"" \n \n \n$a1=""\\\\Dbgv.sys"" \n \n$a2=""XKAT_BIN"" \n \n$a3=""release sys file error."" \n \n$a4=""driver_load error. "" \n \n$a5=""driver_create error."" \n \n$a6=""delete file:%s error."" \n \n$a7=""delete file:%s ok."" \n \n$a8=""kill pid:%d error."" \n \n$a9=""kill pid:%d ok."" \n \n$a10=""-pid-delete"" \n \n$a11=""kill and delete pid:%d error."" \n \n$a12=""kill and delete pid:%d ok."" \n \ncondition: \n \n \n($mz at 0) and (6 of ($a*)) and filesize < 300000 \n \n}, rule apt_hellsing_proxytool { \n \nmeta: \n \n \nversion = ""1.0"" \n \nfiletype = ""PE"" \n \nauthor = ""Costin Raiu, Kaspersky Lab"" \n \ncopyright = ""Kaspersky Lab"" \n \ndate = ""2015-04-07"" \n \ndescription = ""detection for Hellsing proxy testing tool"" \n \nstrings: \n \n $mz=""MZ"" \n \n \n$a1=""PROXY_INFO: automatic proxy url => %s "" \n \n$a2=""PROXY_INFO: connection type => %d "" \n \n$a3=""PROXY_INFO: proxy server => %s "" \n \n$a4=""PROXY_INFO: bypass list => %s "" \n \n$a5=""InternetQueryOption failed with GetLastError() %d"" \n \n$a6=""D:\\\\Hellsing\\\\release\\\\exe\\\\exe\\\\"" nocase \n \n \ncondition: \n \n \n($mz at 0) and (2 of ($a*)) and filesize < 300000 \n}, rule apt_hellsing_msgertype2 { \n \nmeta: \n \n \nversion = ""1.0"" \n \nfiletype = ""PE"" \n \nauthor = ""Costin Raiu, Kaspersky Lab"" \n \ncopyright = ""Kaspersky Lab"" \n \ndate = ""2015-04-07"" \n \ndescription = ""detection for Hellsing msger type 2 implants"" \n \nstrings: \n \n $mz=""MZ"" \n \n \n$a1=""%s\\\\system\\\\%d.txt"" \n \n$a2=""_msger"" \n \n$a3=""http://%s/lib/common.asp?action=user_login&uid=%s&lan=%s&host=%s&os=%s&proxy\n=%s"" \n \n$a4=""http://%s/data/%s.1000001000"" \n \n$a5=""/lib/common.asp?action=user_upload&file="" \n \n$a6=""%02X-%02X-%02X-%02X-%02X-%02X"" \n \ncondition: \n \n 
\n($mz at 0) and (4 of ($a*)) and filesize < 500000 \n \n}, rules: \n \n \nrule apt_hellsing_implantstrings { \n \nmeta: \n \n \nversion = ""1.0"" \n \nfiletype = ""PE"" \n \nauthor = ""Costin Raiu, Kaspersky Lab"" \n \ncopyright = ""Kaspersky Lab"" \n \ndate = ""2015-04-07"" \n \ndescription = ""detection for Hellsing implants"" \n \nstrings: \n \n $mz=""MZ"" \n \n $a1=""the file uploaded failed !"" \n $a2=""ping 127.0.0.1"" \n \n $b1=""the file downloaded failed !"" \n $b2=""common.asp"" \n \n $c=""xweber_server.exe"" \n $d=""action="" \n \n \n$debugpath1=""d:\\\\Hellsing\\\\release\\\\msger\\\\"" nocase \n \n$debugpath2=""d:\\\\hellsing\\\\sys\\\\xrat\\\\"" nocase \n \n$debugpath3=""D:\\\\Hellsing\\\\release\\\\exe\\\\"" nocase \n \n$debugpath4=""d:\\\\hellsing\\\\sys\\\\xkat\\\\"" nocase \n \n$debugpath5=""e:\\\\Hellsing\\\\release\\\\clare"" nocase \n \n$debugpath6=""e:\\\\Hellsing\\\\release\\\\irene\\\\"" nocase \n \n$debugpath7=""d:\\\\hellsing\\\\sys\\\\irene\\\\"" nocase \n \n \n \n$e=""msger_server.dll"" \n \n$f=""ServiceMain"" \n \ncondition: \n \n \n($mz at 0) and (all of ($a*)) or (all of ($b*)) or ($c and $d) or (any of ($debugpath*)) or ($e and \n$f) and filesize < 500000 \n \n}, rule apt_hellsing_irene { \n \nmeta: \n \n \nversion = ""1.0"" \n \nfiletype = ""PE"" \n \nauthor = ""Costin Raiu, Kaspersky Lab"" \n \ncopyright = ""Kaspersky Lab"" \n \ndate = ""2015-04-07"" \n \ndescription = ""detection for Hellsing msger irene installer"" \n \nstrings: \n \n $mz=""MZ"" \n \n \n$a1=""\\\\Drivers\\\\usbmgr.tmp"" wide \n \n$a2=""\\\\Drivers\\\\usbmgr.sys"" wide \n \n$a3=""common_loadDriver CreateFile error! "" \n \n$a4=""common_loadDriver StartService error && GetLastError():%d! 
"" \n \n$a5=""irene"" wide \n \n$a6=""aPLib v0.43 - the smaller the better"" \n \ncondition: \n \n \n($mz at 0) and (4 of ($a*)) and filesize < 500000 \n \n}, rule apt_hellsing_installer { \n \nmeta: \n \n \nversion = ""1.0"" \n \nfiletype = ""PE"" \n \nauthor = ""Costin Raiu, Kaspersky Lab"" \n \ncopyright = ""Kaspersky Lab"" \n \ndate = ""2015-04-07"" \n \ndescription = ""detection for Hellsing xweber/msger installers"" \n \nstrings: \n \n $mz=""MZ"" \n \n \n$cmd=""cmd.exe /c ping 127.0.0.1 -n 5&cmd.exe /c del /a /f \\""%s\\"""" \n \n \n$a1=""xweber_install_uac.exe"" \n \n$a2=""system32\\\\cmd.exe"" wide \n \n$a4=""S11SWFOrVwR9UlpWRVZZWAR0U1aoBHFTUl2oU1Y="" \n \n$a5=""S11SWFOrVwR9dnFTUgRUVlNHWVdXBFpTVgRdUlpWRVZZWARdUqhZVlpFR1kEUVNSXa\nhTVgRaU1YEUVNSXahTVl1SWwRZValdVFFZUqgQBF1SWlZFVllYBFRTVqg="" \n \n$a6=""7dqm2ODf5N/Y2N/m6+br3dnZpunl44g="" \n \n$a7=""vd/m7OXd2ai/5u7a59rr7Ki45drcqMPl5t/c5dqIZw=="" \n \n$a8=""vd/m7OXd2ai/usPl5qjY2uXp69nZqO7l2qjf5u7a59rr7Kjf5tzr2u7n6euo4+Xm39zl2qju5dqo\n4+Xm39zl2t/m7ajr19vf2OPr39rj5eaZmqbs5OSI Njl2tyI"" \n \n$a9=""C:\\\\Windows\\\\System32\\\\sysprep\\\\sysprep.exe"" wide \n \n$a10=""%SystemRoot%\\\\system32\\\\cmd.exe"" wide \n \n$a11=""msger_install.dll"" \n \n$a12={00 65 78 2E 64 6C 6C 00} \n \n \n \ncondition: \n \n \n($mz at 0) and ($cmd and (2 of ($a*))) and filesize < 500000 \n}",hellsing,CN,Espionage,,,,,"Hellsing implants, Hellsing proxy testing tool, Hellsing xKat tool",,,, 2015-04-18,Operation RussianDoll Adobe & Windows Zero-Day Exploits Likely Leveraged by Russia's APT28 in Highly-Targeted Attack,,https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html,FireEye,"CVE-2014-0515, CVE-2015-1701, CVE-2015-3043",,,apt28,RU,"Espionage, Information theft and espionage",2004,,TRUE,"Exploit Vulnerability, Drive-by Download","CHOPSTICK, CORESHELL, Metasploit (specifically CVE-2014-0515 module)",Government and Defense Agencies,,, 2015-04-21,The CozyDuke APT - 
Securelist,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.04.21.CozyDuke_APT/The%20CozyDuke%20APT%20-%20Securelist.pdf,Kaspersky,,,,apt29,RU,"Espionage, Information theft and espionage",2008,,TRUE,"Spear Phishing, Watering Hole, Malicious Documents","CozyDuke, ChromeUpdate.ex_, cmd_task.dll, screenshot_task.dll, Monkeys.exe, player.exe, Trojan.Win32.CozyBear.v",Government and Defense Agencies,,, 2015-04-22,CozyDuke,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.04.22.CozyDuke/CozyDuke.pdf,F-Secure,,,,,,,,,,Spear Phishing,"CozyDuke, MiniDuke, OnionDuke",Government and Defense Agencies,,, 2015-04-27,Attacks against Israeli & Palestinian interests - Cyber security updates,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.04.27.Attacks_Israeli_Palestinian/Attacks%20against%20Israeli%20%26%20Palestinian%20interests%20-%20Cyber%20security%20updates.pdf,PricewaterhouseCoopers,,,,,,,,IL,,"Spear Phishing, Malicious Documents",DownExecute,Media and Entertainment Companies,,, 2015-05-05,1506306551185339,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.05.05.Targeted_attack_on_France_TV5Monde/1506306551185339.pdf,AhnLab,,,,cyber caliphate,,,,FR,,Social Engineering,"Njrat, Njworm",Media and Entertainment Companies,2015-04-08,2015-04-09,1.0 2015-05-07,Dissecting-the-Kraken,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.05.07.Kraken/Dissecting-the-Kraken.pdf,G DATA,CVE-2012-0158,,,,,,,"AE, PH",FALSE,"Spear Phishing, Exploit Vulnerability, Malicious Documents","Kraken HTTP, Exploit.CVE-2012-0158.AH","Energy and Utilities, Financial Institutions",,, 2015-05-10,APT28 Targets Financial Markets,,https://www.root9b.com/sites/default/files/whitepapers/R9b_FSOFACY_0.pdf,root9b,,,,,,,,,,,,"Corporations and Businesses, Financial Institutions, Healthcare, Energy and 
Utilities, Media and Entertainment Companies, Education and Research Institutions",,, 2015-05-12,R9b_FSOFACY_0,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.05.12.Sofacy_root9B/R9b_FSOFACY_0.pdf,root9B,,,,"sourface, apt28",NaN; RU,"NaN; Espionage, Information theft and espionage",NaN; 2004,,TRUE,Spear Phishing,,"Government and Defense Agencies, Financial Institutions, Media and Entertainment Companies",2014-06-15,2015-05-15,334.0 2015-05-13,Cylance SPEAR Team_ A Threat Actor Resurfaces,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.05.13.Spear_Threat/Cylance%20SPEAR%20Team_%20A%20Threat%20Actor%20Resurfaces.pdf,Cylance,CVE-2012-0158,,,,,,,"AU, NZ, US, VN",FALSE,Malicious Documents,"Dynamic DNS infrastructure, ChangeIP",Government and Defense Agencies,,, 2015-05-14,The Naikon APT,,https://securelist.com/analysis/publications/69953/the-naikon-apt/,Kaspersky,CVE-2012-0158,,,naikon,CN,"Espionage, Information theft and espionage",2005,"ID, JP, KH, MM, MY, PH",FALSE,"Spear Phishing, Malicious Documents","CVE-2012-0158 exploit, Naikon tool",Government and Defense Agencies,,, 2015-05-14,The Naikon APT - Securelist,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.05.14.Naikon_APT/The%20Naikon%20APT%20-%20Securelist.pdf,FireEye,CVE-2012-0158,,,naikon,CN,"Espionage, Information theft and espionage",2005,"CN, ID, KH, LA, MM, MY, NP, PH, SG, TH, VN",FALSE,"Spear Phishing, Malicious Documents, Exploit Vulnerability","XSControl, DevExpress",Government and Defense Agencies,,, 2015-05-18,CmstarDownloader_Lurid_Enfal_Cousin,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.05.18.Cmstar/CmstarDownloader_Lurid_Enfal_Cousin.pdf,Bluecoat,CVE-2012-0158,,"rule ce_enfal_cmstar_debug_msg\n{\nmeta:\nauthor = ""rfalcone""\ndescription = ""Detects the static debug strings within CMSTAR""\nreference = 
""9b9cc7e2a2481b0472721e6b87f1eba4faf2d419d1e2c115a91ab7e7e6fc7f7c""\ndate = ""5/10/2015""\nstrings:\n$d1 = ""EEE\\x0d\\x0a"" fullword\n$d2 = ""TKE\\x0d\\x0a"" fullword\n$d3 = ""VPE\\x0d\\x0a"" fullword\n$d4 = ""VPS\\x0d\\x0a"" fullword\n$d5 = ""WFSE\\x0d\\x0a"" fullword\n$d6 = ""WFSS\\x0d\\x0a"" fullword\n$d7 = ""CM**\\x0d\\x0a"" fullword\ncondition:\nuint16(0) == 0x5a4d and all of ($d*)\n}",,,,,,,"Spear Phishing, Exploit Vulnerability, Malicious Documents","Cmstar downloader, Lurid downloader, Enfal, MNKit, Tran Duy Linh toolkit",,,, 2015-05-19,oil-tanker-en,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.05.19.Operation_Oil_Tanker/oil-tanker-en.pdf,Panda Security,,,,,,,,,FALSE,,,Energy and Utilities,2013-08-15,2014-02-15,184.0 2015-05-21,TheNaikonAPT-MsnMM2,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.05.21.Naikon_APT/TheNaikonAPT-MsnMM2.pdf,Kaspersky,"CVE-2010-3333, CVE-2012-0158, CVE-2012-1856",,,apt30,CN,Espionage,,"LA, MM, MY, PH, SG, US, VN",FALSE,"Spear Phishing, Exploit Vulnerability, Malicious Documents","sslMM, winMM, exe_exchange, wininetMM/sakto, inject, sys10, xsControl/naikon, rarstone, second stage tools, ftp.exe, systeminfo.exe, ipconfig, net view, ping, netstat -ano, net use, quser, tasklist, netsh interface ip, netsh interface show, netsh advfirewall firewall, reg export, AT, procmon.exe, tcpview.exe, procexep.exe, psexec, winscan.exe, rar.exe, procex.exe, nc.exe, xscan","Government and Defense Agencies, Energy and Utilities",,, 2015-05-26,Dissecting-LinuxMoose,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.05.26.LinuxMoose/Dissecting-LinuxMoose.pdf,FireEye,,,,,,,,,FALSE,Credential Reuse,Linux/Moose,"Cloud/IoT Services, Corporations and Businesses",,, 
2015-05-27,BlackEnergy-CyberX-Report_27_May_2015_FINAL,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.05.27.BlackEnergy3/BlackEnergy-CyberX-Report_27_May_2015_FINAL.pdf,ICIT,CVE-2014-0751,,,,,,,,FALSE,Exploit Vulnerability,"BlackEnergy 3, BlackEnergy DDOS Bot",Critical Infrastructure,,, 2015-05-27,ANALYSIS-ON-APT-TO-BE-ATTACK-THAT-FOCUSING-ON-CHINAS-GOVERNMENT-AGENCY-,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.05.27.APT_to_be/ANALYSIS-ON-APT-TO-BE-ATTACK-THAT-FOCUSING-ON-CHINAS-GOVERNMENT-AGENCY-.pdf,Antiy Labs,,,,,,,,CN,,"Social Engineering, Exploit Vulnerability","PowerShell, Cobalt Strike, Metasploit",Government and Defense Agencies,,, 2015-05-28,Grabit,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.05.28.grabit-and-the-rats/Grabit.pdf,Kaspersky,,,,,,,,"IN, TH",FALSE,Malicious Documents,DarkComet,Corporations and Businesses,2015-02-15,2015-03-15,28.0 2015-05-29,OceanLotusReport,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.05.29.OceanLotus/OceanLotusReport.pdf,360,,,,oceanlotus,VN,"Espionage, Financial gain, Information theft and espionage",2012,CN,,"Spear Phishing, Watering Hole",,Government and Defense Agencies,,, 2015-06-03,Thamar-Reservoir,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.06.03.thamar-reservoir/Thamar-Reservoir.pdf,ClearSky,,,,gholee6,,,,,FALSE,"Spear Phishing, Social Engineering, Credential Reuse",,"Education and Research Institutions, Government and Defense Agencies, Media and Entertainment Companies, Non-Governmental Organizations (NGOs) and Nonprofits, Individuals",,, 2015-06-09,OhFlorio-VB2015,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.06.09.Duqu_2.0_Win32k_Exploit_Analysis/OhFlorio-VB2015.pdf,Kaspersky,,,,,,,,,TRUE,,,,,, 
2015-06-10,Duqu_2_Yara_rules,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.06.10.The_Mystery_of_Duqu_2_0/Duqu_2_Yara_rules.pdf,Kaspersky,,,"rule apt_duqu2_loaders { \n \nmeta: \n \n \ncopyright = ""Kaspersky Lab"" \n \ndescription = ""Rule to detect Duqu 2.0 samples"" \n \nlast_modified = ""2015-06-09"" \n \nversion = ""1.0"" \n \n \nstrings: \n \n \n$a1=""{AAFFC4F0-E04B-4C7C-B40A-B45DE971E81E}"" wide \n \n$a2=""\\\\\\\\.\\\\pipe\\\\{AAFFC4F0-E04B-4C7C-B40A-B45DE971E81E}"" wide \n \n$a4=""\\\\\\\\.\\\\pipe\\\\{AB6172ED-8105-4996-9D2A-597B5F827501}"" wide \n \n$a5=""Global\\\\{B54E3268-DE1E-4c1e-A667-2596751403AD}"" wide \n \n$a8=""SELECT `Data` FROM `Binary` WHERE `Name`=\%s%i\"" wide \n \n$a9=""SELECT `Data` FROM `Binary` WHERE `Name`=\CryptHash%i\"" wide \n \n$a7=""SELECT `%s` FROM `%s` WHERE `%s`=\CAData%i\"" wide \n \n \n \n$b1=""MSI.dll"" \n \n$b2=""msi.dll"" \n \n$b3=""StartAction"" \n \n \n$c1=""msisvc_32@"" wide \n \n$c2=""PROP="" wide \n \n$c3=""-Embedding"" wide \n \n$c4=""S:(ML;;NW;;;LW)"" wide \n \n \n$d1 = \n""NameTypeBinaryDataCustomActionActionSourceTargetInstallExecuteSequenceConditionSequenceProp\nertyValueMicrosoftManufacturer"" nocase \n \n$d2 = {2E 3F 41 56 3F 24 5F 42 69 6E 64 40 24 30 30 58 55 3F 24 5F 50 6D 66 5F 77 72 61 70 40 \n50 38 43 4C 52 ?? 40 40 41 45 58 58 5A 58 56 31 40 24 24 24 56 40 73 74 64 40 40 51 41 56 43 4C 52 ?? 
\n40 40 40 73 74 64 40 40} \n \ncondition: \n \n \n( (uint16(0) == 0x5a4d) and ( (any of ($a*)) or (all of ($b*)) or (all of ($c*)) ) and filesize < 100000 \n) \n \n \n \nor \n \n \n( (uint32(0) == 0xe011cfd0) and ( (any of ($a*)) or (all of ($b*)) or (all of ($c*)) or (any of ($d*)) ) \nand filesize < 20000000 ) \n \n \n}, rule apt_duqu2_drivers { \n \nmeta: \n \n \ncopyright = ""Kaspersky Lab"" \n \ndescription = ""Rule to detect Duqu 2.0 drivers"" \n \nlast_modified = ""2015-06-09"" \n \nversion = ""1.0"" \n \nstrings: \n \n \n \n \n$a1=""\\\\DosDevices\\\\port_optimizer"" wide nocase \n \n$a2=""romanian.antihacker"" \n \n$a3=""PortOptimizerTermSrv"" wide \n \n$a4=""ugly.gorilla1"" \n \n \n$b1=""NdisIMCopySendCompletePerPacketInfo"" \n \n$b2=""NdisReEnumerateProtocolBindings"" \n \n$b3=""NdisOpenProtocolConfiguration"" \n \ncondition: \n \n \nuint16(0) == 0x5A4D and (any of ($a*) ) and (2 of ($b*)) and filesize < 100000 \n \n}",,,,,,,,,,,, 2015-06-10,duqu2_crysys,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.06.10.Duqu_2.0/duqu2_crysys.pdf,CrySyS Lab,,,rule duqu2 \n{ \n \nstrings: \n$a = { 0F B6 C8 8B C1 0F AF C9 83 E0 ?? C1 E0 ?? 05 ?? ?? ?? ?? 0F \nAF D8 8B ?? ?? ?? 33 D9 } \n$b = { 0F 84 ?? ?? ?? ?? 0F B7 06 B9 ?? ?? ?? ?? 33 C1 3D ?? ?? ?? \n?? 0F 85 ?? ?? ?? ?? 
8B } \n \ncondition: \nany of them \n \n},,,,,,TRUE,,"Stuxnet, Duqu, Duqu 2.0",Critical Infrastructure,,, 2015-06-10,Symantec_Duqu2-Reemergence-aggressive-cyberespionage-threat(06-10-2015),Duqu 2.0: Reemergence of an aggressive cyberespionage threat,https://app.box.com/s/amixilnvbz29s9122fe9hfg00srndw70,Symantec,,,,,,,,"GB, HK, IN, IR, SE, US",,,"Duqu 2.0, W32.Duqu.B","Corporations and Businesses, Manufacturing",,, 2015-06-10,The_Mystery_of_Duqu_2_0_a_sophisticated_cyberespionage_actor_returns,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.06.10.The_Mystery_of_Duqu_2_0/The_Mystery_of_Duqu_2_0_a_sophisticated_cyberespionage_actor_returns.pdf,Kaspersky,"CVE-2011-3402, CVE-2014-4148, CVE-2014-6324, CVE-2015-2360",,,duqu,IL,Espionage,,,TRUE,"Spear Phishing, Exploit Vulnerability, Malicious Documents","NBNS (NetBIOS protocol), Camellia cypher, WPAD, MSI VFSes, “d3dx9_27.dll”","Critical Infrastructure, Government and Defense Agencies",,, 2015-06-12,Afghan Government Compromise_ Browser Beware _ Volexity Blog,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.06.12.Afghan_Government_Compromise/Afghan%20Government%20Compromise_%20Browser%20Beware%20_%20Volexity%20Blog.pdf,Volexity,CVE-2015-5119,,,,,,,AF,FALSE,Watering Hole,Dean Edwards Packer,Government and Defense Agencies,,, 2015-06-15,Targeted-Attacks-against-Tibetan-and-Hong-Kong-Groups-Exploiting-CVE-2014-4114,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.06.15.Targeted-Attacks-against-Tibetan-and-Hong-Kong-Groups/Targeted-Attacks-against-Tibetan-and-Hong-Kong-Groups-Exploiting-CVE-2014-4114.pdf,Citizen Lab,"CVE-2010-3333, CVE-2012-0158, CVE-2014-4114",,,valkyrie-x security research group,,,,"CN, HK",FALSE,"Spear Phishing, Social Engineering, Malicious Documents","PlugX, Surtr, Wofeksad, Poison Ivy",Non-Governmental Organizations (NGOs) and Nonprofits,,, 
2015-06-16,unit42-operation-lotus-blossom,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.06.16.operation-lotus-blossom/unit42-operation-lotus-blossom.pdf,Palo Alto,CVE-2012-0158,,,lotus blossom,CN,"Espionage, Information theft and espionage",2012,"HK, TW, VN",,"Spear Phishing, Malicious Documents","Elise, LStudio, Evora, AutoFocus, WildFire","Government and Defense Agencies, Education and Research Institutions",,, 2015-06-22,winnti_pharmaceutical,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.06.22.Winnti_targeting_pharmaceutical_companies/winnti_pharmaceutical.pdf,Kaspersky,,,,axiom,CN,"Espionage, Information theft and espionage",2009,,,,"Backdoor.Win64.Winnti.gy, Backdoor.Win64.Winnti.gf, Rootkit.Win64.Winnti.ai","Corporations and Businesses, Media and Entertainment Companies, Manufacturing, Healthcare",2014-08-22,2014-09-04,13.0 2015-06-24,UnFIN4ished_Business_pwd,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.06.24.unfin4ished-business/UnFIN4ished_Business_pwd.pdf,FireEye,,,,fin4,RO,Financial crime,2013,,,"Malicious Documents, Phishing",UpDocX Malware,"Corporations and Businesses, Financial Institutions, Healthcare",,, 2015-06-26,Operation Clandestine Wolf,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.06.26.operation-clandestine-wolf/Operation%20Clandestine%20Wolf.pdf,FireEye,CVE-2015-3113,,,apt3,CN,"Espionage, Information theft and espionage",2007,,TRUE,Phishing,"SHOTPUT, Backdoor.APT.CookieCutter, Adobe Flash Player SWF file, FLV file.",Corporations and Businesses,,, 2015-06-30,Dino - the latest spying malware from an allegedly French espionage group 
analyzed,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.06.30.dino-spying-malware-analyzed/Dino%20%E2%80%93%20the%20latest%20spying%20malware%20from%20an%20allegedly%20French%20espionage%20group%20analyzed.pdf,ESET,,,,animal farm,FR,"Espionage, Information theft and espionage",2011,IR,,,"Casper, Bunny, Babar, Dino",,,, 2015-07-08,Animal Farm APT and the Shadow of French Intelligence,,https://resources.infosecinstitute.com/animal-farm-apt-and-the-shadow-of-france-intelligence/,Infosec,"CVE-2011-4369, CVE-2014-0515",,,animal farm,FR,"Espionage, Information theft and espionage",2011,"CA, CI, DZ, ES, GR, IR, NO",TRUE,"Exploit Vulnerability, Watering Hole","Casper, Dino, Babar, include.swf",Education and Research Institutions,,, 2015-07-08,WildNeutron_Economic_espionage,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.07.08.Wild_Neutron/WildNeutron_Economic_espionage.pdf,Kaspersky,CVE-2012-3213,,,wild neutron,,Information theft and espionage,2013,"AE, AT, CH, DE, DZ, FR, KZ, PS, RU, SI, US",TRUE,"Watering Hole, Exploit Vulnerability","Password harvesting trojan, Reverse-shell backdoor, Customized implementations of OpenSSH, WMIC, SMB, Perl reverse shell, Metasploit tools, OpenSSH-based Win32 tunnel backdoors (updt.dat), Cygwin API DLL, CryptProtectData API","Corporations and Businesses, Cloud/IoT Services, Financial Institutions, Healthcare, Individuals",,, 2015-07-09,butterfly-corporate-spies-out-for-financial-gain,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.07.09.Butterfly/butterfly-corporate-spies-out-for-financial-gain.pdf,Symantec,CVE-2013-0422,,"rule Eventlog\n{\n meta:\n author = “Symantec Security Response”\n date = “2015-07-01”\n description = “Butterfly Eventlog hacktool”\n strings:\n $str _ 1 = “wevtsvc.dll”\n $str _ 2 = “Stealing %S.evtx handle ...” \n $str _ 3 = “ElfChnk”\nPage 25\nButterfly: Corporate spies out for 
financial gain\n $str _ 4 = “-Dr Dump all logs from a channel or .evtx file (raw”\n condition:\n all of them\n}, rule Hacktool\n{\n meta:\n author = “Symantec Security Response”\n date = “2015-07-01”\n description = “Butterfly hacktool”\n \n strings:\n $str _ 1 = “\\\n\\\n\\\n\\.\n\\\n\\pipe\\\n\\winsession” wide\n $str _ 2 = “WsiSvc” wide\n $str _ 3 = “ConnectNamedPipe”\n $str _ 4 = “CreateNamedPipeW”\n $str _ 5 = “CreateProcessAsUserW”\n condition:\n all of them\n}, rule Multipurpose\n{\n meta:\n author = “Symantec Security Response”\n date = “2015-07-01”\n description = “Butterfly Multipurpose hacktool”\n \n strings:\n $str _ 1 = “dump %d|%d|%d|%d|%d|%d|%s|%d”\n $str _ 2 = “kerberos%d.dll”\n $str _ 3 = “\\\n\\\n\\\n\\.\n\\\n\\pipe\\\n\\lsassp”\n $str _ 4 = “pth : change”\n condition:\n all of them\n}, rule Bannerjack\n{\n meta:\n author = “Symantec Security Response”\n date = “2015-07-01”\n description = “Butterfly BannerJack hacktool”\n strings:\n $str _ 1 = “Usage: ./banner-jack options”\n $str _ 2 = “-f: file.csv” \n $str _ 3 = “-s: ip start”\n $str _ 4 = “-R: timeout read (optional, default %d secs)”\n condition:\n all of them\n}, rule Securetunnel\n{\n meta:\n author = “Symantec Security Response”\n date = “2015-07-01”\n description = “Butterfly Securetunnel hacktool”\n strings:\n $str _ 1 = “KRB5CCNAME”\n $str _ 2 = “SSH _ AUTH _ SOCK”\n $str _ 3 = “f:l:u:cehR”\n $str _ 4 = “.o+=*BOX@%&#/^SE”\n condition:\n all of them\n}",butterfly,,Information theft and espionage,2013,"AE, BR, CN, HK, IL, IN, JP, KR, KZ, MA, MY, NG, TH, TW",TRUE,Exploit Vulnerability,"Banner Jack (bj.dat), Backdoor.Jiripbot, Hacktool.Multipurpose, Hacktool.Eventlog, Hacktool.Proxy.A, GNU Shred tool","Corporations and Businesses, Energy and Utilities, Education and Research Institutions",,, 2015-07-10,apt.group.ups,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.07.10.APT_Group_UPS_Targets_US_Government/apt.group.ups.pdf,Palo 
Alto,"CVE-2015-3113, CVE-2015-5119",,,apt3,CN,"Espionage, Information theft and espionage",2007,,TRUE,"Spear Phishing, Exploit Vulnerability",,Government and Defense Agencies,,, 2015-07-10,Sednit APT Group Meets Hacking Team,,http://www.welivesecurity.com/2015/07/10/sednit-apt-group-meets-hacking-team/,ESET,CVE-2015-5119,,,apt28,RU,"Espionage, Information theft and espionage",2004,,TRUE,Spear Phishing,"Flash exploit, Metasploit module, Windows local privilege escalation exploit, First-stage backdoor, Scheduled task, fvecer.bat (Payload persistence script), api-ms-win-downlevel-profile-l1-1-0.dll (Payload file)",Education and Research Institutions,,, 2015-07-13,Forkmeiamfamous_SeaDuke,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.07.13.Forkmeiamfamous/Forkmeiamfamous_SeaDuke.pdf,Symantec,,,,apt29,RU,"Espionage, Information theft and espionage",2008,US,,"Spear Phishing, Malicious Documents","Seaduke, Cozyduke, Backdoor.Miniduke, Trojan.Seaduke, Backdoor.Tinybaron (aka Cosmicduke)","Government and Defense Agencies, Education and Research Institutions",,, 2015-07-14,MiniDionis_CozyCar_Seaduke,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.07.14.tracking-minidionis-cozycars/MiniDionis_CozyCar_Seaduke.pdf,Symantec,,,,apt29,RU,"Espionage, Information theft and espionage",2008,,,Spear Phishing,"miniDionis, CozyCar, WildFire","Government and Defense Agencies, Education and Research Institutions",,, 2015-07-14,an-in-depth-look-at-how-pawn-storms-java-zero-day-was-used,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.07.14.How_Pawn_Storm_Java_Zero-Day_Was_Used/an-in-depth-look-at-how-pawn-storms-java-zero-day-was-used.pdf,Trend Micro,CVE-2015-2590,,,apt28,RU,"Espionage, Information theft and espionage",2004,"CA, US",TRUE,"Spear Phishing, Exploit Vulnerability","JAVA_DLOADR.EFD, TROJ_DROPPR.CXC, TSPY_SEDNIT.C, HTML_JNLPER.HAQ",Government and 
Defense Agencies,,, 2015-07-20,China_Peace_Palace,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.07.20.China_Peace_Palace/China_Peace_Palace.pdf,ThreatConnect,CVE-2015-5119,,,,,,,,TRUE,"Watering Hole, Exploit Vulnerability","Rdws.exe, LMS.exe, dbghelp.dll, ticrf.rat","Government and Defense Agencies, Education and Research Institutions",2015-07-09,2015-07-15,6.0 2015-07-20,WateringHole_Aerospace_CVE-2015-5122_IsSpace,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.07.20.IsSpace_Backdoor/WateringHole_Aerospace_CVE-2015-5122_IsSpace.pdf,Palo Alto,CVE-2015-5122,,,dragonok,CN,"Espionage, Information theft and espionage",2014,,TRUE,"Watering Hole, Exploit Vulnerability","IsSpace, NFlog, Palo Alto Networks WildFire, Traps",Corporations and Businesses,2014-11-14,2015-07-17,245.0 2015-07-22,Duke_cloud_Linux,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.07.22.Duke_APT_groups_latest_tools/Duke_cloud_Linux.pdf,Kaspersky,,,,apt29,RU,"Espionage, Information theft and espionage",2008,,,Spear Phishing,"MiniDionis, CloudLook, CloudDuke, DropperSolution, BastionSolution, OneDriveSolution, SeaDuke",,,, 2015-07-27,apt29-hammertoss-stealthy-tactics-define-a,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.07.27.HAMMERTOSS/apt29-hammertoss-stealthy-tactics-define-a.pdf,FireEye,,,,apt29,RU,"Espionage, Information theft and espionage",2008,,,,"HAMMERTOSS, tDiscoverer, Uploader",,,, 2015-07-28,the-black-vine-cyberespionage-group,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.07.28.Black_Vine/the-black-vine-cyberespionage-group.pdf,Symantec,"CVE-2012-4792, CVE-2014-0322",,,black vine,CN,"Espionage, Information theft and espionage",2013,"CA, CN, DK, IN, IT, US",TRUE,"Watering Hole, Exploit Vulnerability","Hurix, Sakurel (Trojan.Sakurel), Mivast (Backdoor.Mivast), 
Bifrose, Backdoor.Moudoor, Elderwood framework","Government and Defense Agencies, Corporations and Businesses, Financial Institutions, Healthcare, Energy and Utilities, Manufacturing",,, 2015-07-30,Operation-Potao-Express_final_v2,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.07.30.Operation-Potao-Express/Operation-Potao-Express_final_v2.pdf,ESET,"CVE-2014-1761, CVE-2014-4114",,,,,,,"GE, RU, UA",FALSE,"Spear Phishing, Malicious Documents, Removable Media, Website Equipping","Win32/Potao, Win32/FakeTC, TrueCrypt, TeamViewer","Government and Defense Agencies, Media and Entertainment Companies",,, 2015-08-04,Terracotta-VPN-Report-Final-8-3,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.08.04.Terracotta_VPN/Terracotta-VPN-Report-Final-8-3.pdf,RSA,,,,shell crew,CN,"Financial crime, Information theft and espionage",2010,,TRUE,Spear Phishing,"GDS520 Gh0st RAT, Win64.exe, Mitozhan Trojan, Gh0st Remote Administration Tool (RAT), Windows backdoor shell daemon","Government and Defense Agencies, Corporations and Businesses, Education and Research Institutions, Healthcare",,, 2015-08-08,Threat Analysis_ Poison Ivy and Links to an Extended PlugX Campaign - CYINT Analysis,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.08.08.Poison_Ivy_and_Links_to_an_Extended_PlugX_Campaign/Threat%20Analysis_%20Poison%20Ivy%20and%20Links%20to%20an%20Extended%20PlugX%20Campaign%20%E2%80%93%20CYINT%20Analysis.pdf,CYINT Analysis,CVE-2012-0158,,,,,,,IN,,"Malicious Documents, Exploit Vulnerability","Poison Ivy, PlugX","Government and Defense Agencies, Non-Governmental Organizations (NGOs) and Nonprofits",2014-09-15,2015-01-19,126.0 2015-08-10,Kaspersky_Report_Darkhotel_2015(08-10-2015),Darkhotel's attacks in 2015,https://app.box.com/s/fu1lu7lza8h4znv76a5dqlrjubapxw92,Kaspersky,CVE-2014-0497,,,darkhotel,KR,"Espionage, Information theft and espionage",2007,"BD, DE, 
IN, JP, KP, KR, MZ, RU, TH",TRUE,"Spear Phishing, Exploit Vulnerability, Malicious Documents",".hta files, icon.swf, icon.jpg, %temp%\RealTemp.exe","Government and Defense Agencies, Corporations and Businesses",,, 2015-08-10,HTExploitTelemetry,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.08.10.The_Italian_Connection_An_analysis_of_exploit_supply_chains_and_digital_quartermasters/HTExploitTelemetry.pdf,FireEye,"CVE-2015-5119, CVE-2015-5122",T5000:N/A,,apt20,CN,Information theft and espionage,2014,,TRUE,Watering Hole,"Angler (crimeware kit), Yara (signature framework), Metasploit (software framework), VirusTotal (repository), Shadowserver (repository)",,,, 2015-08-19,New Internet Explorer zero-day exploited in Hong Kong attacks,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.08.19.new-internet-explorer-zero-day-exploited-hong-kong-attacks/New%20Internet%20Explorer%20zero-day%20exploited%20in%20Hong%20Kong%20attacks.pdf,Symantec,CVE-2015-2502,,,,,,,,TRUE,"Watering Hole, Exploit Vulnerability","Korplug, Backdoor.Korplug, Trojan.Gen.2, Hacktool, Trojan.Malscript",,,, 2015-08-20,ASERT Threat Intelligence Brief 2015-05 PlugX Threat Activity in Myanmar,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.08.20.PlugX_Threat_Activity_in_Myanmar/ASERT%20Threat%20Intelligence%20Brief%202015-05%20PlugX%20Threat%20Activity%20in%20Myanmar.pdf,Arbor Networks,,,,,,,,"CN, US",,Watering Hole,"Evilgrab malware, 9002 RAT, PlugX malware, Korplug","Government and Defense Agencies, Media and Entertainment Companies",,, 2015-08-20,new-activity-of-the-blue-termite-apt,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.08.20.new-activity-of-the-blue-termite-apt/new-activity-of-the-blue-termite-apt.pdf,Kaspersky,CVE-2015-5119,,,blue termite,CN,"Espionage, Information theft and espionage",2013,JP,TRUE,"Spear Phishing, 
Drive-by Download, Watering Hole","emdivi t17, emdivi t20, HEUR:Exploit.SWF.Agent.gen, HEUR:Trojan.Win32.Generic, Trojan-Downloader.Win32.Agent.*, Trojan-Dropper.Win32.Agent.*","Government and Defense Agencies, Corporations and Businesses, Financial Institutions, Healthcare, Energy and Utilities, Manufacturing, Education and Research Institutions, Media and Entertainment Companies",2013-11-15,2015-07-15,607.0 2015-09-01,wp-the-spy-kittens-are-back,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.09.01.Rocket_Kitten_2/wp-the-spy-kittens-are-back.pdf,Trend Micro,,,,rocket kitten,IR,"Espionage, Information theft and espionage",2011,,FALSE,"Spear Phishing, Social Engineering","TSPY_WOOLERG, CWoolger, X2KM_MDROP.A, Core Impact Pro","Government and Defense Agencies, Education and Research Institutions, Media and Entertainment Companies, Non-Governmental Organizations (NGOs) and Nonprofits",,, 2015-09-08,ESET_Carbanak-packing-new-guns(09-08-2015),Carbanak is packing new guns,https://app.box.com/s/h1dn7d6ptcpwjbcfj468fy5201ev4bbz,ESET,"CVE-2015-1770, CVE-2015-2426",,,fin7,RU,"Financial gain, Financial crime",2013,"AE, DE, RU, UA, US",TRUE,"Spear Phishing, Malicious Documents","Tiny Meterpreter, Win32/Spy.Sekur, Win32/Wemosis, Win32/Spy.Agent.ORM","Financial Institutions, Media and Entertainment Companies",,, 2015-09-08,musical-chairs-multi-year-campaign-involving-new-variant-of-gh0st-malware,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.09.08.Musical_Chairs_Gh0st_Malware/musical-chairs-multi-year-campaign-involving-new-variant-of-gh0st-malware.pdf,Palo Alto,,,,,,,,US,FALSE,"Phishing, Social Engineering","Gh0stRat, Gh0st",,,, 
2015-09-08,PaloAlto.musical-chairs-multi-year-campaign-involving-new-variant-of-gh0st-malware,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.09.08.musical-chairs-multi-year-campaign-involving-new-variant-of-gh0st-malware/PaloAlto.musical-chairs-multi-year-campaign-involving-new-variant-of-gh0st-malware.pdf,Palo Alto,,,,,,,,US,FALSE,Phishing,"Gh0st, Palo Alto Networks AutoFocus, Palo Alto Networks WildFire",,,, 2015-09-09,"Shadow Force Uses DLL Hijacking, Targets South Korean Company",,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.09.09.Shadow_Force/Shadow%20Force%20Uses%20DLL%20Hijacking%2C%20Targets%20South%20Korean%20Company.pdf,Trend Micro,,,,shadow force,CN,,,KR,,Exploit Vulnerability,"fileh.exe, latinfect.exe, aio.exe, autorun.exe, install.exe, SuperBot.exe, SuperBotx64.exe, npf.sys",Media and Entertainment Companies,,, 2015-09-09,Satellite Turla_ APT Command and Control in the Sky - Securelist,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.09.09.satellite-turla-apt/Satellite%20Turla_%20APT%20Command%20and%20Control%20in%20the%20Sky%20-%20Securelist.pdf,Kaspersky,,,,turla,RU,"Espionage, Information theft and espionage",1996,"AE, DK, LB, NG",,Watering Hole,"Uroboros rootkit, aka “Snake”, Trojan.Win32.Agent.dne, Backdoor.Win32.Turla.cd, Backdoor.Win32.Turla.ce, Backdoor.Win32.Turla.cl, Backdoor.Win32.Turla.ch, Backdoor.Win32.Turla.cj, Backdoor.Win32.Turla.ck",,,, 2015-09-15,In Pursuit of Optical Fibers and Troop Intel_ Targeted Attack Distributes PlugX in Russia _ Proofpoint,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.09.15.PlugX_in_Russia/In%20Pursuit%20of%20Optical%20Fibers%20and%20Troop%20Intel_%20Targeted%20Attack%20Distributes%20PlugX%20in%20Russia%20_%20Proofpoint.pdf,Proofpoint,CVE-2012-0158,,,ta459,CN,Information theft and espionage,2017,RU,FALSE,"Spear Phishing, 
Malicious Documents","PlugX, Saker, Netbot, DarkStRat, TornRat","Government and Defense Agencies, Manufacturing, Healthcare",,, 2015-09-16,The-Shadow-Knows,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.09.16.The-Shadow-Knows/The-Shadow-Knows.pdf,Proofpoint,,,,,,,,,FALSE,Drive-by Download,"Angler EK, Bedep, Fileless Ursnif, Ramnit, Blowcrypt, Vawtrak (campaigns 13 and 60), Reactor Bot","Corporations and Businesses, Financial Institutions, Media and Entertainment Companies",,, 2015-09-17,Operation Iron Tiger Appendix,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.09.17.Operation_Iron_Tiger/Operation%20Iron%20Tiger%20Appendix.pdf,Trend Micro,,,"rule IronTiger_wmiexec \n{ \nmeta: \nTrend Micro | Shadow Force Technical Brief \nauthor=""Cyber Safety Solutions, Trend Micro"" \n \ncomment=""wmi.vbs detection"" \n \nstrings: \n$str1=""Temp Result File , Change it to where you like"" nocase wide ascii \n$str2=""wmiexec"" nocase wide ascii \n$str3=""By. 
Twi1ight"" nocase wide ascii \n \n$str4=""both mode ,delay TIME to read result"" nocase wide ascii \n \n$str5=""such as nc.exe or Trojan"" nocase wide ascii \n \n$str6=""+++shell mode+++"" nocase wide ascii \n \n$str7=""win2008 fso has no privilege to delete file"" nocase wide ascii \n \ncondition: \n2 of ($str*) \n}, rule IronTiger_ReadPWD86 \n{ \nTrend Micro | Shadow Force Technical Brief \n \nmeta: \n \n \nauthor=""Cyber Safety Solutions, Trend Micro"" \n \n \n \n \nstrings: \n \n \n$mz=""MZ"" \n \n \n \n$str1=""Fail To Load LSASRV"" nocase wide ascii \n \n \n$str2=""Fail To Search LSASS Data"" nocase wide ascii \n \n \n$str3=""User Principal"" nocase wide ascii \n \n \ncondition: \n \n \n$mz at 0 and (all of ($str*)) \n}, rule IronTiger_PlugX_DosEmulator \n{ \n \nmeta: \n \n \nauthor=""Cyber Safety Solutions, Trend Micro"" \n \n \n \n \nstrings: \n \n \n$mz=""MZ"" \n \n \n \n$str1=""Dos Emluator Ver"" nocase wide ascii \n \n \n$str2=""\\\\PIPE\\\\FASTDOS"" nocase wide ascii \n \n \n$str3=""FastDos.cpp"" nocase wide ascii \n \n \n$str4=""fail,error code = %d."" nocase wide ascii \n \n \ncondition: \n \n \n$mz at 0 and (any of ($str*)) \n}, rule IronTiger_GTalk_Trojan \n{ \n \nmeta: \n \n \nauthor=""Cyber Safety Solutions, Trend Micro"" \n \n \n \n \nstrings: \n \n \n$mz=""MZ"" \n \n \n \n$str1=""gtalklite.com"" nocase wide ascii \n \n \n$str2=""computer=%s&lanip=%s&uid=%s&os=%s&data=%s"" nocase wide ascii \n \n \n$str3=""D13idmAdm"" nocase wide ascii \n \n \n$str4=""Error: PeekNamedPipe failed with %i"" nocase wide ascii \n \n \ncondition: \n \n \n$mz at 0 and (2 of ($str*)) \n}, rule IronTiger_dllshellexc2010 \n{ \n \nmeta: \n \n \nauthor=""Cyber Safety Solutions, Trend Micro"" \n \n \ncomment=""dllshellexc2010 Exchange backdoor + remote shell"" \n \n \nstrings: \n \n \n$mz=""MZ"" \n \n \n \n$str1=""Microsoft.Exchange.Clients.Auth.dll"" nocase ascii wide \n$str2=""Dllshellexc2010"" nocase wide ascii \n \n \n$str3=""Users\\\\ljw\\\\Documents"" nocase wide ascii 
\n \n$bla1=""please input path"" nocase wide ascii \n$bla2=""auth.owa"" nocase wide ascii \n \n \ncondition: \n \n \n($mz at 0) and ((any of ($str*)) or (all of ($bla*))) \n}, rule IronTiger_dnstunnel \n{ \nmeta: \nauthor=""Cyber Safety Solutions, Trend Micro"" \ncomment=""This rule detects a dns tunnel tool used in Operation Iron Tiger"" \n \nstrings: \n$mz=""MZ"" \nTrend Micro | Shadow Force Technical Brief \n \n$str1=""\\\\DnsTunClient\\\\"" nocase wide ascii \n$str2=""\\\\t-DNSTunnel\\\\"" nocase wide ascii \n$str3=""xssok.blogspot"" nocase wide ascii \n$str4=""dnstunclient"" nocase wide ascii \n \n$mistake1=""because of error, can not analysis"" nocase wide ascii \n$mistake2=""can not deal witn the error"" nocase wide ascii \n$mistake3=""the other retun one RST"" nocase wide ascii \n$mistake4=""Coversation produce one error"" nocase wide ascii \n$mistake5=""Program try to use the have deleted the buffer"" nocase wide ascii \n \ncondition: \n($mz at 0) and ((any of ($str*)) or (any of ($mistake*))) \n}, rule IronTiger_ChangePort_Toolkit_ChangePortExe \n{ \n \nmeta: \n \n \nauthor=""Cyber Safety Solutions, Trend Micro"" \n \n \n \n \nstrings: \n \n \n$mz=""MZ"" \n \n \n \n$str1=""Unable to alloc the adapter!"" nocase wide ascii \nTrend Micro | Shadow Force Technical Brief \n \n \n$str2=""Wait for master fuck"" nocase wide ascii \n \n \n$str3=""xx.exe "" nocase wide ascii \n \n \n$str4=""chkroot2007"" nocase wide ascii \n \n \n$str5=""Door is bind on %s"" nocase wide ascii \n \n \ncondition: \n \n \n$mz at 0 and (2 of ($str*)) \n}, rule IronTiger_HTTP_SOCKS_Proxy_soexe \n{ \n \nmeta: \n \n \nauthor=""Cyber Safety Solutions, Trend Micro"" \n \n \n \n \nstrings: \n \n \n$mz=""MZ"" \n \n \n \n$str1=""listen SOCKET error."" nocase wide ascii \n \n \n$str2=""WSAAsyncSelect SOCKET error."" nocase wide ascii \n \n \n$str3=""new SOCKETINFO error!"" nocase wide ascii \n \n \n$str4=""Http/1.1 403 Forbidden"" nocase wide ascii \n \n \n$str5=""Create SOCKET error."" nocase 
wide ascii \n \n \ncondition: \n \n \n$mz at 0 and (3 of ($str*)) \n}, rule IronTiger_HTTPBrowser_Dropper \n{ \n \nmeta: \n \n \nauthor=""Cyber Safety Solutions, Trend Micro"" \n \n \n \nTrend Micro | Shadow Force Technical Brief \n \nstrings: \n \n \n$mz=""MZ"" \n \n \n \n$str1="".dllUT"" nocase wide ascii \n \n \n$str2="".exeUT"" nocase wide ascii \n \n \n$str3="".urlUT"" nocase wide ascii \n \n \ncondition: \n \n \n$mz at 0 and (2 of ($str*)) \n}, rule IronTiger_GetUserInfo \n{ \n \nmeta: \n \n \nauthor=""Cyber Safety Solutions, Trend Micro"" \n \n \n \n \nstrings: \n \n \n$mz=""MZ"" \n \n \n \n$str1=""getuserinfo username"" nocase wide ascii \n \n \n$str2=""joe@joeware.net"" nocase wide ascii \n \n \n$str3=""If . specified for userid,"" nocase wide ascii \n \n \ncondition: \n \n \n$mz at 0 and (any of ($str*)) \n}, rule IronTiger_NBDDos_Gh0stvariant_dropper \n{ \n \nmeta: \n \n \nauthor=""Cyber Safety Solutions, Trend Micro"" \n \n \n \n \nstrings: \n \n \n$mz=""MZ"" \nTrend Micro | Shadow Force Technical Brief \n \n \n \n$str1=""This service can\t be stoped."" nocase wide ascii \n \n \n$str2=""Provides support for media palyer"" nocase wide ascii \n \n \n$str4=""CreaetProcess Error"" nocase wide ascii \n \n \n \n$bla1=""Kill You"" nocase wide ascii \n \n \n$bla2=""%4.2f GB"" nocase wide ascii \n \n \ncondition: \n \n \n$mz at 0 and ((any of ($str*)) or (all of ($bla*))) \n}, rule IronTiger_Gh0stRAT_variant \n{ \n \nmeta: \n \n \nauthor=""Cyber Safety Solutions, Trend Micro"" \nTrend Micro | Shadow Force Technical Brief \n \n \ncomment=""This is a detection for a s.exe variant seen in Op. 
Iron Tiger"" \n \n \n \n \nstrings: \n \n \n$mz=""MZ"" \n \n \n \n$str1=""Game Over Good Luck By Wind"" nocase wide ascii \n \n \n$str2=""ReleiceName"" nocase wide ascii \n \n \n$str3=""jingtisanmenxiachuanxiao.vbs"" nocase wide ascii \n \n \n$str4=""Winds Update"" nocase wide ascii \n \n \ncondition: \n \n \n$mz at 0 and (any of ($str*)) \n}, rule IronTiger_Ring_Gh0stvariant \n{ \n \nmeta: \n \n \nauthor=""Cyber Safety Solutions, Trend Micro"" \n \n \n \n \nstrings: \n \n \n$mz=""MZ"" \n \n \n \n$str1=""RING RAT Exception"" nocase wide ascii \n \n \n$str2=""(can not update server recently)!"" nocase wide ascii \n \n \n$str4=""CreaetProcess Error"" nocase wide ascii \n \n \n \n$bla1=""Sucess!"" nocase wide ascii \n \n \n$bla2=""user canceled!"" nocase wide ascii \n \n \ncondition: \n \n \n$mz at 0 and ((any of ($str*)) or (all of ($bla*))) \n}, rule IronTiger_PlugX_FastProxy \n{ \n \nmeta: \n \n \nauthor=""Cyber Safety Solutions, Trend Micro"" \n \n \nstrings: \n \n \n$mz=""MZ"" \n \nTrend Micro | Shadow Force Technical Brief \n \n \n$str1=""SAFEPROXY HTServerTimer Quit!"" nocase wide ascii \n \n \n$str2=""Useage: %s pid"" nocase wide ascii \n \n \n$str3=""%s PORT%d TO PORT%d SUCCESS!"" nocase wide ascii \n \n \n$str4=""p0: port for listener"" nocase wide ascii \n \n \n$str5=""\\\\users\\\\whg\\\\desktop\\\\plug\\\\"" nocase wide ascii \n \n \n$str6=""+Y cwnd : %3d, fligth:"" nocase wide ascii \n \n \ncondition: \n \n \n$mz at 0 and (any of ($str*)) \n}, rule IronTiger_GetPassword_x64 \n{ \n \nmeta: \n \n \nauthor=""Cyber Safety Solutions, Trend Micro"" \n \n \n \nTrend Micro | Shadow Force Technical Brief \n \nstrings: \n \n \n$mz=""MZ"" \n \n \n \n$str1=""(LUID ERROR)"" nocase wide ascii \n \n \n$str2=""Users\\\\K8team\\\\Desktop\\\\GetPassword"" nocase wide ascii \n \n \n$str3=""Debug x64\\\\GetPassword.pdb"" nocase wide ascii \n \n \n \n$bla1=""Authentication Package:"" nocase wide ascii \n \n \n$bla2=""Authentication Domain:"" nocase wide ascii \n \n 
\n$bla3=""* Password:"" nocase wide ascii \n \n \n$bla4=""Primary User:"" nocase wide ascii \n \n \ncondition: \n \n \n$mz at 0 and ((any of ($str*)) or (all of ($bla*))) \n}, rule IronTiger_ASPXSpy \n{ \nmeta: \nauthor=""Cyber Safety Solutions, Trend Micro"" \n \ncomment=""ASPXSpy detection. It might be used by other fraudsters"" \nTrend Micro | Shadow Force Technical Brief \n \nstrings: \n$str1=""ASPXSpy"" nocase wide ascii \n$str2=""IIS Spy"" nocase wide ascii \n$str3=""protected void DGCoW(object sender,EventArgs e)"" nocase wide ascii \n \ncondition: \nany of ($str*) \n}, rule IronTiger_PlugX_Server \n{ \n \nmeta: \n \n \nauthor=""Cyber Safety Solutions, Trend Micro"" \n \n \n \n \nstrings: \n \n \n$mz=""MZ"" \n \n \n \n$str1=""\\\\UnitFrmManagerKeyLog.pas"" nocase wide ascii \n \n \n$str2=""\\\\UnitFrmManagerRegister.pas"" nocase wide ascii \n \n \n$str3=""Input Name..."" nocase wide ascii \n \n \n$str4=""New Value#"" nocase wide ascii \n \n \n$str5=""TThreadRControl.Execute SEH!!!"" nocase wide ascii \n \n \n$str6=""\\\\UnitFrmRControl.pas"" nocase wide ascii \n \n \n$str7=""OnSocket(event is error)!"" nocase wide ascii \n \n \n$str8=""Make 3F Version Ok!!!"" nocase wide ascii \n \n \n$str9=""PELEASE DO NOT CHANGE THE DOCAMENT"" nocase wide ascii \n \n \n$str10=""Press Ok Continue Run, Press Cancel Exit"" nocase wide ascii \n \n \ncondition: \n \n \n$mz at 0 and (2 of ($str*)) \n}, rule IronTiger_ChangePort_Toolkit_driversinstall \n{ \n \nmeta: \n \n \nauthor=""Cyber Safety Solutions, Trend Micro"" \n \n \n \n \nstrings: \n \n \n$mz=""MZ"" \n \n \n \n$str1=""openmydoor"" nocase wide ascii \n \n \n$str2=""Install service error"" nocase wide ascii \n \n \n$str3=""start remove service"" nocase wide ascii \n \n \n$str4=""NdisVersion"" nocase wide ascii \n \n \ncondition: \n \n \n$mz at 0 and (2 of ($str*)) \n}, rule IronTiger_EFH3_encoder \n{ \n \nmeta: \n \n \nauthor=""Cyber Safety Solutions, Trend Micro"" \n \n \n \n \nstrings: \n \n \n$mz=""MZ"" \n \n \n 
\n$str1=""EFH3 HEX SRCFILE DSTFILE"" nocase wide ascii \n \n \n$str2=""123.EXE 123.EFH"" nocase wide ascii \n \n \n$str3=""ENCODER: bi:="" nocase wide ascii \n \n \ncondition: \n \n \n$mz at 0 and (any of ($str*)) \n}",shadow force,CN,,,US,,,"TROJ_PLUGEX.B, HKTL_PWDUMP, BKDR_MECA.A, HKTL_ExPlug, HTML_ASPSPY.A, HKTL_DOSEMU, HKTL_ASPXSPY, VBS_WIMXEC.A, HKTL_IISEXPLOIT, HKTL_NBTSCAN, HKTL_PORTCON",Government and Defense Agencies,,, 2015-09-17,wp-operation-iron-tiger,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.09.17.Operation_Iron_Tiger/wp-operation-iron-tiger.pdf,Trend Micro,CVE-2008-1436,,,tg-3390,CN,"Espionage, Information theft and espionage",2010,"CN, HK, PH, US",,Spear Phishing,"Dnstunclient, dnstunserver, PlugX, Gh0st, WebShellKill, KorPlug RAT","Government and Defense Agencies, Energy and Utilities, Critical Infrastructure",,, 2015-09-23,Project_CAMERASHY_ThreatConnect_Copyright_2015,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.09.23.CAMERASHY_ThreatConnect/Project_CAMERASHY_ThreatConnect_Copyright_2015.pdf,ThreatConnect,"CVE-2012-015, CVE-2012-0158",,,naikon,CN,"Espionage, Information theft and espionage",2005,"ID, KH, LA, MM, MY, NP, PH, SG, TH, VN",FALSE,"Spear Phishing, Malicious Documents","WinMM, Wmi Inject, SslMM, Self-Extracting Executables, Right-to-Left Character Override, Spear Phishing, CVE-2012-015",,,, 2015-10-03,Cybereason-Labs-Analysis-Webmail-Sever-APT,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.10.03.Webmail_Server_APT/Cybereason-Labs-Analysis-Webmail-Sever-APT.pdf,Cybereason,,,,,,,,,,Exploit Vulnerability,,Corporations and Businesses,,, 2015-10-05,threat-identification,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.10.05.Proactive_Threat_Identification/threat-identification.pdf,Recorded Future,,,,,,,,,,,"njRAT, Dark Comet, Poison Ivy","Corporations and 
Businesses, Individuals",,, 2015-10-07,Secureworks_HackerGroup-Creates-Network-Fake-LinkedIn-Profiles(10-07-2015),Hacker Group Creates Network of Fake LinkedIn Profiles,https://app.box.com/s/w32vcrjpq3fj0fg0t8c5gwmy0olwnmnd,SecureWorks,,,,tg-2889,IR,"Espionage, Information theft and espionage",2012,,FALSE,"Spear Phishing, Social Engineering",,"Government and Defense Agencies, Corporations and Businesses",,, 2015-10-15,Mapping FinFisher's Continuing Proliferation,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.10.15.FinFisher_Continuing/Mapping%20FinFisher%E2%80%99s%20Continuing%20Proliferation.pdf,Citizen Lab,,,,molerats,PS,Information theft and espionage,2012,"AO, EG, ES, GA, JO, KE, KZ, LB, MA, OM, PY, SA, SI, TR, TW, VE",,Malicious Documents,"FinFisher, FinFly Web",Government and Defense Agencies,,, 2015-10-16,2015.10.targeted-attacks-ngo-burma,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.10.16.NGO_Burmese_Government/2015.10.targeted-attacks-ngo-burma.pdf,RSA,,,,,,,,MM,,Spear Phishing,"9002 malware family, PlugX, EvilGrab","Non-Governmental Organizations (NGOs) and Nonprofits, Government and Defense Agencies",,, 2015-11-04,cct-w08_evolving-threats-dissection-of-a-cyber-espionage-attack,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.11.04_Evolving_Threats/cct-w08_evolving-threats-dissection-of-a-cyber-espionage-attack.pdf,RSA,"CVE-2014-6324, CVE-2015-1701, CVE-2015-2424",,,apt28,RU,"Espionage, Information theft and espionage",2004,GB,FALSE,"Spear Phishing, Exploit Vulnerability, Malicious Documents","CORESHELL, EVILTOSS, CHOPSTICK, MIMIKATZ",Government and Defense Agencies,2014-10-15,2015-09-15,335.0 2015-11-05,Sphinx Moth Expanding our knowledge of the 'Wild Neutron' 'Morpho' APT,,https://research.kudelskisecurity.com/2015/11/05/sphinx-moth-expanding-our-knowledge-of-the-wild-neutron-morpho-apt/,Kudelski Security,,,,sphinx 
moth,,Information theft and espionage,2013,,,,,,,, 2015-11-10,bookworm-trojan-a-model-of-modular-architecture,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.11.10.bookworm-trojan-a-model-of-modular-architecture/bookworm-trojan-a-model-of-modular-architecture.pdf,Palo Alto,,,,,,,,TH,,Malicious Documents,"Bookworm, Smart Installer Maker, Loader.dll",,,, 2015-11-16,Microsoft_Security_Intelligence_Report_Volume_19_English(11-16-2015),Microsoft Security Intelligence Report (Volume 19),https://app.box.com/s/qjvx7sdbo7cufb5b8putfyqn8ku82xq2,Microsoft,"CVE-2006-6456, CVE-2009-0075, CVE-2010-0188, CVE-2010-0840, CVE-2010-2568, CVE-2010-3336, CVE-2011-1823, CVE-2011-3874, CVE-2012-0158, CVE-2012-0507, CVE-2012-1723, CVE-2012-1889, CVE-2013-0074, CVE-2013-0422, CVE-2013-2460, CVE-2013-2551, CVE-2013-7331, CVE-2014-0322, CVE-2014-0497, CVE-2014-0515, CVE-2014-1776, CVE-2014-3897, CVE-2014-6332, CVE-2014-8439, CVE-2015-0097, CVE-2015-0310, CVE-2015-0311, CVE-2015-0313, CVE-2015-0336, CVE-2015-0359, CVE-2015-1641, CVE-2015-1701, CVE-2015-1769, CVE-2015-1770, CVE-2015-2360, CVE-2015-2387, CVE-2015-2424, CVE-2015-2590, CVE-2015-3043, CVE-2015-3090, CVE-2015-3104, CVE-2015-3105, CVE-2015-3113, CVE-2015-4902, CVE-2015-5119, CVE-2015-7645",,,apt28,RU,"Espionage, Information theft and espionage",2004,"FR, GB, TR, US",TRUE,"Spear Phishing, Social Engineering, Exploit Vulnerability","runrun.exe, vmware-manager.exe, ctf.exe, MicrosoftSup.dll, mshelpc.dll, winsys.dll, run_x86.exe, run_x64.exe, SupUpNvidia.exe, advstorshell.exe, credssp.dll, mfxscom.dll, api-ms-win-[random].dll, psw.exe, svchosl.exe, svehost.exe, servicehost.exe",Government and Defense Agencies,,, 2015-11-17,rpt-witchcoven,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.11.17.Pinpointing_Targets_Exploiting_Web_Analytics_to_Ensnare_Victims/rpt-witchcoven.pdf,FireEye,,,,apt28,RU,"Espionage, Information theft and espionage",2004,"AM, 
AT, AU, AZ, BE, BO, BW, CH, CL, DE, DK, EC, EE, ES, FI, FR, GB, GE, GW, HK, HU, ID, IN, JM, KW, KZ, RO, RS, TM, UA, US, UY, ZA",TRUE,"Spear Phishing, Watering Hole","Wipbot, Turla, Browser Exploitation Framework, PluginDetect","Government and Defense Agencies, Corporations and Businesses, Energy and Utilities, Education and Research Institutions, Media and Entertainment Companies, Non-Governmental Organizations (NGOs) and Nonprofits, Individuals",,, 2015-11-18,Russian financial cybercrime_ how it works - Securelist,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.11.18.Russian_financial_cybercrime_how_it_works/Russian%20financial%20cybercrime_%20how%20it%20works%20-%20Securelist.pdf,Kaspersky,,,,fin7,RU,"Financial gain, Financial crime",2013,"GB, US",FALSE,"Spear Phishing, Phishing, Drive-by Download, Watering Hole","Trojans, exploits, packers",Financial Institutions,,, 2015-11-18,tdrop2-attacks-suggest-dark-seoul-attackers-return,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.11.18.tdrop2/tdrop2-attacks-suggest-dark-seoul-attackers-return.pdf,Palo Alto,,,,whois team,KP,,,KR,FALSE,Spear Phishing,"Troy, [redacted]Player_full.exe, [redacted]Player_light.exe","Corporations and Businesses, Critical Infrastructure",,, 2015-11-18,amballa-discovers-new-toolset-linked-to-destover-attackers-arsenal-helps-them-to-broaden-attack-surface,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.11.18.Destover/amballa-discovers-new-toolset-linked-to-destover-attackers-arsenal-helps-them-to-broaden-attack-surface.pdf,Damballa Inc.,,S\n2015:N/A,"rule Destover\n{\nTools\nVulns, Exploits,\nSteps\nFoothold\nTools\nafset, setMFT, RATs, credential theft\nSteps\nMove laterally\nTools\nStolen administrative credentials and RATs\nSteps\nExfiltrate\x00Tools\nVPN accounts, RATs, out of band comms\nSteps\nDelete tracks\nTools\nafset, setMFT, Destover / 
Shamoon\nSteps\nExit\nTools\nPublish stolen data, clean with Destover / Shamoon\nShare this:\n{\nmeta:\ndescription = “Rule to detect Destover trojan and associated tools by license key”\nauthor = “Willis McDonald”\ncompany = “Damballa Inc.”\nreference = “not set”\ndate = “2015/10/30”\nstrings:\n$key = “99E2428CCA4309C68AAF8C616EF3306582A64513E55C786A864BC83DAFE0C\n78585B692047273B0E55275102C664C5217E76B8E67F35FCE385E4328EE1AD139EA6AA2634\n5C4F93000DBBC7EF1579D4F”\n$MZ = “MZ”\ncondition:\n$key and $MZ at 0\n}",destover,,,,"SA, US",FALSE,Exploit Vulnerability,"Destover, afset, setMFT, RATs, VPN accounts, out of band comms, Shamoon",Energy and Utilities,,, 2015-11-19,ecrypting-strings-in-emdivi,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.11.19.decrypting-strings-in-emdivi/ecrypting-strings-in-emdivi.pdf,JPCERT,,,,blue termit,CN,"Espionage, Information theft and espionage",2013,JP,,"Watering Hole, Exploit Vulnerability","Scanbox, PoisonIvy, Fiddler Core, Emdivi",,,, 2015-11-19,20151028_codeblue_apt-en,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.11.19.decrypting-strings-in-emdivi/20151028_codeblue_apt-en.pdf,JPCERT,"CVE-2013-3893, CVE-2013-3918, CVE-2014-0324, CVE-2014-4113, CVE-2014-6324, CVE-2014-7247, CVE-2015-5119, CVE-2015-5122",,,apt17,CN,"Espionage, Information theft and espionage",2009,JP,TRUE,"Exploit Vulnerability, Drive-by Download, Watering Hole","Emdivi, BeginX, GStatus","Corporations and Businesses, Healthcare",,, 2015-11-23,Prototype Nation_ The Chinese Cybercriminal Underground in 2015 - Security News - Trend Micro USA,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.11.23.Prototype_Nation_The_Chinese_Cybercriminal_Underground_in_2015/Prototype%20Nation_%20The%20Chinese%20Cybercriminal%20Underground%20in%202015%20-%20Security%20News%20-%20Trend%20Micro%20USA.pdf,Trend Micro,,,,,,,,,,Social Engineering,,"Financial 
Institutions, Individuals",,, 2015-11-23,RSA_Peering-Into-GlassRAT-final(Nov-23-15),PEERING INTO GLASSRAT: A Zero Detection Trojan from China,https://app.box.com/s/3jg797vagekvf1xjyz1j49esdhm4fmjs,RSA,,,,,,,,CN,FALSE,,"Taidoor, Taleret, GlassRAT, PlugX, Mirage, MagicFire","Government and Defense Agencies, Non-Governmental Organizations (NGOs) and Nonprofits",,, 2015-11-23,wp-prototype-nation,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.11.23.Prototype_Nation_The_Chinese_Cybercriminal_Underground_in_2015/wp-prototype-nation.pdf,Trend Micro,,,,,,,,"CN, JP, US",,"Phishing, Social Engineering, Exploit Vulnerability","Social Engineering Master, Exploit kits, Phishing websites, Trojan downloaders",Individuals,,, 2015-11-24,attack-campaign-on-the-government-of-thailand-delivers-bookworm-trojan,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.11.24.Attack_Campaign_on_the_Government_of_Thailand_Delivers_Bookworm_Trojan/attack-campaign-on-the-government-of-thailand-delivers-bookworm-trojan.pdf,Palo Alto,,,,,,,,TH,,"Spear Phishing, Social Engineering, Website Equipping","Poison Ivy, PlugX, FFRAT, Scieron, Bookworm Trojan",Government and Defense Agencies,,, 2015-11-30,foxit-whitepaper_ponmocup_1_1,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.11.30.Ponmocup/foxit-whitepaper_ponmocup_1_1.pdf,fox-it,,,"rule Ponmocup : plugins\n{\n meta:\n description = ""Ponmocup plugin detection (memory)""\n author = ""Danny Heppener, Fox-IT""\n strings:\n $1100 = {4D 5A 90 29 4C 04}\n $1201 = {4D 5A 90 29 B1 04}\n $1300 = {4D 5A 90 29 14 05}\n $1350 = {4D 5A 90 29 46 05}\n $1400 = {4D 5A 90 29 78 05}\n $1402 = {4D 5A 90 29 7A 05}\n $1403 = {4D 5A 90 29 7B 05}\n $1404 = {4D 5A 90 29 7C 05}\n $1405 = {4D 5A 90 29 7D 05}\n $1406 = {4D 5A 90 29 7E 05}\n $1500 = {4D 5A 90 29 DC 05}\n $1501 = {4D 5A 90 29 DD 05}\n $1502 = {4D 5A 90 29 DE 05}\n $1505 = {4D 5A 90 
29 E1 05}\n $1506 = {4D 5A 90 29 E2 05}\n $1507 = {4D 5A 90 29 E3 05}\n $1508 = {4D 5A 90 29 E4 05}\n $1509 = {4D 5A 90 29 E5 05}\n $1510 = {4D 5A 90 29 E6 05}\n $1511 = {4D 5A 90 29 E7 05}\n $1512 = {4D 5A 90 29 E8 05}\n $1600 = {4D 5A 90 29 40 06}\n $1601 = {4D 5A 90 29 41 06}\n $1700 = {4D 5A 90 29 A4 06}\n $1800 = {4D 5A 90 29 08 07}\n $1801 = {4D 5A 90 29 09 07}\n $1802 = {4D 5A 90 29 0A 07}\n $1803 = {4D 5A 90 29 0B 07}\n $2001 = {4D 5A 90 29 D1 07}\n $2002 = {4D 5A 90 29 D2 07}\n $2003 = {4D 5A 90 29 D3 07}\n $2004 = {4D 5A 90 29 D4 07}\n $2500 = {4D 5A 90 29 C4 09}\n $2501 = {4D 5A 90 29 C5 09}\n $2550 = {4D 5A 90 29 F6 09}\n $2600 = {4D 5A 90 29 28 0A}\n $2610 = {4D 5A 90 29 32 0A}\n $2700 = {4D 5A 90 29 8C 0A}\n $2701 = {4D 5A 90 29 8D 0A}\n $2750 = {4D 5A 90 29 BE 0A}\n $2760 = {4D 5A 90 29 C8 0A}\n $2810 = {4D 5A 90 29 FA 0A}\n condition:\n any of ($1100,$1201,$1300,$1350,$1400,$1402,$1403,$1404,$1405,$1406, \n$1500,$1501,$1502,$1505,$1506,$1507\n,$1508,$1509,$1510,$1511,$1512,$1600,$1601,$1700,$1800,$1801, \n$1802,$1803,$2001,$2002,$2003,$2004,$2500,$2501,$2550,$2600,$2610,$2700,$2701,$2750,$2760,$2810)\n}",,,,,"AU, BE, CA, CH, DE, DK, EE, FR, GB, MX, NL, NO, NZ, PT, SE, US",TRUE,"Drive-by Download, Exploit Vulnerability",Ponmocup,"Financial Institutions, Education and Research Institutions, Individuals",,, 2015-12-01,china.based.threat,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.12.01.China-based_Cyber_Threat_Group_Uses_Dropbox_for_Malware_Communications_and_Targets_Hong_Kong_Media_Outlets/china.based.threat.pdf,FireEye,CVE-2012-0158,,,admin@338,CN,"Espionage, Information theft and espionage",2014,HK,FALSE,Spear Phishing,"Poison Ivy, LOWBALL, upload.bat, upload.rar, rar.exe, time.exe","Media and Entertainment Companies, Financial Institutions",,, 2015-12-07,Symantec_CadelSpy-Remexi-IOC(12-07-2015),Backdoor.Cadelspy and Backdoor.Remexi indicators of 
compromise,https://app.box.com/s/k351gsuaj647jtmwmukmtem31oszg1tv,Symantec,,,"rule Cadelle_1 \n{ \n strings: \n \n$s1 = { \n \n \n \n 56 57 8B F8 8B F1 33 C0 3B F0 74 22 39 44 24 0C \n \n \n \n 74 18 0F B7 0F 66 3B C8 74 10 66 89 0A 42 42 47 \n \n \n \n 47 4E FF 4C 24 0C 3B F0 75 E2 3B F0 75 07 4A 4A \n \n \n \n B8 7A 00 07 80 33 C9 5F 66 89 0A 5E C2 04 00 \n \n \n } \n \n \n$s2 = ""ntsvc32"" \n \n$s3 = ""ntbind32"" \n \n \n condition: \n $s1 and ($s2 or $s3) \n}, rule Cadelle_4 \n{ \n strings: \n \n$s1 = ""AppInit_DLLs"" wide ascii \n \n$s2 = { 5C 00 62 00 61 00 63 00 6B 00 75 00 70 00 00 } \n \n$s3 = { 5C 00 75 00 70 00 64 00 61 00 74 00 65 00 00 } \n \n$s4 = ""\\\\cmd.exe"" wide ascii \n \n \n condition: \n all of them \n}, rule Cadelle_2 \n{ \n strings: \n \n$s1 = ""EXECUTE"" wide ascii \n \n$s2 = ""WebCamCapture"" wide ascii \n \n$s3 = """" wide ascii \n \n$s4 = """" wide ascii \n \n$s5 = """" wide ascii \n \n$s6 = """" wide ascii \n \n$s7 = ""Can\t open file for reading :"" wide ascii \n \n$s8 = """" wide ascii \n \n$s9 = """" wide ascii \n \n$s10 = ""JpegFile :"" wide ascii \n \n$s12 = ""SCROLL"" wide ascii \n \n$s13 = """" wide ascii \n \n$s14 = ""CURRENT DATE"" wide ascii \n \n \nSecurity Response — Dec 7, 2015 — Copyright © 2015 Symantec \nPage 7 \nBackdoor.Cadelspy and Backdoor.Remexi \n \n$s15 = """" wide ascii \n \n$s16 = """" wide ascii \n \n$s17 = """" wide ascii \n \n$s18 = """" wide ascii \n \n$s19 = """" wide ascii \n \n$s20 = """" wide ascii \n \n$s21 = ""FlashMemory"" wide ascii \n \n \n condition: \n 12 of them \n}, rule Cadelle_3 \n{ \n strings: \n \n$s1 = ""SOFTWARE\\\\ntsvc32\\\\HDD"" wide ascii \n \n$s2 = ""SOFTWARE\\\\ntsvc32\\\\ROU"" wide ascii \n $s3 = ""SOFTWARE\\\\ntsvc32\\\\HST"" wide ascii \n $s4 = ""SOFTWARE\\\\ntsvc32\\\\FLS"" wide ascii \n \n$s5 = ""ntsvc32"" wide ascii \n \n$s6 = "".Win$py."" wide ascii \n \n$s7 = ""C:\\\\users\\\\"" wide ascii \n \n$s8 = ""%system32%"" wide ascii \n \n$s9 = ""\\\\Local Settings\\\\Temp"" wide 
ascii \n \n$s10 = ""SVWATAUAVAW"" wide ascii \n \n$s11 = ""\\\\AppData\\\\Local"" wide ascii \n \n$s12 = ""\\\\AppData"" wide ascii \n \n \n condition: \n 6 of them \n}, rule Remexi \n{ \n \nstrings: \n \n \n $c1 = { 00 3C 65 78 69 74 3E 00 } \n/* */ \n \n \n$c2 = { 00 3C 69 64 3E 00 } \n/* */ \n \n \n$c3 = { 00 3C 72 65 6D 3E 00 } \n/* */ \n \n \n$c4 = { 00 3C 63 6C 6F 73 65 3E 00} \n/* */ \n \n \n$c5 = { 00 57 49 4E 00 } \n \n/* WIN */ \n \n \n$c6 = { 00 63 6D 64 2E 65 78 65 00 } /* cmd.exe */ \n \n \n$c7 = { 00 49 44 00 } \n \n \n/* ID */ \n \n \n$c8 = { 00 72 65 6D 00 } /* rem */ \n \n \n \n \n \n$d1 = ""\\\\SEA.pdb"" \n \n \n$d2 = ""\\\\mas.pdb"" \n \n \n \n$s1 = ""Connecting to the server..."" \n \n \n$s2 = ""cmd.exe /c sc stop sea & sc start sea"" \n \n \n$s3 = ""SYSTEM\\\\CurrentControlSet\\\\services\\\\SEA\\\\Parameters"" \n \n \n$s4 = ""RecvWrit()-Read_Sock-Failed"" \n \n \n$s5 = ""ReadPipeSendSock()"" \n \n \n \n \n \n \ncondition: \n \n \n(4 of ($c*) and (2 of ($s*) or any of ($d*))) or (5 of ($c*) and \nany of ($s*)) \n}",,,,,,,,"Backdoor.Cadelspy, Backdoor.Remexi",,,, 2015-12-07,fin1-targets-boot-record,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.12.07.Thriving_Beyond_The_Operating_System/fin1-targets-boot-record.pdf,FireEye,,,,fin1,RU,,,,,,"BOOTRASH dropper, TDL4 (Olmarik), Necurs, Rovnix, KINS, Carberp, ROCKBOOT",Financial Institutions,,, 2015-12-08,Packrat_ Seven Years of a South American Threat Actor,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.12.08.Packrat/Packrat_%20Seven%20Years%20of%20a%20South%20American%20Threat%20Actor.pdf,Citizen Lab,,,,packrat,,Information theft and espionage,2008,"AR, BR, EC, VE",FALSE,"Spear Phishing, Social Engineering, Malicious Documents, Watering Hole","Adzok, AlienSpy","Government and Defense Agencies, Media and Entertainment Companies, Individuals",,, 
2015-12-10,Kaspersky_Evolution-of-Cyber-Threats-in-the-Corporate-Sector(Dec-10-2015),Evolution of Cyber Threats in the Corporate Sector,https://app.box.com/s/ql84nxbrheluzhi3bt7k48damnuz00u5,Kaspersky,,,,desert falcons,,,,"AE, AT, CH, DE, DZ, FR, JP, KZ, PS, RU, SI, US",TRUE,"Spear Phishing, Watering Hole, Exploit Vulnerability","Winnti rootkit, Carbanak, Wild Neutron, DarkHotel, Desert Falcons, Blue Termite, Grabit","Corporations and Businesses, Financial Institutions",,, 2015-12-13,elise-security-through-obesity.html,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.12.13.ELISE/elise-security-through-obesity.html.pdf,PricewaterhouseCoopers,"CVE-2014-4114, CVE-2015-3113",,"rule Lightserver_variant_B : Red_Salamander\n{\n meta:\n description = ""Elise lightserver variant.""\n author = ""PwC Cyber Threat Operations :: @michael_yip""\n version = ""1.0""\n created = ""2015-12-16""\n exemplar_md5 = ""c205fc5ab1c722bbe66a4cb6aff41190""\n strings:\n $json = /\\{\\""r\\"":\\""0-9{12}\\"",\\""l\\"":\\""0-9{12}\\"",\\""u\\"":\\""0-9\n{7}\\"",\\""m\\"":\\""0-9{12}\\""\\}/\n $mutant1 = ""Global\\\\{7BDACDEE-8BF6-4664-B946-D00FCFF1FFBA}""\n $mutant2 = ""{5947BACD-63BF-4e73-95D7-0C8A98AB95F2}""\n $serv1 = ""Server1=%s""\n $serv2 = ""Server2=%s""\n $serv3 = ""Server3=%s""\n condition:\n uint16(0) == 0x5A4D and ($json or $mutant1 or $mutant2 or all of ($serv*))\n}, rule Elise_lstudio_variant_B_resource\n{\nmeta:\ndescription = ""Elise lightserver variant.""\nauthor = ""PwC Cyber Threat Operations :: @michael_yip""\nversion = ""1.0""\ncreated = ""2015-12-16""\nexemplar_md5 = ""c205fc5ab1c722bbe66a4cb6aff41190""\n \ncondition:\nuint16(0) == 0x5A4D and for any i in (0..pe.number_of_resources - 1) :\n(pe.resourcesi.type_string ==\n""A\\x00S\\x00D\\x00A\\x00S\\x00D\\x00A\\x00S\\x00D\\x00A\\x00S\\x00D\\x00S\\x00A\\x00D\\x00"")\n}",lotus blossom,CN,"Espionage, Information theft and espionage",2012,TW,FALSE,"Spear Phishing, Malicious 
Documents","Microsoft Office, Elise variant, hlwyss.inf, WEB2013BW6.DAT, 60HGBC00.DAT","Education and Research Institutions, Individuals",,, 2015-12-15,Newcomers-in-the-Derusbi-family,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.12.15.Newcomers_in_the_Derusbi_family/Newcomers-in-the-Derusbi-family.pdf,Airbus Defence and Space Cybersecurity CSIRT,,,"rule derusbi_kernel\n{\n meta:\n description = ""Derusbi Driver version""\n date = ""2015-12-09""\n author = ""Airbus Defence and Space Cybersecurity CSIRT - Fabien Perigaud""\n strings:\n $token1 = ""$$$--Hello"" \n $token2 = ""Wrod--$$$"" \n $cfg = ""XXXXXXXXXXXXXXX""\n $class = "".?AVPCC_BASEMOD@@""\n $MZ = ""MZ""\n condition:\n $MZ at 0 and $token1 and $token2 and $cfg and $class\n}, rule derusbi_linux\n{\n meta:\n description = ""Derusbi Server Linux version""\n date = ""2015-12-09""\n author = ""Airbus Defence and Space Cybersecurity CSIRT - Fabien Perigaud""\n strings:\n $PS1 = ""PS1=RK# \\\\u@\\\\h:\\\\w \\\\$""\n $cmd = ""unset LS_OPTIONS;uname -a""\n $pname = ""diskio""\n $rkfile = ""/tmp/.secure""\n $ELF = ""\\x7fELF""\n condition:\n $ELF at 0 and $PS1 and $cmd and $pname and $rkfile\n}",,,,,,,,"Derusbi, GoodFET, Z-Wave, Sakula, BlackVine, PlugX",,,, 2015-12-16,Operation Black Atlas_Indicators_of_Compromise,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.12.16.Operation_Black_Atlas/Operation%20Black%20Atlas_Indicators_of_Compromise.pdf,Trend Micro,,,,,,,,,,,"Gorynych / Diamond Fox, NewPOSThings, PosHook, Kasidet, Spygate, BlackPOS, fgdump, PwnPOS, Alina (Spark), Alina (Joker), Alina (Katrina), Cardholder Data Discovery Tool, Spynet, CenterPOS, Kronos",,,, 
2015-12-16,operation-black-atlas-part-2-tools-and-malware-used-and-how-to-detect-them,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.12.16.Operation_Black_Atlas/operation-black-atlas-part-2-tools-and-malware-used-and-how-to-detect-them.pdf,Trend Micro,,,,,,,,,FALSE,Exploit Vulnerability,"Gorynych/Diamond Fox botnet, NewPOSThings, Neutrino, Kasidet, BlackPOS, CenterPOS, Project Hook, PwnPOS","Healthcare, Manufacturing, Corporations and Businesses",,, 2015-12-16,Operation_Black Atlas_Technical_Brief,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.12.16.Operation_Black_Atlas/Operation_Black%20Atlas_Technical_Brief.pdf,Trend Micro,,,,,,,,"AU, CH, CL, DE, GB, IN, TW, US",FALSE,Credential Reuse,"CRCK_PATCH, HKTL_RDPPatcher, Gorynych, BlackPOS, Medusa Parallel Network Login Auditor, Simple SMTP Scanner, Fast SYN Scanner, nVNC Scanner","Corporations and Businesses, Healthcare, Manufacturing",,, 2015-12-16,Fidelis_FTA_1020_Fidelis_Inocnation_FINAL(Dec-16-15),Dissecting the Malware Involved in the INOCNATION Campaign,https://app.box.com/s/dl6izicyky1x946ueo77nn2w8c5jxgm3,Fidelis Cybersecurity,,,"rule apt_win32_dll_rat_1a53b0cp32e46g0qio7\n{\n\t\nmeta:\n\t\n\t\nhash1 = “75d3d1f23628122a64a2f1b7ef33f5cf”\n\t\n\t\nhash2 = “d9821468315ccd3b9ea03161566ef18e”\n\t\n\t\nhash3 = “b9af5f5fd434a65d7aa1b55f5441c90a”\n\t\nstrings:\n\t\n\t\n// Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0;rv:11.0) like Gecko\n\t\n\t\n$ = { c7 2 64 00 63 00 c7 2 69 00 62 00 c7 2 7a 00 7e 00 c7 2 2d 00 43 00 c7 2 59 \n\n\t\n00 2d 00 c7 2 3b 00 23 00 c7 2 3e 00 36 00 c7 2 2d 00 5a 00 c7 2 42 00 5a 00 c7 2 3b 00 \t\n\t\n39 00 c7 2 36 00 2d 00 c7 2 59 00 7f 00 c7 2 64 00 69 00 c7 2 68 00 63 00 c7 2 79 00 22 \n\n\t\n00 c7 2 3a 00 23 00 c7 2 3d 00 36 00 c7 2 2d 00 7f 00 c7 2 7b 00 37 00 c7 2 3c 00 3c 00 \n\n\t\nc7 2 23 00 3d 00 c7 2 24 00 2d 00 c7 2 61 00 64 00 c7 2 66 00 68 00 c7 2 2d 00 4a 00 c7 \n\n\t\n2 68 00 6e 00 
c7 2 66 00 62 00 } // offset 10001566\n\t\n\t\n// Software\\Microsoft\\Windows\\CurrentVersion\\Run\n\t\n\t\n$ = { c7 2 23 00 24 00 c7 2 24 00 33 00 c7 2 38 00 22 00 c7 2 00 00 33 00 c7 2 24 \n\n\t\n00 25 00 c7 2 3f 00 39 00 c7 2 38 00 0a 00 c7 2 04 00 23 00 c7 2 38 00 00 00 c7 2 43 00 \n\n\t\n66 00 c7 2 6d 00 60 00 c7 2 67 00 52 00 c7 2 6e 00 63 00 c7 2 7b 00 67 00 c7 2 70 00 00 \n\n\t\n00 c7 2 43 00 4d 00 c7 2 44 00 00 00 c7 2 0f 00 43 00 c7 2 00 00 50 00 c7 2 49 00 4e 00 \n\n\t\nc7 2 47 00 00 00 c7 2 11 00 12 00 c7 2 17 00 0e 00 c7 2 10 00 0e 00 c7 2 10 00 0e 00 c7 \n\n\t\n2 11 00 06 00 c7 2 44 00 45 00 c7 2 4c 00 00 00 } // 10003D09\t\n\n\t\n\t\n$ = { 66 4-7 0d 40 83 f8 44 7c ?? }\n\t\n\t\n// xor\t\n\t\nword ptr ebp+eax*2+var_5C, 14h\n\t\n\t\n// inc\t\n\t\neax\n\t\n\t\n// cmp \t\neax, 14h\n\t\n\t\n// Loop to decode a static string. It reveals the “1a53b0cp32e46g0qio9” static string sent \nin the beacon\n\t\n\t\n$ = { 66 4-7 14 40 83 f8 14 7c ?? } // 100017F0\n\t\n\t\n$ = { 66 4-7 56 40 83 f8 2d 7c ?? } // 10003621\n\t\n\t\n$ = { 66 4-7 20 40 83 f8 1a 7c ?? } // 10003640\n\t\n\t\n$ = { 80 2-7 2e 40 3d 50 02 00 00 72 ?? 
} // 10003930\n\t\n\t\n$ = “%08x%08x%08x%08x” wide ascii\n\t\n\t\n$ = “WinHttpGetIEProxyConfigForCurrentUser” wide ascii\n\t\ncondition:\n\t\n(uint16(0) == 0x5A4D or uint32(0) == 0x4464c457f) and (all of them)\n}",,,,,,FALSE,Malicious Documents,"Cisco AnyConnect (used as a lure), Remote Access Tool (RAT)",Corporations and Businesses,,, 2015-12-17,APT28 Under the Scope A Journey into Exfiltrating Intelligence and Government Information,,https://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender_In-depth_analysis_of_APT28%E2%80%93The_Political_Cyber-Espionage.pdf,Bitdefender,CVE-2014-4076,,,apt28,RU,"Espionage, Information theft and espionage",2004,"BG, CA, ES, GB, IT, MX, PT, RO, RU, UA, US",FALSE,,"run.exe, xp.exe, svehost.exe, pr.dll, runrun.exe, api-ms-win-downlevel-profile-l1-1-0.dll","Government and Defense Agencies, Corporations and Businesses, Education and Research Institutions",,, 2015-12-18,attack-on-french-diplomat-linked-to-operation-lotus-blossom,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.12.18.Attack_on_Frence_Diplomat_Linked_To_Operation_Lotus_Blossom/attack-on-french-diplomat-linked-to-operation-lotus-blossom.pdf,Palo Alto,CVE-2014-6332,,,,,,,"FR, TW",FALSE,"Spear Phishing, Malicious Documents, Exploit Vulnerability","Emissary Trojan, Elise backdoor, LStudio",Government and Defense Agencies,,, 2015-12-20,The_EPS_Awakens_Part_2,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.12.20.EPS_Awakens_Part_II/The_EPS_Awakens_Part_2.pdf,FireEye,CVE-2015-1701,,,apt16,CN,"Espionage, Information theft and espionage",2015,"JP, TW",TRUE,"Spear Phishing, Malicious Documents","IRONHALO, ELMER, DOORJAMB, LOWBALL","Government and Defense Agencies, Corporations and Businesses, Financial Institutions, Media and Entertainment Companies",2015-11-26,2015-12-01,5.0 
2015-12-22,bbsrat-attacks-targeting-russian-organizations-linked-to-roaming-tiger,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2015/2015.12.22.BBSRAT_Roaming_Tiger/bbsrat-attacks-targeting-russian-organizations-linked-to-roaming-tiger.pdf,Palo Alto,CVE-2012-0158,,"rule bbsrat {\n meta:\n author = ""Tyler Halfpop""\n company = ""Palo Alto Networks""\n last_updated = ""12-16-15""\n \n strings:\n $sa0 = ""%ALLUSERSPROFILE%\\\\SSONSVR"" fullword wide\n $sa1 = ""%ALLUSERSPROFILE%\\\\Application Data\\\\SSONSVR"" fullword wide\n $sa2 = ""\\\\ssonsvr.exe"" fullword wide\n $oa0 = { 83 E8 01 88 0C 04 75 F8 8B 44 24 40 89 4C 24 18 89 4C 24 1C\n $oa1 = { 75 11 5F 5E B8 0D 00 00 00 5B 81 C4 ?? 07 00 00 C2 10 00 53\n $sb0 = ""%systemroot%\\\\Web\\\\""\n $sb1 = ""srvcl32.dll""\n $ob0 = { B8 67 66 66 66 F7 E9 D1 FA 8B C2 C1 E8 1F 03 C2 8D 04 80 \n $ob1 = { 8D 84 24 18 02 00 00 50 C7 84 24 1C 02 00 00 94 00 00 00 FF\n \n condition:\n uint16(0) == 0x5a4d and filesize < 300KB and (all of ($sa*) or all \n}",,,,,RU,FALSE,"Spear Phishing, Malicious Documents, Exploit Vulnerability","BBSRAT, PlugX",Government and Defense Agencies,,, 2015-12-31,Overseas Dark Inn organization launched an APT attack on executives of domestic enterprises,,https://web.archive.org/web/20160104165148/http://drops.wooyun.org/tips/11726,ThreatBook,CVE-2015-8651,,,darkhotel,KR,"Espionage, Information theft and espionage",2007,,TRUE,Exploit Vulnerability,"Update.exe, Trojan Downloader, mshta.exe, OpenSSL, SSH, Adobe Flash, RC4",Corporations and Businesses,,, 2016-01-03,ESET_BlackEnergy-by-the-SSHBearDoor(Jan-3-16),BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry,https://app.box.com/s/uo31npu9sese34f1ppggmrug48x7rlqp,ESET,,,,,,,,"PL, UA",,,"BlackEnergy, KillDisk, Dropbear SSH, VBS/Agent.AD trojan, Win32/SSHBearDoor.A trojan","Energy and Utilities, Media and Entertainment Companies",,, 
2016-01-06,potential-sample-of-malware-from-the-ukrainian-cyber-attack-uncovered,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.01.03.BlackEnergy_Ukrainian/Reference/potential-sample-of-malware-from-the-ukrainian-cyber-attack-uncovered.pdf,Dragos Security,,,,,,,,,,,BlackEnergy2,"Energy and Utilities, Critical Infrastructure",,, 2016-01-06,LM3-LipovskyCherepanov.xml,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.01.03.BlackEnergy_Ukrainian/Reference/LM3-LipovskyCherepanov.xml.pdf,ESET,CVE-2014-1761,,,,,,,"PL, UA",FALSE,"Spear Phishing, Exploit Vulnerability, Malicious Documents",BlackEnergy,"Corporations and Businesses, Government and Defense Agencies",,, 2016-01-06,blackenergy-trojan-strikes-again-attacks-ukrainian-electric-power-industry,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.01.03.BlackEnergy_Ukrainian/Reference/blackenergy-trojan-strikes-again-attacks-ukrainian-electric-power-industry.pdf,ESET,CVE-2014-4114,,,blackenergy gang,RU,,,UA,TRUE,"Spear Phishing, Social Engineering, Malicious Documents","BlackEnergy, KillDisk, SSHBearDoor, PowerPoint 0-day CVE-2014-4114","Energy and Utilities, Media and Entertainment Companies, Government and Defense Agencies",,, 2016-01-06,uisgcon11_2015#pic-5,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.01.03.BlackEnergy_Ukrainian/Reference/uisgcon11_2015%23pic-5.pdf,CyS Centrum LLC,,,,apt28,RU,"Espionage, Information theft and espionage",2004,"GB, UA, US",,"Watering Hole, Removable Media","Potao, Armageddon (based on RAT/RMS/UltraVNC)","Government and Defense Agencies, Financial Institutions, Critical Infrastructure",,, 2016-01-07,Clearsky_Operation-DustySky_TLP_WHITE(Jan-7-2016),Operation Dusty Sky,https://app.box.com/s/cydpeasz6l8cv9oo99o4tpazd5tq4xkm,ClearSky,,,,dustysky,PS,Information theft and espionage,2012,"AE, EG, IL, IQ, SA, 
US",FALSE,"Phishing, Malicious Documents",DustySky,"Government and Defense Agencies, Corporations and Businesses, Financial Institutions, Media and Entertainment Companies",2015-09-15,2015-12-29,105.0 2016-01-07,rigging-compromise.html,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.01.07.rigging-compromise/rigging-compromise.html.pdf,Cisco,CVE-2015-5119,,,,,,,,FALSE,Drive-by Download,"RIG exploit kit, CVE-2015-5119, defsrag.exe, dissdkchk.exe, systemrestore.exe",,,, 2016-01-07,operation-dustysky-notes,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.01.07.Operation_DustySky/operation-dustysky-notes.pdf,Kaspersky,,,,gaza cybergang,PS,Information theft and espionage,2012,,,,"xtremeRAT, Poison Ivy",,,, 2016-01-11,Arbor_Uncovering-the-Seven-Pointed-Dagger(Jan-11-16),Uncovering the Seven Pointed Dagger,https://app.box.com/s/z1uanuv1vn3vw5iket1r6bqrmlra0gpn,Arbor Networks,,,"rule evilgrab \n{ \n \n strings: \n $str1 = ""%cload crypt32.dll error"" \n $str2 = ""Outlook2003_HTTP"" \n $str3 = ""Outlook2002_HTTP"" 
\n \n $str4 = ""HTTP Server URL"" \n $str5 = ""Outlook2003_IMAP"" \n $str6 = ""Outlook2002_IMAP"" \n $str7 = ""%cget %s \s password error!"" \n $str8 = ""GetTcpTable failed with %d"" \n $str9 = """" \n $str10 = """" \n $str11 = ""%USERPROFILE%\\users.bin"" \n $str12 = ""%c%s|(%s)|%d|%s|%s|%s|%s|%s|%s|%s|%d|%d|%x|%x|%s|"" \n \n condition: \n 8 of them \n}, rule servantshell { \n \n strings: \n \n $string1 = ""SelfDestruction.cpp"" \n $string2 = ""SvtShell.cpp"" \n $string3 = ""InitServant"" \n $string4 = ""DeinitServant"" \n $string5 = ""CheckDT"" \n \n condition: all of them \n }",apt27,CN,"Espionage, Information theft and espionage",2010,MM,,Malicious Documents,"PowerShell, 9002 RAT",Non-Governmental Organizations (NGOs) and Nonprofits,2015-08-17,2015-12-10,115.0 2016-01-20,ESET_Cyberattacks-Ukrainian-power-industry(01-20-2016),New wave of cyberattacks against Ukrainian power industry,https://app.box.com/s/9wmebk32ymd1d6ryvl84wlqbpsi8rw5e,ESET,,,,blackenergy,RU,,,UA,FALSE,"Spear Phishing, Malicious Documents, Social Engineering","BlackEnergy malware, GCat backdoor, PyInstaller program, Python, VBA/TrojanDropper.Agent.EY, Win32/TrojanDownloader.Agent.CBC, Python/Agent.N",Energy and Utilities,2015-12-15,2016-01-19,35.0 2016-01-21,NetTraveler Spear-Phishing Email Targets Diplomat of Uzbekistan - Palo Alto Networks BlogPalo Alto Networks Blog,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.01.21.NetTraveler_Uzbekistan/NetTraveler%20Spear-Phishing%20Email%20Targets%20Diplomat%20of%20Uzbekistan%20-%20Palo%20Alto%20Networks%20BlogPalo%20Alto%20Networks%20Blog.pdf,Palo Alto,CVE-2012-0158,,,,,,,UZ,FALSE,"Spear Phishing, Exploit Vulnerability, Malicious Documents",NetTraveler Trojan,Government and Defense Agencies,,, 2016-01-24,PaloAlto_Scarlet-Mimic(Jan-24-16),Scarlet Mimic,https://app.box.com/s/zhour42vz6sxf7aws3oj70i1rd5ib8kx,Palo Alto,"CVE-2009-3129, CVE-2010-2572, CVE-2010-2883, CVE-2010-3333, CVE-2012-0158",,,scarlet 
mimic,CN,Information theft and espionage,2015,"CN, IN, RU",FALSE,"Spear Phishing, Watering Hole, Malicious Documents",,"Government and Defense Agencies, Non-Governmental Organizations (NGOs) and Nonprofits, Individuals",,, 2016-01-27,introducing-hi-zor-rat.html,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.01.27.Hi-Zor.RAT/introducing-hi-zor-rat.html.pdf,Fidelis Cybersecurity,,,,,,,,,FALSE,,"Hi-Zor RAT, Sakula Malware Family",,,, 2016-01-28,Kaspersky_BlackEnergy-APT-Attacks-in-Ukraine-employ-spearphishing-with-Word-documents(Jan-28-16),BlackEnergy APT Attacks in Ukraine employ spearphishing with Word documents,https://app.box.com/s/igygz8ihex1hok5r1dp215ui0gz1ghwr,Kaspersky,,,,blackenergy,RU,,,UA,,"Spear Phishing, Malicious Documents",BlackEnergy Trojans,"Government and Defense Agencies, Energy and Utilities, Media and Entertainment Companies, Critical Infrastructure",,, 2016-01-29,ICS-ALERT-14-281-01B,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.01.28.BlackEnergy_APT/reference/ICS-ALERT-14-281-01B.pdf,ICS-CERT,"CVE-2014-0751, CVE-2014-4114",,,sandworm,RU,"Espionage, Sabotage and destruction",2015,,TRUE,"Spear Phishing, Exploit Vulnerability","BlackEnergy, BE3, BE2",Critical Infrastructure,,, 2016-01-29,malicious-office-files-dropping-kasidet.html,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.01.29.Malicious_Office_files_dropping_Kasidet_and_Dridex/malicious-office-files-dropping-kasidet.html.pdf,Zscaler,"CVE-2013-0074, CVE-2013-2460, CVE-2013-2551, CVE-2013-3896, CVE-2014-0515, CVE-2014-4130, CVE-2014-6271, CVE-2014-6332, CVE-2015-0311, CVE-2015-0313, CVE-2015-0336, CVE-2015-310, CVE-2015-311, CVE-2015-5119, CVE-2015-5122, CVE-2015-5123",,,emissary panda,CN,"Espionage, Information theft and espionage",2010,,,Malicious Documents,"Dridex, Kasidet",Financial Institutions,,, 
2016-01-29,Right_Sector,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.01.28.BlackEnergy_APT/reference/Right_Sector.pdf,RSA,,,,right sector,,,,,,,,Government and Defense Agencies,,, 2016-01-29,RFBU,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.01.28.BlackEnergy_APT/reference/RFBU.pdf,SecureWorks,,,,,,,,"EE, GE",,,Black Energy,"Financial Institutions, Government and Defense Agencies",,, 2016-01-29,F5SOC_Tinbapore_Attack_January2016_29,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.01.29.Tinbapore_Attack/F5SOC_Tinbapore_Attack_January2016_29.pdf,Microsoft,,,,,,,,"ID, SG",,Website Equipping,"Tinbapore, IceSword",Financial Institutions,,, 2016-01-29,black-ddos,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.01.28.BlackEnergy_APT/reference/black-ddos.pdf,Kaspersky,,,,,,,,,,,Black Energy 2,,,, 2016-02-01,organized-cybercrime-big-in-japan-urlzone-now-on-the-scene,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.02.01.URLzone_Team/organized-cybercrime-big-in-japan-urlzone-now-on-the-scene.pdf,IBM,,,,urlzone,,,,JP,FALSE,"Phishing, Malicious Documents","Shifu, Rovnix, Dridex, Neverquest, URLZone",Financial Institutions,2015-12-15,2016-01-15,31.0 2016-02-01,massive-admedia-iframe-javascript-infection.html,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.02.01.Massive_Admedia_Adverting_iFrame_Infection/massive-admedia-iframe-javascript-infection.html.pdf,Sucuri Inc.,,,,,,,,,FALSE,"Drive-by Download, Website Equipping",,Corporations and Businesses,2015-12-22,2016-02-01,41.0 2016-02-03,PaloAlto_Emissary-Trojan-Changelog-Did-Operation-Lotus-Blossom-Cause-It-to-Evolve(Feb-03-16),Emissary Trojan Changelog: Did Operation Lotus Blossom Cause It To Evolve,https://app.box.com/s/oyqcfzoa1hfq5evuymj5bqfitkqlfp4v,Palo 
Alto,,,,,,,,"HK, TW",,"Spear Phishing, Watering Hole",Emissary Trojan,"Government and Defense Agencies, Education and Research Institutions, Corporations and Businesses",,, 2016-02-04,PaloAlto_T9000-Advanced-Modular-Backdoor-Uses-Complex-Anti-Analysis-Techniques(Feb-04-16),T9000: Advanced Modular Backdoor Uses Complex Anti Analysis Techniques,https://app.box.com/s/u9eldsgol20dmuw0nljeqo9nlw4r9ms7,Palo Alto,"CVE-2012-1856, CVE-2015-1641","T9000:N/A, T5000:N/A",,grand theft auto panda,,,,US,FALSE,"Exploit Vulnerability, Malicious Documents","T9000, T5000, WildFire, Traps, AutoFocus",Corporations and Businesses,,, 2016-02-04,PaloAlto_t9000-advanced-modular-backdoor-uses-complex-anti-analysis-techniques.2016.02.04,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.02.04_PaloAlto_T9000-Advanced-Modular-Backdoor/PaloAlto_t9000-advanced-modular-backdoor-uses-complex-anti-analysis-techniques.2016.02.04.pdf,Palo Alto,"CVE-2012-1856, CVE-2015-1641","T9000:N/A, T5000:N/A",,grand theft auto panda,,,,US,FALSE,"Exploit Vulnerability, Malicious Documents",", T9000, T5000, RTF File, QQMGr.dll, QQMGR.inf, ResN32.dat, ResN32.dll",Corporations and Businesses,,, 2016-02-09,poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.02.09_Poseidon_APT_Boutique/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage.pdf,Kaspersky,,,,poseidon group,BR,Information theft and espionage,2005,"AE, BR, FR, IN, KZ, RU, US",FALSE,"Spear Phishing, Malicious Documents","Poseidon, IGT (Information Gathering toolkit)","Corporations and Businesses, Financial Institutions, Energy and Utilities, Manufacturing, Media and Entertainment Companies, Government and Defense Agencies",,, 
2016-02-12,a-look-into-fysbis-sofacys-linux-backdoor,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.02.12.Fysbis_Sofacy_Linux_Backdoor/a-look-into-fysbis-sofacys-linux-backdoor.pdf,Palo Alto,CVE-2016-0728,,,apt28,RU,"Espionage, Information theft and espionage",2004,,TRUE,"Spear Phishing, Watering Hole, Exploit Vulnerability","Fysbis, CHOPSTICK","Corporations and Businesses, Cloud/IoT Services",,, 2016-02-23,Cylance_Op_Dust_Storm_Report(Feb-23-2016),Operation Duststorm,https://app.box.com/s/dt9mscechq7heg83z7vgujp5ujjzd97c,Cylance,"CVE-2011-0611, CVE-2011-1255, CVE-2014-0322",,,,,,,"JP, KR",TRUE,"Spear Phishing, Exploit Vulnerability, Malicious Documents","Misdat, S-Type backdoor",Critical Infrastructure,,, 2016-02-23,Dust_Storm_Infographic_v4,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.02.23.Operation_Dust_Storm/Dust_Storm_Infographic_v4.pdf,"Cylance, Inc.",,,,,,,,"JP, KR",TRUE,"Watering Hole, Phishing, Exploit Vulnerability","S-Type backdoor, Android backdoors","Corporations and Businesses, Financial Institutions, Energy and Utilities, Critical Infrastructure",,, 2016-02-24,Operation-Blockbuster-RAT-and-Staging-Report,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.02.24.Operation_Blockbuster/Operation-Blockbuster-RAT-and-Staging-Report.pdf,Novetta,,,,lazarus group,KP,"Information theft and espionage, Espionage, Sabotage and destruction, Sabotage, Financial crime",2014,,FALSE,"Credential Reuse, Exploit Vulnerability","Romeo-CoreOne, SierraJuliett-MikeOne (SJM1)",,,, 2016-02-24,Novetta_Operation-Blockbuster-Report(Feb-24-2016),Operation Blockbuster,https://app.box.com/s/rhn69xecfqe8k2abwmn43ilmd59y1we0,Novetta,CVE-2015-6585,,,lazarus group,KP,"Information theft and espionage, Espionage, Sabotage and destruction, Sabotage, Financial crime",2014,"CN, IN, JP, KR, TW, US",TRUE,Spear Phishing,,"Government and Defense Agencies, 
Financial Institutions, Media and Entertainment Companies, Critical Infrastructure",,, 2016-02-24,Operation-Blockbuster-Loaders-Installers-and-Uninstallers-Report,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.02.24.Operation_Blockbuster/Operation-Blockbuster-Loaders-Installers-and-Uninstallers-Report.pdf,Novetta,,,,lazarus group,KP,"Information theft and espionage, Espionage, Sabotage and destruction, Sabotage, Financial crime",2014,KR,,Spear Phishing,,Government and Defense Agencies,,, 2016-02-24,Operation-Blockbuster-Tools-Report,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.02.24.Operation_Blockbuster/Operation-Blockbuster-Tools-Report.pdf,Novetta,,,,lazarus group,KP,"Information theft and espionage, Espionage, Sabotage and destruction, Sabotage, Financial crime",2014,,,,"KiloAlfa, PapaAlfa, TangoAlfa, TangoBravo, TangoCharlie, TangoDelta, Uniform Uninstaller, Whiskey Destructive Malware (Wiper)",,,, 2016-02-24,Operation-Blockbuster-Destructive-Malware-Report,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.02.24.Operation_Blockbuster/Operation-Blockbuster-Destructive-Malware-Report.pdf,Novetta,,,,lazarus group,KP,"Information theft and espionage, Espionage, Sabotage and destruction, Sabotage, Financial crime",2014,IN,,,"Whiskey, Delta, DNS, UDP, ICMP, HTTP",,,, 2016-02-24,Operation-Blockbuster-Ex-Summary,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.02.24.Operation_Blockbuster/Operation-Blockbuster-Ex-Summary.pdf,Novetta,,,,lazarus group,KP,"Information theft and espionage, Espionage, Sabotage and destruction, Sabotage, Financial crime",2014,"KR, US",,,"DELTA DDoS, HOTEL HTTP Server, INDIA Installer, KILO Keylogger, PAPA Proxy, ROMEO RAT, SIERRA Spreader, TANGO Tool (Non-classed), LIMA Loader, UNIFORM Uninstaller, WHISKEY Destructive Malware (”Wiper”)","Government and Defense 
Agencies, Corporations and Businesses, Financial Institutions, Media and Entertainment Companies, Critical Infrastructure",,, 2016-02-29,TA_Fidelis_Turbo_1602_0,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.02.29.Turbo_Campaign_Derusbi/TA_Fidelis_Turbo_1602_0.pdf,Fidelis Cybersecurity,,,,shell crew,CN,"Financial crime, Information theft and espionage",2010,US,,,"Derusbi, wget, PlugX",Education and Research Institutions,,, 2016-03-01,Proofpoint_operation-transparent-tribe-threat-insight-en(Mar-01-16),Operation Transparent Tribe,https://app.box.com/s/2terwf3c3e8iunw8v7kj83p2zw44nns2,Proofpoint,CVE-2012-0158,,,,,,,IN,FALSE,"Spear Phishing, Watering Hole, Malicious Documents","MSIL/Crimson, Crimson RAT",Government and Defense Agencies,,, 2016-03-03,blackenergy-malware-analysis,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.03.03.Shedding_Light_BlackEnergy/blackenergy-malware-analysis.pdf,RecordedFuture,,,,,,,,,,,,,,, 2016-03-08,onion-dog-a-3-year-old-apt,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.03.08.OnionDog/onion-dog-a-3-year-old-apt.pdf,360,,,,oniondog,KP,"Espionage, Information theft and espionage",2013,"KP, KR",FALSE,"Spear Phishing, Exploit Vulnerability, Removable Media","USB disk, USB worm, Spear mail file, OnionDog Trojan, Hangul office software","Energy and Utilities, Critical Infrastructure",2013-10-15,2015-08-27,681.0 2016-03-08,APT-C-03-en,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.03.08.OnionDog/APT-C-03-en.pdf,Novetta,,,,"oniondog, lazarus group",KP; KP,"Espionage, Information theft and espionage; Information theft and espionage, Espionage, Sabotage and destruction, Sabotage, Financial crime",2013; 2014,KR,FALSE,"Exploit Vulnerability, Malicious Documents, Spear Phishing","HWP exploit file, Trojan, Onion.City Trojan, Test Trojan, Stuxnet, Black Energy, Lazarus 
Group, Operation OnionDog, USB Worm","Government and Defense Agencies, Corporations and Businesses, Financial Institutions, Energy and Utilities, Media and Entertainment Companies, Critical Infrastructure",,, 2016-03-09,wp-mandiant-matryoshka-mining,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.03.09.Operation_RussianDoll/wp-mandiant-matryoshka-mining.pdf,FireEye,CVE-2015-1701,,,,,,,,FALSE,,RussianDoll payload,Corporations and Businesses,,, 2016-03-09,Korean Energy and Transportation Targets Attacked by OnionDog APT,,http://news.softpedia.com/news/korean-energy-and-transportation-targets-attacked-by-oniondog-apt-501534.shtml,SOFTPEDIA® NEWS,,,,oniondog,KP,"Espionage, Information theft and espionage",2013,"KP, KR",FALSE,"Spear Phishing, Exploit Vulnerability","Trojan, USB worm, Hangul Word processing software","Energy and Utilities, Critical Infrastructure",,, 2016-03-10,shifting-tactics,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.03.10.shifting-tactics/shifting-tactics.pdf,Kaspersky,"CVE-2010-3333, CVE-2012-0158, CVE-2012-4969",,,scarlet mimic,CN,Information theft and espionage,2015,"CN, IN, RU",FALSE,"Spear Phishing, Exploit Vulnerability, Malicious Documents, Watering Hole","FakeM Custom SSL variant, Internet Explorer (CVE-2012-4969 vulnerability exploited)","Non-Governmental Organizations (NGOs) and Nonprofits, Government and Defense Agencies",,, 2016-03-14,proofpoint-threat-insight-carbanak-group-en,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.03.14.Carbanak_cybercrime_group/proofpoint-threat-insight-carbanak-group-en.pdf,Proofpoint,"CVE-2014-6352, CVE-2015-1641, CVE-2015-1701, CVE-2015-1770, CVE-2015-2545",,,fin7,RU,"Financial gain, Financial crime",2013,"AE, KW, LB, OM, US, YE",TRUE,"Spear Phishing, Malicious Documents, Exploit Vulnerability","Netwire, Spy.Sekur, jRAT, Toshliph, CyberGate, Locky, TeslaCrypt, 
CryptoWall, Raas, Critroni, Neurevt, Luminosity Link RAT","Financial Institutions, Media and Entertainment Companies, Critical Infrastructure",,, 2016-03-15,suckfly-revealing-secret-life-your-code-signing-certificates,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.03.15.Suckfly/suckfly-revealing-secret-life-your-code-signing-certificates.pdf,Symantec,CVE-2014-6332,,,suckfly,CN,Information theft and espionage,2014,"IN, KR",FALSE,Credential Reuse,"Nidiran, OLEVIEW.EXE, iviewers.dll, Korplug/Plug-x, Stuxnet","Government and Defense Agencies, Corporations and Businesses, Healthcare",,, 2016-03-17,PWC_Taiwan-Presidential-Election-A-Case-Study-on-Thematic-Targeting(Mar-17-2016),,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.03.17.Taiwan-election-targetting/PWC_Taiwan-Presidential-Election-A-Case-Study-on-Thematic-Targeting%28Mar-17-2016%29.pdf,PricewaterhouseCoopers,,,,sunorcal,,,,"CN, HK, TW",FALSE,"Spear Phishing, Malicious Documents","wget, iuso.exe, wthk.exe, SunOrcal malware, Surtr malware","Government and Defense Agencies, Education and Research Institutions",,, 2016-03-18,E-ISAC_SANS_Ukraine_DUC_5,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.03.18.Analysis_of_the_Cyber_Attack_on_the_Ukrainian_Power_Grid/E-ISAC_SANS_Ukraine_DUC_5.pdf,Kaspersky,,,,,,,,UA,FALSE,"Spear Phishing, Malicious Documents","BlackEnergy 3, Microsoft Office documents (Excel and Word), Virtual Private Networks (VPNs), Existing remote access tools, Serial-to-Ethernet communications devices, Modified KillDisk, UPS systems","Energy and Utilities, Critical Infrastructure",2015-03-20,2015-12-23,278.0 
2016-03-23,Indian-military-personnel-targeted-by-information-theft-campaign-cmajor,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.03.23.Operation_C_Major/Indian-military-personnel-targeted-by-information-theft-campaign-cmajor.pdf,Trend Micro,,,,,,,,IN,FALSE,Spear Phishing,"Visual Studio, VB#, .NET, securescan.exe, wservices.exe",Government and Defense Agencies,,, 2016-03-25,unit42-projectm-link-found-between-pakistani-actor-and-operation-transparent-tribe,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.03.25.ProjectM/unit42-projectm-link-found-between-pakistani-actor-and-operation-transparent-tribe.pdf,Palo Alto,"CVE-2010-3333, CVE-2012-0158",,,projectm,PK,Information theft and espionage,2013,IN,,"Spear Phishing, Watering Hole, Exploit Vulnerability, Malicious Documents","Crimson, Peppy, DarkComet, Bozok, Andromeda Trojan",Government and Defense Agencies,,, 2016-03-29,Symantec_Taiwan-targeted-cyberespionage-Trojan(03-29-2016),Taiwan targeted with new cyberespionage back door Trojan,https://app.box.com/s/xqh458fe1url7mgl072hhd0yxqw3x0jm,Symantec,,,,budminer,CN,Information theft and espionage,2008,"BR, TW, US",,Spear Phishing,"Dripion, Downloader.Blugger, Trojan.Taidoor",,,, 2016-04-07,"FBI Quietly Admits to Multi-Year APT Attack, Sensitive Data Stolen",,https://threatpost.com/fbi-quietly-admits-to-multi-year-apt-attack-sensitive-data-stolen/117267/,Threatpost,,,,apt6,CN,,,"CN, US",,"Spear Phishing, Malicious Documents","Poison Ivy remote access tool/Trojan, Customized malicious software","Government and Defense Agencies, Corporations and Businesses, Critical Infrastructure",,, 2016-04-12,Platinum feature article - Targeted attacks in South and Southeast Asia April 
2016,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.04.12.PLATINUM_Targeted_attacks_in_South_and_Southeast_Asia/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf,Microsoft,"CVE-2013-1331, CVE-2013-7331, CVE-2015-2545, CVE-2015-2546",,"rule Trojan_Win32_Plakpeer : Platinum \n{ \n meta: \n author = ""Microsoft"" \n description = ""Zc tool v2"" \n original_sample_sha1 = ""2155c20483528377b5e3fde004bb604198463d29"" \n unpacked_sample_sha1 = ""dc991ef598825daabd9e70bac92c79154363bab2"" \n activity_group = ""Platinum"" \n version = ""1.0"" \n last_modified = ""2016-04-12"" \n strings: \n $str1 = ""@@E0020(%d)"" wide \n $str2 = /exit.{0,3}@exit.{0,3}new.{0,3}query.{0,3}rcz.{0,3}scz/ wide \n $str3 = ""---###---"" wide \n $str4 = ""---@@@---"" wide \n \n \n condition: \n $str1 and $str2 and $str3 and $str4 \n}, rule Trojan_Win32_Placisc4 : Platinum \n{ \n meta: \n author = ""Microsoft"" \n description = ""Installer for Dipsind variant"" \n original_sample_sha1 = ""3d17828632e8ff1560f6094703ece5433bc69586"" \n unpacked_sample_sha1 = ""2abb8e1e9cac24be474e4955c63108ff86d1a034"" \n activity_group = ""Platinum"" \n version = ""1.0"" \n last_modified = ""2016-04-12"" \n strings: \n $str1 = {8D 71 01 8B C6 99 BB 0A 00 00 00 F7 FB 0F BE D2 0F BE 04 39 2B C2 88 04 \n39 84 C0 74 0A} \n $str2 = {6A 04 68 00 20 00 00 68 00 00 40 00 6A 00 FF D5} \n $str3 = {C6 44 24 ?? 64 C6 44 24 ?? 6F C6 44 24 ?? 67 C6 44 24 ?? 32 C6 44 24 ?? \n6A} \n \n condition: \n $str1 and $str2 and $str3 \n}, rule Trojan_Win32_Plagicom : Platinum \n{ \n meta: \n author = ""Microsoft"" \n description = ""Installer component"" \n original_sample_sha1 = ""99dcb148b053f4cef6df5fa1ec5d33971a58bd1e"" \n unpacked_sample_sha1 = ""c1c950bc6a2ad67488e675da4dfc8916831239a7"" \n activity_group = ""Platinum"" \n version = ""1.0"" \n last_modified = ""2016-04-12"" \n strings: \n $str1 = {C6 44 24 ?? 68 C6 44 24 ?? 
4D C6 44 24 ?? 53 C6 44 24 ?? 56 C6 44 24 ?? \n00} \n $str2 = ""OUEMM/EMM"" \n $str3 = {85 C9 7E 08 FE 0C 10 40 3B C1 7C F8 C3} \n \n condition: \n $str1 and $str2 and $str3 \n}, rule Trojan_Win32_Plakpers : Platinum \n{ \n meta: \n author = ""Microsoft"" \n description = ""Injector / loader component"" \n original_sample_sha1 = ""fa083d744d278c6f4865f095cfd2feabee558056"" \n unpacked_sample_sha1 = ""3a678b5c9c46b5b87bfcb18306ed50fadfc6372e"" \n activity_group = ""Platinum"" \n version = ""1.0"" \n last_modified = ""2016-04-12"" \n strings: \n $str1 = ""MyFileMappingObject"" \n $str2 = ""%.3u %s %s %s %s:"" wide \n $str3 = ""%s\\\\{%s}\\\\%s"" wide \n \n condition: \n $str1 and $str2 and $str3 \n}, rule Trojan_Win32_Placisc2 : Platinum \n{ \n meta: \n author = ""Microsoft"" \n description = ""Dipsind variant"" \n original_sample_sha1 = ""bf944eb70a382bd77ee5b47548ea9a4969de0527"" \n unpacked_sample_sha1 = ""d807648ddecc4572c7b04405f496d25700e0be6e"" \n activity_group = ""Platinum"" \n version = ""1.0"" \n last_modified = ""2016-04-12"" \n strings: \n $str1 = {76 16 8B D0 83 E2 07 8A 4C 14 24 8A 14 18 32 D1 88 14 18 40 3B C7 72 EA \n} \n $str2 = ""VPLRXZHTU"" \n $str3 = ""%d) Command:%s"" \n $str4 = {0D 0A 2D 2D 2D 2D 2D 09 2D 2D 2D 2D 2D 2D 0D 0A} \n \n condition: \n $str1 and $str2 and $str3 and $str4 \n}, rule Trojan_Win32_PlaKeylog_B : Platinum \n{ \n meta: \n author = ""Microsoft"" \n description = ""Keylogger component"" \n original_sample_sha1 = ""0096a3e0c97b85ca75164f48230ae530c94a2b77"" \n unpacked_sample_sha1 = ""6a1412daaa9bdc553689537df0a004d44f8a45fd"" \n activity_group = ""Platinum"" \n version = ""1.0"" \n last_modified = ""2016-04-12"" \n strings: \n $hook = {C6 06 FF 46 C6 06 25} \n $dasm_engine = {80 C9 10 88 0E 8A CA 80 E1 07 43 88 56 03 80 F9 05} \n \n condition: \n $hook and $dasm_engine \n}, rule Trojan_Win32_Plakelog : Platinum \n{ \n meta: \n author = ""Microsoft"" \n description = ""Raw-input based keylogger"" \n original_sample_sha1 = 
""3907a9e41df805f912f821a47031164b6636bd04"" \n unpacked_sample_sha1 = ""960feeb15a0939ec0b53dcb6815adbf7ac1e7bb2"" \n activity_group = ""Platinum"" \n version = ""1.0"" \n last_modified = ""2016-04-12"" \n \n strings: \n $str1 = ""<0x02>"" wide \n $str2 = ""CTR-BRK"" wide \n $str3 = ""/WIN"" wide \n $str4 = {8A 16 8A 18 32 DA 46 88 18 8B 15 08 E6 42 00 40 41 3B CA 72 EB 5E 5B} \n \n condition: \n $str1 and $str2 and $str3 and $str4 \n}, rule Trojan_Win32_Placisc3 : Platinum \n{ \n meta: \n author = ""Microsoft"" \n description = ""Dipsind variant"" \n original_sample_sha1 = ""1b542dd0dacfcd4200879221709f5fa9683cdcda"" \n unpacked_sample_sha1 = ""bbd4992ee3f3a3267732151636359cf94fb4575d"" \n activity_group = ""Platinum"" \n version = ""1.0"" \n last_modified = ""2016-04-12"" \n strings: \n $str1 = {BA 6E 00 00 00 66 89 95 ?? ?? FF FF B8 73 00 00 00 66 89 85 ?? ?? FF FF \nB9 64 00 00 00 66 89 8D ?? ?? FF FF BA 65 00 00 00 66 89 95 ?? ?? FF FF B8 6C 00 00 \n00} \n $str2 = ""VPLRXZHTU"" \n $str3 = {8B 44 24 ?? 
8A 04 01 41 32 C2 3B CF 7C F2 88 03} \n \n condition: \n $str1 and $str2 and $str3 \n}, rule Trojan_Win32_Plabit : Platinum \n{ \n meta: \n author = ""Microsoft"" \n description = ""Installer component"" \n sample_sha1 = ""6d1169775a552230302131f9385135d385efd166"" \n activity_group = ""Platinum"" \n version = ""1.0"" \n last_modified = ""2016-04-12"" \n strings: \n $str1 = {4b D3 91 49 A1 80 91 42 83 B6 33 28 36 6B 90 97} \n $str2 = ""GetInstanceW"" \n $str3 = {8B D0 83 E2 1F 8A 14 0A 30 14 30 40 3B 44 24 04 72 EE} \n \n condition: \n $str1 and $str2 and $str3 \n}, rule Trojan_Win32_Plaklog : Platinum \n{ \n meta: \n author = ""Microsoft"" \n description = ""Hook-based keylogger"" \n original_sample_sha1 = ""831a5a29d47ab85ee3216d4e75f18d93641a9819"" \n unpacked_sample_sha1 = ""e18750207ddbd939975466a0e01bd84e75327dda"" \n activity_group = ""Platinum"" \n version = ""1.0"" \n last_modified = ""2016-04-12"" \n \n strings: \n $str1 = ""++%s^^unknown^^%s++"" \n $str2 = ""vtfs43/emm"" \n $str3 = {33 C9 39 4C 24 08 7E 10 8B 44 24 04 03 C1 80 00 08 41 3B 4C 24 08 7C F0 \nC3} \n \n condition: \n $str1 and $str2 and $str3 \n}, rule Trojan_Win32_Plainst2 : Platinum \n{ \n meta: \n author = ""Microsoft"" \n description = ""Zc tool"" \n original_sample_sha1 = ""3f2ce812c38ff5ac3d813394291a5867e2cddcf2"" \n unpacked_sample_sha1 = ""88ff852b1b8077ad5a19cc438afb2402462fbd1a"" \n activity_group = ""Platinum"" \n version = ""1.0"" \n last_modified = ""2016-04-12"" \n strings: \n $str1 = ""Connected %s:%d..."" \n $str2 = ""reuse possible: %c"" \n $str3 = "" => %d%%\\x0a"" \n \n \n condition: \n $str1 and $str2 and $str3 \n}, rule Trojan_Win32_PlaLsaLog : Platinum \n{ \n meta: \n author = ""Microsoft"" \n description = ""Loader / possible incomplete LSA Password Filter"" \n original_sample_sha1 = ""fa087986697e4117c394c9a58cb9f316b2d9f7d8"" \n unpacked_sample_sha1 = ""29cb81dbe491143b2f8b67beaeae6557d8944ab4"" \n activity_group = ""Platinum"" \n version = ""1.0"" \n last_modified = ""2016-04-12"" \n 
strings: \n $str1 = {8A 1C 01 32 DA 88 1C 01 8B 74 24 0C 41 3B CE 7C EF 5B 5F C6 04 01 00 5E \n81 C4 04 01 00 00 C3} \n $str2 = ""PasswordChangeNotify"" \n \n condition: \n $str1 and $str2 \n}, rule Trojan_Win32_Plagon : Platinum \n{ \n meta: \n author = ""Microsoft"" \n description = ""Dipsind variant"" \n original_sample_sha1 = ""48b89f61d58b57dba6a0ca857bce97bab636af65"" \n unpacked_sample_sha1 = ""6dccf88d89ad7b8611b1bc2e9fb8baea41bdb65a"" \n activity_group = ""Platinum"" \n version = ""1.0"" \n last_modified = ""2016-04-12"" \n \n strings: \n $str1 = ""VPLRXZHTU"" \n $str2 = {64 6F 67 32 6A 7E 6C} \n $str3 = ""Dqpqftk(Wou\\""Isztk)"" \n $str4 = ""StartThreadAtWinLogon"" \n \n \n condition: \n $str1 and $str2 and $str3 and $str4 \n}, rule Trojan_Win32_Platual : Platinum \n{ \n meta: \n author = ""Microsoft"" \n description = ""Installer component"" \n original_sample_sha1 = ""e0ac2ae221328313a7eee33e9be0924c46e2beb9"" \n unpacked_sample_sha1 = ""ccaf36c2d02c3c5ca24eeeb7b1eae7742a23a86a"" \n activity_group = ""Platinum"" \n version = ""1.0"" \n last_modified = ""2016-04-12"" \n strings: \n $class_name = ""AVCObfuscation"" \n $scrambled_dir = { A8 8B B8 E3 B1 D7 FE 85 51 32 3E C0 F1 B7 73 99 } \n \n condition: \n $class_name and $scrambled_dir \n}, rule Trojan_Win32_PlaSrv : Platinum \n{ \n meta: \n author = ""Microsoft"" \n description = ""Hotpatching Injector"" \n original_sample_sha1 = ""ff7f949da665ba8ce9fb01da357b51415634eaad"" \n unpacked_sample_sha1 = ""dff2fee984ba9f5a8f5d97582c83fca4fa1fe131"" \n activity_group = ""Platinum"" \n version = ""1.0"" \n last_modified = ""2016-04-12"" 
\n strings: \n $Section_name = "".hotp1"" \n $offset_x59 = { C7 80 64 01 00 00 00 00 01 00 } \n \n condition: \n $Section_name and $offset_x59 \n}, rule Trojan_Win32_Plainst : Platinum \n{ \n meta: \n author = ""Microsoft"" \n description = ""Installer component"" \n original_sample_sha1 = ""99c08d31af211a0e17f92dd312ec7ca2b9469ecb"" \n unpacked_sample_sha1 = ""dcb6cf7cf7c8fdfc89656a042f81136bda354ba6"" \n activity_group = ""Platinum"" \n version = ""1.0"" \n last_modified = ""2016-04-12"" \n strings: \n $str1 = {66 8B 14 4D 18 50 01 10 8B 45 08 66 33 14 70 46 66 89 54 77 FE 66 83 7C \n77 FE 00 75 B7 8B 4D FC 89 41 08 8D 04 36 89 41 0C 89 79 04} \n $str2 = {4b D3 91 49 A1 80 91 42 83 B6 33 28 36 6B 90 97} \n \n condition: \n $str1 and $str2 \n}, rule Trojan_Win32_Dipsind_B : Platinum \n{ \n meta: \n author = ""Microsoft"" \n description = ""Dipsind Family"" \n sample_sha1 = ""09e0dfbb5543c708c0dd6a89fd22bbb96dc4ca1c"" \n activity_group = ""Platinum"" \n version = ""1.0"" \n last_modified = ""2016-04-12"" \n strings: \n $frg1 = {8D 90 04 01 00 00 33 C0 F2 AE F7 D1 2B F9 8B C1 8B F7 8B FA C1 E9 02 F3 \nA5 8B C8 83 E1 03 F3 A4 8B 4D EC 8B 15 ?? ?? ?? ?? 89 91 ?? 
07 00 00 } \n $frg2 = {68 A1 86 01 00 C1 E9 02 F3 AB 8B CA 83 E1 03 F3 AA} \n $frg3 = {C0 E8 07 D0 E1 0A C1 8A C8 32 D0 C0 E9 07 D0 E0 0A C8 32 CA 80 F1 63} \n \n condition: \n $frg1 and $frg2 and $frg3 \n}, rule Trojan_Win32_Plaplex : Platinum \n{ \n meta: \n author = ""Microsoft"" \n description = ""Variant of the JPin backdoor"" \n original_sample_sha1 = ""ca3bda30a3cdc15afb78e54fa1bbb9300d268d66"" \n unpacked_sample_sha1 = ""2fe3c80e98bbb0cf5a0c4da286cd48ec78130a24"" \n activity_group = ""Platinum"" \n version = ""1.0"" \n last_modified = ""2016-04-12"" \n strings: \n $class_name1 = ""AVCObfuscation"" \n $class_name2 = ""AVCSetiriControl"" \n \n condition: \n $class_name1 and $class_name2 \n}, rule Trojan_Win32_Adupib : Platinum \n{ \n meta: \n author = ""Microsoft"" \n description = ""Adupib SSL Backdoor"" \n original_sample_sha1 = ""d3ad0933e1b114b14c2b3a2c59d7f8a95ea0bcbd"" \n unpacked_sample_sha1 = ""a80051d5ae124fd9e5cc03e699dd91c2b373978b"" \n activity_group = ""Platinum"" \n version = ""1.0"" \n last_modified = ""2016-04-12"" \n strings: \n $str1 = ""POLL_RATE"" \n $str2 = ""OP_TIME(end hour)"" \n $str3 = ""%d:TCP:*:Enabled"" \n $str4 = ""%sPwFF_cfg%d"" \n $str5 = ""Fake_GetDlgItemTextW: ***value***="" \n \n condition: \n $str1 and $str2 and $str3 and $str4 and $str5 \n}, rule Trojan_Win32_Plapiio : Platinum \n{ \n meta: \n author = ""Microsoft"" \n description = ""JPin backdoor"" \n original_sample_sha1 = ""3119de80088c52bd8097394092847cd984606c88"" \n unpacked_sample_sha1 = ""3acb8fe2a5eb3478b4553907a571b6614eb5455c"" \n activity_group = ""Platinum"" \n version = ""1.0"" \n last_modified = ""2016-04-12"" \n strings: \n $str1 = ""ServiceMain"" \n $str2 = ""Startup"" \n $str3 = {C6 45 ?? 68 C6 45 ?? 4D C6 45 ?? 53 C6 45 ?? 56 C6 45 ?? 6D C6 45 ?? 
6D} \n \n condition: \n $str1 and $str2 and $str3 \n}",platinum,,Information theft and espionage,2009,"CN, ID, IN, MY, SG, TH",TRUE,"Spear Phishing, Drive-by Download, Malicious Documents, Exploit Vulnerability","Dipsind, port-knocking backdoor",Government and Defense Agencies,,, 2016-04-15,Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.04.15.pandas_and_bears/Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM.pdf,CrowdStrike,,,,eloquent panda,CN,,,,,Spear Phishing,,"Government and Defense Agencies, Corporations and Businesses, Financial Institutions, Energy and Utilities",,, 2016-04-18,between-hong-kong-and-burma,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.04.18.UP007/between-hong-kong-and-burma.pdf,Citizen Lab,,,,,,,,"CN, HK, MM, TH",,"Spear Phishing, Malicious Documents","UP007, SLServer, Trochilus RAT, Security-Patch-Update.exe, fzyy.exe, runas.exe, nvsvc.exe","Non-Governmental Organizations (NGOs) and Nonprofits, Individuals",,, 2016-04-21,teaching-an-old-rat-new-tricks,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.04.21.Teaching_an_old_RAT_new_tricks/teaching-an-old-rat-new-tricks.pdf,SentinelOne,,,,,,,,,FALSE,"Malicious Documents, Drive-by Download","RATs (Remote Access Trojans), SentinelOne EPP, Benchmark .NET DLL, PerfWatson.exe, System.Reflection.Assembly.Load(byte[])",,,, 2016-04-21,unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.04.21.New_Poison_Ivy_RAT_Variant_Targets_Hong_Kong/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists.pdf,Palo Alto,"CVE-2014-4114, CVE-2015-2545",,,apt18,CN,"Espionage, Information theft and 
espionage",2009,"HK, MM",FALSE,"Spear Phishing, Malicious Documents","Poison Ivy RAT, RasTls.exe, ssMUIDLL.dll, SPIVY","Media and Entertainment Companies, Education and Research Institutions, Non-Governmental Organizations (NGOs) and Nonprofits",,, 2016-04-21,TrendMicro_NetherlandsCyberAttack_Appendix(04-21-2016),Looking Into a Cyber-Attack Facilitator in the Netherlands (Appendix),https://app.box.com/s/1vjcdqrpcvtb5fqfehk3ehxj6qh8eaf0,Trend Micro,,,,apt28,RU,"Espionage, Information theft and espionage",2004,"AE, BG, EE, IT, KW, ME, NL, PL, QA, RU, SA, TR, US",FALSE,"Exploit Vulnerability, Spear Phishing, Phishing",,"Government and Defense Agencies, Corporations and Businesses",,, 2016-04-21,TrendMicro_NetherlandsCyberAttack(04-21-2016),Looking Into a Cyber-Attack Facilitator in the Netherlands,https://app.box.com/s/ub5txv2ky12s7kuuv7d1vzqvkympepaq,Trend Micro,,,,apt28,RU,"Espionage, Information theft and espionage",2004,"AE, BG, EG, GR, IL, ME, MY, PL, QA, RO, SA, TR, UA",,"Phishing, Spear Phishing, Exploit Vulnerability",,"Government and Defense Agencies, Financial Institutions",,, 2016-04-22,Cylance_The_Ghost_Dragon(04-22-2016),The Ghost Dragon,https://app.box.com/s/xr1ykgout1c9ho5rotpop09smkawg5me,Cylance,,,,ghost dragon,,,,"CN, RU",,Malicious Documents,"Gh0st RAT variant, Downloader",,,, 2016-04-25,BAESystems_SSA-Two-bytes-to-951m(04-25-2016),Two Bytes to $951M,https://app.box.com/s/49t6zpzjln2vvm2npdnzwtr0hkrxq37v,BAE Systems,,,,,,,,,FALSE,,"evtdiag.exe, evtsys.exe, nroff_b.exe, gpca.dat, SWIFT Alliance Access, Oracle Database, nroff.exe, Printer Command Language (PCL), HP LaserJet 400 M401",Financial Institutions,2016-02-04,2016-02-06,2.0 2016-04-26,Cyber warfare_ Iran opens a new front - FT,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.04.26.Iran_Opens_a_New_Front/Cyber%20warfare_%20Iran%20opens%20a%20new%20front%20-%20FT.pdf,Financial Times (FT),,,,rocket kitten,IR,"Espionage, Information theft and 
espionage",2011,"CA, IL, IR, KR, SA, US",,Spear Phishing,"Oyun, Custom-built malware","Government and Defense Agencies, Critical Infrastructure, Energy and Utilities",,, 2016-04-26,"New Poison Ivy Activity Targeting Myanmar, Asian Countries",,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.04.26.New_Poison_Ivy_Activity_Targeting_Myanmar_Asian_Countries/New%20Poison%20Ivy%20Activity%20Targeting%20Myanmar%2C%20Asian%20Countries.pdf,Arbor Networks,,,,black peace,,,,MM,FALSE,,"PIVY, ActiveUpdate.dll, Active.dat, rundll32.exe, Win32/Korplug.I[F-I] variant.",Government and Defense Agencies,,, 2016-04-27,Freezer Paper around Free Meat - Securelist,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.04.27.Repackaging_Open_Source_BeEF/Freezer%20Paper%20around%20Free%20Meat%20-%20Securelist.pdf,Kaspersky,,,,newsbeef,IR,Espionage,,"BR, CN, DE, DZ, GB, IN, JP, KZ, RO, RU, TR, UA",,"Watering Hole, Exploit Vulnerability","Metasploit, PowerSploit, BeEF (Browser Exploitation Framework), Evercookie","Government and Defense Agencies, Corporations and Businesses, Education and Research Institutions, Media and Entertainment Companies",,, 2016-05-02,Fidelis_Turbo-Twist-Two-64-bit-Derusbi-Strains-Converge(May-2-16),Turbo Twist: Two 64-bit Derusbi Strains Converge,https://app.box.com/s/ex6wh2qsg1c29sob6f70x1q6eoe3v64w,Fidelis Cybersecurity,,,,sunshop group,CN,"Espionage, Information theft and espionage",2013,,,,"Derusbi, Bergard APT malware","Government and Defense Agencies, Corporations and Businesses, Healthcare, Media and Entertainment Companies",,, 2016-05-02,PaloAlto_PrinceofPersiaInfyMalware(05-02-2016),Prince of Persia: Infy Malware Active In Decade of Targeted Attacks,https://app.box.com/s/zkjmru7uknf1p90mqn81ycf867le78tn,Palo Alto,,,,,,,,"DK, IR",FALSE,"Spear Phishing, Malicious Documents, Social Engineering","Win32/Tuax.A, W32/ADOKOOB, Win32/Cloptern.A & B, TR/Graftor.106254, TR/Spy.Arpnatis.A, 
Win32/Skeeyah.A!bit, Infy, Maltego","Government and Defense Agencies, Corporations and Businesses, Individuals",,, 2016-05-02,goznym-malware,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.05.02.GOZNYM_MALWARE/goznym-malware.pdf,Team Cymru,,,,goznym,,,,,,"Phishing, Malicious Documents",GOZNYM,Financial Institutions,,, 2016-05-06,exploring-cve-2015-2545-and-its-users.html,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.05.06_Exploring_CVE-2015-2545/exploring-cve-2015-2545-and-its-users.html.pdf,PricewaterhouseCoopers,CVE-2015-2545,,,,,,,,TRUE,"Malicious Documents, Exploit Vulnerability",,"Education and Research Institutions, Government and Defense Agencies",,, 2016-05-06,PwC_Exploring_CVE-2015-2545(05-06-2016),Exploring CVE-2015-2545 and its users,https://app.box.com/s/g9pew9ajkp259c2t99mh4xspsev61hgm,PricewaterhouseCoopers,CVE-2015-2545,,,,,,,,TRUE,Malicious Documents,,,,, 2016-05-09,2016_005_001_454247,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.05.09_ICS_Threat_Analysis/2016_005_001_454247.pdf,Software Engineering Institute,"CVE-2012-1823, CVE-2012-2336, CVE-2013-5122, CVE-2014-6271",,,,,,,,FALSE,Exploit Vulnerability,Bookworm Trojan,Critical Infrastructure,,, 2016-05-10,tinyPOS_tinyloader,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.05.10.tinyPOS_tinyloader/tinyPOS_tinyloader.pdf,Trend Micro,"CVE-2016-0128, CVE-2016-2118",,,,,,,US,,Exploit Vulnerability,"TinyLoader, AbaddonPOS, TinyPOS, Locky Ransomware, DRIDEX, QAKBOT, BlackEnergy, KillDisk","Corporations and Businesses, Financial Institutions, Critical Infrastructure",,, 2016-05-10,tinypos-abaddonpos-ties-to-tinyloader,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.05.10.tinyPOS_tinyloader/tinypos-abaddonpos-ties-to-tinyloader.pdf,Trend Micro,,,,,,,,US,,,"TinyLoader, AbaddonPOS, 
TinyPOS, MalumPOS, RawPOS","Corporations and Businesses, Healthcare, Manufacturing, Education and Research Institutions, Government and Defense Agencies",,, 2016-05-17,Symantec_Indian-organizations-targeted-in-Suckfly-attacks(5-17-16),Indian organizations targeted in Suckfly attacks,https://app.box.com/s/nekeu5y0v2yk4rdwpuq8y1ahyyuaduen,Symantec,CVE-2014-6332,,,suckfly,CN,Information theft and espionage,2014,"IN, SA",FALSE,Exploit Vulnerability,"Nidiran back door, Custom dropper, Signed credential-dumping tool, Hacktools","Government and Defense Agencies, Corporations and Businesses, Financial Institutions, Healthcare",,, 2016-05-17,indian-organizations-targeted-suckfly-attacks,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.05.17.Indian_organizations_targeted_in_Suckfly_attacks/indian-organizations-targeted-suckfly-attacks.pdf,Symantec,CVE-2014-6332,,,suckfly,CN,Information theft and espionage,2014,"IN, SA",FALSE,Exploit Vulnerability,"Nidiran back door, dllhost.exe, iviewers.dll, msfled","Government and Defense Agencies, Corporations and Businesses, Financial Institutions, Healthcare",,, 2016-05-17,fox-it_mofang_threatreport_tlp-white,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.05.17.Mofang/fox-it_mofang_threatreport_tlp-white.pdf,fox-it,,,"rule shimratreporter\n{\n meta:\n description = ""Detects ShimRatReporter""\n author = ""Yonathan Klijnsma (yonathan.klijnsma@fox-it.com)""\n date = ""20/11/2015""\n strings:\n $IpInfo = ""IP-INFO""\n $NetworkInfo = ""Network-INFO""\n $OsInfo = ""OS-INFO""\n $ProcessInfo = ""Process-INFO""\n $BrowserInfo = ""Browser-INFO""\n $QueryUserInfo = ""QueryUser-INFO""\n $UsersInfo = ""Users-INFO""\n $SoftwareInfo = ""Software-INFO""\n $AddressFormat = ""%02X-%02X-%02X-%02X-%02X-%02X""\n $proxy_str = ""(from environment) = %s""\n $netuserfun = ""NetUserEnum""\n $networkparams = ""GetNetworkParams""\n condition:\n all of them\n}, rule 
shimrat\n{\n meta:\n description = ""Detects ShimRat and the ShimRat loader""\n author = ""Yonathan Klijnsma (yonathan.klijnsma@fox-it.com)""\n date = ""20/11/2015""\n \n strings:\n $dll = ""\n.dll""\n $dat = ""\n.dat""\n $headersig = ""QWERTYUIOPLKJHG""\n $datasig = ""MNBVCXZLKJHGFDS""\n $datamarker1 = ""Data$$00""\n $datamarker2 = ""Data$$01%c%sData""\n $cmdlineformat = ""ping localhost -n 9 /c %s > nul""\n $demoproject_keyword1 = ""Demo""\n $demoproject_keyword2 = ""Win32App""\n $comspec = ""COMSPEC""\n $shim_func1 = ""ShimMain""\n $shim_func2 = ""NotifyShims""\n $shim_func3 = ""GetHookAPIs""\n condition:\n ($dll and $dat and $headersig and $datasig) or ($datamarker1 and $datamarker2) or \n($cmdlineformat and $demoproject_keyword1 and $demoproject_keyword2 and $comspec) or ($dll \nand $dat and $shim_func1 and $shim_func2 and $shim_func3)\n}",mofang,CN,Espionage,,"CA, DE, IN, KR, MM, SG, US",FALSE,"Spear Phishing, Social Engineering","ShimRat, ShimRatReporter","Government and Defense Agencies, Corporations and Businesses, Critical Infrastructure, Manufacturing",,, 2016-05-17,ESET_Operation-Groundbait(5-17-16),Operation Groundbait:Analysis of a surveillance toolkit,https://app.box.com/s/hq5t0xjxxbkeulf942ufeiyf3k4zq9b6,ESET,,,,,,,,"BE, RU, TJ, UA",FALSE,"Spear Phishing, Malicious Documents","Prikormka, Win32/Prikormka, Win64/Prikormka",Government and Defense Agencies,,, 2016-05-22,targeted_attacksaga.html,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.05.22.Targeted_Attacks_Against_Banks_in_Middle_East/targeted_attacksaga.html.pdf,FireEye,,,,,,,,,FALSE,"Spear Phishing, Malicious Documents",,Financial Institutions,,, 2016-05-22,operation-ke3chang-resurfaces-with-new-tidepool-malware,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.05.22.Operation_Ke3chang_Resurfaces_With_New_TidePool_Malware/operation-ke3chang-resurfaces-with-new-tidepool-malware.pdf,Palo 
Alto,CVE-2015-2545,,,ke3chang,CN,"Espionage, Information theft and espionage",2010,IN,FALSE,"Spear Phishing, Exploit Vulnerability, Malicious Documents","TidePool, Danti Downloader, BS2005",Government and Defense Agencies,,, 2016-05-23,GovCERTch_Report_Ruag_Espionage_Case(5-23-16),APT Case RUAG Technical Report,https://app.box.com/s/rabwkf8pmoxndj0n0nlktvc2eti2381k,GovCERT.ch,,,,turla,RU,"Espionage, Information theft and espionage",1996,,,"Watering Hole, Spear Phishing, Social Engineering, Exploit Vulnerability",Turla family,"Government and Defense Agencies, Corporations and Businesses",,, 2016-05-23,APT Case RUAG - Technical Report,,https://www.govcert.ch/downloads/whitepapers/Report_Ruag-Espionage-Case.pdf,MELANI GovCERT,,,,,,,,,,,,"Critical Infrastructure, Government and Defense Agencies",,, 2016-05-24,PaloAlto_New- Wekby-Attacks-Use- DNS-Requests- As- Command-and- Control- Mechanism(5-24-16),New Wekby Attacks Use DNS Requests As Command and Control Mechanism,https://app.box.com/s/5dcx9g1lrt3m9y2wgmxpyiv4malmdnpp,Palo Alto,,,,wekby,CN,"Espionage, Information theft and espionage",2009,,,Exploit Vulnerability,"pisloader, HTTPBrowser","Healthcare, Critical Infrastructure, Manufacturing, Government and Defense Agencies, Cloud/IoT Services",,, 2016-05-25,Kaspersky_CVE-2015-2545_overview-of-current-threats(5-25-16),CVE-2015-2545: overview of current threats,https://app.box.com/s/ztb6a52hkbenfurrecc3jifk9b67ie79,Kaspersky,"CVE-2015-1701, CVE-2015-2545",,,danti,,,,"IN, KG, KZ, TJ, TM, UZ",TRUE,"Spear Phishing, Malicious Documents, Exploit Vulnerability","PoisonIvy, Danti Trojans",Government and Defense Agencies,,, 2016-05-26,Symantec_SWIFT-malware-linked-financial-attacks(05-26-2016),SWIFT attackers' malware linked to more financial attacks,https://app.box.com/s/hg658zohnowfcj62ofyt4av99xucdq0q,Symantec,,,,lazarus group,KP,"Information theft and espionage, Espionage, Sabotage and destruction, Sabotage, Financial crime",2014,"EC, KR, US",,,"Backdoor.Fimlis, 
Backdoor.Fimlis.B, Backdoor.Contopee, Trojan.Banswift, msoutc.exe, Backdoor.Destover","Financial Institutions, Media and Entertainment Companies",,, 2016-05-26,the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.05.26.OilRig_Campaign/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor.pdf,Palo Alto,CVE-2015-7547,,,,,,,SA,FALSE,"Spear Phishing, Social Engineering, Malicious Documents","Helminth, Clayslide, VBScript, PowerShell","Financial Institutions, Corporations and Businesses, Government and Defense Agencies",,, 2016-05-27,ixeshe-derivative-iheate-targets-users-america,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.05.27.IXESHE_Derivative_IHEATE_Targets_Users_in_America/ixeshe-derivative-iheate-targets-users-america.pdf,Trend Micro,,,,,,,,"DE, US",,Malicious Documents,"IHEATE, IXESHE","Corporations and Businesses, Government and Defense Agencies, Media and Entertainment Companies",,, 2016-05-27,TrendMicro_IXESHE_IHEATE(05-27-2016),IXESHE Derivative IHEATE Targets Users in America,https://app.box.com/s/8glps1qnq0glc2c2b2wsmeb4019f9wpd,Trend Micro,,,,,,,,"DE, US",FALSE,Malicious Documents,BKDR_IHEATE,"Government and Defense Agencies, Corporations and Businesses, Manufacturing, Media and Entertainment Companies",,, 2016-05-29,CitizenLab-Stealth_Falcon(05-29-2016),Stealth Falcon,https://app.box.com/s/is08b06f6fj6a9z6wymf4u5y5xjm6opr,Citizen Lab,,,,stealth falcon,AE,"Espionage, Information theft and espionage",2012,AE,,"Social Engineering, Spear Phishing","QuasarRAT, OracleJavaUpdater.ps1","Non-Governmental Organizations (NGOs) and Nonprofits, Individuals, Media and Entertainment Companies",2015-11-15,2016-05-15,182.0 2016-06-02,Suckfly APT,,https://exchange.xforce.ibmcloud.com/collection/Suckfly-APT-aa8af56fd12d25c98fc49ca5341160ab,IBM Security,,,,,,,,,,,,,,, 
2016-06-02,fastPOS-quick-and-easy-credit-card-theft (1),,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.06.02.fastpos-quick-and-easy-credit-card-theft/fastPOS-quick-and-easy-credit-card-theft%20%281%29.pdf,Trend Micro,,,"rule PoS_Malware_fastpos : FastPOS \n{ \nmeta: \n author = ""Trend Micro, Inc."" \n date = ""2016-05-18"" \n description = ""Used to detect FastPOS keyloggger + scraper"" \n sample_filetype = ""exe"" \nstrings: \n $string1 = ""uniqyeidclaxemain"" \n $string2 = ""http://%s/cdosys.php"" \n $string3 = ""SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion"" \n $string4 = ""\\\\The Hook\\\\Release\\\\The Hook.pdb"" nocase \ncondition: \n all of ($string*) \n}",,,,,"BR, FR, GB, JP, KR, PH, US",FALSE,"Watering Hole, Credential Reuse","FastPOS, TSPY_FASTPOS.SMZTDA","Corporations and Businesses, Critical Infrastructure",2015-09-27,2016-03-13,168.0 2016-06-02,FireEye_IRONGATE_ICS(06-02-2016),IRONGATE ICS Malware: Nothing to See Here...Masking Malicious Activity on SCADA Systems,https://app.box.com/s/6s871m2xa63x4ru8glto9crcv6kk8jor,FireEye,,,,,,,,,FALSE,,"IRONGATE, NirSoft NetResView version 1.27, PyInstaller, Siemens PLCSIM, S7ProSim",Critical Infrastructure,,, 2016-06-03,Fireeye_Spear-Phishing-Indian-Government-Officials(06-03-2016),Apt Group Sends Spear Phishing Emails To Indian Government Officials,https://app.box.com/s/5hn3fparz8n2bmjpwzvxbds7gcnb7kum,FireEye,CVE-2012-0158,,,transparent tribe,PK,Information theft and espionage,2013,IN,FALSE,"Spear Phishing, Malicious Documents","Breach Remote Administration Tool (BreachRAT), DarkComet, NJRAT",Government and Defense Agencies,2016-02-15,2016-05-18,93.0 2016-06-04,CrowdStrike_BearsintheMidst_DNC(06-04-2016),Bears in the Midst: Intrusion into the Democratic National Committee,https://app.box.com/s/x5sz7dw4as54b1rif3mdtqwzzj2aek68,CrowdStrike,,,,"apt29, apt28",RU; RU,"Espionage, Information theft and espionage; Espionage, Information theft and espionage",2008; 
2004,"BR, CA, CN, GE, IR, JP, KG, KR, KZ, MX, MY, NZ, TJ, TM, TR, US, UZ",,Spear Phishing,"MimiKatz, X-Agent, X-Tunnel, RemCOM, wevtutil, MiniDionis, SeaDaddy, py2exe, Powershell backdoor, Windows Management Instrumentation (WMI)","Government and Defense Agencies, Corporations and Businesses, Financial Institutions, Energy and Utilities, Manufacturing, Education and Research Institutions, Media and Entertainment Companies",,, 2016-06-09,Microsoft_DUBNIUM(06-09-2016),Reverse-engineering DUBNIUM,https://app.box.com/s/f0xelxxs6ey9nms9fox1uugy8nuof40t,Microsoft,,,,dubnium,KR,"Espionage, Information theft and espionage",2007,CN,TRUE,"Spear Phishing, Social Engineering, Exploit Vulnerability","DUBNIUM, VMware, Virtualbox, Cuckoo Sandbox, PIN tool, DynamoRIO",,,, 2016-06-09,Operation-DustySky2_-6.2016_TLP_White,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.06.09.Operation_DustySky_II/Operation-DustySky2_-6.2016_TLP_White.pdf,C. S. Consultings Ltd,,,,,,,,"AE, EG, IL, PS, SA, US",FALSE,"Spear Phishing, Social Engineering, Malicious Documents","DustySky, Poison ivy, Nano Core, XtremeRAT, DarkComet, Spy-Net","Government and Defense Agencies, Corporations and Businesses, Education and Research Institutions, Individuals",2016-04-15,2016-04-23,8.0 2016-06-14,PaloAlto_SofacyUSGov(06-14-2016),New Sofacy Attacks Against US Government Agency,https://app.box.com/s/49rs6u4cyq43khamdah90y9zyacjzmbr,Palo Alto,CVE-2015-1641,,,apt28,RU,"Espionage, Information theft and espionage",2004,"GE, PL, US",,"Spear Phishing, Malicious Documents",,Government and Defense Agencies,,, 2016-06-16,bears-midst-intrusion-democratic-national-committee,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.06.16.DNC/bears-midst-intrusion-democratic-national-committee.pdf,CrowdStrike,,,,,,,,,,,,Government and Defense Agencies,,, 2016-06-16,Secureworks_TG-4127Clinton(06-16-2016),Threat Group-4127 Targets Hillary Clinton 
Presidential Campaign,https://app.box.com/s/uy6iv3fj7akwzrj9zq1gv403b35twaoy,SecureWorks,,,,apt28,RU,"Espionage, Information theft and espionage",2004,"RU, US",,Spear Phishing,,"Government and Defense Agencies, Individuals, Non-Governmental Organizations (NGOs) and Nonprofits",2016-03-15,2016-05-15,61.0 2016-06-17,Operation Daybreak,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.06.17.Operation_Daybreak/Operation%20Daybreak.pdf,Kaspersky,"CVE-2016-0147, CVE-2016-1010, CVE-2016-4117, CVE-2016-4171",,,scarcruft,KP,Information theft and espionage,2012,,TRUE,"Watering Hole, Spear Phishing","Adobe Flash Player exploit, Microsoft Internet Explorer exploit, CVE-2016-0147, CVE-2016-4117, HEUR:Exploit.SWF.Agent.gen, HEUR:Trojan.Win32.ScarCruft.gen, cfgifut.dll, cldbct.dll, cryptbase.dll, msfte.dll","Government and Defense Agencies, Corporations and Businesses, Media and Entertainment Companies, Individuals",2016-03-15,2016-06-15,92.0 2016-06-20,Microsoft_RE-DUBNIUM-FlashExploit(06-20-2016),Reverse-engineering DUBNIUM's Flash-targeting exploit,https://app.box.com/s/rsvvnrm7ct991olqsvbqrie614xt9f3b,Microsoft,"CVE-2013-5330, CVE-2014-0497, CVE-2015-8651",,,dubnium,KR,"Espionage, Information theft and espionage",2007,,TRUE,Exploit Vulnerability,,,,, 2016-06-20,Fireeye-rpt-china-espionage(06-20-2016),Red Line Drawn: China Recalculates Its Use Of Cyber Espionage,https://app.box.com/s/jdk38pbsyaa19vb91uffmprn9oz4a2vr,FireEye,,,,,,,,"AU, BR, CA, CH, CN, CO, DE, DK, EG, FR, GB, HK, IL, IN, IT, JP, KR, NL, NO, PH, SA, SE, SG, TN, TW",,Spear Phishing,,"Government and Defense Agencies, Corporations and Businesses, Healthcare",,, 2016-06-21,ESET-Visiting_The_Bear_Den(6-21-2016),Visiting The Bear Den A Journey in the Land of (Cyber-)Espionage,https://app.box.com/s/ifsplrz92ssuo3mhgwadkgoc19e5y56e,ESET,"CVE-2013-1347, CVE-2013-3897, CVE-2014-1510, CVE-2014-1511, CVE-2014-1776, CVE-2014-4076, CVE-2014-6332, CVE-2015-1701, CVE-2015-2387, 
CVE-2015-2424, CVE-2015-2590, CVE-2015-3043, CVE-2015-4902, CVE-2015-5119, CVE-2015-7645",,,apt28,RU,"Espionage, Information theft and espionage",2004,,TRUE,"Phishing, Drive-by Download",,"Government and Defense Agencies, Education and Research Institutions, Individuals",,, 2016-06-21,the-curious-case-of-an-unknown-trojan-targeting-german-speaking-users,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.06.21.Unknown_Trojan_Targeting_German_Speaking_Users/the-curious-case-of-an-unknown-trojan-targeting-german-speaking-users.pdf,Fortinet,,,,aleksandr,,,,"AT, DE",,Malicious Documents,"DELoader, Zeus",Financial Institutions,,, 2016-06-23,PaloAlto_TrackingElirksJapanSimilaritiesPreviousAttacks(06-23-2016),Tracking Elirks Variants in Japan: Similarities to Previous Attacks,https://app.box.com/s/ki60vxvdi2wzqrsrqik0yvg4sdwsbbal,Palo Alto,CVE-2011-0611,,,,,,,"JP, TW",FALSE,"Spear Phishing, Malicious Documents, Exploit Vulnerability","PlugX, Elirks, WildFire, PAN-DB, AutoFocus, FakeM","Government and Defense Agencies, Corporations and Businesses, Non-Governmental Organizations (NGOs) and Nonprofits",,, 2016-06-26,threat-update-nigerian-cybercriminals-target-high-impact-indian-industries-via-pony,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.06.26.Nigerian_Cybercriminals_Target_High_Impact_Industries_in_India/threat-update-nigerian-cybercriminals-target-high-impact-indian-industries-via-pony.pdf,Cylance,,,,,,,,IN,,"Spear Phishing, Malicious Documents","Pony Loader 2.2, Hawkeye, Zeus","Corporations and Businesses, Manufacturing",2015-10-15,2016-06-15,244.0 2016-06-26,the-state-of-the-esilelotus-blossom-campaign,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.06.26.The_State_of_the_ESILE_Lotus_Blossom_Campaign/the-state-of-the-esilelotus-blossom-campaign.pdf,Trend Micro,"CVE-2016-2776, CVE-2016-6662",,,,,,,,FALSE,"Spear Phishing, Malicious 
Documents",BKDR_ESILE,Government and Defense Agencies,,, 2016-06-28,20160628ac-ir_research,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.06.28.Attack_Tool_Investigation/20160628ac-ir_research.pdf,JPCERT,,,,,,,,,FALSE,,"PsExec, wmic, PowerShell, wmiexec.vbs, BeginX, winrm, winrs, BITS, PWDump7, PWDumpX, Quarks PwDump, Mimikatz, WCE, gsecdump, lslsass, Find-GPOPasswords.ps1, Mail PassView, WebBrowserPassView, Remote Desktop PassView, Htran, Fake wpad, MS14-058 Exploit, MS15-078 Exploit, SDB UAC Bypass, MS14-068 Exploit, ntdsutil, vssadmin, net user, net use, net share, icacls, sdelete, timestomp, csvde, ldifde, ds",,,, 2016-06-28,ref_researchers-disrupt-iranian-cyberespionage-campaign,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.06.28.prince-of-persia-game-over/ref_researchers-disrupt-iranian-cyberespionage-campaign.pdf,Palo Alto,,,,,,,,AU,,,"Infy, Infy M","Healthcare, Corporations and Businesses, Individuals",,, 2016-06-28,unit42-prince-of-persia-game-over,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.06.28.prince-of-persia-game-over/unit42-prince-of-persia-game-over.pdf,Kaspersky,,,,,,,,"CA, IR",,,"Macromedia v4, Kaspersky Labs, Avast, Trend Micro",,,, 2016-06-30,JPCERT_AsruexShortcutFiles(06-30-2016),Asruex: Malware Infecting through Shortcut Files,https://app.box.com/s/mxvgs6dx4kixjv5s29yc6m81kii8opbw,JPCERT,,,,darkhotel,KR,"Espionage, Information theft and espionage",2007,,,Spear Phishing,"Asruex, AdvProv.dll",Corporations and Businesses,,, 2016-07-01,ESET_targeting-Central-and-EasternEurope(07-01-2016),Espionage toolkit targeting Central and Eastern Europe uncovered,https://app.box.com/s/kmb22xnoniwxfkhsw8r3tkpo5rko0w1a,ESET,,,,,,,,,FALSE,"Phishing, Malicious Documents",SBDH toolkit,Government and Defense Agencies,,, 
2016-07-01,Bitdefender-Whitepaper-PAC-A4-en-EN1,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.07.01.Bitdefender_Pacifier_APT/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf,Bitdefender,,,,turla,RU,"Espionage, Information theft and espionage",1996,"HU, IN, IR, LT, PH, RO, RU, TH, VN",,"Spear Phishing, Malicious Documents",,"Government and Defense Agencies, Education and Research Institutions",,, 2016-07-01,espionage-toolkit-targeting-central-eastern-europe-uncovered,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.07.01.SBDH_toolkit_targeting_Central_and_Eastern_Europe/espionage-toolkit-targeting-central-eastern-europe-uncovered.pdf,ESET,,,,,,,,,,Malicious Documents,"SBDH toolkit, backdoor, data stealer","Government and Defense Agencies, Education and Research Institutions",,, 2016-07-03,HummingBad-Research-report_FINAL-62916,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.07.03_From_HummingBad_to_Worse/HummingBad-Research-report_FINAL-62916.pdf,Check Point,,,,yingmob,CN,,,"BD, BR, CN, CO, DZ, EG, ID, IN, MX, MY, NP, PH, PK, RO, RU, TH, TR, UA, US, VN",,Drive-by Download,", HummingBad, rootkit, UI automation application program interface (API), ""input tap X Y"" utility","Government and Defense Agencies, Corporations and Businesses, Individuals",2015-08-15,2016-05-22,281.0 2016-07-07,Cymmetria_Unveiling-Patchwork(Jul-7-16),Unveiling Patchwork the Copy Paste APT,https://app.box.com/s/r9pw9xbcy2fz2ssewg5p7lqyvtn1b6jc,Cymmetria,CVE-2014-4114,,,patchwork,IN,"Espionage, Information theft and espionage",2013,"HK, ID, MY, PH, TW",FALSE,"Spear Phishing, Malicious Documents, Exploit Vulnerability","PowerSploit, Meterpreter, MetaSploit",Government and Defense Agencies,,, 2016-07-07,Proofpoint_NetTraveler-TargetsRussianEuropean(07-07-2016),"NetTraveler APT Targets Russian, European 
Interests",https://app.box.com/s/u16hs4trjkamdxkb8xth6e5ugckr3230,Proofpoint,CVE-2012-0158,,,,,,,"BY, MN, RU",FALSE,Spear Phishing,"PlugX, NetTraveler, Saker, Netbot, DarkStRat, LURK0 Gh0st","Government and Defense Agencies, Energy and Utilities, Critical Infrastructure",,, 2016-07-08,The Dropping Elephant actor - Securelist,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.07.08.The_Dropping_Elephant/The%20Dropping%20Elephant%20actor%20-%20Securelist.pdf,Kaspersky,"CVE-2012-0158, CVE-2014-1761, CVE-2014-6352, CVE-2016-4171",,,dropping elephant,IN,"Espionage, Information theft and espionage",2013,,FALSE,"Spear Phishing, Watering Hole","UPX, AutoIT, PowerShell-based malware, Meterpreter, BeEF","Government and Defense Agencies, Education and Research Institutions",,, 2016-07-12,nanhaishu_whitepaper,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.07.12.NanHaiShu_RATing_the_South_China_Sea/nanhaishu_whitepaper.pdf,F-Secure,,,,,,,,PH,FALSE,"Spear Phishing, Social Engineering, Malicious Documents",NanHaiShu,"Government and Defense Agencies, Corporations and Businesses",2015-01-13,2016-03-15,427.0 2016-07-13,SFG_ Furtim's Parent,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.07.13.State-Sponsored_SCADA_Malware_targeting_European_Energy_Companies/SFG_%20Furtim%27s%20Parent.pdf,SentinelOne,,"T7700:N/A, T2600:N/A",,,,,,"CN, CZ, DE, PL, SK",,,"VMware, XenVMM, KVM, prl hyperv, Microsoft Hv, Cuckoo, SysAnalyzer, odbg110, BDCore_U.dll, snxcmd.exe, decodezeus, VmRemoteGuest.exe, rdpinst.exe, Raptorclient.exe",,,, 2016-07-13,Furtim_ The Ultra-Cautious Malware,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.07.13.State-Sponsored_SCADA_Malware_targeting_European_Energy_Companies/Furtim_%20The%20Ultra-Cautious%20Malware.pdf,enSilo,,,,,,,,,,,"Furtim, Pony Stealer",,,, 
2016-07-13,sfg-furtims-parent,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.07.13.State-Sponsored_SCADA_Malware_targeting_European_Energy_Companies/sfg-furtims-parent.pdf,Microsoft,,"T7700:N/A, T2600:N/A",,,,,,,,,"malware.exe, mlwr_smpl.exe, dir_watch.dll, tracer.dll, SbieDll.dll, APIOverride.dll, NtHookEngine.dll, api_log.dll, LOG_API.DLL, LOG_API32.DLL",,,, 2016-07-21,(Chinese)rmshixdAPT-C-15-20160630,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.07.21.Sphinx_Targeted_cyber-attack_in_the_Middle_East/%28Chinese%29rmshixdAPT-C-15-20160630.pdf,F-Secure,,,,oceanlotus,VN,"Espionage, Financial gain, Information theft and espionage",2012,"EG, IL",FALSE,"Watering Hole, Malicious Documents",,Government and Defense Agencies,,, 2016-07-21,tta1-f04_hide-and-seek-how-threat-actors-respond-in-the-face-of-public-exposure,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.07.21.Hide_and_Seek/tta1-f04_hide-and-seek-how-threat-actors-respond-in-the-face-of-public-exposure.pdf,FireEye and Microsoft,"CVE-2015-1701, CVE-2015-2424, CVE-2015-2590, CVE-2015-3043, CVE-2015-7645",,,punchbuggy,,,,"AU, DE, EG, GB, IN, JP, KR, NL, TN, TW, US",TRUE,Spear Phishing,"HIKIT, BLACKCOFFEE aka ZoxPNG, LONEAGENT aka Fexel, PHOTO aka Derusbi, SOGU aka PlugX, KabasHIGHNOON aka Winnti, RAYGUN, MUGBRAIN, SIDEWINDER, SCARYMOVIE","Government and Defense Agencies, Corporations and Businesses, Financial Institutions, Energy and Utilities, Media and Entertainment Companies, Critical Infrastructure",,, 2016-07-21,rmsxden20160721,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.07.21.Sphinx_Targeted_cyber-attack_in_the_Middle_East/rmsxden20160721.pdf,Kaspersky,,,,apt-c-15,,,,"EG, IL",,Watering Hole,"ROCK Trojan, njRAT",Government and Defense Agencies,2011-12-15,2015-11-15,1431.0 
2016-07-25,Symantec_Patchwork-expands-to-industries(07-25-2016),Patchwork cyberespionage group expands targets from governments to wide range of industries,https://app.box.com/s/8k4ikxiyz3od5bg6juqpjf99dcfdba4l,Symantec,"CVE-2012-0158, CVE-2014-4114, CVE-2015-1641",,,patchwork,IN,"Espionage, Information theft and espionage",2013,"CN, GB, JP, US",FALSE,"Spear Phishing, Watering Hole, Malicious Documents","Backdoor.Enfourks, Backdoor.Steladok, Trojan.PPDropper, Infostealer","Government and Defense Agencies, Corporations and Businesses, Financial Institutions, Energy and Utilities, Non-Governmental Organizations (NGOs) and Nonprofits, Healthcare, Media and Entertainment Companies",,, 2016-07-28,ICIT-Brief-China-Espionage-Dynasty,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.07.28.China_Espionage_Dynasty/ICIT-Brief-China-Espionage-Dynasty.pdf,Kaspersky,CVE-2012-0158,,,apt3,CN,"Espionage, Information theft and espionage",2007,"JP, KR, TW, US",TRUE,"Spear Phishing, Watering Hole, Exploit Vulnerability","ZoxRPC, test.exe, xkat.exe, Dbgv.sys","Government and Defense Agencies, Corporations and Businesses, Financial Institutions, Healthcare, Energy and Utilities",,, 2016-08-02,Group5_ Syria and the Iranian Connection - The Citizen Lab,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.08.02.group5-syria/Group5_%20Syria%20and%20the%20Iranian%20Connection%20-%20The%20Citizen%20Lab.pdf,Citizen Lab,CVE-2014-4114,,,group5,,Information theft and espionage,2015,SY,FALSE,"Spear Phishing, Social Engineering, Malicious Documents, Exploit Vulnerability","njRAT, NanoCore RAT, PAC Crypt",Non-Governmental Organizations (NGOs) and Nonprofits,,, 2016-08-03,EFF_OperationManul(08-03-2016),Operation Manul,https://app.box.com/s/0dhelcscwtesl3biuldgrbeddaffwneu,EFF,,,,appin security group,,,,,FALSE,,"Bandook Trojan, HackBack Trojan, Android RAT","Individuals, Non-Governmental Organizations (NGOs) and 
Nonprofits, Media and Entertainment Companies",,, 2016-08-07,Symantec_Strider-group-turns-eye-targets(08-07-2016),Strider: Cyberespionage group turns eye of Sauron on targets,https://app.box.com/s/l6i8z1vz83uwzf2ycl94xnel5voddt5v,Symantec,,,,strider,US,"Espionage, Information theft and espionage",2011,"BE, CN, RU, SE",,,"Remsec, Backdoor.Remsec, Basic pipe back door, Advanced pipe back door, HTTP back door","Government and Defense Agencies, Corporations and Businesses, Non-Governmental Organizations (NGOs) and Nonprofits, Individuals",,, 2016-08-07,Symantec_Remsec_IOCs,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.08.07.Strider_Cyberespionage_group_turns_eye_of_Sauron_on_targets/Symantec_Remsec_IOCs.pdf,Symantec,,,"rule remsec_encrypted_api \n{ \n meta: \n copyright = ""Symantec"" \n \n strings: \n $open_process = \n /* \n ""OpenProcess\\x00"" in encrypted form \n */ \n { 91 9A 8F B0 9C 90 8D AF 8C 8C 9A FF } \n condition: \n all of them \n}, rule remsec_executable_blob_parser \n{ \n meta: \n copyright = ""Symantec"" \n \n strings: \n $code = \n /* \n 0F 82 ?? ?? 00 00 jb l_0 \n 80 7? 04 02 cmp byte ptr r0+4, 2 \n 0F 85 ?? ?? 00 00 jnz l_0 \n 81 3? 02 AA 02 C1 cmp dword ptr r0, \n0C102AA02h \n 0F 85 ?? ?? 00 00 jnz l_0 \n 8B ?? 06 mov r1, r0+6 \n */ \n { \n ( 0F 82 ?? ?? 00 00 | 72 ?? ) \n ( 80 | 41 80 ) ( 7? | 7C 24 ) 04 02 \n ( 0F 85 ?? ?? 00 00 | 75 ?? ) \n ( 81 | 41 81 ) ( 3? | 3C 24 | 7D 00 ) 02 AA 02 C1 \n ( 0F 85 ?? ?? 00 00 | 75 ?? ) \n ( 8B | 41 8B | 44 8B | 45 8B ) ( 4? | 5? | 6? | 7? | ?4 24 | \n?C 24 ) 06 \n } \n \n \nSecurity Response — August 8, 2016 — Copyright © 2016 Symantec \nPage 11 \nBackdoor.Remsec indicators of compromise \n \n condition: \n all of them \n}, rule remsec_packer_A \n{ \n meta: \n copyright = ""Symantec"" \n \n strings: \n $code = \n /* \n 69 ?? AB 00 00 00 imul r0, 0ABh \n 81 C? CD 2B 00 00 add r0, 2BCDh \n F7 E? mul r0 \n C1 E? 0D shr r1, 0Dh \n 69 ?? 
85 CF 00 00 imul r1, 0CF85h \n 2B sub r0, r1 \n */ \n { \n 69 ( C? | D? | E? | F? ) AB 00 00 00 \n ( 81 | 41 81 ) C? CD 2B 00 00 \n ( F7 | 41 F7 ) E? \n ( C1 | 41 C1 ) E? 0D \n ( 69 | 45 69 ) ( C? | D? | E? | F? ) 85 CF 00 00 \n ( 29 | 41 29 | 44 29 | 45 29 | 2B | 41 2B | 44 2B | 45 2B ) \n } \n condition: \n all of them \n}, rule remsec_packer_B \n{ \n meta: \n copyright = ""Symantec"" \n \n strings: \n $code = \n /* \n 48 8B 05 C4 2D 01 00 mov rax, cs:LoadLibraryA \n 48 89 44 24 48 mov qword ptr \nrsp+1B8h+descriptor+18h, rax \n 48 8B 05 A0 2D 01 00 mov rax, cs:GetProcAddress \n \n \nSecurity Response — August 8, 2016 — Copyright © 2016 Symantec \nPage 12 \nBackdoor.Remsec indicators of compromise \n \n 48 8D 4C 24 30 lea rcx, \nrsp+1B8h+descriptor \n 48 89 44 24 50 mov qword ptr \nrsp+1B8h+descriptor+20h, rax \n 48 8D 84 24 80 00 00 00 lea rax, \nrsp+1B8h+var_138 \n C6 44 24 30 00 mov rsp+1B8h+descriptor, \n0 \n 48 89 44 24 60 mov qword ptr \nrsp+1B8h+descriptor+30h, rax \n 48 8D 84 24 80 00 00 00 lea rax, \nrsp+1B8h+var_138 \n C7 44 24 34 03 00 00 00 mov dword ptr \nrsp+1B8h+descriptor+4, 3 \n 2B F8 sub edi, eax \n 48 89 5C 24 38 mov qword ptr \nrsp+1B8h+descriptor+8, rbx \n 44 89 6C 24 40 mov dword ptr \nrsp+1B8h+descriptor+10h, r13d \n 83 C7 08 add edi, 8 \n 89 7C 24 68 mov dword ptr \nrsp+1B8h+descriptor+38h, edi \n FF D5 call rbp \n 05 00 00 00 3A add eax, 3A000000h \n */ \n { \n 48 8B 05 ?? ?? ?? ?? \n 48 89 44 24 ?? \n 48 8B 05 ?? ?? ?? ?? \n 48 8D 4C 24 ?? \n 48 89 44 24 ?? \n 48 8D ( 45 ?? | 84 24 ?? ?? 00 00 ) \n ( 44 88 6? 24 ?? | C6 44 24 ?? 00 ) \n 48 89 44 24 ?? \n 48 8D ( 45 ?? | 84 24 ?? ?? 00 00 ) \n C7 44 24 ?? 0? 00 00 00 \n 2B ?8 \n 48 89 ?C 24 ?? \n 44 89 6? 24 ?? \n 83 C? 08 \n 89 ?C 24 ?? \n ( FF | 41 FF ) D? 
\n ( 05 | 8D 88 ) 00 00 00 3A \n } \n condition: \n all of them \n}, rule remsec_executable_blob_32 \n{ \n meta: \n copyright = ""Symantec"" \n strings: \n $code = \n /* \n 31 06 l0: xor esi, eax \n 83 C6 04 add esi, 4 \n D1 E8 shr eax, 1 \n 73 05 jnb short l1 \n 35 01 00 00 D0 xor eax, 0D0000001h \n E2 F0 l1: loop l0 \n */ \n { \n 31 06 \n 83 C6 04 \n D1 E8 \n 73 05 \n 35 01 00 00 D0 \n \n \nSecurity Response — August 8, 2016 — Copyright © 2016 Symantec \nPage 10 \nBackdoor.Remsec indicators of compromise \n \n E2 F0 \n } \n condition: \n all of them \n}, rule remsec_executable_blob_64 \n{ \n meta: \n copyright = ""Symantec"" \n strings: \n $code = \n /* \n 31 06 l0: xor rsi, eax \n 48 83 C6 04 add rsi, 4 \n D1 E8 shr eax, 1 \n 73 05 jnb short l1 \n 35 01 00 00 D0 xor eax, 0D0000001h \n E2 EF l1: loop l0 \n */ \n { \n 31 06 \n 48 83 C6 04 \n D1 E8 \n 73 05 \n 35 01 00 00 D0 \n E2 EF \n } \n condition: \n all of them \n}",,,,,,,,"Backdoor.Remsec, Lua, RSA, RC6",,,, 2016-08-08,Visa_Oracle-Micros-Compromise(08-08-2016),Carbanak Oracle Breach,https://app.box.com/s/4sfhcqaaxwui1dbvd13254wm5wfy9bmk,Visa,,,,fin7,RU,"Financial gain, Financial crime",2013,,,Phishing,"MalumPOS, Carbanak, Svchost.exe, Psexec",Financial Institutions,2015-02-01,2016-08-12,558.0 2016-08-08,ProjectSauron_ top level cyber-espionage platform covertly extracts encrypted government comms - Securelist,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.08.08.ProjectSauron/ProjectSauron_%20top%20level%20cyber-espionage%20platform%20covertly%20extracts%20encrypted%20government%20comms%20-%20Securelist.pdf,Kaspersky,CVE-2016-4171,,,,,,,"IR, IT, RU, RW",FALSE,,,"Government and Defense Agencies, Financial Institutions, Education and Research Institutions",2011-06-15,2016-04-15,1766.0 
2016-08-08,The-ProjectSauron-APT_Technical_Analysis_KL,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.08.08.ProjectSauron/The-ProjectSauron-APT_Technical_Analysis_KL.pdf,Kaspersky,,,,projectsauron,US,"Espionage, Information theft and espionage",2011,,,,"wedding DLL installer, weddll, wipe, wtcdll, zeta2dll, symnet32",,,, 2016-08-08,The-ProjectSauron-APT_IOCs_KL,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.08.08.ProjectSauron/The-ProjectSauron-APT_IOCs_KL.pdf,Kaspersky,,,,projectsauron,US,"Espionage, Information theft and espionage",2011,,,,,,,, 2016-08-13,BrianKrebs_Carbanak-Oracle-breach(08-13-2016),Visa Alert and Update on the Oracle Breach,https://app.box.com/s/ejrvucttqc6eanln2kkmqtjklg563jxg,Brian Krebs,,,,fin7,RU,"Financial gain, Financial crime",2013,,,Exploit Vulnerability,"MalumPOS, WSO Web Shell","Corporations and Businesses, Financial Institutions",,, 2016-08-16,unit42-aveo-malware-family-targets-japanese-speaking-users,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.08.16.aveo-malware-family-targets-japanese/unit42-aveo-malware-family-targets-japanese-speaking-users.pdf,Palo Alto,,,,,,,,JP,,Malicious Documents,"Aveo, FormerFirstRAT, WinRAR, WildFire",Education and Research Institutions,,, 2016-08-17,Operation Ghoul_ targeted attacks on industrial and engineering organizations - Securelist,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.08.17_operation-ghoul/Operation%20Ghoul_%20targeted%20attacks%20on%20industrial%20and%20engineering%20organizations%20-%20Securelist.pdf,Kaspersky,,,,,,,,"AE, BH, CH, DE, DZ, EG, IN, IR, JO, JP, LB, MY, RU, TN, TR",FALSE,"Spear Phishing, Phishing",Hawkeye commercial spyware,"Corporations and Businesses, Manufacturing, Education and Research Institutions, Critical Infrastructure",,, 
2016-08-19,Russian_Cyber_Operations_On_Steroids,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.08.19.fancy-bear-anti-doping-agency-phishing/Russian_Cyber_Operations_On_Steroids.pdf,ThreatConnect,,,,apt28,RU,"Espionage, Information theft and espionage",2004,,FALSE,Phishing,"Acunetix, SQLMap","Education and Research Institutions, Non-Governmental Organizations (NGOs) and Nonprofits, Individuals",,, 2016-08-24,Citizenlab_NSO_iPhone_ZeroDays_UAE(08-24-2016),The Million Dollar Dissident: NSO Group's iPhone Zero-Days used against a UAE Human Rights Defender,https://app.box.com/s/adaa4lfxeohb7ehxv3ao6104gmvq226i,Citizen Lab,"CVE-2010-3333, CVE-2016-4655, CVE-2016-4656, CVE-2016-4657",,,stealth falcon,AE,"Espionage, Information theft and espionage",2012,"AE, BH, HU, IL, KE, MA, MX, MZ, NG, QA, SA, TH, TR, UZ, YE",TRUE,Spear Phishing,"XTremeRAT, SpyNet RAT, njRAT, Stealth Falcon","Corporations and Businesses, Media and Entertainment Companies, Non-Governmental Organizations (NGOs) and Nonprofits, Individuals",,, 2016-08-25,lookout-pegasus-technical-analysis,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.08.25.lookout-pegasus-technical-analysis/lookout-pegasus-technical-analysis.pdf,Lookout,"CVE-2016-4655, CVE-2016-4656, CVE-2016-4657",,,nso group,IL,,,,TRUE,Phishing,"libdata.dylib, libimo.dylib, libvbcalls.dylib, libwacalls.dylib, lw-install, systemd, watchdog, workerd",,,, 2016-09-01,human-rights-impersonation-malware,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.09.01.human-rights-impersonation-malware/human-rights-impersonation-malware.pdf,RSA,,,,,,,,"AE, IQ, IR, PS, SA",,"Spear Phishing, Social Engineering","DroidJack, ExtremeDownloader, TeamSpeak.EXE","Non-Governmental Organizations (NGOs) and Nonprofits, Individuals, Education and Research Institutions",2016-07-15,2016-08-28,44.0 
2016-09-06,Buckeye.cyberespionage.group.shifts.gaze.from.US.to.Hong.Kong.-.Symantec,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.09.06.buckeye-cyberespionage-group-shifts-gaze-us-hong-kong/Buckeye.cyberespionage.group.shifts.gaze.from.US.to.Hong.Kong.-.Symantec.pdf,Symantec,"CVE-2010-3962, CVE-2014-1776",,,buckeye,CN,"Espionage, Information theft and espionage",2007,"GB, HK, US",TRUE,"Spear Phishing, Exploit Vulnerability, Malicious Documents","Backdoor.Pirpi, RemoteCMD, PwDumpVariant, OSinfo","Government and Defense Agencies, Corporations and Businesses, Critical Infrastructure",,, 2016-09-14,mile-tea-cyber-espionage-campaign-targets-asia-pacific-businesses-and-government-agencies,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.09.14.MILE_TEA/mile-tea-cyber-espionage-campaign-targets-asia-pacific-businesses-and-government-agencies.pdf,RSA,,,,,,,,"JP, TW",,"Spear Phishing, Malicious Documents","Elirks, Micrass, Logedrut","Corporations and Businesses, Government and Defense Agencies, Energy and Utilities",,, 2016-09-18,Hunting Libyan Scorpions _ Cyberkov _ Professional Cybersecurity & Consultation Firm_,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.09.18.Hunting-Libyan-Scorpions/Hunting%20Libyan%20Scorpions%20_%20Cyberkov%20_%20Professional%20Cybersecurity%20%26%20Consultation%20Firm_.pdf,Cyberkov,,,,libyan scorpions,LY,Information theft and espionage,2015,,FALSE,"Social Engineering, Phishing",,Individuals,2015-09-15,2016-08-15,335.0 2016-09-18,Hunting-Libyan-Scorpions-AR,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.09.18.Hunting-Libyan-Scorpions/Hunting-Libyan-Scorpions-AR.pdf,Cyberkov,,,,عقارب ليبيا,,,,LY,,Spear Phishing,,Individuals,,, 2016-09-18,Cyberkov-Hunting-Libyan-Scorpions-EN(9-18-16),Hunting Libyan 
Scorpions,https://app.box.com/s/pov6xl0nvac5iaq4kafyw7p8ylmx3p8d,Cyberkov,,,,libyan scorpions,LY,Information theft and espionage,2015,LY,,"Spear Phishing, Social Engineering",,,2015-09-15,2016-08-15,335.0 2016-09-26,unit42-sofacys-komplex-os-x-trojan,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.09.26_Sofacy_Komplex_OSX_Trojan/unit42-sofacys-komplex-os-x-trojan.pdf,Palo Alto,,,,apt28,RU,"Espionage, Information theft and espionage",2004,,,"Phishing, Exploit Vulnerability","Komplex Trojan, Carberp variant Trojan, MacKeeper",Manufacturing,,, 2016-09-28,Confucius Says...Malware Families Get Further By Abusing Legitimate Websites,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.09.28.Confucius_Says/Confucius%20Says...Malware%20Families%20Get%20Further%20By%20Abusing%20Legitimate%20Websites.pdf,Palo Alto,,,,confucius,,,,PK,,"Phishing, Malicious Documents","CONFUCIUS_A, SNEEPY, BYEBYESHELL, Hangover, ApacheStealer",Corporations and Businesses,,, 2016-09-29,CS_organisation_CHINA_092016 (1),,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.09.29.China_and_Cyber_Attitudes_Strategies_Organisation/CS_organisation_CHINA_092016%20%281%29.pdf,Mandiant,,,,red hacker alliance,,,,"AU, JP, US",,,,"Government and Defense Agencies, Corporations and Businesses, Energy and Utilities, Critical Infrastructure, Financial Institutions",,, 2016-10-03,Kaspersky_StrongPity-Waterhole-Targeting-Italian-Belgian-Encryption-Users(10-03-2016),On the StrongPity Waterhole Attacks Targeting Italian and Belgian Encryption Users,https://app.box.com/s/c9w0xp0mgndij268ku7ti5ee4lxu54bv,Kaspersky,,,,strongpity,TR,Information theft and espionage,2012,"BE, CA, CI, DZ, FR, IT, MA, NL, TN, TR",,"Watering Hole, Social Engineering","WinRAR, TrueCrypt, StrongPity components, putty.exe, filezilla.exe, winscp.exe, mstsc.exe, mRemoteNG.exe",Critical Infrastructure,,, 
2016-10-05,VirusBulletin_EvronRaz(10-05-2016),"Apt Reports And Opsec Evolution, Or: These Are Not The Apt Reports You Are Looking For",https://app.box.com/s/6kow9e7d5ogd1qxskl5krels702fwyon,Virus Bulletin,,,,apt1,CN,"Espionage, Information theft and espionage",2006,,,,Turla,"Government and Defense Agencies, Corporations and Businesses",,, 2016-10-16,threatconnect-discovers-chinese-apt-activity-in-europe,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.10.16.A_Tale_of_Two_Targets/threatconnect-discovers-chinese-apt-activity-in-europe.pdf,ThreatConnect,,,,emissary panda,CN,"Espionage, Information theft and espionage",2010,US,,"Spear Phishing, Watering Hole",HttpBrowser,"Energy and Utilities, Corporations and Businesses",,, 2016-10-20,eset-sednit-part1(10-20-2016),En Route with Sednit Part 1: Approaching the Target,https://app.box.com/s/c7oz0zci5gxsbgnucxwah82bfdj0boe0,ESET,"CVE-2009-3129, CVE-2010-3333, CVE-2012-0158, CVE-2013-1347, CVE-2013-2729, CVE-2013-3897, CVE-2014-1510, CVE-2014-1511, CVE-2014-1761, CVE-2014-1776, CVE-2014-6332, CVE-2015-1641, CVE-2015-1701, CVE-2015-2387, CVE-2015-2424, CVE-2015-2590, CVE-2015-3043, CVE-2015-4902, CVE-2015-5119, CVE-2015-7645, CVE-2016-4117",,,apt28,RU,"Espionage, Information theft and espionage",2004,"AE, AR, BD, BR, CO, DJ, DZ, IN, IQ, KG, KP, KR, LB, MM, PK, TM, TR, UA, UZ, ZA, ZM",TRUE,"Spear Phishing, Exploit Vulnerability, Malicious Documents","Seduploader, Xagent, Sedreco, Downdelph bootkit, Downdelph rootkit","Government and Defense Agencies, Education and Research Institutions, Media and Entertainment Companies, Individuals",,, 2016-10-25,eset-sednit-part2(10-25-2016),En Route with Sednit Part 2: Observing the Comings and Goings,https://app.box.com/s/lmaensc7vzdugsy1nsh4bwligl07q53b,ESET,"CVE-2015-1701, CVE-2015-2424, CVE-2015-2590, CVE-2015-3043, CVE-2015-4902, CVE-2015-7645",,,apt28,RU,"Espionage, Information theft and espionage",2004,"DE, FR, US",TRUE,"Spear Phishing, 
Exploit Vulnerability, Removable Media","Sedreco, Xagent, Xtunnel, Seduploader, Downdelph bootkit, Downdelph rootkit, SecurityXploded tools, mimikatz",,,, 2016-10-25,PaloAlto_Houdinis-Magic-Reappearance(10-25-2016),Houdini's Magic Reappearance,https://app.box.com/s/y4zzbao34iv483op59h1dettrwgoe7li,Palo Alto,,,,,,,,,FALSE,Malicious Documents,"Hworm, AutoIT, VBS (Visual Basic Script), Delphi",Government and Defense Agencies,2015-07-15,2016-06-15,336.0 2016-10-25,Houdini.s.Magic.Reappearance.-.Palo.Alto.Networks.Blog,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.10.25.Houdini_Magic_Reappearance/Houdini.s.Magic.Reappearance.-.Palo.Alto.Networks.Blog.pdf,Palo Alto,,,,,,,,,FALSE,Malicious Documents,"Hworm, DynamicWrapperX, RunPE","Government and Defense Agencies, Media and Entertainment Companies",2016-06-15,2016-10-15,122.0 2016-10-26,VectraNetworks_Moonlight-Targeted-attacks-MiddleEast(10-26-2016),Moonlight - Targeted attacks in the Middle East,https://app.box.com/s/f7p6hmdojxrh6mzs91yvjmpgz528b7h9,Vectra,,,,gaza hackers team,PS,Information theft and espionage,2012,"CN, US",FALSE,"Spear Phishing, Social Engineering, Malicious Documents",,"Education and Research Institutions, Media and Entertainment Companies, Individuals",,, 2016-10-26,Forcepoint_BITTER-Targeted-attack-Pakistan(10-26-2016),BITTER: A Targeted attack against Pakistan,https://app.box.com/s/iegu4jz7v3q0vcvgrkzrnq3w28q3pyne,Forcepoint,CVE-2012-0158,,,bitter,IN,Information theft and espionage,2013,PK,FALSE,"Spear Phishing, Malicious Documents","PuTTY, AndroRAT",,,, 2016-11-03,BoozAllen_ukraine-report-when-the-lights-went-out(11-03-2016),When The Lights Went Out: Ukraine Cybersecurity Threat Briefing,https://app.box.com/s/pbj4aeiapdbblzs19gzymgsk73sxbe56,Booz Allen Hamilton,"CVE-2014-4114, CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7186, CVE-2014-7187",,,,,,,"FR, UA, US",TRUE,"Phishing, Social Engineering, Exploit Vulnerability, Malicious 
Documents","BlackEnergy (BE), Dropbear server, Visual Basic (VB) dropper, KillDisk malware, Virus Total Intelligence (VTI) service, YARA",Critical Infrastructure,,, 2016-11-09,down-the-h-w0rm-hole-with-houdinis-rat.html,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.11.09_down-the-h-w0rm-hole-with-houdinis-rat/down-the-h-w0rm-hole-with-houdinis-rat.html.pdf,Fidelis Cybersecurity,,,"rule win_vbs_rat_hworm\n{\n strings:\n $sa1 = ""CONFIG""\n $sa2 = ""MYCODE""\n $sa3 = ""SHELLOBJ.EXPANDENVIRONMENTSTRINGS""\n $sa4 = ""BASE64TOHEX""\n $sa5 = ""DCOM.VIRTUALALLOC""\n $sa6 = ""LOADER_""\n $sa7 = ""PE_PTR""\n $sa8 = ""OBJWMISERVICE.EXECQUERY""\n $sa9 = ""WSCRIPT.EXE"" nocase\n $sa10 = ""FUNCTION""\n $sa11 = ""DIM""\n $sa12 = ""END SUB""\n $sb1 = ""HOST_FILE""\n $sb2 = ""FILE_NAME""\n $sb3 = ""INSTALL_DIR""\n $sb4 = ""START_UP_REG""\n $sb5 = ""START_UP_TASK""\n $sb6 = ""START_UP_FOLDER""\n $sc1 = ""DCOM_DATA""\n $sc2 = ""LOADER_DATA""\n $sc3 = ""FILE_DATA""\n $sc4 = ""(1)""\n $sc5 = ""(2)""\n $sc6 = ""(3)""\n $sc7 = ""FILE_SIZE""\n condition:\n (all of ($sa*)) and ( (all of ($sb*)) or (all of ($sc*)) )\n}, rule win_exe_rat_hworm\n{\n strings:\n $sa1 = ""connection_host"" wide ascii\n $sa2 = ""connection_port"" wide ascii\n $sa3 = ""install_folder"" wide ascii\n $sa4 = ""install_name"" wide ascii\n $sa5 = ""nickname_id"" wide ascii\n $sa6 = ""password"" wide ascii\n $sa7 = ""injection"" wide ascii\n $sa8 = ""startup_registry"" wide ascii\n $sa9 = ""startup_folder"" wide ascii\n $sa10 = ""startup_task"" wide ascii\n $sa11 = ""process_name"" wide ascii\n $sa12 = ""fkeylogger_host"" wide ascii\n $sa13 = ""fkeylogger_port"" wide ascii\n $sa14 = ""keylogger_init"" wide ascii\n $sa15 = ""keylogger_offline"" wide ascii\n $sa16 = ""file_manager"" wide ascii\n $sa17 = ""usb"" wide ascii\n $sa18 = ""password"" wide ascii\n $sa19 = ""filemanager"" wide ascii\n $sa20 = ""keylogger"" wide ascii\n $sa21 = ""screenshot"" wide ascii\n $sa22 = 
""show"" nocase wide ascii\n $sa23 = ""open"" wide ascii\n $sa25 = ""create"" wide ascii\n $sa26 = ""Self"" wide ascii\n $sa27 = ""createsuspended"" wide ascii\n condition:\n©2011 - 2016 Fidelis Cybersecurity | 1.800.652.4020\n \n \n \n \n \n (uint16(0) == 0x5A4D) and (all of them)\n}",black mafia,,,,,,,"Hworm, njRAT, Xtreme RAT, DarkComet, Black Worm, Fidelis Barncat",Corporations and Businesses,,, 2016-11-09,Volexity_Powerduke-Widespread-PostElection-Spear-Phish(11-09-2016),PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs,https://app.box.com/s/wd73vlkdiry8hibkbqvmtsn0bhmzkhgk,Volexity,,,,apt29,RU,"Espionage, Information theft and espionage",2008,US,FALSE,"Spear Phishing, Malicious Documents",PowerDuke,"Government and Defense Agencies, Non-Governmental Organizations (NGOs) and Nonprofits, Education and Research Institutions",2016-08-01,2016-11-09,100.0 2016-11-14,Trustwave_Carbanak _Anunak_Attack_Methodology(11-14-2016),New Carbanak / Anunak Attack Methodology,https://app.box.com/s/cbclbgiu54ihivxe7bvblwsv1e8jq44h,Trustwave,CVE-2013-3660,,,fin7,RU,"Financial gain, Financial crime",2013,,FALSE,"Social Engineering, Malicious Documents","AdobeUpdateManagementTool.vbs, el32.exe, el64.exe, Nmap, FreeRDP, NCat, NPing",Corporations and Businesses,,, 2016-11-17,Citizenlab_KeyBoy-targeting-Tibetan-Community(11-17-2016),It's Parliamentary: KeyBoy and the targeting of the Tibetan Community,https://app.box.com/s/q7rywbgt6s5c380vvjpk643ppcdtdl8v,Citizen Lab,"CVE-2012-0158, CVE-2012-1856, CVE-2015-1641, CVE-2015-1770",,,,,,,,FALSE,"Spear Phishing, Malicious Documents, Exploit Vulnerability",KeyBoy,Non-Governmental Organizations (NGOs) and Nonprofits,,, 2016-11-30,Cysinfo_NIC-CyberSecurity-Themed-Spear-Phishing-Target-India(11-30-2016),Malware Actors Using Nic Cyber Security Themed Spear Phishing To Target Indian Government Organizations,https://app.box.com/s/zsm16yh2sffqr9caehmifmvw2jrrwiga,Cysinfo,,,,,,,,IN,FALSE,"Spear Phishing, 
Malicious Documents",,"Government and Defense Agencies, Financial Institutions, Non-Governmental Organizations (NGOs) and Nonprofits",,, 2016-12-13,rise-telebots-analyzing-disruptive-killdisk-attacks,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2016/2016.12.13.rise-telebots-analyzing-disruptive-killdisk-attacks/rise-telebots-analyzing-disruptive-killdisk-attacks.pdf,RSA,,,,sandworm,RU,"Espionage, Sabotage and destruction",2015,UA,FALSE,"Spear Phishing, Malicious Documents","Microsoft Excel, Intercepter-NG, LDAP query tool, Python/TeleBot backdoor, VBS (Visual Basic Script), script2exe, plainpwd, mimikatz, CredRaptor, SetWindowsHookEx, WinPcap","Financial Institutions, Energy and Utilities",2015-11-15,2016-01-15,61.0 2016-12-15,PaloAlto_Sofacy-DealersChoice-Attacks(12-15-2016),Let It Ride: The Sofacy Group's DealersChoice Attacks Continue,https://app.box.com/s/7u92nzu48zg6kq0pmtlh9pj8p6jmjmrt,Palo Alto,"CVE-2015-7645, CVE-2016-7255, CVE-2016-7855",,,apt28,RU,"Espionage, Information theft and espionage",2004,"AM, GB, KG, KZ, LT, TJ, TM, TR, UZ",TRUE,Malicious Documents,"DealersChoice, Seduploader, Carberp","Government and Defense Agencies, Education and Research Institutions",,, 2016-12-21,Crowdstrike_DangerClose-FancyBear-Tracking-Ukrainian-FieldArtilleryUnits(12-21-2016),Danger Close: Fancy Bear Tracking of Ukrainian Field Artillery Units,https://app.box.com/s/77t5ropot0e1yy0r1i5g8s9bsvvnq6t3,CrowdStrike,,,,apt28,RU,"Espionage, Information theft and espionage",2004,UA,,,X-Agent,"Government and Defense Agencies, Non-Governmental Organizations (NGOs) and Nonprofits",,, 2016-12-22,Crowdstrike_FancyBearTracksUkrainianArtillery(12-22-2016),Use of Fancy Bear Android Malware tracking of Ukrainian Artillery Units,https://app.box.com/s/8lj785rl608lsmf80bwvtuxb7b9mscxy,CrowdStrike,,,,apt28,RU,"Espionage, Information theft and espionage",2004,"PL, UA",,"Social Engineering, Website Equipping",X-Agent Android malware,"Government and Defense 
Agencies, Non-Governmental Organizations (NGOs) and Nonprofits, Individuals",2014-12-21,2016-08-15,603.0 2016-12-28,tr1adx_Bear-Hunting-APT28-Tracking(12-28-2016),Bear Hunting Season: Tracking APT28,https://app.box.com/s/py4k1124p7hqacfb6dlkghvsh5xte2zw,tr1adx,,,,apt28,RU,"Espionage, Information theft and espionage",2004,"AM, AR, BY, ES, GB, GH, HK, IN, JP, KZ, LT, MY, SK, TR, TW, UA",,Spear Phishing,"Sofacy, Agent-X","Government and Defense Agencies, Non-Governmental Organizations (NGOs) and Nonprofits, Individuals, Corporations and Businesses, Media and Entertainment Companies",,, 2016-12-29,USCERT_GRIZZLY STEPPE(12-29-2016),GRIZZLY STEPPE - Russian Malicious Cyber Activity,https://app.box.com/s/5q1827f6ig94an0buhsk9i8k7e0eju8w,US-CERT,,,"rule PAS_TOOL_PHP_WEB_KIT \n{ \nmeta: \ndescription = ""PAS TOOL PHP WEB KIT FOUND"" \nstrings: \n$php = "" 20KB and filesize < 22KB) and \n#cookie == 2 and \n#isset == 3 and \nall of them \n}",apt29,RU,"Espionage, Information theft and espionage",2008,,,Spear Phishing,"Agent.btz, BlackEnergy V3, BlackEnergy2 APT, CakeDuke, Carberp, CHOPSTICK, CloudDuke, CORESHELL, CosmicDuke, COZYBEAR, COZYCAR, COZYDUKE, CrouchingYeti, DIONIS, Dragonfly, Energetic Bear, EVILTOSS, Fancy Bear, GeminiDuke, 20. GREY CLOUD, 2HammerDuke, 22. HAMMERTOSS, 23. 
Havex, 24","Government and Defense Agencies, Education and Research Institutions, Corporations and Businesses",,, 2017-01-01,tr1adx_Digital-Plagarist-Carbanak(01-01-2017),The Digital Plagiarist Campaign: TelePorting the Carbanak Crew to a New Dimension,https://app.box.com/s/7pr8b7cy9liv1bi88ha7frtzgrjycex3,tr1adx,,,,teleport crew,,,,"AU, BS, CH, GB, IE, US",FALSE,"Spear Phishing, Malicious Documents, Watering Hole",,"Corporations and Businesses, Energy and Utilities, Government and Defense Agencies, Critical Infrastructure",,, 2017-01-05,Iranian Fileless Attack Infiltrates Israeli Organizations,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2017/2017.01.05.Iranian_Threat_Agent_OilRig/Iranian%20Fileless%20Attack%20Infiltrates%20Israeli%20Organizations.pdf,Morphisec,"CVE-2014-0640, CVE-2017-0199",,,apt34,IR,Espionage,,IL,TRUE,"Exploit Vulnerability, Malicious Documents","Helminth Trojan, PowerShell","Education and Research Institutions, Financial Institutions, Healthcare, Corporations and Businesses",2017-04-19,2017-04-24,5.0 2017-01-05,"Iranian Threat Agent OilRig Delivers Digitally Signed Malware, Impersonates University of Oxford _ ClearSky Cybersecurity",,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2017/2017.01.05.Iranian_Threat_Agent_OilRig/Iranian%20Threat%20Agent%20OilRig%20Delivers%20Digitally%20Signed%20Malware%2C%20Impersonates%20University%20of%20Oxford%20_%20ClearSky%20Cybersecurity.pdf,ClearSky,,,,apt34,IR,Espionage,,"AE, IL, KW, LB, QA, SA, TR",,"Spear Phishing, Malicious Documents, Website Equipping","Backdoor.Cadelspy, Backdoor.Remexi","Energy and Utilities, Government and Defense Agencies, Education and Research Institutions",,, 2017-01-05,Forcepoint-MMCore-Fileless-Returns-BigBoss-SillyGoose(01-05-2017),Mm Core In-Memory Backdoor Returns As Bigboss And Sillygoose,https://app.box.com/s/4et31m42g0m8b1cj2ly2idlgruli1io6,Forcepoint,"CVE-2012-0158, CVE-2015-1641",,,,,,,"KG, KZ, TJ, 
TM, US, UZ",FALSE,"Malicious Documents, Exploit Vulnerability","MM Core, ChoiceGuard.dll, Microsoft executable, Shikata ga nai, TRITON ACE","Government and Defense Agencies, Energy and Utilities, Corporations and Businesses, Media and Entertainment Companies",,, 2017-01-05,PaloAlgo-DragonOK-Updates-Tools-Targets-Multiple-Regions(01-05-2017),DragonOK Updates Toolset and Targets Multiple Geographic Regions,https://app.box.com/s/50tu7yfcrcj3ntj6b894rq6londdps34,Palo Alto,CVE-2015-1641,,,dragonok,CN,"Espionage, Information theft and espionage",2014,"CN, JP, RU, TW",FALSE,"Phishing, Malicious Documents","Sysget version 2, Sysget version 3, Sysget version 4, TidePool, IsSpace, NFlog","Manufacturing, Education and Research Institutions, Energy and Utilities",,, 2017-01-09,unit42-second-wave-shamoon-2-attacks-identified,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2017/2017.01.09.second-wave-shamoon-2-attacks-identified/unit42-second-wave-shamoon-2-attacks-identified.pdf,NATO,,,,,,,,,,Credential Reuse,"Shamoon 2, Disttrack",Corporations and Businesses,,, 2017-01-10,APT28 At The Center Of The Storm,,https://www.mandiant.com/sites/default/files/2021-09/APT28-Center-of-Storm-2017.pdf,FireEye,"CVE-2015-1701, CVE-2015-2424, CVE-2015-2590, CVE-2015-3043, CVE-2015-5119, CVE-2016-7255, CVE-2016-7855",,,apt28,RU,"Espionage, Information theft and espionage",2004,"AF, DE, KG, PK",TRUE,"Spear Phishing, Exploit Vulnerability, Malicious Documents, Watering Hole","CHOPSTICK, EVILTOSS, GAMEFISH, SOURFACE, OLDBAIT, CORESHELL, PowerShell Empire, P.A.S. 
webshell, Metasploit modules","Government and Defense Agencies, Media and Entertainment Companies, Non-Governmental Organizations (NGOs) and Nonprofits",,, 2017-01-12,The 'EyePyramid' Attacks - Securelist,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2017/2017.01.12.EyePyramid.attacks/The%20%E2%80%9CEyePyramid%E2%80%9D%20Attacks%20-%20Securelist.pdf,Kaspersky,,,rule crime_ZZ_EyePyramid{\nmeta:\n2017/1/13\nThe “EyePyramid” Attacks - Securelist\nhttps://securelist.com/blog/incidents/77098/the-eyepyramid-attacks/\n3/10\ncopyright\xa0=\xa0”\xa0Kaspersky\xa0Lab”\xa0\xa0\nauthor\xa0=\xa0”\xa0Kaspersky\xa0Lab”\xa0\nmaltype\xa0=\xa0“crimeware”\xa0\nfiletype\xa0=\xa0“Win32\xa0EXE”\xa0\ndate\xa0=\xa0“2016\xad01\xad11”\xa0\nversion\xa0=\xa0“1.0”\nstrings:\n$a0=”eyepyramid.com”\xa0ascii\xa0wide\xa0nocase\xa0fullword\xa0\n$a1=”hostpenta.com”\xa0ascii\xa0wide\xa0nocase\xa0fullword\xa0\n$a2=”ayexisfitness.com”\xa0ascii\xa0wide\xa0nocase\xa0fullword\xa0\n$a3=”enasrl.com”\xa0ascii\xa0wide\xa0nocase\xa0fullword\xa0\n$a4=”eurecoove.com”\xa0ascii\xa0wide\xa0nocase\xa0fullword\xa0\n$a5=”marashen.com”\xa0ascii\xa0wide\xa0nocase\xa0fullword\xa0\n$a6=”millertaylor.com”\xa0ascii\xa0wide\xa0nocase\xa0fullword\xa0\n$a7=”occhionero.com”\xa0ascii\xa0wide\xa0nocase\xa0fullword\xa0\n$a8=”occhionero.info”\xa0ascii\xa0wide\xa0nocase\xa0fullword\xa0\n$a9=”wallserv.com”\xa0ascii\xa0wide\xa0nocase\xa0fullword\xa0\n$a10=”westlands.com”\xa0ascii\xa0wide\xa0nocase\xa0fullword\xa0\n$a11=”217.115.113.181″\xa0ascii\xa0wide\xa0nocase\xa0fullword\xa0\n$a12=”216.176.180.188″\xa0ascii\xa0wide\xa0nocase\xa0fullword\xa0\n$a13=”65.98.88.29″\xa0ascii\xa0wide\xa0nocase\xa0fullword\xa0\n$a14=”199.15.251.75″\xa0ascii\xa0wide\xa0nocase\xa0fullword\xa0\n$a15=”216.176.180.181″\xa0ascii\xa0wide\xa0nocase\xa0fullword\xa0\n$a16=”MN600\xad849590C695DFD9BF69481597241E\xad668C”\xa0ascii\xa0wide\xa0nocase\nfullword\xa0\n$a17=”MN600\xad841597241E8D9BF6949590C695DF\xad774D”\xa0ascii\xa0wide\xa
0nocase\nfullword\xa0\n$a18=”MN600\xad3E3A3C593AD5BAF50F55A4ED60F0\xad385D”\xa0ascii\xa0wide\xa0nocase\nfullword\xa0\n$a19=”MN600\xadAD58AF50F55A60E043E3A3C593ED\xad874A”\xa0ascii\xa0wide\xa0nocase\nfullword\xa0\n$a20=”gpool@hostpenta.com”\xa0ascii\xa0wide\xa0nocase\xa0fullword\xa0\n$a21=”hanger@hostpenta.com”\xa0ascii\xa0wide\xa0nocase\xa0fullword\xa0\n$a22=”hostpenta@hostpenta.com”\xa0ascii\xa0wide\xa0nocase\xa0fullword\xa0\n$a23=”ulpi715@gmx.com”\xa0ascii\xa0wide\xa0nocase\xa0fullword\xa0\n$b0=”purge626@gmail.com”\xa0ascii\xa0wide\xa0fullword\xa0\n$b1=”tip848@gmail.com”\xa0ascii\xa0wide\xa0fullword\xa0\n$b2=”dude626@gmail.com”\xa0ascii\xa0wide\xa0fullword\xa0\n$b3=”octo424@gmail.com”\xa0ascii\xa0wide\xa0fullword\xa0\n$b4=”antoniaf@poste.it”\xa0ascii\xa0wide\xa0fullword\xa0\n$b5=”mmarcucci@virgilio.it”\xa0ascii\xa0wide\xa0fullword\n$b6=”i.julia@blu.it”\xa0ascii\xa0wide\xa0fullword\xa0\n$b7=”g.simeoni@inwind.it”\xa0ascii\xa0wide\xa0fullword\xa0\n$b8=”g.latagliata@live.com”\xa0ascii\xa0wide\xa0fullword\xa0\n$b9=”rita.p@blu.it”\xa0ascii\xa0wide\xa0fullword\xa0\n$b10=”b.gaetani@live.com”\xa0ascii\xa0wide\xa0fullword\xa0\n$b11=”gpierpaolo@tin.it”\xa0ascii\xa0wide\xa0fullword\xa0\n$b12=”e.barbara@poste.it”\xa0ascii\xa0wide\xa0fullword\xa0\n$b13=”stoccod@libero.it”\xa0ascii\xa0wide\xa0fullword\xa0\n$b14=”g.capezzone@virgilio.it”\xa0ascii\xa0wide\xa0fullword\xa0\n$b15=”baldarim@blu.it”\xa0ascii\xa0wide\xa0fullword\xa0\n$b16=”elsajuliette@blu.it”\xa0ascii\xa0wide\xa0fullword\xa0\n$b17=”dipriamoj@alice.it”\xa0ascii\xa0wide\xa0fullword\xa0\n$b18=”izabelle.d@blu.it”\xa0ascii\xa0wide\xa0fullword\xa0\n$b19=”lu_1974@hotmail.com”\xa0ascii\xa0wide\xa0fullword\xa0\n$b20=”tim11235@gmail.com”\xa0ascii\xa0wide\xa0fullword\xa0\n$b21=”plars575@gmail.com”\xa0ascii\xa0wide\xa0fullword\xa0\n$b22=”guess515@fastmail.fm”\xa0ascii\xa0wide\xa0fullword\ncondition:\n((uint16(0)\xa0==\xa00x5A4D))\xa0and\xa0(filesize\xa0<\xa010MB)\xa0and\xa0\xa0\n((any\xa0of\xa0($a*))\xa0or\xa0(any\xa0of\xa0($b*))\
xa0)\xa0\n},great,,,,"CN, DE, FR, ID, IT, MC, MX, PL, TW",FALSE,"Spear Phishing, Social Engineering, Malicious Documents","Trojan.Win32.AntiAV.choz, Trojan.Win32.AntiAV.ciok, Trojan.Win32.AntiAV.cisb, Trojan.Win32.AntiAV.ciyk, not­a­virus:HEUR:PSWTool.Win32.Generic, not­a­virus:PSWTool.Win32.NetPass.aku","Corporations and Businesses, Healthcare, Education and Research Institutions",,, 2017-01-14,tr1adx_Dope-Story-Bears(01-14-2017),A Pretty Dope Story About Bears: Early Indicators of Continued World Anti-Doping Agency (WADA) Targeting,https://app.box.com/s/7i5o08f6dd9j6idvav7kwek3sg0cyw5n,tr1adx,,,,apt28,RU,"Espionage, Information theft and espionage",2004,CA,,Phishing,,Education and Research Institutions,,, 2017-01-15,[tr1adx]_ Intel,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2017/2017.01.15.Bear_Spotting_Vol.1/%5Btr1adx%5D_%20Intel.pdf,tr1adx,,,,apt28,RU,"Espionage, Information theft and espionage",2004,"DK, IN, JP, TR, US, VE",,Phishing,,Government and Defense Agencies,2015-02-20,2016-12-27,676.0 2017-01-19,Kashmir_Protest_Themed,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2017/2017.01.19.uri-terror-attack/Kashmir_Protest_Themed.pdf,Symantec,,,,,,,,IN,FALSE,"Spear Phishing, Malicious Documents",njRAT,Government and Defense Agencies,2016-07-21,2016-09-30,71.0 2017-01-25,etecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2017/2017.01.25.german-industrial-attacks/etecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp.pdf,Microsoft,,,,apt41,CN,"Financial crime, Information theft and espionage",2010,"AU, NZ, US",,"Phishing, Credential Reuse, Exploit Vulnerability","Winnti, Win32/Barlaiy","Corporations and Businesses, Manufacturing, Education and Research Institutions, Media and Entertainment Companies",2016-02-15,2016-12-15,304.0 
2017-01-30,unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2017/2017.01.30.downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments.pdf,F-Secure,,,,gaza cybergang,PS,Information theft and espionage,2012,,FALSE,Phishing,"Downeks, Quasar RAT, .NET Framework",Government and Defense Agencies,,, 2017-02-02,Citizenlab_NilePhish-Large-Scale-Targeting-Egyptian(02-02-2017),Nile Phish: Large-Scale Phishing Campaign Targeting Egyptian Civil Society,https://app.box.com/s/3140tmwszf3q0ywh3jl9uhwjxyckmgv5,Citizen Lab,,,,packrat,,Information theft and espionage,2008,EG,FALSE,"Phishing, Social Engineering","gophish, PassiveTotal","Non-Governmental Organizations (NGOs) and Nonprofits, Individuals",,, 2017-02-03,"Several Polish banks hacked, information stolen by unknown attackers - BadCyber",,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2017/2017.02.03.several-polish-banks-hacked/Several%20Polish%20banks%20hacked%2C%20information%20stolen%20by%20unknown%20attackers%20%E2%80%93%20BadCyber.pdf,Infosec,,,,lazarus group,KP,"Information theft and espionage, Espionage, Sabotage and destruction, Sabotage, Financial crime",2014,,,Watering Hole,,Financial Institutions,,, 2017-02-03,kingslayer-a-supply-chain-attack,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2017/2017.02.03.kingslayer-a-supply-chain-attack/kingslayer-a-supply-chain-attack.pdf,RSA,,,,shell crew,CN,"Financial crime, Information theft and espionage",2010,,,Exploit Vulnerability,K2 Trojan,"Government and Defense Agencies, Corporations and Businesses, Financial Institutions, Education and Research Institutions",2015-04-09,2015-07-15,97.0 2017-02-03,Badcyber_Polish-banks-hacked-information-stolen-unknown-attackers(02-03-2017),"Several Polish 
banks hacked, information stolen by unknown attackers",https://app.box.com/s/7s2s43nlaqxllf4ugef1vyvkm3mr0ryt,Badcyber,,,,,,,,PL,,Watering Hole,,Financial Institutions,,, 2017-02-12,BAESystems_Lazarus-Watering-hole-attacks(02-12-2017),Lazarus & Watering-Hole Attacks,https://app.box.com/s/7wh9z15na9c823vtwo8fhyu2qt6a57df,BAE Systems,CVE-2016-0034,,,lazarus group,KP,"Information theft and espionage, Espionage, Sabotage and destruction, Sabotage, Financial crime",2014,"MX, PL, UY",,Watering Hole,Enigma Protector,Financial Institutions,2016-10-07,2017-02-15,131.0 2017-02-14,Operation Kingphish_ Uncovering a Campaign of Cyber Attacks against Civil Society in Qatar and... - Amnesty Insights - Medium,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2017/2017.02.14.Operation_Kingphish/Operation%20Kingphish_%20Uncovering%20a%20Campaign%20of%20Cyber%20Attacks%20against%20Civil%20Society%20in%20Qatar%20and%E2%80%A6%20%E2%80%93%20Amnesty%20Insights%20%E2%80%93%20Medium.pdf,Amnesty International,,,,operation kingphish,,,,,FALSE,"Phishing, Malicious Documents",,"Non-Governmental Organizations (NGOs) and Nonprofits, Individuals",,, 2017-02-15,Secureworks_Iranian-PupyRAT-Middle-Eastern-Organizations(02-15-2017),Iranian PupyRAT Bites Middle Eastern Organizations,https://app.box.com/s/ztp64lp34bn9ax4vithevntn6pab6sxz,SecureWorks,,,,apt34,IR,Espionage,,"EG, SA",,"Spear Phishing, Malicious Documents",PupyRAT,"Financial Institutions, Energy and Utilities, Corporations and Businesses",,, 2017-02-15,PaloAlto_MagicHound-Campaign-Attacks-SaudiTargets(02-15-2017),Magic Hound Campaign Attacks Saudi Targets,https://app.box.com/s/qg2l481eu51ab9znszagv2ktlh4bh9z5,Palo Alto,,,,rocket kitten,IR,"Espionage, Information theft and espionage",2011,SA,,"Spear Phishing, Malicious Documents, Watering Hole",".NET Framework, Pupy, Meterpreter, Magic Unicorn, MagicHound.Leash, MagicHound.DropIt, MagicHound.Fetch, MagicHound.Rollover, MagicHound.Retriever","Government and 
Defense Agencies, Energy and Utilities, Corporations and Businesses",,, 2017-02-15,the-full-shamoon-how-the-devastating-malware-was-inserted-into-networks,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2017/2017.02.15.the-full-shamoon/the-full-shamoon-how-the-devastating-malware-was-inserted-into-networks.pdf,IBM X-Force,,,,,,,,SA,FALSE,"Spear Phishing, Malicious Documents","Shamoon, malicious macros, PowerShell","Corporations and Businesses, Government and Defense Agencies, Energy and Utilities, Manufacturing",2016-11-15,2017-01-15,61.0 2017-02-15,Deep Dive on the DragonOK Rambo Backdoor _ Morphick Cyber Security,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2017/2017.02.15.deep-dive-dragonok-rambo-backdoor/Deep%20Dive%20on%20the%20DragonOK%20Rambo%20Backdoor%20_%20Morphick%20Cyber%20Security.pdf,Morphisec,,,,dragonok,CN,"Espionage, Information theft and espionage",2014,,,,"Rambo Backdoor, vmwarebase.dll, vprintproxy.exe, HeartDll.dll",,,, 2017-02-15,Cyberx_Operation-BugDrop(02-15-2017),Operation Bugdrop: Cyberx Discovers Large-Scale Cyber-Reconnaissance Operation Targeting Ukrainian Organizations,https://app.box.com/s/uyl8gatur9prvuv4z0ghjakdcvv5zkrf,CyberX,,,,,,,,"AT, RU, SA, UA",,"Spear Phishing, Malicious Documents","Dropbox, Reflective DLL Injection, Encrypted DLLs, Legitimate free web hosting sites","Corporations and Businesses, Critical Infrastructure, Education and Research Institutions, Media and Entertainment Companies, Non-Governmental Organizations (NGOs) and Nonprofits",,, 2017-02-16,Technical analysis of recent attacks against Polish banks - BadCyber,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2017/2017.02.16.Technical_analysis_Polish_banks/Technical%20analysis%20of%20recent%20attacks%20against%20Polish%20banks%20%E2%80%93%20BadCyber.pdf,Symantec,"CVE-2015-8651, CVE-2016-1019, CVE-2016-4117",,,lazarus group,KP,"Information theft and 
espionage, Espionage, Sabotage and destruction, Sabotage, Financial crime",2014,PL,FALSE,"Watering Hole, Exploit Vulnerability","cambio.xap, cambio.swf, perfmon.dat, fdsvc.dll",Financial Institutions,,, 2017-02-16,Lookout_ViperRAT-IDF(02-16-2017),ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar,https://app.box.com/s/n2ruyugtbigi6yyvg6u2xmt32eyqn8gx,Lookout,,,,,,,,IL,,Social Engineering,"ViperRAT, SR Chat, YeeCall Pro, Pegasus","Government and Defense Agencies, Corporations and Businesses",,, 2017-02-16,Kaspersky_Breaking-Weakest-Link-IDF(02-16-2017),Breaking The Weakest Link Of The Strongest Chain,https://app.box.com/s/wlwdugbbup1g3kb0ol71eh74qo6e67pd,Kaspersky,,,,,,,,"CA, CH, DE",FALSE,Social Engineering,,Government and Defense Agencies,2016-07-15,2017-02-15,215.0 2017-02-17,chches-malware--93d6.html,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2017/2017.02.17.chches-malware/chches-malware--93d6.html.pdf,RSA,,,,,,,,,FALSE,Spear Phishing,"ChChes, PlugX, Poison Ivy, PlugIvy, Dridex, impfuzzy for Volatility",,,, 2017-02-20,Part I. 
Russian APT - APT28 collection of samples including OSX XAgent,,https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html,Contagio Dump,"CVE-2006-2389, CVE-2006-2492, CVE-2007-0071, CVE-2007-5659, CVE-2008-0081, CVE-2008-0655, CVE-2008-2992, CVE-2008-3005, CVE-2008-4841, CVE-2008-5353, CVE-2009-0556, CVE-2009-0563, CVE-2009-0658, CVE-2009-0806, CVE-2009-0927, CVE-2009-1129, CVE-2009-1869, CVE-2009-3129, CVE-2009-3867, CVE-2009-3957, CVE-2009-4324, CVE-2010-0188, CVE-2010-0806, CVE-2010-1240, CVE-2010-1297, CVE-2010-1885, CVE-2010-2568, CVE-2010-2883, CVE-2010-3654, CVE-2010-3970, CVE-2010-4091, CVE-2011-0609, CVE-2011-0611, CVE-2011-1980, CVE-2011-1991, CVE-2011-2462, CVE-2012-0506, CVE-2012-0507, CVE-2012-0754, CVE-2012-0779, CVE-2012-1535, CVE-2012-1875, CVE-2012-1889, CVE-2012-4681, CVE-2012-4969, CVE-2012-5076",,,apt28,RU,"Espionage, Information theft and espionage",2004,,TRUE,,"Dark Comet, Duqu, Flamer, Gauss, Gh0stnet backdoor, Hikit, Linux, OSX","Financial Institutions, Government and Defense Agencies, Media and Entertainment Companies",,, 2017-02-20,lazarus-false-flag-malware.html,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2017/2017.02.20.Lazarus_False_Flag_Malware/lazarus-false-flag-malware.html.pdf,BAE Systems,,,,lazarus group,KP,"Information theft and espionage, Espionage, Sabotage and destruction, Sabotage, Financial crime",2014,PL,,Watering Hole,"Lazarus toolkit, JBoss 5.0.0",Financial Institutions,2016-08-26,2017-02-05,163.0 2017-02-21,additional-insights-shamoon2,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2017/2017.02.21.Additional_Insights_on_Shamoon2/additional-insights-shamoon2.pdf,Arbor Networks,,,,magic hound,IR,Information theft and espionage,2012,,,"Spear Phishing, Malicious Documents","Shamoon2, PowerShell",Energy and Utilities,,, 2017-02-21,ArborNetworks_Additional-Insights-Shamoon2(02-21-2017),Additional Insights on 
Shamoon2,https://app.box.com/s/dt59pijmmnxc3no13g55jbdr325fpnhs,Arbor Networks,,,,magic hound,IR,Information theft and espionage,2012,SA,,Spear Phishing,"Shamoon2, Magic Hound, Rocket Kitten, PuppyRAT",,,, 2017-02-22,Fireeye_SpearPhishing-Targeting-Mongolian-Government(02-22-2017),Spear Phishing Techniques Used in Attacks Targeting the Mongolian Government,https://app.box.com/s/sgzri8xt5l6gaodokuvvfjt7emzu0z4o,FireEye,,,,,,,,MN,FALSE,"Spear Phishing, Social Engineering, Malicious Documents",Poison Ivy,Government and Defense Agencies,,, 2017-02-23,Bitdefender-Whitepaper-APT-Mac-A4-en-EN-web,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2017/2017.02.23.APT28_Mac_OS_X_Payload/Bitdefender-Whitepaper-APT-Mac-A4-en-EN-web.pdf,Bitdefender,,,,apt28,RU,"Espionage, Information theft and espionage",2004,,,Malicious Documents,"Trojan.MAC.APT28, XAgent, Coreshell, Jhuhugit, Azzy, Fysbis, Komplex Trojan, roskosmos_2015-2025.app",Corporations and Businesses,,, 2017-02-27,Cylance_DeceptionProject-New-Japanese-Centric-Threat(02-27-2017),The Deception Project: A New Japanese-Centric Threat,https://app.box.com/s/5l02xyf45l1gww8vet75vom5jmn32m0h,Cylance,,,,snake wine,,Information theft and espionage,2016,JP,FALSE,Spear Phishing,"PowerShell, LNK files, RC.exe, Microsoft Resource Compiler","Government and Defense Agencies, Education and Research Institutions, Corporations and Businesses",,, 2017-02-27,The Gamaredon Group Toolset Evolution - Palo Alto Networks Blog,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2017/2017.02.27.gamaredon-group-toolset-evolution/The%20Gamaredon%20Group%20Toolset%20Evolution%20-%20Palo%20Alto%20Networks%20Blog.pdf,Palo Alto,,,,gamaredon group,RU,Information theft and espionage,2013,UA,,Drive-by Download,,"Government and Defense Agencies, Individuals",,, 2017-02-28,AtomBombing_ Brand New Code Injection for Windows - Breaking 
Malware,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2017/2017.02.28.dridexs-cold-war-enter-atombombing/AtomBombing_%20Brand%20New%20Code%20Injection%20for%20Windows%20-%20Breaking%20Malware.pdf,enSilo,,,,,,,,,FALSE,,,,,, 2017-02-28,AtomBombing_ A Code Injection that Bypasses Current Security Solutions,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2017/2017.02.28.dridexs-cold-war-enter-atombombing/AtomBombing_%20A%20Code%20Injection%20that%20Bypasses%20Current%20Security%20Solutions.pdf,enSilo,,,,,,,,,FALSE,,"evil.exe, PowerLoaderEx, AtomBombing",Healthcare,,, 2017-02-28,Dridex's Cold War_ Enter AtomBombing,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2017/2017.02.28.dridexs-cold-war-enter-atombombing/Dridex%27s%20Cold%20War_%20Enter%20AtomBombing.pdf,IBM,,,,,,,,,FALSE,,Dridex,Financial Institutions,,, 2017-03-06,Report_Shamoon_StoneDrill_final,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2017/2017.03.06.from-shamoon-to-stonedrill/Report_Shamoon_StoneDrill_final.pdf,Kaspersky,,,"rule susp_file_enumerator_with_encrypted_resource_101 { \nmeta: \n \n \ncopyright = ""Kaspersky Lab"" \n \ndescription = ""Generic detection for samples that enumerate files with encrypted resource \ncalled 101"" \n \nhash = ""2cd0a5f1e9bcce6807e57ec8477d222a"" \n \nhash = ""c843046e54b755ec63ccb09d0a689674"" \n \nversion = ""1.4"" \n \nstrings: \n \n \n$mz = ""This program cannot be run in DOS mode."" \n \n \n$a1 = ""FindFirstFile"" ascii wide nocase \n \n$a2 = ""FindNextFile"" ascii wide nocase \n \n$a3 = ""FindResource"" ascii wide nocase \n \n$a4 = ""LoadResource"" ascii wide nocase \n \ncondition: \n \n \nuint16(0) == 0x5A4D and \n \nall of them and \n \nfilesize < 700000 and \n \npe.number_of_sections > 4 and \n \npe.number_of_signatures == 0 and \n \npe.number_of_resources > 1 and pe.number_of_resources < 15 and \n \nfor any i in 
(0..pe.number_of_resources - 1): \n \n( \n(math.entropy(pe.resourcesi.offset, pe.resourcesi.length) > 7.8) and \n \n \npe.resourcesi.id == 101 and \n \n \npe.resourcesi.length > 20000 and \n \n \npe.resourcesi.language == 0 and \n \n \nnot ($mz in (pe.resourcesi.offset..pe.resourcesi.offset + pe.resourcesi.length)) \n \n) \n}, rule StoneDrill_main_sub { \nmeta: \n author \n= ""Kaspersky Lab"" \n description = ""Rule to detect StoneDrill (decrypted) samples"" \n hash \n= ""d01781f1246fd1b64e09170bd6600fe1"" \n hash \n= ""ac3c25534c076623192b9381f926ba0d"" \n version \n= ""1.0"" \n \nstrings: \n \n $code = {B8 08 00 FE 7F FF 30 8F 44 24 ?? 68 B4 0F 00 00 FF 15 ?? ?? ?? 00 B8 08 00 FE 7F FF \n30 8F 44 24 ?? 8B ?? 24 1 - 4 2B ?? 24 6 F7 ?1 5 - 12 00} \n \ncondition: \n \n uint16(0) == 0x5A4D and \n $code and \n filesize < 5000000 \n}",cutting sword of justice,,,,SA,,,"StoneDrill, Shamoon, Shamoon 2.0, News Beef","Energy and Utilities, Corporations and Businesses",,, 2017-03-07,FireEye-FIN7-SpearPhishing-Targets-SEC-Filings(03-07-2017),FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings,https://app.box.com/s/7f2wiynwlbi58vsv206zn0695id5nl0k,FireEye,,,,fin7,RU,"Financial gain, Financial crime",2013,US,FALSE,"Spear Phishing, Malicious Documents","POWERSOURCE, TEXTMATE, DNS_TXT_Pwnage, CARBANAK","Corporations and Businesses, Financial Institutions, Education and Research Institutions",,, 2017-03-08,Targeted Attack Campaigns with Multi-Variate Malware Observed in the Cloud - Netskope,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2017/2017.03.08.Targeted_Attack_Campaigns/Targeted%20Attack%20Campaigns%20with%20Multi-Variate%20Malware%20Observed%20in%20the%20Cloud%20-%20Netskope.pdf,Netskope,,,,,,,,,,Spear Phishing,"Locky/Zepto, Adwind RAT, Java Runtime","Corporations and Businesses, Cloud/IoT Services",,, 
2017-03-14,Operation_Electric_Powder,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2017/2017.03.14.Operation_Electric_Powder/Operation_Electric_Powder.pdf,ClearSky,CVE-2014-6332,,,molerats,PS,Information theft and espionage,2012,IL,FALSE,"Watering Hole, Exploit Vulnerability, Malicious Documents","Dropper, Trojan backdoor / downloader, Keylogger / screen grabber, CVE-2014-6332 exploit",,,, 2017-03-15,english-report-of-fhappi-freehosting,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2017/2017.03.15.FHAPPI_Campaign/english-report-of-fhappi-freehosting.pdf,NATO,CVE-2014-6271,,,fhappi,,,,MN,TRUE,Phishing,"Poison IVY malware, PowerSploit, Windows PowerShell, VBScript, Reflow JavaScript Backdoor",,,, 2017-03-27,FireEye_APT29-Domain-Fronting-With-TOR(03-27-2017),APT29 Domain Fronting With TOR,https://app.box.com/s/8ytb4nym7whlldfvsaivnmsut9ole32h,FireEye,,,,apt29,RU,"Espionage, Information theft and espionage",2008,,FALSE,"Exploit Vulnerability, Covert Channels","TOR (The Onion Router), start.ps1, install.bat, Sticky Keys exploit, googleService.exe, GoogleUpdate.exe",,,, 2017-03-30,ESET_Carbon-Paper-Peering-into-Turlas-second-stage-backdoor(03-30-2017),Carbon Paper: Peering into Turla second stage backdoor,https://app.box.com/s/vmzqwqfrmtdjemtdaei60jqu5qrouwrt,ESET,,,"rule generic_carbon\n{\nstrings:\n$s1 = “ModStart”\n$s2 = “ModuleStart”\n$t1 = “STOP|OK”\n$t2 = “STOP|KILL”\ncondition:\n(uint16(0) == 0x5a4d) and (1 of ($s*)) and (1 of ($t*))\n}, rule carbon_metadata\n{\ncondition:\n(pe.version_info“InternalName” contains “SERVICE.EXE” or\npe.version_info“InternalName” contains “MSIMGHLP.DLL” or\npe.version_info“InternalName” contains “MSXIML.DLL”)\nand pe.version_info“CompanyName” contains “Microsoft Corporation”\n}",turla,RU,"Espionage, Information theft and espionage",1996,,,"Spear Phishing, Watering Hole","Carbon, Tavdig, Skipper, Uroburos",Government and Defense Agencies,,, 
2017-04-03,PWC_cloud-hopper-report-final-v4(04-03-2017),Operation Cloud Hopper,https://app.box.com/s/ifeoa5huug0aqdecsniw7jmrxym0k85i,PricewaterhouseCoopers,,,,apt10,CN,Espionage,,"AU, BR, CA, CH, FI, FR, GB, IN, JP, KR, NO, SE, TH, US, ZA",,"Spear Phishing, Malicious Documents","ChChes, RedLeaves, Quasar, MimiKatz, PwDump6, Windows Defender, EvilGrab, Poison Ivy, PlugX, t.vbs, PSCP, Robocopy","Corporations and Businesses, Energy and Utilities, Healthcare, Manufacturing, Education and Research Institutions",,, 2017-04-03,Dissecting One of APT29's Fileless WMI and PowerShell Backdoors (POSHSPY),,https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html,FireEye,,,,apt29,RU,"Espionage, Information theft and espionage",2008,,,,"POSHSPY, PowerShell, Windows Management Instrumentation (WMI)",,,, 2017-04-03,Lazarus APT Spinoff Linked to Banking Hacks,,https://threatpost.com/lazarus-apt-spinoff-linked-to-banking-hacks/124746/,Threatpost,,,,lazarus group,KP,"Information theft and espionage, Espionage, Sabotage and destruction, Sabotage, Financial crime",2014,"KR, PL",,"Watering Hole, Exploit Vulnerability","iframe, cryptocurrency mining software","Financial Institutions, Corporations and Businesses",,, 2017-04-05,"In-Depth Look at New Variant of MONSOON APT Backdoor, Part 1",,http://blog.fortinet.com/2017/04/05/in-depth-look-at-new-variant-of-monsoon-apt-backdoor-part-1,Fortinet,"CVE-2015-1641, CVE-2015-41, CVE-2017-0199",,,monsoon,IN,"Espionage, Information theft and espionage",2013,,FALSE,"Malicious Documents, Exploit Vulnerability",BADNEWS,Government and Defense Agencies,,, 2017-04-06,"APT10 (MenuPass Group) New Tools, Global Campaign Latest Manifestation of Longstanding Threat",,https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html,FireEye,,,,apt10,CN,Espionage,,"IN, JP",FALSE,"Spear Phishing, Malicious Documents","HAYMAKER, SNUGRIDE, BUGJUICE, QUASARRAT","Government and Defense Agencies, Corporations and Businesses, 
Manufacturing, Education and Research Institutions",,, 2017-04-07,PaloAlto_The-Blockbuster-Sequel(04-07-2017),The Blockbuster Sequel,https://app.box.com/s/lmzdurawuli1a65uvx4g6e8b9jvede3f,Palo Alto,,,,lazarus group,KP,"Information theft and espionage, Espionage, Sabotage and destruction, Sabotage, Financial crime",2014,KR,,"Spear Phishing, Malicious Documents",,,,, 2017-04-10,Longhorn_ Tools used by cyberespionage group linked to Vault 7,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2017/2017.04.10_Longhorn/Longhorn_%20Tools%20used%20by%20cyberespionage%20group%20linked%20to%20Vault%207.pdf,Symantec,,,,longhorn,US,"Espionage, Information theft and espionage",2009,US,TRUE,,"Corentry, Plexor, Backdoor.Trojan.LH1, Backdoor.Trojan.LH2","Government and Defense Agencies, Corporations and Businesses, Financial Institutions, Energy and Utilities, Education and Research Institutions, Critical Infrastructure",,, 2017-04-11,Unraveling the Lamberts Toolkit,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2017/2017.04.11.Lamberts_Toolkit/Unraveling%20the%20Lamberts%20Toolkit.pdf,Kaspersky,CVE-2014-4148,,,longhorn,US,"Espionage, Information theft and espionage",2009,,TRUE,Exploit Vulnerability,"Black Lambert, Windows TTF zero-day exploit (CVE-2014-4148)",,,, 2017-04-13,callisto-group,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2017/2017.04.13.callisto-group/callisto-group.pdf,F-Secure,,,,callisto,RU,,,,FALSE,"Phishing, Malicious Documents","Scout, RCS Galileo","Government and Defense Agencies, Education and Research Institutions",,, 2017-05-03,kazuar,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2017/2017.05.03.kazuar-multiplatform-espionage-backdoor-api-access/kazuar.pdf,Palo Alto,,,,turla,RU,"Espionage, Information theft and espionage",1996,,,,"Kazuar, .NET Framework, Carbon","Government and Defense Agencies, Education and Research 
Institutions",,, 2017-05-09,"APT3 is Boyusec, a Chinese Intelligence Contractor",,https://intrusiontruth.wordpress.com/2017/05/09/apt3-is-boyusec-a-chinese-intelligence-contractor/,Intrusion Truth,,,,apt3,CN,"Espionage, Information theft and espionage",2007,,,,,Government and Defense Agencies,,, 2017-05-14,FireEye_Cyber-Espionage-Alive-Well-APT32(05-14-2017),Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations,https://app.box.com/s/zutjtgdovy2dc32ktf5347y46eslqxq0,FireEye,CVE-2016-7255,,,apt32,VN,"Espionage, Financial gain, Information theft and espionage",2012,"CN, DE, GB, PH, US, VN",FALSE,"Spear Phishing, Social Engineering, Malicious Documents","WINDSHIELD, KOMPROGO, SOUNDBITE, PHOREAL, Cobalt Strike BEACON, Metasploit framework, Meterpreter","Corporations and Businesses, Financial Institutions, Media and Entertainment Companies, Cloud/IoT Services, Manufacturing, Healthcare",,, 2017-05-17,RecordedFuture_Chinese-Ministry-State-APT3(05-17-2017),Recorded Future Research Concludes Chinese Ministry of State Security Behind APT3,https://app.box.com/s/rkactl8fr73y037u6fypz700i4e2dk2m,Recorded Future,,,,apt3,CN,"Espionage, Information theft and espionage",2007,"HK, US",TRUE,"Spear Phishing, Exploit Vulnerability",Pirpi,"Energy and Utilities, Government and Defense Agencies, Education and Research Institutions, Critical Infrastructure",,, 2017-05-24,Operation Cobalt Kitty A large-scale APT in Asia carried out by the OceanLotus Group,,https://www.cybereason.com/labs-operation-cobalt-kitty-a-large-scale-apt-in-asia-carried-out-by-the-oceanlotus-group/,Cybereason,,,,oceanlotus group,VN,"Espionage, Financial gain, Information theft and espionage",2012,,FALSE,"Spear Phishing, Social Engineering, Malicious Documents","Cobalt Strike Beacon, Backdoor.Win32.Denis, Mimikatz (PowerShell and Binary versions), DLL sideloading attack tools, COM scriptlet, JavaScript",,,, 2017-05-24,Cybereason_Cobalt-Kitty-ActorsProfiles-IOCs(05-24-2017),Operation Cobalt 
Kitty Threat Actor Profile & IOC,https://app.box.com/s/qmhs1k5awl5ibders0bwdlt9f9omhm4m,Cybereason,,,,oceanlotus group,VN,"Espionage, Financial gain, Information theft and espionage",2012,"CN, PH, VN",,"Malicious Documents, Exploit Vulnerability","PlugX, Bookworm RAT, PowerShell, Visual Basic, Cobalt Strike, Outlook backdoor, Denis backdoor, Goopy backdoor","Government and Defense Agencies, Corporations and Businesses, Media and Entertainment Companies",,, 2017-05-25,Citizenlab_Tainted-Leaks-Disinformation-Phishing-With-Russian-Nexus(05-25-2017),TAINTED LEAKS Disinformation and Phishing With a Russian Nexus,https://app.box.com/s/wiis486wq7lyb64necfw3qwieikezs40,Citizen Lab,,,,apt28,RU,"Espionage, Information theft and espionage",2004,"AF, AM, AT, EG, GE, KG, KH, KZ, LV, PE, RU, SD, SI, SK, TH, TR, UA, UZ, VN",,Phishing,,"Government and Defense Agencies, Media and Entertainment Companies, Non-Governmental Organizations (NGOs) and Nonprofits, Individuals",,, 2017-05-30,Group-IB_Lazarus,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2017/2017.05.30.Lazarus_Arisen/Group-IB_Lazarus.pdf,Group-IB,CVE-2016-0034,,,lazarus group,KP,"Information theft and espionage, Espionage, Sabotage and destruction, Sabotage, Financial crime",2014,"BG, CA, CN, GB, IN, JP, MX, PL, TR, US, UY",FALSE,Watering Hole,"Server_RAT, Server_TrafficForwarder, Backend_Listener, Admin_Tool, SWIFT toolbox, Recon, SoftEther VPN, JBoss, Liferay, Silverlight CVE-2016-0034 (MS16-006), Flash exploits from Neutrino Exploit Kit","Corporations and Businesses, Financial Institutions, Energy and Utilities",2016-02-15,2017-02-15,366.0 2017-06-06,FireEye_Privileges-Credentials-Phished-Request-of-Counsel(06-06-2017),Privileges and Credentials: Phished at the Request of Counsel,https://app.box.com/s/sj821a63jgyif6xv2yz4gnut8kxgg7lo,FireEye,"CVE-2017-0199, CVE-2017-1099",,"rule FE_LEGALSTRIKE_RTF {\n meta:\n version="".1""\n filetype=""MACRO""\n author=""joshua.kim@FireEye.com""\n 
date=""2017-06-02""\n description=""Rtf Phishing Campaign leveraging the CVE 2017-0199 exploit, to point to the domain\n2bunnyDOTcom""\n strings:\n $header = ""{\\\\rt""\n $lnkinfo = ""4c0069006e006b0049006e0066006f""\n $encoded1 = ""4f4c45324c696e6b""\n $encoded2 = ""52006f006f007400200045006e007400720079""\n $encoded3 = ""4f0062006a0049006e0066006f""\n $encoded4 = ""4f006c0065""\n $http1 = ""68{""\n $http2 = ""74{""\n $http3 = ""07{""\n // 2bunny.com\n $domain1 = ""32{\\\\""\n $domain2 = ""62{\\\\""\n $domain3 = ""75{\\\\""\n $domain4 = ""6e{\\\\""\n $domain5 = ""79{\\\\""\n $domain6 = ""2e{\\\\""\n $domain7 = ""63{\\\\""\n $domain8 = ""6f{\\\\""\n $domain9 = ""6d{\\\\""\n $datastore = ""\\\\*\\\\datastore""\n condition:\n $header at 0 and all of them\n}, rule FE_LEGALSTRIKE_MACRO {\n meta:version="".1""\n filetype=""MACRO""\n author=""Ian.Ahl@fireeye.com @TekDefense""\n date=""2017-06-02""\n description=""This rule is designed to identify macros with the specific encoding used in the sample\n30f149479c02b741e897cdb9ecd22da7.""\nstrings:\n // OBSFUCATION\n $ob1 = ""ChrW(114) & ChrW(101) & ChrW(103) & ChrW(115) & ChrW(118) & ChrW(114) & ChrW(51) &\nChrW(50) & ChrW(46) & ChrW(101)"" ascii wide\n $ob2 = ""ChrW(120) & ChrW(101) & ChrW(32) & ChrW(47) & ChrW(115) & ChrW(32) & ChrW(47) &\nChrW(110) & ChrW(32) & ChrW(47)"" ascii wide\n $ob3 = ""ChrW(117) & ChrW(32) & ChrW(47) & ChrW(105) & ChrW(58) & ChrW(104) & ChrW(116) &\nChrW(116) & ChrW(112) & ChrW(115)"" ascii wide\n $ob4 = ""ChrW(58) & ChrW(47) & ChrW(47) & ChrW(108) & ChrW(121) & ChrW(110) & ChrW(99) &\nChrW(100) & ChrW(105) & ChrW(115)"" ascii wide\n $ob5 = ""ChrW(99) & ChrW(111) & ChrW(118) & ChrW(101) & ChrW(114) & ChrW(46) & ChrW(50) &\nChrW(98) & ChrW(117) & ChrW(110)"" ascii wide\n $ob6 = ""ChrW(110) & ChrW(121) & ChrW(46) & ChrW(99) & ChrW(111) & ChrW(109) & ChrW(47) &\nChrW(65) & ChrW(117) & ChrW(116)"" ascii wide\n $ob7 = ""ChrW(111) & ChrW(100) & ChrW(105) & ChrW(115) & ChrW(99) & ChrW(111) & ChrW(118) 
&\nChrW(101) & ChrW(114) & ChrW(32)"" ascii wide\n $ob8 = ""ChrW(115) & ChrW(99) & ChrW(114) & ChrW(111) & ChrW(98) & ChrW(106) & ChrW(46) &\nChrW(100) & ChrW(108) & ChrW(108)"" ascii wide\n $obreg1 = /(\\w{5}\\s&\\s){7}\\w{5}/\n $obreg2 = /(Chrw\\(\\d{1,3}\\)\\s&\\s){7}/\n // wscript\n $wsobj1 = ""Set Obj = CreateObject(\\""WScript.Shell\\"")"" ascii wide\n $wsobj2 = ""Obj.Run "" ascii wide\ncondition:\n (\n (\n (uint16(0) != 0x5A4D)\n )\n and\n (\n all of ($wsobj*) and 3 of ($ob*)\n or\n all of ($wsobj*) and all of ($obreg*)\n )\n )\n}, rule FE_LEGALSTRIKE_MACRO_2 {\n meta:version="".1""\n filetype=""MACRO""\n author=""Ian.Ahl@fireeye.com @TekDefense""\n date=""2017-06-02""\n description=""This rule was written to hit on specific variables and powershell command fragments as seen in\nthe macro found in the XLSX file3a1dca21bfe72368f2dd46eb4d9b48c4.""\nstrings:\n // Setting the environment\n $env1 = ""Arch = Environ(\\""PROCESSOR_ARCHITECTURE\\"")"" ascii wide\n $env2 = ""windir = Environ(\\""windir\\"")"" ascii wide\n $env3 = ""windir + \\""\\\\syswow64\\\\windowspowershell\\\\v1.0\\\\powershell.exe\\"""" ascii wide\n // powershell command fragments\n $ps1 = ""-NoP"" ascii wide\n $ps2 = ""-NonI"" ascii wide\n $ps3 = ""-W Hidden"" ascii wide\n $ps4 = ""-Command"" ascii wide\n $ps5 = ""New-Object IO.StreamReader"" ascii wide\n $ps6 = ""IO.Compression.DeflateStream"" ascii wide\n $ps7 = ""IO.MemoryStream"" ascii wide\n $ps8 = "",$(Convert::FromBase64String"" ascii wide\n $ps9 = ""ReadToEnd();"" ascii wide\n $psregex1 = /\\W\\w+\\s+\\s\\"".+\\""/\ncondition:\n (\n (\n (uint16(0) != 0x5A4D)\n )\n and\n (\n all of ($env*) and 6 of ($ps*)\n or\n all of ($env*) and 4 of ($ps*) and all of ($psregex*)\n )\n )\n}",apt19,CN,"Espionage, Information theft and espionage",2013,,TRUE,"Phishing, Malicious Documents, Exploit Vulnerability","Meterpreter, PowerShell, Squiblydoo Application Whitelisting bypass technique","Corporations and Businesses, Financial 
Institutions",2017-05-15,2017-06-15,31.0 2017-06-07,Microsoft_PLATINUM-evolve-find-ways-to-maintain-invisibility(06-07-2017),"PLATINUM continues to evolve, find ways to maintain invisibility",https://app.box.com/s/iryvk6gcqx4qyzfn245ruoo7syyex2yv,Microsoft,,,,platinum,,Information theft and espionage,2009,,FALSE,Credential Reuse,PLATINUM tool,,,, 2017-06-12,Win32_Industroyer,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2017/2017.06.12.INDUSTROYER/Win32_Industroyer.pdf,ESET,CVE-2015-5374,,,,,,,,FALSE,,"Win32/Industroyer, BlackEnergy, KillDisk, legitimate remote access software, port scanner tool, DoS tool","Energy and Utilities, Critical Infrastructure",2015-12-15,2016-12-17,368.0 2017-06-12,CrashOverride-01,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2017/2017.06.12.CRASHOVERRIDE/CrashOverride-01.pdf,Dragos,CVE-2015-5374,,"rule dragos_crashoverride_serviceStomper\n{\n meta:\n description = “Identify service hollowing and persistence setting”\n author = “Dragos Inc”\n strings:\n $s0 = { 33 c9 51 51 51 51 51 51 ?? ?? ?? }\n $s1 = { 6a ff 6a ff 6a ff 50 ff 15 24 ?? 40 00 ff ?? ?? ff 15 20 ?? 40 00 }\n condition:\n all of them\n}, rule dragos_crashoverride_configReader\n{\n meta:\n description = “CRASHOVERRIDE v1 Config File Parsing”\n author = “Dragos Inc”\n strings:\n $s0 = { 68 e8 ?? ?? ?? 6a 00 e8 a3 ?? ?? ?? 8b f8 83 c4 ?8 }\n $s1 = { 8a 10 3a 11 75 ?? 84 d2 74 12 }\n $s2 = { 33 c0 eb ?? 1b c0 83 c8 ?? }\n $s3 = { 85 c0 75 ?? 8d 95 ?? ?? ?? ?? 8b cf ?? ?? }\n condition:\n all of them\n}, rule dragos_crashoverride_wiperModuleRegistry\n{\n meta:\n description = “Registry Wiper functionality associated with CRASHOVERRIDE”\n author = “Dragos Inc”\n strings:\n $s0 = { 8d 85 a0 ?? ?? ?? 46 50 8d 85 a0 ?? ?? ?? 68 68 0d ?? ?? 50 }\n $s1 = { 6a 02 68 78 0b ?? ?? 6a 02 50 68 b4 0d ?? ?? ff b5 98 ?? ?? ?? ff 15 \n04 ?? ?? ?? }\n $s2 = { 68 00 02 00 00 8d 85 a0 ?? ?? ?? 50 56 ff b5 9c ?? ?? ?? 
ff 15 00 ?? \n?? ?? 85 c0 }\n condition:\n all of them\n}, rule dragos_crashoverride_moduleStrings { \n\t\nmeta:\n\t\n\t\ndescription = “IEC-104 Interaction Module Program Strings”\n\t\n\t\nauthor = “Dragos Inc”\n\t\nstrings: \n\t\n\t\n$s1 = “IEC-104 client: ip=%s; port=%s; ASDU=%u” nocase wide ascii \n\t\n\t\n$s2 = “ MSTR ->> SLV” nocase wide ascii \n\t\n\t\n$s3 = “ MSTR <<- SLV” nocase wide ascii \n\t\n\t\n$s4 = “Unknown APDU format !!!” nocase wide ascii \n\t\n\t\n$s5 = “iec104.log” nocase wide ascii \n\t\ncondition: \n\t\n\t\nany of ($s*)\n}, rule dragos_crashoverride_name_search {\n\t\nmeta:\n\t\n\t\ndescription = “CRASHOVERRIDE v1 Suspicious Strings and Export”\n\t\n\t\nauthor = “Dragos Inc”\n\t\nstrings:\n\t\n\t\n$s0 = “101.dll” fullword nocase wide\n\t\n\t\n$s1 = “Crash101.dll” fullword nocase wide\n\t\n\t\n$s2 = “104.dll” fullword nocase wide\n\t\n\t\n$s3 = “Crash104.dll” fullword nocase wide\n\t\n\t\n$s4 = “61850.dll” fullword nocase wide\n\t\n\t\n$s5 = “Crash61850.dll” fullword nocase wide\n\t\n\t\n$s6 = “OPCClientDemo.dll” fullword nocase wide\n\t\n\t\n$s7 = “OPC” fullword nocase wide\n\t\n\t\n$s8 = “CrashOPCClientDemo.dll” fullword nocase wide\n\t\n\t\n$s9 = “D2MultiCommService.exe” fullword nocase wide\n\t\n\t\n$s10 = “CrashD2MultiCommService.exe” fullword nocase wide\n\t\n\t\n$s11 = “61850.exe” fullword nocase wide\n\t\n\t\n$s12 = “OPC.exe” fullword nocase wide\n\t\n\t\n$s13 = “haslo.exe” fullword nocase wide\n\t\n\t\n$s14 = “haslo.dat” fullword nocase wide \n\t\ncondition:\n\t\n\t\nany of ($s*) and pe.exports(“Crash”)\n}, rule dragos_crashoverride_wiperFileManipulation\n{\n meta:\n description = “File manipulation actions associated with CRASHOVERRIDE wiper”\n author = “Dragos Inc”\n strings:\n $s0 = { 6a 00 68 80 00 00 00 6a 03 6a 00 6a 02 8b f9 68 00 00 00 40 57 ff 15 \n1c ?? ?? ?? 8b d8 }\n $s2 = { 6a 00 50 57 56 53 ff 15 4c ?? ?? ?? 
56 }\n condition:\n all of them\n}, rule dragos_crashoverride_weirdMutex\n{\n meta:\n description = “Blank mutex creation associated with CRASHOVERRIDE”\n author = “Dragos Inc”\n strings:\n $s1 = { 81 ec 08 02 00 00 57 33 ff 57 57 57 ff 15 ?? ?? 40 00 a3 ?? ?? ?? 00 \n85 c0 }\n $s2 = { 8d 85 ?? ?? ?? ff 50 57 57 6a 2e 57 ff 15 ?? ?? ?? 00 68 ?? ?? 40 00}\n condition:\n all of them\n}, rule dragos_crashoverride_suspcious\n{\n\t\nmeta:\n\t\n\t\ndescription = “CRASHOVERRIDE v1 Wiper”\n\t\n\t\nauthor = “Dragos Inc”\n\t\nstrings:\n\t\n\t\n$s0 = “SYS_BASCON.COM” fullword nocase wide\n\t\n\t\n$s1 = “.pcmp” fullword nocase wide\n\t\n\t\n$s2 = “.pcmi” fullword nocase wide\n\t\n\t\n$s3 = “.pcmt” fullword nocase wide\n\t\n\t\n$s4 = “.cin” fullword nocase wide\n\t\ncondition:\n\t\n\t\npe.exports(“Crash”) and any of ($s*)\n}, rule dragos_crashoverride_hashes {\n meta:\n description = “CRASHOVERRIDE Malware Hashes”\n author = “Dragos Inc”\n condition:\n filesize < 1MB and\n hash.sha1(0, filesize) == “f6c21f8189ced6ae150f9ef2e82a3a57843b587d” or \n hash.sha1(0, filesize) == “cccce62996d578b984984426a024d9b250237533” or \n hash.sha1(0, filesize) == “8e39eca1e48240c01ee570631ae8f0c9a9637187” or \n hash.sha1(0, filesize) == “2cb8230281b86fa944d3043ae906016c8b5984d9” or \n hash.sha1(0, filesize) == “79ca89711cdaedb16b0ccccfdcfbd6aa7e57120a” or \n hash.sha1(0, filesize) == “94488f214b165512d2fc0438a581f5c9e3bd4d4c” or\n hash.sha1(0, filesize) == “5a5fafbc3fec8d36fd57b075ebf34119ba3bff04” or\n hash.sha1(0, filesize) == “b92149f046f00bb69de329b8457d32c24726ee00” or\n hash.sha1(0, filesize) == “b335163e6eb854df5e08e85026b2c3518891eda8”\n}, rule dragos_crashoverride_exporting_dlls\n{\n\t\nmeta:\n\t\n\t\ndescription = “CRASHOVERRIDE v1 Suspicious Export”\n\t\n\t\nauthor = “Dragos Inc”\n\t\ncondition:\n\t\n\t\npe.exports(“Crash”) & pe.characteristics\n}",sandworm,RU,"Espionage, Sabotage and destruction",2015,,,Exploit Vulnerability,"CRASHOVERRIDE, opc.exe, 61850.exe, haslo.exe","Government 
and Defense Agencies, Energy and Utilities, Critical Infrastructure, Education and Research Institutions",2016-12-17,2017-06-08,173.0 2017-06-13,TA17-164A,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2017/2017.06.13.HIDDEN_COBRA/TA17-164A.pdf,FireEye,"CVE-2015-6585, CVE-2015-8651, CVE-2016-0034, CVE-2016-1019, CVE-2016-4117",,,lazarus group,KP,"Information theft and espionage, Espionage, Sabotage and destruction, Sabotage, Financial crime",2014,,TRUE,Exploit Vulnerability,"Destover, Wild Positron/Duuzer, Hangman, DeltaCharlie DDoS bot","Media and Entertainment Companies, Financial Institutions, Critical Infrastructure",,, 2017-06-14,KASPERAGENT,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2017/2017.06.14.KASPERAGENT/KASPERAGENT.pdf,Palo Alto,,,,,,,,"IL, PS",,,"KASPERAGENT, MICROPSIA",Government and Defense Agencies,2017-04-15,2017-05-15,30.0 2017-06-15,RecordedFuture_North-Korea-Is-Not-Crazy(06-15-2017),North Korea Is Not Crazy,https://app.box.com/s/tb68b0jfrwg7ji1o01jw28def2lp86y7,Recorded Future,,,,lazarus group,KP,"Information theft and espionage, Espionage, Sabotage and destruction, Sabotage, Financial crime",2014,"JP, KR",,,"Destover, Wild Positron/Duuzer, Hangman, MYDOOM, WannaCry","Government and Defense Agencies, Energy and Utilities, Media and Entertainment Companies, Financial Institutions",,, 2017-06-18,RECON-MTL-2017-evolution_of_pirpi,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2017/2017.06.18.APT3_Uncovered_The_code_evolution_of_Pirpi/RECON-MTL-2017-evolution_of_pirpi.pdf,Palo Alto,"CVE-2010-3962, CVE-2014-1776, CVE-2014-4113, CVE-2014-6332, CVE-2015-3113, CVE-2015-5119",S0063:N/A,,,,,,,TRUE,Exploit Vulnerability,,Government and Defense Agencies,,, 2017-06-19,PoS Malware ShellTea 
PoSlurp_0,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2017/2017.06.19.SHELLTEA_POSLURP_MALWARE/PoS%20Malware%20ShellTea%20PoSlurp_0.pdf,root9B,,,,,,,,,,"Spear Phishing, Malicious Documents","ActiveMIME document, MS Office-enabled macro, PowerShell, PowerSniff, ShellTea, PoSlurp","Corporations and Businesses, Healthcare, Education and Research Institutions",,, 2017-06-22,following-trail-blacktech-cyber-espionage-campaigns,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2017/2017.06.22.following-trail-blacktech-cyber-espionage-campaigns/following-trail-blacktech-cyber-espionage-campaigns.pdf,Trend Micro,"CVE-2012-0158, CVE-2014-6352, CVE-2015-5119, CVE-2017-0199, CVE-2017-5638, CVE-2017-7269",,,blacktech,CN,Information theft and espionage,2010,"HK, JP, TW",TRUE,"Malicious Documents, Spear Phishing","PLEAD, KIVARS, Waterbear, Shrouded Crossbow, XBOW, BIFROSE","Government and Defense Agencies, Corporations and Businesses, Education and Research Institutions",,, 2017-06-22,unit42-new-improved-macos-backdoor-oceanlotus,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2017/2017.06.22.new-improved-macos-backdoor-oceanlotus/unit42-new-improved-macos-backdoor-oceanlotus.pdf,Palo Alto,,T7700:N/A,,apt28,RU,"Espionage, Information theft and espionage",2004,VN,,"Spear Phishing, Malicious Documents","OceanLotus, Sofacy",,2015-05-15,2017-06-15,762.0 2017-06-23,Secureworks_Bronze-Butler-Report(06-23-2017),Bronze Butler,https://app.box.com/s/fz7ranw75zxuh6mc1023igycp1x96fs4,SecureWorks,,,,bronze butler,CN,,,JP,,"Spear Phishing, Watering Hole, Exploit Vulnerability","Mimikatz, WCE (Windows Credential Editor), gsecdump, 画面キャプチャツール (Screen capture tool), ネットワーク共有調査ツール (Network share investigation tool), T-SMBスキャンツール, WinRAR, IntelUpdata.exe, hlog.exe, IntelLogSrv.exe, a.dat, PerfLogs.exe, adobe.exe, Readersl.exe, jusctray.exe, JustsystemUpdate.exe, MSBlESAD.VBE, 
18","Manufacturing, Critical Infrastructure",,, 2017-06-26,threat-group-4127-targets-google-accounts,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2017/2017.06.26.Threat_Group-4127/threat-group-4127-targets-google-accounts.pdf,Google,,,,,,,,,,Spear Phishing,,,,, 2017-06-30,From BlackEnergy to ExPetr - Securelist,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2017/2017.06.30.From_BlackEnergy_to_ExPetr/From%20BlackEnergy%20to%20ExPetr%20-%20Securelist.pdf,Kaspersky,,,"rule blackenergy_and_petya_similarities { \n \xa0 \n strings: \n \n//shutdown.exe /r /f \n \n$bytes00 = { 73 00 68 00 75 00 74 00 64 00 6f 00 77 00 6e 0\n \xa0 \n \n//ComSpec \n \n$bytes01 = { 43 00 6f 00 6d 00 53 00 70 00 65 00 63 00 } \n \xa0 \n \n//InitiateSystemShutdown \n \n$bytes02 = { 49 6e 69 74 69 61 74 65 53 79 73 74 65 6d 53 6\n \xa0 \n \n//68A4430110\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 push\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 0100143A4 ;’n\n \n//FF151CD10010\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 call\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 GetModuleHand\n \n//3BC7\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 cmp\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0eax,edi \n \n//7420\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 jz\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0… \n \n$bytes03 = { 68 ?? ?? ?1 ?0 ff 15 ?? ?? ?? ?0 3b c7 74 ?? }\n \xa0 \n \n// “/c” \n \n$bytes04 = { 2f 00 63 00 } \n \xa0 \n \xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0//wcscmp(… \n \n$hex_string = { b9 ?? ?? 
?1 ?0 8d 44 24 ?c 66 8b 10 66 3b 1\n \xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa085 d2 74 15 66 8b 50 02 66 3b 51 02 75 0\n \xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0de 33 c0 eb 05 1b c0 83 d8 ff 85 c0 0f 8\n \xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa044 24 ?c 66 8b 10 66 3b 11 75 1e 66 85 d\n \xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa075 0f 83 c0 04 83 c1 04 66 85 d2 75 de 3\n \xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa00f 84 ?? 0? 00 00 } \n \xa0 \n condition: \n \xa0 \n \n((uint16(0) == 0x5A4D)) and (filesize < 5000000) and \n \n(all of them) \n }",blackenergy,RU,,,,TRUE,Spear Phishing,"BlackEnergy’s KillDisk ransomware, ExPetr/NotPetya/Nyetya/Petya, Wannacry","Energy and Utilities, Critical Infrastructure",,, 2017-07-05,Insider_Information,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2017/2017.07.05.insider-information/Insider_Information.pdf,Kaspersky,CVE-2013-1347,,,passcv,CN,Information theft and espionage,2016,,FALSE,Phishing,NetWire,"Media and Entertainment Companies, Government and Defense Agencies",,, 2017-07-06,operation-desert-eagle.html,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2017/2017.07.06.Operation_Desert_Eagle/operation-desert-eagle.html.pdf,Microsoft,,,,molerats,PS,Information theft and espionage,2012,,,Malicious Documents,"VBScript, System.ps1",,,, 2017-07-10,osx_dok-mac-malware-emmental-hijacks-user-network-traffic,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2017/2017.07.10.osx_dok-mac-malware-emmental-hijacks-user-network-traffic/osx_dok-mac-malware-emmental-hijacks-user-network-traffic.pdf,Trend Micro,CVE-2017-5638,,,,,,,CH,FALSE,"Phishing, Malicious Documents","OSX_DOK.C, TROJ_WERDLOD, Tor",Financial 
Institutions,,, 2017-07-11,winnti-evolution-going-open-source.html,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2017/2017.07.11.winnti-evolution-going-open-source/winnti-evolution-going-open-source.html.pdf,ProtectWise,,,,apt41,CN,"Financial crime, Information theft and espionage",2010,,FALSE,Spear Phishing,"PIVY, Chopper, PlugX, ZxShell, Winnti, Browser Exploitation Framework (BeEF), Metasploit Meterpreter, JAR files, MSI files, hook.js","Corporations and Businesses, Media and Entertainment Companies, Government and Defense Agencies",,, 2017-07-18,Recent Winnti Infrastructure and Samples _ ClearSky Cybersecurity,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2017/2017.07.18.winnti/Recent%20Winnti%20Infrastructure%20and%20Samples%20_%20ClearSky%20Cybersecurity.pdf,ClearSky,CVE-2017-0199,,,apt41,CN,"Financial crime, Information theft and espionage",2010,IL,FALSE,"Malicious Documents, Exploit Vulnerability","Casper aka LEAD, Winnti",Media and Entertainment Companies,,, 2017-07-18,Bitdefender-Whitepaper-Inexsmar-A4-en-EN,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2017/2017.07.18.Inexsmar/Bitdefender-Whitepaper-Inexsmar-A4-en-EN.pdf,Bitdefender,,,,,,,,,,,,"Corporations and Businesses, Cloud/IoT Services",,, 2017-07-18,blog Inexsmar,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2017/2017.07.18.Inexsmar/blog%20Inexsmar.pdf,Bitdefender,,,,darkhotel,KR,"Espionage, Information theft and espionage",2007,,FALSE,"Spear Phishing, Social Engineering",,Corporations and Businesses,,, 2017-07-27,chessmaster-cyber-espionage-campaign,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2017/2017.07.27.chessmaster-cyber-espionage-campaign/chessmaster-cyber-espionage-campaign.pdf,Trend Micro,,,,apt10,CN,Espionage,,JP,FALSE,"Spear Phishing, Malicious Documents","ChChes, TinyX, RedLeaves, PlugX, 
Trochilus","Education and Research Institutions, Media and Entertainment Companies, Corporations and Businesses, Government and Defense Agencies",,, 2017-07-27,unit42-oilrig-uses-ismdoor-variant-possibly-linked-greenbug-threat-group,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2017/2017.07.27.oilrig-uses-ismdoor-variant-possibly-linked-greenbug-threat-group/unit42-oilrig-uses-ismdoor-variant-possibly-linked-greenbug-threat-group.pdf,Palo Alto,,,,apt34,IR,Espionage,,,,"Spear Phishing, Malicious Documents","Clayslide, ISMAgent, ISMDoor, Helminth, DNS tunneling",,2016-06-15,2017-07-15,395.0 2017-07-27,Appendix,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2017/2017.07.27.chessmaster-cyber-espionage-campaign/Appendix.pdf,Trend Micro,,,,,,,,,,,"TROJ_FAKEMS.USPO, TROJ_INJECTR.ZJDK -A, TROJ_INJECTR.ZJDK -C, TROJ_INJECTR.ZJDK -D, TROJ_INJECTR.ZKDJ -A, TROJ_INJECTR.ZKDJ -B, TROJ_INJECTR.ZKDJ -C, TROJ_INJECTR.ZLDK -A, TROJ_PASTEAL.JV, TROJ_PLUGX.DUKPT, BKDR_CHCHES.ZJEH, BKDR_CHCHES",Corporations and Businesses,,, 2017-08-01,cobalt-group-2017-cobalt-strikes-back.html,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2017/2017.08.01.cobalt-group-2017-cobalt-strikes-back/cobalt-group-2017-cobalt-strikes-back.html.pdf,Microsoft,"CVE-2012-0158, CVE-2015-1641, CVE-2017-0199",,,cobalt,,Financial crime,2016,"AR, KG, KZ, TJ, TM, UZ",FALSE,"Spear Phishing, Malicious Documents, Drive-by Download","Ancalog, Microsoft Word Intruder (MWI), CVE-2017-0199","Government and Defense Agencies, Corporations and Businesses, Financial Institutions, Healthcare, Manufacturing, Media and Entertainment Companies",,, 2017-08-11,apt28-targets-hospitality-sector.html,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2017/2017.08.11.apt28-targets-hospitality-sector/apt28-targets-hospitality-sector.html.pdf,FireEye,,,,apt28,RU,"Espionage, Information theft and 
espionage",2004,,,"Credential Reuse, Exploit Vulnerability","EternalBlue exploit, Responder, py2exe, GAMEFISH malware",Corporations and Businesses,2017-07-15,2017-08-11,27.0 2017-08-13,Analysis of APT28 hospitality malware (Part 2),,https://blog.xpnsec.com/apt28-hospitality-malware-part-2/,Blog,,,,apt28,RU,"Espionage, Information theft and espionage",2004,,FALSE,Malicious Documents,"mrset.bat, mvtband.dat, mvtband.dll, IDAPython",,,, 2017-08-15,Notepad_and_Chthonic,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2017/2017.08.15.Notepad_and_Chthonic/Notepad_and_Chthonic.pdf,Palo Alto,,,,,,,,,,Malicious Documents,"Chthonic, Nymaim, Zeus, PowerShell",,2016-12-10,2017-08-07,240.0 2017-08-17,Turla APT actor refreshes KopiLuwak JavaScript backdoor for use in G20-themed attack,,https://www.proofpoint.com/us/threat-insight/post/turla-apt-actor-refreshes-kopiluwak-javascript-backdoor-use-g20-themed-attack,Proofpoint,,,,turla,RU,"Espionage, Information theft and espionage",1996,,,"Spear Phishing, Watering Hole",".NET framework, KopiLuwak MSIL Dropper, KopiLuwak JS Dropper “Scr.js”, KopiLuwak JavaScript Decryptor “appidpolicyconverter.js”","Government and Defense Agencies, Media and Entertainment Companies",2017-07-15,, 2017-08-18,RSA_Russian-Bank-Offices-Phishing-Wave(08-18-2017),Russian Bank Offices Hit with Broad Phishing Wave,https://app.box.com/s/xgtoqdnl8tdviws0jgvxnj8oniia4qqr,RSA,"CVE-2015-2545, CVE-2017-0261, CVE-2017-0262",,,,,,,RU,TRUE,"Spear Phishing, Malicious Documents",,Financial Institutions,,, 2017-08-25,Operation RAT Cook Chinese APT actors use fake Game of Thrones leaks as lures,,https://www.proofpoint.com/us/threat-insight/post/operation-rat-cook-chinese-apt-actors-use-fake-game-thrones-leaks-lures,Proofpoint,,,,deputy dog,CN,"Espionage, Information theft and espionage",2009,,TRUE,"Spear Phishing, Malicious Documents","9002 RAT, PhotoShow.jar, Invoke-Shellcode, wabmig.exe, UpdateCheck.lnk",,,, 
2017-08-30,eset-gazer,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2017/2017.08.30.Gazing_at_Gazer/eset-gazer.pdf,ESET,,,"rule Gazer_certificate\n{\n strings:\n $certif1 = {52 76 a4 53 cd 70 9c 18 da 65 15 7e 5f 1f de 02}\n $certif2 = {12 90 f2 41 d9 b2 80 af 77 fc da 12 c6 b4 96 9c}\n condition:\n (uint16(0) == 0x5a4d) and 1 of them and filesize < 2MB\n}, rule Gazer_logfile_name\n{\n strings:\n $s1 = “CVRG72B5.tmp.cvr”\n $s2 = “CVRG1A6B.tmp.cvr”\n $s3 = “CVRG38D9.tmp.cvr”\n condition:\n (uint16(0) == 0x5a4d) and 1 of them\n}, rule Gazer_certificate_subject {\n condition:\n for any i in (0..pe.number_of_signatures - 1):\n (pe.signaturesi.subject contains “Solid Loop” or \npe.signaturesi.subject contains “Ultimate Computer Support”)\n}",turla,RU,"Espionage, Information theft and espionage",1996,RU,,"Spear Phishing, Watering Hole","Gazer, Skipper",Government and Defense Agencies,,, 2017-08-30,Kaspersky_Introducing-WhiteBear(08-30-2017),Introducing WhiteBear,https://app.box.com/s/ck26ekr69wmhxk6hyii507o09p20eixs,Kaspersky,,,,turla,RU,"Espionage, Information theft and espionage",1996,"KG, KZ, TJ, TM, UZ",,"Spear Phishing, Malicious Documents","WhiteBear, WhiteAtlas, KernelInjector, KopiLuwak, Uroburos",Government and Defense Agencies,,, 2017-09-06,blog Dragonfly 2,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2017/2017.09.06.intelligence-games-in-the-power-grid-2016/blog%20Dragonfly%202.pdf,Symantec,,,,dragonfly,RU,"Espionage, Sabotage and destruction",2010,,,,Dragonfly 2.0,"Energy and Utilities, Critical Infrastructure",,, 2017-09-06,Symantec_Dragonfly-Western-energy-sector-targeted(09-06-2017),Dragonfly: Western energy sector targeted by sophisticated attack group,https://app.box.com/s/4kpnzlrdqdcg3cq02hz4zj8nmjd9iywi,Symantec,,,,dragonfly,RU,"Espionage, Sabotage and destruction",2010,"CH, TR, US",FALSE,"Spear Phishing, Phishing, Watering Hole, Malicious Documents","PowerShell, PsExec, 
Bitsadmin, Phishery toolkit, Screenutil, Shellter, Backdoor.Goodor, Backdoor.Dorshel, Trojan.Karagany.B, Trojan.Heriplor, Trojan.Phisherly",Energy and Utilities,,, 2017-09-12,zero-day-used-to-distribute-finspy.html,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2017/2017.09.12.FINSPY_CVE-2017-8759/zero-day-used-to-distribute-finspy.html.pdf,FireEye,"CVE-2017-0199, CVE-2017-8759",,,,,,,RU,TRUE,"Malicious Documents, Exploit Vulnerability","FINSPY, FinFisher, WingBird, System.Runtime.Remoting.ni.dll, .NET framework, csc.exe",,2017-07-15,, 2017-09-18,CCleanup,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2017/2017.09.18.CCleanup/CCleanup.pdf,Symantec,,,,fin7,RU,"Financial gain, Financial crime",2013,,FALSE,Exploit Vulnerability,"CCleaner, Domain Generation Algorithm (DGA), Command and Control (C2) functionality.",Individuals,2017-08-15,2017-09-13,29.0 2017-09-18,An (un)documented Word feature abused by attackers _ Securelist,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2017/2017.09.18.Windows_branch_of_the_Cloud_Atlas/An%20%28un%29documented%20Word%20feature%20abused%20by%20attackers%20_%20Securelist.pdf,Kaspersky,,,,,,,,,FALSE,"Spear Phishing, Malicious Documents",,,,, 2017-09-20,Insights into Iranian Cyber Espionage_ APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2017/2017.09.20.apt33-insights-into-iranian-cyber-espionage/Insights%20into%20Iranian%20Cyber%20Espionage_%20APT33%20Targets%20Aerospace%20and%20Energy%20Sectors%20and%20has%20Ties%20to%20Destructive%20Malware%20%C2%AB%20Threat%20Research%20Blog%20_%20FireEye%20Inc.pdf,FireEye,,,,apt33,IR,"Espionage, Sabotage and destruction, Information theft and espionage",2013,"KR, SA, US",,Spear Phishing,"TURNEDUP, SHAPESHIFT, NANOCORE, NETWIRE, DROPSHOT","Corporations and Businesses, Energy and 
Utilities, Manufacturing",,, 2017-09-20,Aurora_Operation_CCleaner,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2017/2017.09.20.Aurora_Operation_CCleaner/Aurora_Operation_CCleaner.pdf,Cisco,,,,pla unit 61398,CN,"Espionage, Information theft and espionage",2006,,FALSE,Exploit Vulnerability,"Base64, Shadowpad, Domain generation algorithm",Corporations and Businesses,,, 2017-09-25,Additional information regarding the recent CCleaner APT security incident,,https://blog.avast.com/additional-information-regarding-the-recent-ccleaner-apt-security-incident,Avast,,,,,,,,"CN, IN, RU",,,,"Corporations and Businesses, Critical Infrastructure",,, 2017-09-28,Threat Actors Target Government of Belarus Using CMSTAR Trojan,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2017/2017.09.28.Belarus_CMSTAR_Trojan/Threat%20Actors%20Target%20Government%20of%20Belarus%20Using%20CMSTAR%20Trojan.pdf,Palo Alto,CVE-2015-1641,,,,,,,BY,FALSE,"Phishing, Malicious Documents","CMSTAR, BYEBY, PYLOT, Werow, CVE-2015-1641 (vulnerability), Microsoft Word (software involved due to vulnerability)",Government and Defense Agencies,,, 2017-10-02,Aurora_Operation_CCleaner_II,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2017/2017.10.02.Aurora_Operation_CCleaner_II/Aurora_Operation_CCleaner_II.pdf,Intezer,,,,axiom,CN,"Espionage, Information theft and espionage",2009,,,,,,,, 2017-10-10,TW SpiderLabs Advanced Brief_Post-Soviet Bank Heists_PDF,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2017/2017.10.10.Post-Soviet-Bank-Heists/TW%20SpiderLabs%20Advanced%20Brief_Post-Soviet%20Bank%20Heists_PDF.pdf,Trustwave,,,,,,,,RU,,"Spear Phishing, Social Engineering, Exploit Vulnerability","PSExec, plink.exe, Mipko Employee Monitor, Cobalt Strike Beacon, netscan.exe, crss.exe, adobeArm.exe, dropper.exe, servicePS1.txt, lor2.exe, java.exe, sys64.dll, mpk.exe, mpkview.exe",Financial 
Institutions,,, 2017-10-12,bronze-butler-targets-japanese-businesses,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2017/2017.10.12.BRONZE_BUTLER/bronze-butler-targets-japanese-businesses.pdf,SecureWorks,CVE-2016-7836,,,bronze butler,CN,,,JP,TRUE,"Spear Phishing, Exploit Vulnerability, Watering Hole","Daserf, Mimikatz, Windows Credential Editor (WCE), gsecdump, T-SMB Scan, WinRAR","Critical Infrastructure, Manufacturing, Corporations and Businesses",,, 2017-10-16,Kaspersky_BlackOasis-APT-zero-day(10-16-2017),BlackOasis APT and new targeted attacks leveraging zero-day exploit,https://app.box.com/s/8ydblix231swgmjochzrvchwxcedis8z,Kaspersky,"CVE-2015-5119, CVE-2016-0984, CVE-2016-4117, CVE-2017-11292, CVE-2017-8759",,,blackoasis,,Information theft and espionage,2015,"AF, AO, BH, GB, IQ, IR, JO, LY, NG, NL, RU, SA, TN",TRUE,"Spear Phishing, Malicious Documents","FinSpy, FinFisher","Non-Governmental Organizations (NGOs) and Nonprofits, Media and Entertainment Companies, Education and Research Institutions, Individuals",2016-05-08,2017-10-10,520.0 2017-10-16,BAESytems_Taiwan-Heist-Lazarus-Tools-Ransomware(10-16-2017),,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2017/2017.10.16.Taiwan-Heist/BAESytems_Taiwan-Heist-Lazarus-Tools-Ransomware%2810-16-2017%29.pdf,RSA,,,"rule Hermes2_1 {\n meta:\n date = ""2017/10/11""\n author = ""BAE""\n hash = ""b27881f59c8d8cc529fa80a58709db36""\n strings:\n $magic = { 4D 5A }\n //in both version 2.1 and sample in Feb\n $s1 = ""SYSTEM\\\\CurrentControlSet\\\\Control\\\\Nls\\\\Language\\\\""\n $s2 = ""0419""\n $s3 = ""0422""\n $s4 = ""0423""\n //in version 2.1 only\n $S1 = ""HERMES""\n $S2 = ""vssadminn""\n $S3 = ""finish work""\n $S4 = ""testlib.dll""\n $S5 = ""shadowstorageiet""\n //maybe unique in the file\n $u1 = ""ALKnvfoi4tbmiom3t40iomfr0i3t4jmvri3tb4mvi3btv3rgt4t777""\n $u2 = ""HERMES 2.1 TEST BUILD, press ok""\n $u3 = 
""hnKwtMcOadHwnXutKHqPvpgfysFXfAFTcaDHNdCnktA"" //RSA Key part\n condition:\n $magic at 0 and all of ($s*) and 3 of ($S*) and 1 of ($u*)\n}",lazarus group,KP,"Information theft and espionage, Espionage, Sabotage and destruction, Sabotage, Financial crime",2014,"GB, KH, KP, LK, MX, MY, PL, TW, US",,Credential Reuse,"Hermes ransomware, msmpeng.exe, fdsvc.dll backdoor, splwow32.exe, Themida",Financial Institutions,2017-10-01,2017-10-12,11.0 2017-10-16,Leviathan_Espionage_actor,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2017/2017.10.16.Leviathan/Leviathan_Espionage_actor.pdf,FireEye,"CVE‑2017‑0199, CVE‑2017‑8759",,,,,,,"HK, ID, MY, PH, TW, US",TRUE,"Spear Phishing, Malicious Documents","Orz, NanHaiShu, Cobalt Strike, SeDll JavaScript loader, MockDll dll loader, JavaScript, JavaScript Scriptlets in XML, HTA, PowerShell, WMI, regsvr32, Squiblydoo","Government and Defense Agencies, Education and Research Institutions",2014-11-15,2017-09-15,1035.0 2017-10-19,APT28 racing to exploit CVE-2017-11292 Flash vulnerability before patches are deployed,,https://www.proofpoint.com/us/threat-insight/post/apt28-racing-exploit-cve-2017-11292-flash-vulnerability-patches-are-deployed,Proofpoint,"CVE-2015-7645, CVE-2016-1019, CVE-2016-4117, CVE-2016-7855, CVE-2017-0262, CVE-2017-11292",,,apt28,RU,"Espionage, Information theft and espionage",2004,US,TRUE,"Malicious Documents, Exploit Vulnerability","DealersChoice.B, Uploader","Government and Defense Agencies, Corporations and Businesses",,, 2017-10-19,Bitdefender-Business-2017-WhitePaper-PZCHAO-crea2452-en-EN-GenericUse,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2017/2017.10.19.Operation_PZCHAO/Bitdefender-Business-2017-WhitePaper-PZCHAO-crea2452-en-EN-GenericUse.pdf,Bitdefender,,,,iron tiger,CN,"Espionage, Information theft and espionage",2010,US,FALSE,Spear Phishing,"VBS script, YPrat, Port Scanning Tools","Government and Defense Agencies, Corporations and 
Businesses, Education and Research Institutions",,, 2017-10-22,CiscoTalos_Cyber-Conflict-Decoy-Document-Used-In-Real-Cyber-Conflict(10-22-2017),Cyber Conflict Decoy Document Used In Real Cyber Conflict,https://app.box.com/s/pm3fv6ll7l10d3qfcld1w4l0bqy5ajxo,Cisco,,,,apt28,RU,"Espionage, Information theft and espionage",2004,,FALSE,Malicious Documents,,Education and Research Institutions,2017-10-04,2017-10-18,14.0 2017-10-24,Clearskysec_IranianThreatAgent-Greenbug(10-24-2017),Iranian Threat Agent Greenbug Impersonates Israeli High-Tech and Cyber Security Companies,https://app.box.com/s/fga01c36ebgqga5ic0a4o73j5jq9vdvr,ClearSky,,,,greenbug,IR,"Espionage, Information theft and espionage",2016,"IL, SA",,,ISMdoor,"Corporations and Businesses, Critical Infrastructure",2016-11-06,2017-10-15,343.0 2017-10-26,RiskIQ_htpRAT-Malware-Attacks(10-26-2017),Remote Control Interloper: Analyzing New Chinese htpRAT Attacks Against ASEAN,https://app.box.com/s/ecn72owuoet5p0f916qutvsqv20rmmps,RiskIQ,,,,,,,,,FALSE,"Spear Phishing, Malicious Documents","htpRAT, GitHub, fsma32.dll, winnet.exe",Government and Defense Agencies,2016-11-08,2016-11-18,10.0 2017-10-27,PaloAlto_Tracking-Subaat-Phishing-Leads-Threat-Actors-Repository(10-27-2017),Tracking Subaat: Targeted Phishing Attack Leads to Threat Actor's Repository,https://app.box.com/s/35pitp2iml5h6y1b420kbojn82k2hcdl,Palo Alto,CVE-2012-0158,,,,,,,,FALSE,"Phishing, Malicious Documents","LuminosityLink, QuasarRAT, DarkComet, Crimson Downloader",Government and Defense Agencies,2017-07-06,2017-07-21,15.0 2017-10-27,"bellingcat - Bahamut Revisited, More Cyber Espionage in the Middle East and South Asia - bellingcat",,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2017/2017.10.27.bahamut-revisited/bellingcat%20-%20Bahamut%20Revisited%2C%20More%20Cyber%20Espionage%20in%20the%20Middle%20East%20and%20South%20Asia%20-%20bellingcat.pdf,Kaspersky,,,,bahamut,,Information theft and espionage,2016,"AE, BH, IN, IR, JO, 
LY, MA, PK",TRUE,"Spear Phishing, Social Engineering","Mixi Player malware, InPageCampaign malware, Khuai application","Government and Defense Agencies, Media and Entertainment Companies, Non-Governmental Organizations (NGOs) and Nonprofits",,, 2017-10-27,NAOUK_Investigation-WannaCry-cyber-attack-and-the-NHS(10-27-2017),Investigation: WannaCry cyber attack and the NHS,https://app.box.com/s/gevfjbqv1n4j9j80zvtj2eh9lx1nlrs5,NAO UK,,,,isis-linked hackers,,,,,,Exploit Vulnerability,WannaCry,Healthcare,,, 2017-10-30,Gaza Cybergang - updated activity in 2017_ - Securelist,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2017/2017.10.30.Gaza_Cybergang/Gaza%20Cybergang%20-%20updated%20activity%20in%202017_%20-%20Securelist.pdf,Kaspersky,CVE-2017-0199,,,gaza cybergang,PS,Information theft and espionage,2012,,TRUE,"Spear Phishing, Malicious Documents","Cobaltstrike, Android Trojan, Downeks, Quasar, Microsoft Access database files","Government and Defense Agencies, Energy and Utilities, Media and Entertainment Companies",2017-03-15,2017-07-25,132.0 2017-10-31,Night_of_the_Devil,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2017/2017.10.31.MBR-ONI.Japan/Night_of_the_Devil.pdf,Cybereason,,,,,,,,JP,FALSE,"Spear Phishing, Malicious Documents","PetWrap, Mamba, SamSam, NotPetya, Shamoon, Bad Rabbit, DiskCryptor, Ammyy Admin, ONI, MBR-ONI, EternalBlue",Corporations and Businesses,2016-12-15,2017-09-15,274.0 2017-11-02,New Insights into Energetic Bear's Attacks on Turkish Critical Infrastructure,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2017/2017.11.02.Energetic_Bear_on_Turkish_Critical_Infrastructure/New%20Insights%20into%20Energetic%20Bear%27s%20Attacks%20on%20Turkish%20Critical%20Infrastructure.pdf,RiskIQ,,,,energetic bear,RU,"Espionage, Sabotage and destruction",2010,TR,FALSE,Watering Hole,"The specific malware mentioned in the report is ""SMB credential-harvesting 
malware."" Additionally, a modified version of the ""jQuery easing JavaScript library"" is noted as compromised.","Energy and Utilities, Critical Infrastructure, Manufacturing",2017-05-15,2017-10-20,158.0 2017-11-02,Recent InPage Exploits Lead to Multiple Malware Families,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2017/2017.11.02.InPage_Exploits/Recent%20InPage%20Exploits%20Lead%20to%20Multiple%20Malware%20Families.pdf,Palo Alto,,,rule InPageShellcodeHashing\n{\nstrings:\n$hashingFunction = {55 8B EC 51 53 52 33 C9 33 DB 33 D2 8B 45 08 8A 10 80 CA\n60 03 DA D1 E3 03 45 10 8A 08 84 C9 E0 EE 33 C0 8B 4D 0C 3B D9 74 01 40 5A 5B\n59 8B E5 5D C2 0C 00}\ncondition:\n$hashingFunction\n},,,,,,FALSE,Malicious Documents,"CONFUCIUS_B malware family, BioData, MY24, InPage",Government and Defense Agencies,,, 2017-11-02,PWC_KeyBoys-are-back-in-town(11-02-2017),The KeyBoys are back in town,https://app.box.com/s/fjeyg8km8vu1a2bu0itwe9pv8zqfl3gs,PricewaterhouseCoopers,,,,keyboys,,,,,FALSE,Malicious Documents,"HP-Socket, Dynamic Data Exchange (DDE) protocol",,2017-07-27,2017-10-11,76.0 2017-11-06,oceanlotus-blossoms,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2017/2017.11.06.oceanlotus-blossoms/oceanlotus-blossoms.pdf,Volexity,,,,oceanlotus,VN,"Espionage, Financial gain, Information theft and espionage",2012,VN,,"Watering Hole, Spear Phishing","Cobalt Strike, Framework A, Framework B","Government and Defense Agencies, Media and Entertainment Companies, Energy and Utilities, Non-Governmental Organizations (NGOs) and Nonprofits, Individuals",,, 2017-11-06,TrendMicro_ChessMasters-New-Strategy-Evolving-Tools-Tactics(11-06-2017),ChessMaster's New Strategy: Evolving Tools and Tactics,https://app.box.com/s/0rt1hrxzbo2il7vmjfyye25qrgdabova,Trend Micro,CVE-2017-8759,,,chessmaster,,,,,FALSE,"Exploit Vulnerability, Malicious Documents","Microsoft .NET Framework, Koadic, ChChes, RedLeaves, PlugX",,,, 
2017-11-07,sowbug-cyber-espionage-group,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2017/2017.11.07.sowbug-cyber-espionage-group-targets/sowbug-cyber-espionage-group.pdf,Symantec,,,,sowbug,,"Espionage, Information theft and espionage",2015,"AR, BN, BR, EC, MY, PE",,"Covert Channels, Website Equipping","Felismus, adobecms.exe, fb.exe, Starloader, Trojan.Starloader, Stars.jpg, AdobeUpdate.exe, AcrobatUpdate.exe, INTELUPDATE.EXE",Government and Defense Agencies,2016-09-01,2017-03-15,195.0 2017-11-07,Threat_Group_APT28_Slips_Office_Malware,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2017/2017.11.07.APT28_Slips_Office_Malware/Threat_Group_APT28_Slips_Office_Malware.pdf,McAfee,,,,apt28,RU,"Espionage, Information theft and espionage",2004,,FALSE,Malicious Documents,"Seduploader, Microsoft Office Dynamic Data Exchange (DDE), PowerShell",,2017-10-19,2017-11-05,17.0 2017-11-08,PaloAlto_OilRig-Deploys-ALMA-DNS-Tunneling-Trojan(11-08-2017),"OilRig Deploys ""ALMA Communicator"" - DNS Tunneling Trojan",https://app.box.com/s/bseq5v27hez248arjyaypa7nt03omjvx,Palo Alto,,,,apt34,IR,Espionage,,,,"Spear Phishing, Malicious Documents","ALMA Communicator, Mimikatz, Clayslide",Energy and Utilities,,, 2017-11-10,unit42-new-malware-with-ties-to-sunorcal-discovered,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2017/2017.11.10.New_Malware_with_Ties_to_SunOrcal_Discovered/unit42-new-malware-with-ties-to-sunorcal-discovered.pdf,Palo Alto,,,,,,,,"CN, HK, TW",,,"Reaver, SunOrcal",Non-Governmental Organizations (NGOs) and Nonprofits,,, 2017-11-22,muddywater-apt-targeting-middle-east,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2017/2017.11.22.MuddyWater_APT/muddywater-apt-targeting-middle-east.pdf,RSA,,,,muddywater,IR,"Espionage, Information theft and espionage",2017,"AE, IQ, SA",FALSE,Malicious Documents,"Koadic JScript RAT, Meterpreter, 
PowerShell","Government and Defense Agencies, Energy and Utilities, Corporations and Businesses",2017-02-01,2017-11-20,292.0 2017-11-22,NCSC_Turla-Neuron-Nautilus-Snake-malware_1(11-22-2017),Turla group using Neuron and Nautilus tools alongside Snake malware,https://app.box.com/s/316mbg901wxjdarmtdlj6v4qv29a0ge8,NCSC,,,"rule neuron_common_strings { \n meta: \n description = ""Rule for detection of Neuron based on commonly used strings"" \n author = ""NCSC UK"" \n hash = ""d1d7a96fcadc137e80ad866c838502713db9cdfe59939342b8e3beacf9c7fe29"" \n strings: \n $strServiceName = ""MSExchangeService"" ascii \n $strReqParameter_1 = ""cadataKey"" wide \n $strReqParameter_2 = ""cid"" wide \n $strReqParameter_3 = ""cadata"" wide \n $strReqParameter_4 = ""cadataSig"" wide \n $strEmbeddedKey = \n""PFJTQUtleVZhbHVlPjxNb2R1bHVzPnZ3WXRKcnNRZjVTcCtWVG9Rb2xuaEVkMHVwWDFrVElFTUNTNEFnRkRCclNm\nclpKS0owN3BYYjh2b2FxdUtseXF2RzBJcHV0YXhDMVRYazRoeFNrdEpzbHljU3RFaHBUc1l4OVBEcURabVVZVklVb\nHlwSFN1K3ljWUJWVFdubTZmN0JTNW1pYnM0UWhMZElRbnl1ajFMQyt6TUhwZ0xmdEc2b1d5b0hyd1ZNaz08L01vZH\nVsdXM+PEV4cG9uZW50PkFRQUI8L0V4cG9uZW50PjwvUlNBS2V5VmFsdWU+"" wide \n $strDefaultKey = ""8d963325-01b8-4671-8e82-d0904275ab06"" wide \n $strIdentifier = ""MSXEWS"" wide \n $strListenEndpoint = ""443/ews/exchange/"" wide \n $strB64RegKeySubstring = ""U09GVFdBUkVcTWljcm9zb2Z0XENyeXB0b2dyYXBo"" wide \n $strName = ""neuron_service"" ascii \n $dotnetMagic = ""BSJB"" ascii \n \n condition: \n (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and $dotnetMagic and 6 of \n($str*) \n}, rule neuron_standalone_signature { \n meta: \n description = ""Rule for detection of Neuron based on a standalone signature from .NET \nmetadata"" \n author = ""NCSC UK"" \n hash = ""d1d7a96fcadc137e80ad866c838502713db9cdfe59939342b8e3beacf9c7fe29"" \n strings: \n $a = 
\n{eb073d151231011234080e12818d1d051281311d1281211d1281211d128121081d1281211d1281211d128121\n1d1281211d1281211d1281211d1281211d1281211d1281211d1281211d1281211d1281211d1281211d1281211\nd1281211d1281211d1281211d1281211d1281211d1281211d1281211d1281211d1281211d1281} \n $dotnetMagic = ""BSJB"" ascii \n condition: \n (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them \n}, rule nautilus_rc4_key { \n meta: \n description = ""Rule for detection of Nautilus based on a hardcoded RC4 key"" \n author = ""NCSC UK"" \n hash = ""a415ab193f6cd832a0de4fcc48d5f53d6f0b06d5e13b3c359878c6c31f3e7ec3"" \n strings: \n $key = {31 42 31 34 34 30 44 39 30 46 43 39 42 43 42 34 36 41 39 41 43 39 36 34 33 38 \n46 45 45 41 38 42} \n condition: \n (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and $key \n}, rule nautilus_modified_rc4_loop { \n meta: \n description = ""Rule for detection of Nautilus based on assembly code for a modified \nRC4 loop"" \n author = ""NCSC UK"" \n hash = ""a415ab193f6cd832a0de4fcc48d5f53d6f0b06d5e13b3c359878c6c31f3e7ec3"" \n strings: \n $a = {42 0F B6 14 04 41 FF C0 03 D7 0F B6 CA 8A 14 0C 43 32 14 13 41 88 12 49 FF C2 \n49 FF C9} \n condition: \n (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and $a \n}, rule neuron_functions_classes_and_vars { \n meta: \n description = ""Rule for detection of Neuron based on .NET function, variable and \nclass names"" \n author = ""NCSC UK"" \n hash = ""d1d7a96fcadc137e80ad866c838502713db9cdfe59939342b8e3beacf9c7fe29"" \n strings: \n $class1 = ""StorageUtils"" ascii \n $class2 = ""WebServer"" ascii \n $class3 = ""StorageFile"" ascii \n $class4 = ""StorageScript"" ascii \n $class5 = ""ServerConfig"" ascii \n $class6 = ""CommandScript"" ascii \n $class7 = ""MSExchangeService"" ascii \n $class8 = ""W3WPDIAG"" ascii \n $func1 = ""AddConfigAsString"" ascii \n $func2 = ""DelConfigAsString"" ascii \n $func3 = ""GetConfigAsString"" ascii \n $func4 = ""EncryptScript"" ascii \n $func5 = ""ExecCMD"" 
ascii \n $func6 = ""KillOldThread"" ascii \n $func7 = ""FindSPath"" ascii \n $var1 = ""CommandTimeWait"" ascii \n $dotnetMagic = ""BSJB"" ascii \n condition: \n (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and $dotnetMagic and 6 of \nthem \n}, rule nautilus_common_strings { \n meta: \n description = ""Rule for detection of Nautilus based on common plaintext strings"" \n author = ""NCSC UK"" \n hash = ""a415ab193f6cd832a0de4fcc48d5f53d6f0b06d5e13b3c359878c6c31f3e7ec3"" \n strings: \n $ = ""nautilus-service.dll"" ascii \n $ = ""oxygen.dll"" ascii \n $ = ""config_listen.system"" ascii \n $ = ""ctx.system"" ascii \n $ = ""3FDA3998-BEF5-426D-82D8-1A71F29ADDC3"" ascii \n $ = ""C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Caches\\\\{%s}.2.ver0x0000000000000001.db"" \nascii \n condition: \n (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and 3 of them \n}",turla,RU,"Espionage, Information theft and espionage",1996,,,"Spear Phishing, Exploit Vulnerability","Neuron, Nautilus, Snake, errorFE.aspx","Government and Defense Agencies, Corporations and Businesses, Energy and Utilities",,, 2017-11-22,A dive into MuddyWater APT targeting Middle-East,,https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/,Reaqta,,,,,,,,,TRUE,,,Corporations and Businesses,,, 2017-12-04,blog_anatomy-of-an-attack-carbanak,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2017/2017.12.04.The_Shadows_of_Ghosts/blog_anatomy-of-an-attack-carbanak.pdf,RSA,CVE-2017-5638,,,fin7,RU,"Financial gain, Financial crime",2013,,FALSE,Phishing,"Apache Struts, Winexe, Tinyp (PSEXEC Variant), Auditunnel, PScan, WGet, SCP, PSCP",Financial Institutions,,, 2017-12-05,Charming_Kitten_2017,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2017/2017.12.05.Charming_Kitten/Charming_Kitten_2017.pdf,ClearSky,,,,charming kitten,IR,Espionage,,"AE, CH, DE, DK, FR, GB, IL, IN, IR, TR, US",,"Spear Phishing, Watering Hole, Social 
Engineering","DownPaper Malware, BeEF (Browser Exploitation Framework), MAGICHOUND.RETRIEVER","Education and Research Institutions, Media and Entertainment Companies, Individuals",,, 2017-12-07,targeted-attack-in-middle-east-by-apt34.html,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2017/2017.12.07.New_Targeted_Attack_in_the_Middle_East_by_APT34/targeted-attack-in-middle-east-by-apt34.html.pdf,FireEye,"CVE-2017-0199, CVE-2017-11882",,,apt34,IR,Espionage,,,FALSE,"Spear Phishing, Exploit Vulnerability, Malicious Documents","POWRUNER, CertUtil.exe, PowerShell","Financial Institutions, Energy and Utilities, Government and Defense Agencies, Critical Infrastructure, Healthcare",,, 2017-12-11,appendix-untangling-the-patchwork-cyberespionage-group,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2017/2017.12.11.Patchwork_APT/appendix-untangling-the-patchwork-cyberespionage-group.pdf,Trend Micro,,,,,,,,,,,"BAT_DLOADER.AUSYSB, BKDR_SCADPRV.G, BKDR_SOCKSBOT.B, BKDR_SOKCSBOT.A, BKDR_XRAT.JCT, BKDR_XRAT.KVJ, TROJ_ARTIEF.EVV, TROJ_DDEX.SM, BKDR_DISMONN.A, TROJ_DLOADER.JEJOWJ, TROJ_DLOADR.AUSUGF, TROJ_DROPPR.DAM, TROJ_FUERY.A, TROJ_MDROP.YYSRH",Government and Defense Agencies,,, 2017-12-11,tech-brief-untangling-the-patchwork-cyberespionage-group,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2017/2017.12.11.Patchwork_APT/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf,Trend Micro,"CVE-2012-1856, CVE-2014-4114, CVE-2015-1641, CVE-2017-0199, CVE-2017-8570",,,patchwork,IN,"Espionage, Information theft and espionage",2013,"BD, LK",FALSE,"Spear Phishing, Social Engineering, Malicious Documents, Exploit Vulnerability","xRAT, java-rmi.exe, msvcr71.dll, jli.dll (contains the Badnews backdoor), NDiskMonitor backdoor, WampServer",,,, 
2017-12-14,attackers-deploy-new-ics-attack-framework-triton.html,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2017/2017.12.14.attackers-deploy-new-ics-attack-framework-triton/attackers-deploy-new-ics-attack-framework-triton.html.pdf,Mandiant,,,"rule TRITON_ICS_FRAMEWORK\n{\n meta:\n author = ""nicholas.carr @itsreallynick""\n md5 = ""0face841f7b2953e7c29c064d6886523""\n description = ""TRITON framework recovered during Mandiant ICS incident response""\n strings:\n $python_compiled = "".pyc"" nocase ascii wide\n $python_module_01 = ""__module__"" nocase ascii wide\n $python_module_02 = """" nocase ascii wide\n $python_script_01 = ""import Ts"" nocase ascii wide\n $python_script_02 = ""def ts_"" nocase ascii wide \n $py_cnames_01 = ""TS_cnames.py"" nocase ascii wide\n $py_cnames_02 = ""TRICON"" nocase ascii wide\n $py_cnames_03 = ""TriStation "" nocase ascii wide\n $py_cnames_04 = "" chassis "" nocase ascii wide \n $py_tslibs_01 = ""GetCpStatus"" nocase ascii wide\n $py_tslibs_02 = ""ts_"" ascii wide\n $py_tslibs_03 = "" sequence"" nocase ascii wide\n $py_tslibs_04 = /import Ts(Hi|Low|Base)^:alpha:/ nocase ascii wide\n $py_tslibs_05 = /module\\s?version/ nocase ascii wide\n $py_tslibs_06 = ""bad "" nocase ascii wide\n $py_tslibs_07 = ""prog_cnt"" nocase ascii wide \n $py_tsbase_01 = ""TsBase.py"" nocase ascii wide\n $py_tsbase_02 = "".TsBase("" nocase ascii wide \n \n $py_tshi_01 = ""TsHi.py"" nocase ascii wide\n $py_tshi_02 = ""keystate"" nocase ascii wide\n $py_tshi_03 = ""GetProjectInfo"" nocase ascii wide\n $py_tshi_04 = ""GetProgramTable"" nocase ascii wide\n $py_tshi_05 = ""SafeAppendProgramMod"" nocase ascii wide\n $py_tshi_06 = "".TsHi("" ascii nocase wide \n $py_tslow_01 = ""TsLow.py"" nocase ascii wide\n $py_tslow_02 = ""print_last_error"" ascii nocase wide\n $py_tslow_03 = "".TsLow("" ascii nocase wide\n $py_tslow_04 = ""tcm_"" ascii wide\n $py_tslow_05 = "" TCM found"" nocase ascii wide \n $py_crc_01 = ""crc.pyc"" 
nocase ascii wide\n $py_crc_02 = ""CRC16_MODBUS"" ascii wide\n $py_crc_03 = ""Kotov Alaxander"" nocase ascii wide\n $py_crc_04 = ""CRC_CCITT_XMODEM"" ascii wide\n $py_crc_05 = ""crc16ret"" ascii wide\n $py_crc_06 = ""CRC16_CCITT_x1D0F"" ascii wide\n $py_crc_07 = /CRC16_CCITT^_/ ascii wide \n $py_sh_01 = ""sh.pyc"" nocase ascii wide \n $py_keyword_01 = "" FAILURE"" ascii wide\n $py_keyword_02 = ""symbol table"" nocase ascii wide \n $py_TRIDENT_01 = ""inject.bin"" ascii nocase wide\n $py_TRIDENT_02 = ""imain.bin"" ascii nocase wide \n condition:\n 2 of ($python_*) and 7 of ($py_*) and filesize < 3MB\n}",,,,,,,,"TRITON, Trilog.exe, libraries.zip, library.zip, inject.bin, imain.bin",Critical Infrastructure,,, 2017-12-14,Dragos_TRISIS-01(12-14-2017),TRISIS Malware,https://app.box.com/s/lczcjm4izqlu3fuve5lf7yof2gpcxn0h,Dragos,,,,,,,,,,Removable Media,TRISIS,"Energy and Utilities, Critical Infrastructure",,, 2017-12-17,Operation_Dragonfly_Analysis,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2017/2017.12.17.operation-dragonfly-analysis-suggests-links-to-earlier-attacks/Operation_Dragonfly_Analysis.pdf,McAfee,,,,dragonfly,RU,"Espionage, Sabotage and destruction",2010,,FALSE,"Spear Phishing, Watering Hole, Exploit Vulnerability","Java exploit, TeamViewer, BlackEnergy","Corporations and Businesses, Financial Institutions, Energy and Utilities",,, 2017-12-19,pfpt-us-wp-north-korea-bitten-by-bitcoin-bug,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2017/2017.12.19.North_Korea_Bitten_by_Bitcoin_Bug/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf,Proofpoint,,,,lazarus group,KP,"Information theft and espionage, Espionage, Sabotage and destruction, Sabotage, Financial crime",2014,KR,TRUE,"Spear Phishing, Malicious Documents, Phishing, Watering Hole","PowerRatankba, JavaScript Downloaders, VBScript Macro Microsoft Office Documents, Backdoored PyInstaller Applications","Corporations and Businesses, Financial 
Institutions, Individuals",,, 2018-01-01,APT 35,,https://www.cfr.org/cyber-operations/apt-35,Council on Foreign Relations,,,,apt 35,IR,Information theft and espionage,2012,US,,,,"Government and Defense Agencies, Corporations and Businesses, Media and Entertainment Companies, Energy and Utilities",,, 2018-01-01,APT38,,https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/pf/apt/rpt-apt38-2018.pdf,FireEye,,,,lazarus group,KP,"Information theft and espionage, Espionage, Sabotage and destruction, Sabotage, Financial crime",2014,,,,,Financial Institutions,,, 2018-01-01,APT1,,https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf,Mandiant,,,,,,,,,FALSE,,,,,, 2018-01-06,Malicious Document Targets Pyeongchang Olympics _ McAfee Blogs,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.01.06.malicious-document-targets-pyeongchang-olympics/Malicious%20Document%20Targets%20Pyeongchang%20Olympics%20_%20McAfee%20Blogs.pdf,McAfee,,,,,,,,KR,FALSE,"Spear Phishing, Malicious Documents","Invoke-PSImage, McAfee Advanced Threat Research","Corporations and Businesses, Critical Infrastructure",2017-12-22,2017-12-28,6.0 2018-01-10,Analysis of BlackTech's latest APT attack,,http://www.freebuf.com/column/159865.html,Freebuf,,,,,,,,,,,,,,, 2018-01-11,North_Korean_Defectors_and_Journalists_Targeted,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.01.11.North_Korean_Defectors_and_Journalists_Targeted/North_Korean_Defectors_and_Journalists_Targeted.pdf,McAfee,,,,sun team folder,,,,KR,FALSE,Spear Phishing,북한기도 (Pray for North Korea) and BloodAssistant,Individuals,,, 2018-01-12,TrendMicro_Update-PawnStorm-Politically-Motivated-Campaigns(01-12-2018),Update on Pawn Storm: New Targets and Politically Motivated Campaigns,https://app.box.com/s/1wrl9umiiziapt9qxnt3kyv195k1kjui,Trend Micro,,,,apt28,RU,"Espionage, Information theft and 
espionage",2004,"AF, DE, FR, IN, IR, ME, NL, PK, TR, UA, US",TRUE,"Phishing, Spear Phishing, Social Engineering",,"Government and Defense Agencies, Education and Research Institutions, Non-Governmental Organizations (NGOs) and Nonprofits",,, 2018-01-15,New_killdisk,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.01.15.new-killdisk-variant-hits-financial-organizations-in-latin-america/New_killdisk.pdf,Trend Micro,CVE-2017-5689,,,,,,,"KR, RU, UA",,,"TROJ_KILLDISK.IUB, KillDisk","Corporations and Businesses, Financial Institutions, Cloud/IoT Services",,, 2018-01-16,APT3_Adversary_Emulation_Plan,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2017/2017.09.XX.APT3_Adversary_Emulation_Plan/APT3_Adversary_Emulation_Plan.pdf,MITRE,"CVE-2014-1776, CVE-2014-4113, CVE-2014-6332, CVE-2015-3113","T1056:Input Capture, T1064:Scripting, T1045:Software Packing, T1078:Valid Accounts, T1082:System Information Discovery, T1031:Modify Existing Service, T1059:Command-Line Interface, T1002:Data Compressed, T1027:Obfuscated Files or Information, T1021:Remote Services, T1018:Remote System Discovery, T1016:System Network Configuration Discovery, T1076:Remote Desktop Protocol, T1012:Query Registry, T1085:Rundll32, T1015:Accessibility Features, T1077:Windows Admin Shares, T1081:Credentials in Files, T1066:Indicator Removal from Tools, T1112:Modify Registry, T1087:Account Discovery, T1073:DLL Side-Loading, T1060:Registry Run Keys / Startup Folder, T1069:Permission Groups Discovery, T1107:File Deletion, T1083:File and Directory Discovery, T1053:Scheduled Task, T1074:Data Staged, T1005:Data from Local System, T1035:Service Execution, T1136:Create Account, T1049:System Network Connections Discovery, T1041:Exfiltration Over Command and Control Channel, T1105:Remote File Copy, T1135:Network Share Discovery, T1108:Redundant Access, T1110:Brute Force, T1050:New Service, T1043:Commonly Used Port, T1057:Process Discovery, 
T1003:Credential Dumping, T1113:Screen Capture",,apt3,CN,"Espionage, Information theft and espionage",2007,,TRUE,"Spear Phishing, Exploit Vulnerability, Malicious Documents","Pirpi, SHOTPUT, Backdoor.APT.CookieCutter, MetaSploit, Cobalt Strike, PlugX, OSInfo, pwdump, Mimikatz, Keylogger.",Corporations and Businesses,,, 2018-01-16,korea-in-crosshairs.html,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.01.16.korea-in-crosshairs/korea-in-crosshairs.html.pdf,Microsoft,"CVE-2013-0808, CVE-2017-0199",,,group 123,KP,Information theft and espionage,2012,KR,FALSE,"Spear Phishing, Exploit Vulnerability, Malicious Documents","ROKRAT, PoohMilk, Freenki, pCloud, Dropbox, Box, Yandex","Government and Defense Agencies, Education and Research Institutions",,, 2018-01-16,cta-2018-0116,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.01.16.north-korea-cryptocurrency-campaign/cta-2018-0116.pdf,Recorded Future,"CVE-2015-6585, CVE-2017-8291",,"rule apt_NK_Lazarus_Fall2017_payload_minCondition \n{ \n \u200bmeta: \n desc \u200b=\u200b \u200b""Minimal condition set to detect payloads from Fall 2017 Lazarus \nCampaign against Cryptocurrency Exchanges and Friends of MOFA 11"" \n author \u200b=\u200b \u200b""JAGS, Insikt Group, Recorded Future"" \n version \u200b=\u200b \u200b""2.0"" \n \nRecorded Future\u200b \u200b|\u200b \u200bwww.recordedfuture.com\u200b \u200b|\u200b \u200bCTA-2018-0116\u200b \u200b|\u200b \u200b 10 \n \n\xa0\nCYBER THREAT ANALYSIS\xa0\n \n TLP \u200b=\u200b \u200b""Green"" \n md5 \u200b=\u200b \u200b""46d1d1f6e396a1908471e8a8d8b38417"" \n md5 \u200b=\u200b \u200b""6b061267c7ddeb160368128a933d38be"" \n md5 \u200b=\u200b \u200b""afa40517d264d1b03ac5c4d2fef8fc32"" \n md5 \u200b=\u200b \u200b""c270eb96deaf27dd2598bc4e9afd99da"" \n md5 \u200b=\u200b \u200b""d897b4b8e729a408f64911524e8647db"" \n md5 \u200b=\u200b \u200b""e1cc2dcb40e729b2b61cf436d20d8ee5"" \n \n \n \u200bstrings: \n 
$sub1800115A0 \u200b= \n{\u200b488\u200bD542460488D8DB005000041FF9424882000004C8BE84883F8FF0F84EA010000488D8DC007000033D\n241B800400000E8} \n $sub18000A720 \u200b=\u200b {\u200b33\u200bC0488BBC2498020000488B9C2490020000488B8D600100004833CCE8} \n \n \n \u200bcondition: \n uint16(\u200b0\u200b) \u200b==\u200b \u200b0x5A4D\u200b and filesize \u200b<\u200b \u200b5\u200bMB \n and \n any of them \n}, rule apt_NK_Lazarus_SKOlympics_EPS \n{ \nmeta: \nauthor\u200b =\u200b \u200b""JAG-S, Insikt Group, RF"" \ndesc\u200b =\u200b \u200b""CN terms in PostScript loader"" \nTLP \u200b=\u200b \u200b""Green"" \nversion \u200b=\u200b \u200b""1.0"" \nmd5\u200b =\u200b \u200b""231fe349faa7342f33402c562f93a270"" \n \nstrings: \n$eps_strings1\u200b \u200b=\u200b \u200b""/yinzi { token pop exch pop } bind def""\u200b ascii wide \n$eps_strings2\u200b \u200b=\u200b \u200b""/yaoshi def""\u200b ascii wide \n$eps_strings8\u200b \u200b=\u200b \u200b/\\/\u200byaoshi \u200b<\u200bA\u200b-F0\u200b-9\u200b\u200b{8}> def/ ascii wide \n$eps_strings3 = ""/yima{"" ascii wide \n$eps_strings4 = ""/funcA exch def"" ascii wide \n$eps_strings5 = ""0 1 funcA length 1 sub {"" ascii wide \n$eps_strings6 = ""/funcB exch def"" ascii wide \n$eps_strings7 = ""funcA funcB 2 copy get yaoshi funcB 4 mod get xor put"" \nascii wide \n \ncondition: \n6 of them\n \n}",lazarus group,KP,"Information theft and espionage, Espionage, Sabotage and destruction, Sabotage, Financial crime",2014,KR,FALSE,Malicious Documents,"Destover, Lazarus Hangman malware family","Financial Institutions, Education and Research Institutions, Media and Entertainment Companies",2017-02-15,2017-11-15,273.0 2018-01-16,Skygofree_ Following in the footsteps of HackingTeam - Securelist,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.01.16.skygofree/Skygofree_%20Following%20in%20the%20footsteps%20of%20HackingTeam%20-%20Securelist.pdf,Kaspersky,"CVE-2013-2094, CVE-2013-2595, CVE-2013-6282, CVE-2014-3153, 
CVE-2015-3636",,,negg,,,,IT,FALSE,"Drive-by Download, Website Equipping","FirebaseCloudMessaging, NG SuperShell, update.exe, Xenotix Python Keylogger, msconf.exe",Corporations and Businesses,,, 2018-01-16,Skygofree_appendix_eng,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.01.16.skygofree/Skygofree_appendix_eng.pdf,ESET,,S0024:N/A,,,,,,,,,,,,, 2018-01-18,Turla Neuron Malware Update,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.01.18.Turla_group_update_Neuron_malware/Turla%20Neuron%20Malware%20Update.pdf,NCSC,,,"rule neuron2_loader_strings { \n meta: \n description = ""Rule for detection of Neuron2 based on strings within the loader"" \n author = ""NCSC"" \n hash = ""51616b207fde2ff1360a1364ff58270e0d46cf87a4c0c21b374a834dd9676927"" \n strings: \n $ = ""dcom_api"" ascii \n $ = ""http://*:80/OWA/OAB/"" ascii \n $ = ""https://*:443/OWA/OAB/"" ascii \n $ = ""dcomnetsrv.cpp"" wide \n $ = ""dcomnet.dll"" ascii \n $ = ""D:\\\\Develop\\\\sps\\\\neuron2\\\\x64\\\\Release\\\\dcomnet.pdb"" ascii \n condition: \n (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and 2 of them \n}, rule neuron2_decryption_routine { \n meta: \n description = ""Rule for detection of Neuron2 based on the routine used to decrypt the \npayload"" \n author = ""NCSC"" \n hash = ""51616b207fde2ff1360a1364ff58270e0d46cf87a4c0c21b374a834dd9676927"" \n strings: \n $ = {81 FA FF 00 00 00 0F B6 C2 0F 46 C2 0F B6 0C 04 48 03 CF 0F B6 D1 8A 0C 14 8D 50 \n01 43 32 0C 13 41 88 0A 49 FF C2 49 83 E9 01} \n condition: \n (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them \n}, rule neuron2_dotnet_strings { \n meta: \n description = ""Rule for detection of the .NET payload for Neuron2 based on strings \nused"" \n author = ""NCSC"" \n hash = ""83d8922e7a8212f1a2a9015973e668d7999b90e7000c31f57be83803747df015"" \n strings: \n $dotnetMagic = ""BSJB"" ascii \n $s1 = ""http://*:80/W3SVC/"" wide \n $s2 
= ""https://*:443/W3SVC/"" wide \n $s3 = ""neuron2.exe"" ascii \n $s4 = ""D:\\\\Develop\\\\sps\\\\neuron2\\\\neuron2\\\\obj\\\\Release\\\\neuron2.pdb"" ascii \n condition: \n (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and $dotnetMagic and 2 of \n($s*) \n}",turla,RU,"Espionage, Information theft and espionage",1996,GB,,,"Neuron, Nautilus",Corporations and Businesses,,, 2018-01-24,Lazarus_Campaign_Targeting_Cryptocurrencies,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.01.24.lazarus-campaign-targeting-cryptocurrencies/Lazarus_Campaign_Targeting_Cryptocurrencies.pdf,RSA,CVE-2017-9791,,,lazarus group,KP,"Information theft and espionage, Espionage, Sabotage and destruction, Sabotage, Financial crime",2014,IN,FALSE,Malicious Documents,"RATANKBA, TROJ_RATANKBA.A, BKDR_RATANKBA.ZAEL-A, PowerShell, OfficeScan, Trend Micro Deep Discovery, sandboxing","Corporations and Businesses, Individuals",,, 2018-01-26,unit42-the-tophat-campaign-attacks-within-the-middle-east-region-using-popular-third-party-services,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.01.26.TopHat_Campaign/unit42-the-tophat-campaign-attacks-within-the-middle-east-region-using-popular-third-party-services.pdf,Palo Alto,CVE-2017-0199,,,,,,,PS,FALSE,"Malicious Documents, Exploit Vulnerability","Scote, DustySky Core",Individuals,,, 2018-01-27,Accenture-Security-Dragonfish-Threat-Analysis,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.01.27.DRAGONFISH/Accenture-Security-Dragonfish-Threat-Analysis.pdf,Accenture,CVE-2017-11882,,,dragonfish,CN,"Espionage, Information theft and espionage",2010,"HK, ID, MY, PH, TW",FALSE,"Malicious Documents, Exploit Vulnerability","iexplore.exe, NavShExt.dll, thumbcache_1CD60.db","Government and Defense Agencies, Education and Research Institutions, Critical Infrastructure",2018-01-19,2018-01-25,6.0 
2018-01-29,PoriewSpy.India,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.01.29.PoriewSpy.India/PoriewSpy.India.pdf,Trend Micro,,,,,,,,,FALSE,Exploit Vulnerability,"DroidJack, SandroRAT, PoriewSpy","Government and Defense Agencies, Individuals",,, 2018-01-30,apt32-continues-asean-targeting,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.01.30.APT32_Continues_ASEAN_Targeting/apt32-continues-asean-targeting.pdf,RSA,"CVE-2017-1182, CVE-2017-11882",,,apt32,VN,"Espionage, Financial gain, Information theft and espionage",2012,,FALSE,"Malicious Documents, Exploit Vulnerability, Watering Hole","Elise backdoor, NavShExt.dll, Microsoft Equation Editor (EQNEDT32.exe), RTF Dropper",Government and Defense Agencies,,2018-01-15, 2018-02-01,Operation PZChao a possible return of the Iron Tiger APT,,https://labs.bitdefender.com/2018/02/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/,Bitdefender,CVE-2024-23204,,,backdoordiplomacy,,Information theft and espionage,2017,,,,", Atomic Stealer, MegaCortex Decryptor, EyeSpy, Infostealer Malware",Cloud/IoT Services,,, 2018-02-07,Targeted-attacks,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.02.07.targeted-attacks-in-middle-east_VBS_CAMPAIGN/Targeted-attacks.pdf,Dar El-Jaleel,,,,,,,,,,Malicious Documents,Jenxcus (a.k.a. 
Houdini/H-Worm),Government and Defense Agencies,,, 2018-02-13,deciphering-confucius,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.02.13.deciphering-confucius/deciphering-confucius.pdf,Trend Micro,"CVE-2015-1641, CVE-2017-11882, CVE-2017-5689",,,confucius,,,,,FALSE,Social Engineering,"Simple Chat Point: Secret Chat Point, Tweety Chat, Patchwork","Government and Defense Agencies, Corporations and Businesses, Individuals",,, 2018-02-20,Fireeye_rpt_APT37(02-20-2018),APT37 (Reaper): The Overlooked North Korean Actor,https://app.box.com/s/144qx5sbghcvom6k0ivz77h1t5gbg3d8,FireEye,"CVE-2013-4979, CVE-2014-8439, CVE-2015-2387, CVE-2015-2419, CVE-2015-2545, CVE-2015-3043, CVE-2015-3105, CVE-2015-5119, CVE-2015-5122, CVE-2015-7645, CVE-2016-1019, CVE-2016-4117, CVE-2017-0199, CVE-2018-0802, CVE-2018-4878",,,apt37,KP,Information theft and espionage,2012,"JP, KR, VN",TRUE,"Spear Phishing, Watering Hole, Social Engineering","CORALDECK, DOGCALL, KARAE, SOUNDWAVE, ZUMKONG, RICECURRY, POORAIM, SLOWDRIFT, MILKDROP, GELCAPSULE, HAPPYWORK, RUHAPPY, SHUTTERSPEED, WINERACK","Government and Defense Agencies, Corporations and Businesses, Financial Institutions, Healthcare, Manufacturing, Media and Entertainment Companies, Non-Governmental Organizations (NGOs) and Nonprofits, Individuals",,, 2018-02-20,APT37.blog,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.02.20.APT37/APT37.blog.pdf,FireEye,CVE-2018-0802,,,apt37,KP,Information theft and espionage,2012,"JP, KR, VN",TRUE,"Social Engineering, Exploit Vulnerability",,"Corporations and Businesses, Healthcare, Manufacturing",,, 2018-02-20,A Slice of 2017 Sofacy Activity - Securelist,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.02.20.a-slice-of-2017-sofacy-activity/A%20Slice%20of%202017%20Sofacy%20Activity%20-%20Securelist.pdf,NATO,"CVE-2017-0262, CVE-2017-0263",,,apt28,RU,"Espionage, Information theft 
and espionage",2004,"AE, AM, AU, AZ, BA, BE, CH, DE, FR, GB, IQ, IT, KG, KR, LV, MA, MN, MY, NL, OM, PK, PL, SA, SE, SK, TJ, TM, TR, UA, US, UZ, VN, ZA",TRUE,"Spear Phishing, Exploit Vulnerability, Malicious Documents","CosmicDuke, CORESHELL, SPLM (aka Xagent, aka CHOPSTICK), JHUHUGIT, AZZY (aka ADVSTORESHELL, NETUI, EVILTOSS), USB stealers, Sofacy (aka SOURFACE), Zebrocy, GAMEFISH, AutoIT","Government and Defense Agencies, Education and Research Institutions, Energy and Utilities, Non-Governmental Organizations (NGOs) and Nonprofits, Critical Infrastructure, Media and Entertainment Companies, Healthcare",,, 2018-02-20,Latest Elise APT comes packed with Sandbox Evasions,,https://www.joesecurity.org/blog/8409877569366580427,Joe Security,"CVE-2017-11882, CVE-2018-0802",,,dragonfish,CN,"Espionage, Information theft and espionage",2010,,FALSE,Malicious Documents,"Elise Malware, Microsoft Office Equation Editor, EQNEDT32.EXE, IExplorer.exe",Government and Defense Agencies,,, 2018-02-21,Avast tracks down Tempting Cedar Spyware,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.02.21.Tempting_Cedar/Avast%20tracks%20down%20Tempting%20Cedar%20Spyware.pdf,RSA,,,,,,,,IL,FALSE,"Social Engineering, Phishing","The specific malware mentioned in the report is the ""Tempting Cedar Spyware"" and the malicious version of the ""Kik Messenger app"".",Individuals,,, 2018-02-28,Chafer_ Latest Attacks Reveal Heightened Ambitions _ Symantec Blogs,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.02.28.Chafer_Latest_Attacks_Reveal/Chafer_%20Latest%20Attacks%20Reveal%20Heightened%20Ambitions%20_%20Symantec%20Blogs.pdf,Symantec,,,,chafer,IR,Information theft and espionage,2014,"AE, IL, JO, SA, TR",,"Exploit Vulnerability, Spear Phishing, Malicious Documents","VBS file, UltraVNC, NBTScan, Remexi (Backdoor.Remexi), PsExec, Mimikatz (Hacktool.Mimikatz), Pwdump, Plink (PuTTY Link), Remcom",Corporations and 
Businesses,,, 2018-03-01,The 'Icefog' APT A Tale of Cloak and Three Daggers,,https://d2538mqrb7brka.cloudfront.net/wp-content/uploads/sites/43/2018/03/20133739/icefog.pdf,Kaspersky,"CVE-2010-3333, CVE-2012-0158, CVE-2012-1723, CVE-2012-1856, CVE-2013-0422",,,icefog,CN,"Espionage, Information theft and espionage",2014,"JP, KR, TW",FALSE,"Spear Phishing, Exploit Vulnerability, Malicious Documents","Type “2” backdoors, Password and hash dumping tools, Tools to dump Internet Explorer saved passwords, Tools to dump Outlook e-mail accounts and passwords, Debugging tools","Government and Defense Agencies, Media and Entertainment Companies, Corporations and Businesses, Education and Research Institutions",,, 2018-03-01,Territorial Dispute - NSA's perspective on APT landscape,,https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf,CrySyS Lab,,,,iron tiger,CN,"Espionage, Information theft and espionage",2010,,,,", Dark Hotel, Stuxnet, SIG25, SIG8, winver32.exe",,,, 2018-03-01,MuddyWater's Recent Activity,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.03.01.a-quick-dip-into-muddywaters-recent/MuddyWater%27s%20Recent%20Activity.pdf,Palo Alto,,,,muddywater,IR,"Espionage, Information theft and espionage",2017,,,Malicious Documents,,Financial Institutions,,, 2018-03-02,Operation_Honeybee,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.03.02.Operation_Honeybee/Operation_Honeybee.pdf,McAfee,,,,,,,,"AR, CA, ID, JP, KR, SG, VN",,Malicious Documents,"SYSCON backdoor, MaoCheng dropper.",Non-Governmental Organizations (NGOs) and Nonprofits,,, 2018-03-06,The-Slingshot-APT_report_ENG_final,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.03.06.The-Slingshot-APT/The-Slingshot-APT_report_ENG_final.pdf,Kaspersky,"CVE-2007-5633, CVE-2009-0824, CVE-2010-1592",,,slingshot,,Information theft and espionage,2012,"AE, AF, CG, IQ, JO, KE, 
LY, MU, SD, SO, TR, TZ, YE",TRUE,Exploit Vulnerability,"Slingshot, Mikrotik routers, Winbox Loader",,,, 2018-03-07,patchwork-continues-deliver-badnews,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.03.07.patchwork-continues-deliver-badnews-indian-subcontinent/patchwork-continues-deliver-badnews.pdf,Palo Alto,"CVE-2015-2545, CVE-2017-0261",,,patchwork,IN,"Espionage, Information theft and espionage",2013,"IN, PK",FALSE,"Malicious Documents, Exploit Vulnerability",BADNEWS,Government and Defense Agencies,,, 2018-03-08,McAfee_Hidden-Cobra-Turkish-Financial-Sector-Bankshot-Implant(03-08-2018),Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant,https://app.box.com/s/a5yxk9ttke0l3wg054ub6tgb54hwp35a,McAfee,CVE-2018-4878,,,lazarus group,KP,"Information theft and espionage, Espionage, Sabotage and destruction, Sabotage, Financial crime",2014,TR,TRUE,"Malicious Documents, Exploit Vulnerability","Bankshot, DLL implant",Financial Institutions,2017-12-27,2018-03-03,66.0 2018-03-08,hidden-cobra-targets-turkish-financial-sector-new-bankshot-implant,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.03.08.hidden-cobra-targets-turkish-financial/hidden-cobra-targets-turkish-financial-sector-new-bankshot-implant.pdf,McAfee,CVE-2018-4878,,,lazarus group,KP,"Information theft and espionage, Espionage, Sabotage and destruction, Sabotage, Financial crime",2014,TR,TRUE,"Spear Phishing, Exploit Vulnerability, Malicious Documents","Bankshot, Adobe Flash exploit",Financial Institutions,2017-12-27,2018-03-03,66.0 2018-03-08,olympicdestroyer,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.03.08.olympicdestroyer-is-here-to-trick-the-industry/olympicdestroyer.pdf,CrowdStrike,,,,apt28,RU,"Espionage, Information theft and espionage",2004,"AT, AU, CA, DE, FR, KR, LA",,"Spear Phishing, Malicious Documents","PsExec tool from SysInternals’ suite, 
Credential stealer modules, Wiper, PowerShell scriptlets","Government and Defense Agencies, Corporations and Businesses, Financial Institutions, Healthcare, Energy and Utilities, Media and Entertainment Companies, Critical Infrastructure",2017-12-15,2018-02-12,59.0 2018-03-09,An analysis of RoyalCli and RoyalDNS,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.03.09.APT15_is_alive_and_strong/An%20analysis%20of%20RoyalCli%20and%20RoyalDNS.pdf,NCC Group,,,,apt15,CN,"Espionage, Information theft and espionage",2010,GB,FALSE,Credential Reuse,"spwebmember, WinRAR, Mimikatz, RemoteExec, RoyalCli, RoyalDNS, Nwsapagent",Government and Defense Agencies,,, 2018-03-09,The Slingshot APT FAQ,,https://securelist.com/apt-slingshot/84312/,Kaspersky,"CVE-2007-5633, CVE-2010-1592",,,slingshot,,Information theft and espionage,2012,"AF, CG, IQ, JO, KE, LY, SD, SO, TR, TZ, YE",FALSE,Exploit Vulnerability,"Slingshot, Winbox Loader, scesrv.dll (malicious library)","Government and Defense Agencies, Individuals",,, 2018-03-09,masha-and-these-bears,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.03.09.masha-and-these-bears/masha-and-these-bears.pdf,RSA,,,,apt28,RU,"Espionage, Information theft and espionage",2004,"AF, AM, CN, JP, KZ, MN, TJ, TR, US",,,"SPLM, ZEBROCY, GAMEFISH, GREY LAMBERT, GREYWARE/PEN-TESTING NBTSCAN, powercat, XAgent, InjectApp, Screenshot, FileObserver, PasswordFirefox, InfoOS","Government and Defense Agencies, Corporations and Businesses, Education and Research Institutions",,, 2018-03-09,new-traces-hacking-team-wild,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.03.09.new-traces-hacking-team-wild/new-traces-hacking-team-wild.pdf,ESET,,,,callisto,RU,,,,,"Spear Phishing, Malicious Documents","Trojan.Win32/CrisisHT.F, Trojan.Win32/CrisisHT.H, Trojan.Win32/CrisisHT.E, Trojan.Win32/CrisisHT.L, Trojan.Win32/CrisisHT.J, 
Trojan.Win32/Agent.ZMW, Trojan.Win32/Agent.ZMX, Trojan.Win32/Agent.ZMY, Trojan.Win32/Agent.ZMZ, VMProtect",Government and Defense Agencies,,, 2018-03-09,BAD TRAFFIC_ Sandvine's PacketLogic Devices Used to Deploy Government Spyware in Turkey and Redirect Egyptian Users to Affiliate Ads_,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.03.09.Sandvine_PacketLogic_Devices_APT/BAD%20TRAFFIC_%20Sandvine%E2%80%99s%20PacketLogic%20Devices%20Used%20to%20Deploy%20Government%20Spyware%20in%20Turkey%20and%20Redirect%20Egyptian%20Users%20to%20Affiliate%20Ads_.pdf,Citizen Lab,,,,strongpity,TR,Information theft and espionage,2012,"SY, TR",FALSE,Drive-by Download,"FinFisher, StrongPity",Individuals,,, 2018-03-10,APT15 is alive and strong An analysis of RoyalCli and RoyalDNS,,https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/,NCC Group,,,,apt15,CN,"Espionage, Information theft and espionage",2010,GB,,,"spwebmember, WinRAR, Mimikatz, RemoteExec, RoyalCli, RoyalDNS, BS2005",Government and Defense Agencies,,, 2018-03-10,NCCGroup_APT15-alive-analysis-RoyalCli-RoyalDNS(03-10-2018),APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS,https://app.box.com/s/4qi7z4cclbg0746pa1x3qfpxtn6zamfd,NCC Group,,,,apt15,CN,"Espionage, Information theft and espionage",2010,,,Credential Reuse,"RoyalDNS, Nwsapagent, WinRAR, spwebmember, RemoteExec, BS2005, RoyalCli",Government and Defense Agencies,,, 2018-03-13,BlackTDS,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.03.13.BlackTDS/BlackTDS.pdf,Proofpoint,,,,ta505,RU,,,"AU, DE, ES, FR, GB, JP, US",FALSE,"Drive-by Download, Malicious Documents, Social Engineering","BlackTDS, Keitaro TDS, Grandsoft Exploit Kit, FlawedAmmyy RAT, Smominru Monero mining botnet",,2018-02-15,2018-03-15,28.0 
2018-03-13,therapeutic_postmortem_of_connected_medicine,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.03.13.A_therapeutic_postmortem_of_connected_medicine/therapeutic_postmortem_of_connected_medicine.pdf,Google,,,,,,,,"BD, VN",,Exploit Vulnerability,"PlugX, Cobalt Strike, Mimikatz, Meterpreter, Powerpreter, Remote admin",Healthcare,,, 2018-03-14,"Inception Framework_ Alive and Well, and Hiding Behind Proxies _ Symantec Blogs",,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.03.14.Inception_Framework/Inception%20Framework_%20Alive%20and%20Well%2C%20and%20Hiding%20Behind%20Proxies%20_%20Symantec%20Blogs.pdf,Symantec,"CVE-2012-0158, CVE-2014-1761",,,inception framework,RU,"Espionage, Information theft and espionage",2012,"BE, FR, GB, IR, KE, MD, MY, RU, SR, UA, ZA",FALSE,"Spear Phishing, Malicious Documents, Exploit Vulnerability","Reconnaissance document, RTF document, In-memory DLL payload, WebDAV protocol","Government and Defense Agencies, Corporations and Businesses, Energy and Utilities, Education and Research Institutions, Media and Entertainment Companies",,, 2018-03-15,Russian_Government_Cyber_Activity,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.03.15.Russian_Government_Cyber_Activity_TA18-074A/Russian_Government_Cyber_Activity.pdf,FireEye,,,"rule 
Query_XML_Code_MAL_DOC{\nmeta:\n\xa0\xa0\xa0\xa0\xa0\xa0name=\xa0""Query_XML_Code_MAL_DOC""\n\xa0\xa0\xa0\xa0\xa0\xa0author\xa0=\xa0""other""\n\xa0\nstrings:\n\xa0\xa0\xa0\xa0\xa0\xa0$zip_magic\xa0=\xa0{\xa050\xa04b\xa003\xa004\xa0}\n\xa0\xa0\xa0\xa0\xa0\xa0$dir\xa0=\xa0""word/_rels/""\xa0ascii\n\xa0\xa0\xa0\xa0\xa0\xa0$dir2\xa0=\xa0""word/theme/theme1.xml""\xa0ascii\n\xa0\xa0\xa0\xa0\xa0\xa0$style\xa0=\xa0""word/styles.xml""\xa0ascii\n\xa0\ncondition:\n\xa0\xa0\xa0\xa0\xa0\xa0$zip_magic\xa0at\xa00\xa0and\xa0$dir\xa0at\xa00x0145\xa0and\xa0$dir2\xa0at\xa00x02b7\xa0and\xa0$style\xa0at\xa00x08fd\n}, rule\xa0APT_malware_2\n{\nmeta:\n\xa0\xa0\xa0\xa0\xa0\xa0description\xa0=\xa0""rule\xa0detects\xa0malware""\n\xa0\xa0\xa0\xa0\xa0\xa0author\xa0=\xa0""other""\n\xa0\nstrings:\n\xa0\xa0\xa0\xa0\xa0\xa0$api_hash\xa0=\xa0{\xa08A\xa008\xa084\xa0C9\xa074\xa00D\xa080\xa0C9\xa060\xa001\xa0CB\xa0C1\xa0E3\xa001\xa003\xa045\xa010\xa0EB\xa0ED\xa0}\n\xa0\xa0\xa0\xa0\xa0\xa0$http_push\xa0=\xa0""X\xadmode:\xa0push""\xa0nocase\n\xa0\xa0\xa0\xa0\xa0\xa0$http_pop\xa0=\xa0""X\xadmode:\xa0pop""\xa0nocase\n\xa0\ncondition:\n\xa0\xa0\xa0\xa0\xa0\xa0any\xa0of\xa0them\n}, 
rule\xa0Query_Javascript_Decode_Function\n{\nmeta:\n\xa0\xa0\xa0\xa0\xa0\xa0name=\xa0""Query_Javascript_Decode_Function""\n\xa0\xa0\xa0\xa0\xa0\xa0author\xa0=\xa0""other""\n\xa0\nstrings:\n\xa0\xa0\xa0\xa0\xa0\xa0$decode1\xa0=\xa0{72\xa065\xa070\xa06C\xa061\xa063\xa065\xa028\xa02F\xa05B\xa05E\xa041\xa02D\xa05A\xa061\xa02D\xa07A\xa030\xa02D\xa039\xa05C\xa02B\xa05C\n2F\xa05C\xa03D\xa05D\xa02F\xa067\xa02C\xa022\xa022\xa029\xa03B}\n\xa0\xa0\xa0\xa0\xa0\xa0$decode2\xa0=\xa0{22\xa041\xa042\xa043\xa044\xa045\xa046\xa047\xa048\xa049\xa04A\xa04B\xa04C\xa04D\xa04E\xa04F\xa050\xa051\xa052\xa053\xa054\xa055\xa056\xa057\n58\xa059\xa05A\xa061\xa062\xa063\xa064\xa065\xa066\xa067\xa068\xa069\xa06A\xa06B\xa06C\xa06D\xa06E\xa06F\xa070\xa071\xa072\xa073\xa074\xa075\xa076\xa077\xa078\xa079\xa07A\n30\xa031\xa032\xa033\xa034\xa035\xa036\xa037\xa038\xa039\xa02B\xa02F\xa03D\xa022\xa02E\xa069\xa06E\xa064\xa065\xa078\xa04F\xa066\xa028\xa0??\xa02E\xa063\xa068\xa061\xa072\n41\xa074\xa028\xa0??\xa02B\xa02B\xa029\xa029}\n\xa0\xa0\xa0\xa0\xa0\xa0$decode3\xa0=\xa0{3D\xa0??\xa03C\xa03C\xa032\xa07C\xa0??\xa03E\xa03E\xa034\xa02C\xa0??\xa03D\xa028\xa0??\xa026\xa031\xa035\xa029\xa03C\xa03C\xa034\xa07C\n??\xa03E\xa03E\xa032\xa02C\xa0??\xa03D\xa028\xa0??\xa026\xa033\xa029\xa03C\xa03C\xa036\xa07C\xa0??\xa02C\xa0??\xa02B\xa03D\xa01\xad2\xa053\xa074\xa072\xa069\xa06E\xa067\n2E\xa066\xa072\xa06F\xa06D\xa043\xa068\xa061\xa072\xa043\xa06F\xa064\xa065\xa028\xa0??\xa029\xa02C\xa036\xa034\xa021\xa03D\xa0??\xa026\xa026\xa028\xa0??\xa02B\xa03D\xa053\n74\xa072\xa069\xa06E\xa067\xa02E\xa066\xa072\xa06F\xa06D\xa043\xa068\xa061\xa072\xa043\xa06F\xa064\xa065\xa028\xa0??\xa029}\n\xa0\xa0\xa0\xa0\xa0\xa0$decode4\xa0=\xa0{73\xa075\xa062\xa073\xa074\xa072\xa069\xa06E\xa067\xa028\xa034\xa02C\xa0??\xa02E\xa06C\xa065\xa06E\xa067\xa074\xa068\xa029}\n\xa0\xa0\xa0\xa0\xa0\xa0$func_call=""a(\\""""\n\xa0\ncondition:\n\xa0\xa0\xa0\xa0\xa0\xa0filesize\xa0<\xa020KB\xa0and\xa0#func_call\xa0>\xa020\xa0and\xa0all\xa0of\xa0($decode*)\nTLP
:WHITE\nTLP:WHITE\n\xa0\n}, rule\xa0z_webshell\n{\nmeta:\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0description\xa0=\xa0""Detection\xa0for\xa0the\xa0z_webshell""\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0author\xa0=\xa0""DHS\xa0NCCIC\xa0Hunt\xa0and\xa0Incident\xa0Response\xa0Team""\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0date\xa0=\xa0""2018/01/25""\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0md5\xa0=\xa0\xa0""2C9095C965A55EFC46E16B86F9B7D6C6""\n\xa0\nstrings:\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0$aspx_identifier1\xa0=\xa0""<%@\xa0""\xa0nocase\xa0ascii\xa0wide\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0$aspx_identifier2\xa0=\xa0""\xa010\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0and\xa0#case_string\xa0>\xa07\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0and\xa02\xa0of\xa0($webshell_*)\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0and\xa0filesize\xa0<\xa0100KB\n}, rule\xa0APT_malware_1\n{\nmeta:\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0description\xa0=\xa0""inveigh\xa0pen\xa0testing\xa0tools\xa0&\xa0related\xa0artifacts""\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0author\xa0=\xa0""DHS\xa0|\xa0NCCIC\xa0Code\xa0Analysis\xa0Team""\xa0\xa0\xa0\xa0\nTLP:WHITE\nTLP:WHITE\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0date\xa0=\xa0""2017/07/17""\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0hash0\xa0=\xa0""61C909D2F625223DB2FB858BBDF42A76""\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0hash1\xa0=\xa0""A07AA521E7CAFB360294E56969EDA5D6""\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0hash2\xa0=\xa0""BA756DD64C1147515BA2298B6A760260""\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0hash3\xa0=\xa0""8943E71A8C73B5E343AA9D2E19002373""\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0hash4\xa0=\xa0""04738CA02F59A5CD394998A99FCD9613""\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0hash5\xa0=\xa0""038A97B4E2F37F34B255F0643E49FC9D""\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0hash6\xa0=\xa0""65A1A
73253F04354886F375B59550B46""\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0hash7\xa0=\xa0""AA905A3508D9309A93AD5C0EC26EBC9B""\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0hash8\xa0=\xa0""5DBEF7BDDAF50624E840CCBCE2816594""\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0hash9\xa0=\xa0""722154A36F32BA10E98020A8AD758A7A""\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0hash10\xa0=\xa0""4595DBE00A538DF127E0079294C87DA0""\nstrings:\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0$s0\xa0=\xa0""file://""\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0$s1\xa0=\xa0""/ame_icon.png""\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0$s2\xa0=\xa0""184.154.150.66""\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0$s3\xa0=\xa0{\n87D081F60C67F5086A003315D49A4000F7D6E8EB12000081F7F01BDD21F7DE\xa0}\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0$s4\xa0=\xa0{\n33C42BCB333DC0AD400043C1C61A33C3F7DE33F042C705B5AC400026AF2102\xa0}\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0$s5\xa0=\xa0""(g.charCodeAt(c)^l(lb+le)%256)""\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0$s6\xa0=\xa0""for(b=0;256>b;b++)kb=b;for(b=0;256>b;b++)""\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0$s7\xa0=\xa0""VXNESWJfSjY3grKEkEkRuZeSvkE=""\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0$s8\xa0=\xa0""NlZzSZk=""\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0$s9\xa0=\xa0""WlJTb1q5kaxqZaRnser3sw==""\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0$s10\xa0=\xa0""for(b=0;256>b;b++)kb=b;for(b=0;256>b;b++)""\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0$s11\xa0=\xa0""fromCharCode(d.charCodeAt(e)^k(kb+kh)%256)""\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0$s12\xa0=\xa0""ps.exe\xa0\xadaccepteula\xa0\\\\%ws%\xa0\xadu\xa0%user%\xa0\xadp\xa0%pass%\xa0\xads\xa0cmd\xa0/c\xa0netstat""\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0$s13\xa0=\xa0{\n22546F6B656E733D312064656C696D733D5C5C222025254920494E20286C6973742E74787429\n}\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0$s14\xa0=\xa0{\n6
8656C6C2E657865202D6E6F65786974202D657865637574696F6E706F6C69637920627970617373202D636F6D6D\n}\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0$s15\xa0=\xa0{\xa0476F206275696C642049443A202266626433373937623163313465306531\xa0}\n//inveigh\xa0pentesting\xa0tools\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0$s16\xa0=\xa0{\n24696E76656967682E7374617475735F71756575652E4164642822507265737320616E79206B657920746F2073746F\n}\n//specific\xa0malicious\xa0word\xa0document\xa0PK\xa0archive\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0$s17\xa0=\xa0{\n2F73657474696E67732E786D6CB456616FDB3613FEFE02EF7F10F4798E64C54D06A14ED125F19A225E87C9FD0\n}\nTLP:WHITE\nTLP:WHITE\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0$s18\xa0=\xa0{\n6C732F73657474696E67732E786D6C2E72656C7355540500010076A41275780B0001040000000004000000008D90\n}\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0$s19\xa0=\xa0{\n8D90B94E03311086EBF014D6F4D87B48214471D210A41450A0E50146EBD943F8923D41C9DBE3A54A240ACA394\n}\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0$s20\xa0=\xa0{\n8C90CD4EEB301085D7BD4F61CDFEDA092150A1BADD005217B040E10146F124B1F09FEC01B56F8FC3AA9558B\n}\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0$s21\xa0=\xa0{\n8C90CD4EEB301085D7BD4F61CDFEDA092150A1BADD005217B040E10146F124B1F09FEC01B56F8FC3AA9558B\n}\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0$s22\xa0=\xa0""5.153.58.45""\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0$s23\xa0=\xa0""62.8.193.206""\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0$s24\xa0=\xa0""/1/ree_stat/p""\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0$s25\xa0=\xa0""/icon.png""\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0$s26\xa0=\xa0""/pshare1/icon""\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0$s27\xa0=\xa0""/notepad.png""\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0$s28\xa0=\xa0""/pic.png""\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0$s29\xa0=\xa0""http://bit.ly/2m0x8IH""\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\ncondition:\n\xa0\xa0
\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0($s0\xa0and\xa0$s1\xa0or\xa0$s2)\xa0or\xa0($s3\xa0or\xa0$s4)\xa0or\xa0($s5\xa0and\xa0$s6\xa0or\xa0$s7\xa0and\xa0$s8\xa0and\xa0$s9)\xa0or\xa0($s10\nand\xa0$s11)\xa0or\xa0($s12\xa0and\xa0$s13)\xa0or\xa0($s14)\xa0or\xa0($s15)\xa0or\xa0($s16)\xa0or\xa0($s17)\xa0or\xa0($s18)\xa0or\xa0($s19)\xa0or\n($s20)\xa0or\xa0($s21)\xa0or\xa0($s0\xa0and\xa0$s22\xa0or\xa0$s24)\xa0or\xa0($s0\xa0and\xa0$s22\xa0or\xa0$s25)\xa0or\xa0($s0\xa0and\xa0$s23\xa0or\n$s26)\xa0or\xa0($s0\xa0and\xa0$s22\xa0or\xa0$s27)\xa0or\xa0($s0\xa0and\xa0$s23\xa0or\xa0$s28)\xa0or\xa0($s29)\n}, rule\xa0Query_XML_Code_MAL_DOC_PT_2\n{\nmeta:\n\xa0\xa0\xa0\xa0\xa0name=\xa0""Query_XML_Code_MAL_DOC_PT_2""\n\xa0\xa0\xa0\xa0\xa0author\xa0=\xa0""other""\n\xa0\nstrings:\n\xa0\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0$zip_magic\xa0=\xa0{\xa050\xa04b\xa003\xa004\xa0}\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0$dir1\xa0=\xa0""word/_rels/settings.xml.rels""\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0$bytes\xa0=\xa0{8c\xa090\xa0cd\xa04e\xa0eb\xa030\xa010\xa085\xa0d7}\n\xa0\ncondition:\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0$zip_magic\xa0at\xa00\xa0and\xa0$dir1\xa0and\xa0$bytes\n}",,,,,,FALSE,"Spear Phishing, Watering Hole, Malicious Documents","FortiClient, Hydra, SecretsDump, CrackMapExec, Microsoft Word","Energy and Utilities, Critical Infrastructure",,, 2018-03-16,Royal APT - APT15 Repository,,https://github.com/nccgroup/Royal_APT,NCC Group,,,,apt15,CN,"Espionage, Information theft and espionage",2010,,,,"RoyalCLI, BS2005, .net tool (used for enumerating the victim's SharePoint database)",,,, 2018-03-21,TrickBot Banking Trojan Adapts with New Module,,https://www.webroot.com/blog/2018/03/21/trickbot-banking-trojan-adapts-new-module/,Webroot,,,,,,,,,FALSE,Exploit Vulnerability,"TrickBot, MS17-010, EternalRomance, ImprovedReflectiveDLLInjection","Financial Institutions, Corporations and Businesses",,, 
2018-03-23,Tech_Report_Malicious_Hancom,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.03.23.Targeted_Attacks_on_South_Korean_Organizations/Tech_Report_Malicious_Hancom.pdf,AhnLab,CVE-2015-2545,,,group 123,KP,Information theft and espionage,2012,KR,FALSE,Malicious Documents,"Mutex, Hangul","Individuals, Education and Research Institutions, Media and Entertainment Companies, Non-Governmental Organizations (NGOs) and Nonprofits",,, 2018-03-27,Panda Banker Zeros,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.03.27.panda-banker-zeros-in-on-japanese-targets/Panda%20Banker%20Zeros.pdf,Arbor Networks,,T1185:Man in the Browser,,,,,,"AU, CA, DE, GB, IT, JP, US",FALSE,"Drive-by Download, Exploit Vulnerability","Panda Banker, Full Info Grabber, RIG exploit kit",Financial Institutions,,, 2018-03-28,Intezer_Lazarus-Cryptocurrency-Exchanges-FinTech-Companies(03-28-2018),Lazarus Group Targets More Cryptocurrency Exchanges and FinTech Companies,https://app.box.com/s/yepeditzh0t0upifbucv99utoretbbzl,Intezer,,,,lazarus group,KP,"Information theft and espionage, Espionage, Sabotage and destruction, Sabotage, Financial crime",2014,,FALSE,Malicious Documents,RAT (Remote Access Trojan),Financial Institutions,2018-02-15,2018-03-15,28.0 2018-03-29,ChessMaster Adds Updated Tools to Its Arsenal,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.03.29.ChessMaster_Adds_Updated_Tools/ChessMaster%20Adds%20Updated%20Tools%20to%20Its%20Arsenal.pdf,ESET,"CVE-2017-11882, CVE-2017-5689, CVE-2017-8759",,,chessmaster,,,,JP,FALSE,"Spear Phishing, Malicious Documents","Magniber Ransomware, Koadic, ChChes, ANEL, Microsoft Word’s “Frames/Frameset”, CVE-2017-8759, CVE-2017-11882, DDEAUTO, Microsoft Office Frameset, Link auto update","Corporations and Businesses, Individuals",,, 
2018-03-31,NavRAT,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.03.31.NavRAT_Uses_US-North_Korea_Summit_As_Decoy/NavRAT.pdf,AhnLab,,,,group 123,KP,Information theft and espionage,2012,KR,FALSE,"Spear Phishing, Malicious Documents","NavRAT, Advanced Malware Protection (AMP), CWS or WSA, Email Security, NGFW, NGIPS, Meraki MX, AMP Threat Grid, Umbrella, Snort",,,, 2018-04-12,Operation-Parliament,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.04.12.operation-parliament/Operation-Parliament.pdf,Kaspersky,,,,,,,,"AE, AF, CA, CL, DE, DJ, DK, EG, GB, IL, IN, IQ, IR, JO, KR, KW, LB, MA, OM, PS, QA, RS, RU, SA, SO, SY, US",,Phishing,VMProtect,"Government and Defense Agencies, Corporations and Businesses, Financial Institutions, Media and Entertainment Companies, Education and Research Institutions, Critical Infrastructure",,, 2018-04-17,nccgroup.trust-Decoding network data from a Gh0st RAT variant,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.04.17.Iron_Tiger_Gh0st_RAT_variant/nccgroup.trust-Decoding%20network%20data%20from%20a%20Gh0st%20RAT%20variant.pdf,Bitdefender,,,,iron tiger,CN,"Espionage, Information theft and espionage",2010,,,,"Gh0st RAT, Mozilla.exe, Noodles.exe, Coal.exe, Abg.exe, 23d.exe, 89d.exe, ConEmu.exe",,,, 2018-04-17,Recent findings from CCleaner APT investigation reveal that attackers entered the Piriform network via TeamViewer,,https://blog.avast.com/update-ccleaner-attackers-entered-via-teamviewer,Avast,,,,,,,,"KR, RU",FALSE,Credential Reuse,"ShadowPad, CryptoPro CSP, Firefox, Windows Remote Desktop application, mscoree.dll (as a .NET runtime library)","Corporations and Businesses, Government and Defense Agencies",,, 2018-04-20,Researchers Discover New variants of APT34 Malware,,https://www.boozallen.com/s/insight/blog/dark-labs-discovers-apt34-malware-variants.html?cid=spo-csatb-2,Booz Allen 
Hamilton,,,,apt34,IR,Espionage,,,,,"BONDUPDATER, POWRUNER, ATH Tool, RetroHunt",,,, 2018-04-20,Fireeye_rpt-fin6(04-20-2018),Follow The Money: Dissecting the Operations of the Cyber Crime Group FIN,https://app.box.com/s/74lm8z2znl12kfeufvkruzo659iogms6,FireEye,"CVE-2010-4398, CVE-2011-2005, CVE-2013-3660",,,fin6,,"Financial gain, Financial crime",2015,US,FALSE,Credential Reuse,"Metasploit Framework, PowerShell, HARDTACK, SHIPBREAD, Windows Credentials Editor, PsExec NTDSGRAB, TRINITY, Microsoft’s built-in SQL querying tool (osql.exe), Query Express, AdFind",Corporations and Businesses,,, 2018-04-23,orangeworm-targets-healthcare-us-europe-asia,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.04.23.New_Orangeworm/orangeworm-targets-healthcare-us-europe-asia.pdf,Symantec,,,,orangeworm,,Information theft and espionage,2015,,FALSE,,Trojan.Kwampirs,"Healthcare, Manufacturing, Cloud/IoT Services, Energy and Utilities, Corporations and Businesses",,, 2018-04-23,energetic-bear-crouching,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.04.23.energetic-bear-crouching-yeti/energetic-bear-crouching.pdf,Kaspersky,CVE-2015-2545,,rule Backdoored_ssh {\nstrings:\n$a1 = “OpenSSH”\n$a2 = “usage: ssh”\n$a3 = “HISTFILE”\nWith PDFmyURL anyone can convert entire websites to PDF!\ncondition:\nuint32(0) == 0x464c457f and filesize<1000000 and all of ($a*)\n},energetic bear,RU,"Espionage, Sabotage and destruction",2010,"DE, GB, GR, RU, TR, UA, US",FALSE,Watering Hole,"ftpChecker.py, nmap, dirsearch, SMBTrap, commix, subbrute-master, sqlmap, wpscan, Sublist3r, sma.php, theme.php, media.php","Corporations and Businesses, Energy and Utilities, Critical Infrastructure",,, 2018-04-24,sednit-update-analysis-zebrocy_,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.04.24.sednit-update-analysis-zebrocy/sednit-update-analysis-zebrocy_.pdf,Kaspersky,,,,apt28,RU,"Espionage, 
Information theft and espionage",2004,"AZ, BA, CH, EG, GE, IR, KG, KR, KZ, RS, RU, SA, TJ, TM, TR, UA, UY, ZW",,Spear Phishing,"DealersChoice, Seduploader, Zebrocy, Xagent, Xtunnel, Downdelph",Government and Defense Agencies,,, 2018-04-24,metamorfo-campaign-targeting-brazilian-users_html,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.04.24.metamorfo-campaign/metamorfo-campaign-targeting-brazilian-users_html.pdf,FireEye,,,,,,,,BR,,"Phishing, Malicious Documents","Banking Trojans, HTA (HTML Application), VBS (Visual Basic Script), AutoIt, Microsoft tool (legitimate), CRYPTUI.dll (malicious DLL), JAR file (Java ARchive), ZIP file",,,, 2018-04-26,GravityRAT - The Two-Year Evolution Of An APT Targeting India,,https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html,Cisco,,,,,,,,IN,FALSE,Malicious Documents,".NET, GravityRAT, Microsoft Office Word with embedded macros","Government and Defense Agencies, Corporations and Businesses",,, 2018-04-27,[CN]_OceanLotus_new_malware,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.04.27.OceanLotus_new_malware/%5BCN%5D_OceanLotus_new_malware.pdf,Tencent,,,,oceanlotus,VN,"Espionage, Financial gain, Information theft and espionage",2012,CN,FALSE,"Exploit Vulnerability, Malicious Documents",,"Government and Defense Agencies, Education and Research Institutions, Corporations and Businesses, Energy and Utilities",,, 2018-05-03,Red_Eyes_Hacking_Group_Report,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.05.03.Red_Eyes_Hacking_Group/Red_Eyes_Hacking_Group_Report.pdf,AhnLab,CVE-2018-4878,,,red eyes,KP,Information theft and espionage,2012,KR,TRUE,"Spear Phishing, Exploit Vulnerability, Malicious Documents","HwpConvert, CppUACSelfElevation, FirstUrlMon, Installer, InstallBD, Manager, Manager_Them, KeyLogger, OffSM, PrivilegeEscalation, ScreenCap, SoundRec, ConsoleApplication5, 
ConsoleApplication9, ConsoleApplication12","Government and Defense Agencies, Education and Research Institutions, Media and Entertainment Companies, Individuals, Non-Governmental Organizations (NGOs) and Nonprofits",,, 2018-05-03,20180503_Burning_Umbrella,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.05.03.Burning_Umbrella/20180503_Burning_Umbrella.pdf,401TRG,,,,apt41,CN,"Financial crime, Information theft and espionage",2010,"CN, JP, KR, TH, US",,"Phishing, Spear Phishing, Malicious Documents","Metasploit, Cobalt Strike, Browser Exploitation Framework (BeEF), Bookworm trojan, ShadowPad, Winnti, PlugX","Corporations and Businesses, Government and Defense Agencies, Media and Entertainment Companies",,, 2018-05-03,ZooPark_for_public_final_edit,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.05.03.whos-who-in-the-zoo/ZooPark_for_public_final_edit.pdf,Kaspersky,,,,,,,,"EG, IR, JO, LB, MA",FALSE,"Watering Hole, Website Equipping",,Non-Governmental Organizations (NGOs) and Nonprofits,,, 2018-05-03,blog_whos-who-in-the-zoo,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.05.03.whos-who-in-the-zoo/blog_whos-who-in-the-zoo.pdf,Kaspersky,,,,energetic bear,RU,"Espionage, Sabotage and destruction",2010,"EG, IR, JO, LB, MA",,Watering Hole,,Individuals,,, 2018-05-09,blogs_360_cn_blog_cve-2018-8174-en_,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.05.09.APT-C-06_CVE-2018-8174/blogs_360_cn_blog_cve-2018-8174-en_.pdf,360,"CVE-2017-0199, CVE-2018-8174",,,apt-c-06,KR,"Espionage, Information theft and espionage",2007,CN,TRUE,"Exploit Vulnerability, Malicious Documents, Watering Hole","Retro Trojan, Lurker Trojan, CVE-2018-8174, CVE-2017-0199","Government and Defense Agencies, Education and Research Institutions, Corporations and Businesses",,, 2018-05-21,Decrypting APT33's Dropshot Malware with Radare2 
and Cutter - Part 1,,https://www.megabeets.net/decrypting-dropshot-with-radare2-and-cutter-part-1/,MegaBeets,,,,apt33,IR,"Espionage, Sabotage and destruction, Information theft and espionage",2013,SA,,,"Dropshot, StoneDrill, radare2, Cutter, IDA Pro",Energy and Utilities,,, 2018-05-22,The_destruction_of_APT3,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.05.22.The_destruction_of_APT3/The_destruction_of_APT3.pdf,Intrusion Truth,,,,apt3,CN,"Espionage, Information theft and espionage",2007,,,,,Corporations and Businesses,,, 2018-05-22,turla-mosquito-shift-towards-generic-tools,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.05.22.Turla_Mosquito/turla-mosquito-shift-towards-generic-tools.pdf,ESET,,,,turla,RU,"Espionage, Information theft and espionage",1996,,,Exploit Vulnerability,"Metasploit shellcode, Meterpreter, Mosquito backdoor, Fake Flash installer, PowerShell, Mosquito JScript backdoor, Google Apps Script",Government and Defense Agencies,,, 2018-05-23,VPNFilter,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.05.23.New_VPNFilter/VPNFilter.pdf,Cisco,,,,,,,,,FALSE,,,"Corporations and Businesses, Individuals",,, 2018-05-25,Analysis of CVE-2018-8174 VBScript 0day and APT actor related to Office targeted attack,,https://blog.360totalsecurity.com/en/analysis-cve-2018-8174-vbscript-0day-apt-actor-related-office-targeted-attack/,360,"CVE-2017-0199, CVE-2018-8174",,,apt-c-06,KR,"Espionage, Information theft and espionage",2007,CN,TRUE,"Exploit Vulnerability, Malicious Documents",,"Government and Defense Agencies, Education and Research Institutions, Corporations and Businesses",,, 2018-05-29,iron-cybercrime-group-under-the-scope-2,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.05.29.iron-cybercrime-group/iron-cybercrime-group-under-the-scope-2.pdf,Intezer,,,,iron group,,Financial 
gain,2018,CN,FALSE,Exploit Vulnerability,"Iron Backdoor, HackingTeam’s “Soldier” implant, HackingTeam’s “core” library, Remote Control System (RCS), Xagent, JbossMiner Mining Worm, VMProtect, UPX",,,, 2018-06-06,sofacy-groups-parallel-attacks,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.06.06.sofacy-groups-parallel-attacks/sofacy-groups-parallel-attacks.pdf,Palo Alto,,,,apt28,RU,"Espionage, Information theft and espionage",2004,"KG, KZ, TJ, TM, UZ",FALSE,"Spear Phishing, Malicious Documents","Dynamic Data Exchange (DDE), Zebrocy, Koadic, SofacyCarberp, AutoIT, DealersChoice",Government and Defense Agencies,,, 2018-06-06,vpnfilter-update,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.06.06.vpnfilter-update/vpnfilter-update.pdf,Cisco,,,,,,,,,,,"VPNFilter, ssler, dstr",Cloud/IoT Services,,, 2018-06-07,adobe-flash-zero-day-targeted-attack,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.06.07.dobe-flash-zero-day-targeted-attack/adobe-flash-zero-day-targeted-attack.pdf,ICEBRG,CVE-2018-5002,,,,,,,QA,TRUE,Malicious Documents,,,,, 2018-06-07,patchwork-apt-group-targets-us-think-tanks,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.06.07.patchwork-apt-group-targets-us-think-tanks/patchwork-apt-group-targets-us-think-tanks.pdf,Volexity,"CVE-2017-8570, CVE-2017-8750",,,patchwork,IN,"Espionage, Information theft and espionage",2013,"AF, CN, HK, JP",FALSE,"Spear Phishing, Malicious Documents","QuasarRAT, .NET Task Scheduler Managed Wrapper, Delphi RAT",Education and Research Institutions,2018-03-15,2018-04-15,31.0 2018-06-13,Kaspersky_LuckyMouse-datacenter-waterholing-campaign(06-13-2018),LuckyMouse hits national data center to organize country-level waterholing campaign,https://app.box.com/s/325jld1s8ymwd8a56jcao39i6cbc1m8g,Kaspersky,CVE-2017-11882,,,luckymouse,CN,"Espionage, Information theft and 
espionage",2010,"KG, KZ, TJ, TM, UZ",FALSE,"Watering Hole, Malicious Documents","Metasploit’s shikata_ga_nai encoder, LZNT1 compression, HyperBro Trojan, CVE-2017-11882 (Microsoft Office Equation Editor)",Government and Defense Agencies,,, 2018-06-14,miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.06.14.MirageFox_APT15/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones.pdf,Intezer,,,,apt15,CN,"Espionage, Information theft and espionage",2010,,,,"MirageFox, Reaver, Intezer Analyze, PDFmyURL web to PDF API",Healthcare,,, 2018-06-15,Mustang Panda _ Threat Actor Profile _ CrowdStrike,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.06.15.Mustang_Panda/Mustang%20Panda%20_%20Threat%20Actor%20Profile%20_%20CrowdStrike.pdf,CrowdStrike,,,,mustang panda,CN,"Espionage, Information theft and espionage",2012,"MN, US",FALSE,Phishing,"Poison Ivy, PlugX, Cobalt Strike",Non-Governmental Organizations (NGOs) and Nonprofits,,, 2018-06-18,Decrypting APT33's Dropshot Malware with Radare2 and Cutter - Part 2,,https://www.megabeets.net/decrypting-dropshot-with-radare2-and-cutter-part-2/,MegaBeets,,,,apt33,IR,"Espionage, Sabotage and destruction, Information theft and espionage",2013,,,,"Dropshot, StoneDrill, Cutter, radare2, r2pipe",,,, 2018-06-20,thrip-hits-satellite-telecoms-defense-targets,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.06.20.thrip-hits-satellite-telecoms-defense-targets/thrip-hits-satellite-telecoms-defense-targets.pdf,Symantec,,,,thrip,CN,"Espionage, Information theft and espionage",2012,US,FALSE,,"PsExec, PowerShell, Mimikatz, WinSCP, LogMeIn, Trojan.Rikamanu, Infostealer.Catchamas, Trojan.Mycicil, Backdoor.Spedear, Trojan.Syndicasec","Government and Defense Agencies, Corporations and Businesses, Critical Infrastructure",,, 2018-06-22,Tick Group Weaponized Secure 
USB Drives to Target Air-Gapped Critical Systems,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.06.22.Iick.Group-weaponized-secure-usb/Tick%20Group%20Weaponized%20Secure%20USB%20Drives%20to%20Target%20Air-Gapped%20Critical%20Systems.pdf,Palo Alto,,,,tick,CN,"Espionage, Information theft and espionage",2006,"JP, KR",,"Social Engineering, Removable Media","HomamDownloader, SymonLoader, SysmonLoader","Government and Defense Agencies, Critical Infrastructure",,, 2018-06-23,[AhnLab]Andariel_a_Subgroup_of_Lazarus (3),,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.06.23.Andariel_Group/%5BAhnLab%5DAndariel_a_Subgroup_of_Lazarus%20%283%29.pdf,AhnLab,,,,lazarus group,KP,"Information theft and espionage, Espionage, Sabotage and destruction, Sabotage, Financial crime",2014,,,"Spear Phishing, Watering Hole, Exploit Vulnerability","Andarat, Andaratm, Phandoor, Rifdoor, Aryan, Gh0st RAT, Putty Link, Port scanner, Pcon.exe, Portc.exe, Zcon.exe","Government and Defense Agencies, Corporations and Businesses, Financial Institutions, Education and Research Institutions, Critical Infrastructure",,, 2018-06-25,[KR]_ASEC_REPORT_vol.91,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.06.xx.Operation_Red_Gambler/%5BKR%5D_ASEC_REPORT_vol.91.pdf,AhnLab,,,,a 공격 그룹,,,,,FALSE,"Spear Phishing, Malicious Documents, Drive-by Download","Dropper/Win32.Fakeinstaller, Dropper/Win32.Agent","Corporations and Businesses, Individuals, Media and Entertainment Companies",2016-10-15,2017-08-15,304.0 2018-06-26,rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families_,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.06.26.RANCOR/rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families_.pdf,Palo Alto,,,,rancor,CN,"Espionage, Information theft and espionage",2017,"KH, SG",FALSE,"Malicious 
Documents, Spear Phishing","PLAINTEE, DDKONG, KHRAT Trojan",Government and Defense Agencies,,, 2018-06-27,Latest observed JS payload used for APT32 profiling,,https://gist.github.com/9b/141a5c7ab8b4280901722e2cd931b7ef,Github (9b),,,,apt32,VN,"Espionage, Financial gain, Information theft and espionage",2012,,,,,,,, 2018-07-03,"Iranian APT Charming Kitten impersonates ClearSky, the security firm that uncovered its campaigns",,https://cyware.com/news/iranian-apt-charming-kitten-impersonates-clearsky-the-security-firm-that-uncovered-its-campaigns-7fea0b4f,Cyware,,,,charming kitten,IR,Espionage,,"GB, IL, IR, US",FALSE,"Spear Phishing, Phishing, Watering Hole",DownPaper,"Education and Research Institutions, Media and Entertainment Companies, Corporations and Businesses",,, 2018-07-08,apt-attack-middle-east-big-bang,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.07.08.Big_Bang/apt-attack-middle-east-big-bang.pdf,Check Point,,,,gaza cybergang,PS,Information theft and espionage,2012,PS,,"Phishing, Malicious Documents","Micropsia, DriverInstallerU.exe, Interenet Assistant.exe",,2017-06-15,2018-05-29,348.0 2018-07-08,hussarini---targeted-cyber-attack-in-the-philippines,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.07.08.Hussarini/hussarini---targeted-cyber-attack-in-the-philippines.pdf,Fortinet,CVE-2017-11882,,,hussarini,,,,"PH, TH",FALSE,"Exploit Vulnerability, Malicious Documents","Hussarini, Outllib.dll, OutExtra.exe, finder.exe (misused in the attack), Microsoft Office (as part of the attack vector)",Government and Defense Agencies,,, 2018-07-09,certificates-stolen-taiwanese-tech,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.07.09.certificates-stolen-taiwanese-tech-companies-plead-malware-campaign/certificates-stolen-taiwanese-tech.pdf,ESET,,,,blacktech,CN,Information theft and espionage,2010,TW,FALSE,,"Plead malware, Ammyy 
Admin",Critical Infrastructure,,, 2018-07-13,20180713_CSE_APT28_X-Agent_Op-Roman Holiday-Report_v6_1,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.07.13.Operation_Roman_Holiday/20180713_CSE_APT28_X-Agent_Op-Roman%20Holiday-Report_v6_1.pdf,CSE CyberSec Enterprise SPA,,,"rule FirstPayload_upnphost_APT28XAGENTJuly2018 { \n \n meta: \n description = ""Yara Rule for APT28 XAGENT July2018 First \nPayload"" \n author = ""CSE CybSec Enterprise - Z-Lab"" \n last_updated = ""2018-07-13"" \n tlp = ""white"" \n category = ""informational"" \n \n strings: \n $a = {56 AB 37 92 E8} \n $b = {41 75 74 6F 49 74} \n \nCSE CyberSec Enterprise SPA \nVia G.B. Martini 6, Rome, Italy 00100, Italia \nEmail: info@csecybsec.com \nWebsite: www.csecybsec.com \n \n \n condition: \n pe.number_of_resources == 26 \n and pe.resources19.type == pe.RESOURCE_TYPE_RCDATA \n and pe.version_info""FileDescription"" contains \n""Compatibility"" \n and all of them \n}, rule Dropper_APT28XAGENTJuly2018 { \n \n meta: \n description = ""Yara Rule for dropper of APT28 XAGENT \nJuly2018"" \n author = ""CSE CybSec Enterprise - Z-Lab"" \n last_updated = ""2018-07-13"" \n tlp = ""white"" \n category = ""informational"" \n \n strings: \n $a = {8B 45 FC 8B 10 FF} \n $b = {33 2E 34 2D 31 39} \n \n condition: \n (pe.number_of_sections == 9 \n and pe.sections3.name == "".bss"" \n and all of them) \n or (pe.number_of_sections == 3 \n and pe.sections0.name == ""UPX0"" \n and pe.sections1.name == ""UPX1"" \n and pe.number_of_resources == 70 \n and pe.resources61.type == pe.RESOURCE_TYPE_RCDATA \n and pe.resources60.type == pe.RESOURCE_TYPE_RCDATA \n and pe.resources59.type == pe.RESOURCE_TYPE_RCDATA) \n}, rule SecondPayload_sdbn_APT28XAGENTJuly2018 { \n \n meta: \n description = ""Yara Rule for APT28 XAGENT July2018 Second \nPayload sdbn.dll"" \n author = ""CSE CybSec Enterprise - Z-Lab"" \n last_updated = ""2018-07-13"" \n tlp = ""white"" \n category = ""informational"" \n \n 
strings: \n $a = {0F BE C9 66 89} \n $b = {8B EC 83 EC 10} \n \n \n condition: \n pe.number_of_sections == 6 \n and pe.number_of_resources == 1 \n and pe.resources0.type == pe.RESOURCE_TYPE_VERSION \n and pe.version_info""ProductName"" contains ""Microsoft"" \n and all of them \n}",apt28,RU,"Espionage, Information theft and espionage",2004,,,,"sdbn.dll, X-Agent, upnphost.exe",Government and Defense Agencies,,, 2018-07-16,new-andariel-reconnaissance-tactics-hint-at-next-targets,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.07.16.new-andariel/new-andariel-reconnaissance-tactics-hint-at-next-targets.pdf,IssueMakersLab,CVE-2017-5689,,,lazarus group,KP,"Information theft and espionage, Espionage, Sabotage and destruction, Sabotage, Financial crime",2014,KR,TRUE,"Watering Hole, Exploit Vulnerability",,Government and Defense Agencies,,, 2018-07-23,20180723_CSE_APT27_Syria_v1,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.07.23_APT27_Syria/20180723_CSE_APT27_Syria_v1.pdf,CSE CyberSec Enterprise SPA,,,"rule windowsExecutableMalware { \n \nmeta: \n \n \ndescription = ""Yara Rule for APT-C-27 Windows malware"" \n \n \nauthor = ""CSE CybSec Enterprise - Z-Lab"" \n \n \nlast_updated = ""2018-07-20"" \n \n \ntlp = ""white"" \n \n \ncategory = ""informational"" \n \n \n \n \ncondition: \n \n \npe.version_info""InternalName"" contains ""WiNANd5ro16XP"" and \n \n \npe.imports(""mscoree.dll"") \n}, rule embeddedDLL { \n \nmeta: \n \n \ndescription = ""Yara Rule for APT-C-27 Embedded DLL"" \n \n \nauthor = ""CSE CybSec Enterprise - Z-Lab"" \n \n \nlast_updated = ""2018-07-20"" \n \n \ntlp = ""white"" \n \n \ncategory = ""informational"" \n \n \n \ncondition: \n \n \npe.version_info""InternalName"" contains ""Win64AndoX"" and \n \n \npe.imports(""mscoree.dll"") \n}, rule androidMalware { \n \n \nmeta: \n \n \ndescription = ""Yara Rule for APT-C-27 Android malware"" \n \n \nauthor = ""CSE 
CybSec Enterprise - Z-Lab"" \n \n \nlast_updated = ""2018-07-20"" \n \n \ntlp = ""white"" \n \n \ncategory = ""informational"" \n \n \nstrings: \n \n \n$a = ""hmzvbs"" \n \n \n$b = { ?8 ?D ?A } \n \n \ncondition: \n \n \nall of them \n}",,,,,SY,,,,,,, 2018-07-27,New Threat Actor Group DarkHydrus Targets Middle East Government,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.07.27.DarkHydrus/New%20Threat%20Actor%20Group%20DarkHydrus%20Targets%20Middle%20East%20Government.pdf,Kaspersky,,,,darkhydrus,,Information theft and espionage,2016,,FALSE,Spear Phishing,"Meterpreter, Mimikatz, PowerShellEmpire, Veil, CobaltStrike, RogueRobin.",Government and Defense Agencies,,, 2018-07-31,malicious-document-targets-vietnamese-officials,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.07.31.APT_SideWinder_Malicious_Doc/malicious-document-targets-vietnamese-officials.pdf,Symantec,CVE-2017-11882,,,1937cn,CN,,,VN,FALSE,Malicious Documents,,Government and Defense Agencies,,, 2018-07-31,bisonal-malware-used-attacks-russia-south-korea,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.07.31.bisonal-malware-used-attacks-russia-south-korea/bisonal-malware-used-attacks-russia-south-korea.pdf,FireEye,,,,,,,,"JP, KR, RU",FALSE,"Spear Phishing, Malicious Documents","Bisonal, RC4 cipher, Microsoft Windows",Government and Defense Agencies,,, 2018-08-02,Goblin_Panda_against_Bears,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.08.02.Goblin_Panda/Goblin_Panda_against_Bears.pdf,CrowdStrike,,,,goblin panda,CN,Information theft and espionage,2013,RU,,"Exploit Vulnerability, Malicious Documents","Sisfader RAT, PlugX (mentioned for comparison, not used in this attack)",Corporations and Businesses,,, 2018-08-09,"More on Huaying Haitai and Laoying Baichaun, the companies associated with APT10. 
Is there a state connection",,https://intrusiontruth.wordpress.com/2018/08/09/was-apt10-the-work-of-individuals-a-company-or-the-state/,Intrusion Truth,,,,apt10,CN,Espionage,,,,,,Corporations and Businesses,,, 2018-08-15,APT organization Lemons Threat to Attack,,https://www.venustech.com.cn/uploads/2018/08/231401512426.pdf,Beijing Venus Information Security Tech,,,,狼毒草,CN,Information theft and espionage,2014,TW,,Watering Hole,"flash_security_component_installer_1.0.0.2.rar, FxCoder, utility",,,, 2018-08-16,cta-2018-0816,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.08.16.Chinese_Cyberespionage_Tsinghua_University/cta-2018-0816.pdf,Recorded Future,,,"rule apt_ext4_linuxlistener{\xa0\n\xa0\xa0\xa0meta:\xa0\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0description\xa0=\xa0""Detects\xa0Unique\xa0Linux\xa0Backdoor,\xa0Ext4""\xa0\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0author\xa0=\xa0""Insikt\xa0Group,\xa0Recorded\xa0Future""\xa0\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0TLP\xa0=\xa0""White""\xa0\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0date\xa0=\xa0""2018‐08‐14""\xa0\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0md5_x64\xa0=\xa0""d08de00e7168a441052672219e717957""\xa0\n\xa0\n\xa0\xa0\xa0strings:\xa0\n\xa0\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0$s1=""rm\xa0/tmp/0baaf161db39""\xa0\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0$op1=\xa0{3c\xa061\xa00f}\xa0\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0$op2=\xa0{3c\xa06e\xa00f}\xa0\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0$op3=\xa0{3c\xa074\xa00f}\xa0\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0$op4=\xa0{3c\xa069\xa00f}\xa0\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0$op5=\xa0{3c\xa03a\xa00f}\xa0\n\xa0\n\xa0\xa0\xa0condition:\xa0\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0all\xa0of\xa0them\xa0\n}",redalpha,,Information theft and espionage,2015,"BR, DE, KE, MN, US",FALSE,,"""ext4"" backdoor, CentOS web server","Government and Defense Agencies, Corporations and Businesses, Energy and Utilities, Education and Research Institutions, Critical Infrastructure",,, 2018-08-20,Fortinet_Russian-Decoy-Leads-BISKVIT(08-20-2018),Russian Army Exhibition Decoy 
Leads to New BISKVIT Malware,https://app.box.com/s/9y7hpv3evobjjpw8c3mnq1sgrqrxpt4d,Fortinet,"CVE-2017-0199, CVE-2017-8570",,,,,,,,FALSE,"Exploit Vulnerability, Malicious Documents","Biskvit malware, W32/BiskvitLoader.A!tr, MSIL/BiskvitAutoRun.A!tr, MSIL/BiskvitLib.A!tr, MSIL/Biskvit.A!tr, MSOffice/Exploit.CVE20178570!tr","Government and Defense Agencies, Non-Governmental Organizations (NGOs) and Nonprofits",,, 2018-08-21,Eset-Turla-Outlook-Backdoor,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.08.21.Turla.Outlook.Backdoor/Eset-Turla-Outlook-Backdoor.pdf,ESET,,,,gamaredon group,RU,Information theft and espionage,2013,,,Malicious Documents,"Turla Outlook Backdoor, Empire PSInject","Government and Defense Agencies, Education and Research Institutions",,, 2018-08-22,ESTSecurity_ESRC-1808-TLP-White-IR002_RocketMan_English(08-22-2018),"OPERATION ""Rocket Man""",https://app.box.com/s/93olse6t4ugbbpqe3wdjmxgi4efbjq7v,ESTSecurity,"CVE-2014-8439, CVE-2015-0313, CVE-2015-3090, CVE-2015-3105, CVE-2015-5119, CVE-2017-8759, CVE-2018-4878",,,geumseong121,KP,Information theft and espionage,2012,"CN, IN, KR, RU, US",TRUE,"Spear Phishing, Watering Hole, Phishing","PubNub, KakaoTalk Messenger, Flash Player","Corporations and Businesses, Individuals",,, 2018-08-23,Operation_AppleJeus,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.08.23.Operation_AppleJeus/Operation_AppleJeus.pdf,Kaspersky,,,,lazarus group,KP,"Information theft and espionage, Espionage, Sabotage and destruction, Sabotage, Financial crime",2014,,FALSE,Spear Phishing,"Fallchill, Updater.exe, TManager",Financial Institutions,2018-06-15,2018-08-13,59.0 2018-08-28,ceidpagelock-a-chinese-rootkit,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.08.28.CeidPageLock/ceidpagelock-a-chinese-rootkit.pdf,Check Point,"CVE-2018-8006, CVE-2018-8373",,,apt-c-23,PS,,,"CN, DK, GB, HK, JP, TW, 
US",,,"Ransom Warrior, houzi.sys, EternalBlue, Labeless, VMProtect, LockPos",,,, 2018-08-29,The Urpage Connection to Bahamut Confucius and Patchwork,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.08.29.Bahamut_Confucius_Patchwork/The%20Urpage%20Connection%20to%20Bahamut%20Confucius%20and%20Patchwork.pdf,Trend Micro,"CVE-2017-12824, CVE-2017-8750",,,urpage,,,,,,Malicious Documents,"“BioData” Delphi backdoor and file stealer, VB backdoor, Android “Bahamut-like” malware, Custom Android malware, AndroRAT Android malware, InPage malicious documents, simply obfuscated HTA downloaders, IOS malware, Confucius malware, remote-access-c3 backdoor, Sneepy/Byebye shell malware, Python cloud filestealers, AllaKore RAT, Badnews malware, QuasarRAT, NDiskMonitor malware",,,, 2018-08-29,Appendix-TheUrpageConnectiontoBahamutConfuciusandPatchwork,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.08.29.Bahamut_Confucius_Patchwork/Appendix-TheUrpageConnectiontoBahamutConfuciusandPatchwork.pdf,Trend Micro,,,,bahamut,,Information theft and espionage,2016,,TRUE,"Malicious Documents, Exploit Vulnerability","BKDR_DELF.XXVR, TROJ_CVE201712824.A, Mal_CVE20170199 -2, TROJ_CVE20152545.CR, TROJ_CVE20178570.DBU, TROJ_CVE20120158.MVZ, AndroidOS_Bahamut.HRX, AndroidOS_BahmutSpy.HRXA",,,, 2018-08-30,Two Birds One STONE PANDA,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.08.30.Stone_Panda/Two%20Birds%20One%20STONE%20PANDA.pdf,IntrusionTruth,CVE-2018-0802,,,apt10,CN,Espionage,,,TRUE,,,"Government and Defense Agencies, Corporations and Businesses, Healthcare",,, 2018-08-30,In the Trails of WINDSHIFT APT,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.08.30.WINDSHIFT_APT/In%20the%20Trails%20of%20WINDSHIFT%20APT.pdf,Bellingcat,,,,greenbug,IR,"Espionage, Information theft and espionage",2016,,,"Spear Phishing, Drive-by Download, 
Phishing","Empire, Metasploit, Mimikatz, invoke-obfuscation, PsExec, NANOCORE, NETWIRE, njRAT, POWERSTATS, ISMAGENT, MICROSPIA","Government and Defense Agencies, Non-Governmental Organizations (NGOs) and Nonprofits",,, 2018-08-30,Reversing malware in a custom format_ Hidden Bee elements,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.08.30.Hidden_Bee_Custom_format/Reversing%20malware%20in%20a%20custom%20format_%20Hidden%20Bee%20elements.pdf,Malwarebytes,,,,,,,,,,,"Hidden Bee, IDA (Interactive DisAssembler), IFL plugin, Web Assembly (imitated by .wasm extension)",,,, 2018-08-30,Double the Infection Double the Fun,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.08.30.Cobalt_Group_Fun/Double%20the%20Infection%20Double%20the%20Fun.pdf,Arbor,,,,cobalt,,Financial crime,2016,RU,FALSE,"Spear Phishing, Malicious Documents","JavaScript Backdoor, CobInt/COOLPANTS, “more_eggs”, RC4 (encryption for traffic)",Financial Institutions,,, 2018-08-31,"Who is Mr An, and was he working for APT10",,https://intrusiontruth.wordpress.com/2018/08/31/who-is-mr-an-and-was-he-working-for-apt10/,Intrusion Truth,,,,apt10,CN,Espionage,,,,,,,,, 2018-09-04,oilrig-targets-middle-eastern-government-adds-evasion-techniques-oopsie,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.09.04.OilRig_Targets_Middle_Eastern/oilrig-targets-middle-eastern-government-adds-evasion-techniques-oopsie.pdf,Palo Alto,,,,apt34,IR,Espionage,,,FALSE,"Spear Phishing, Social Engineering, Malicious Documents","QUADAGENT, OopsIE Trojan",Government and Defense Agencies,,, 2018-09-04,silence_moving-into-the-darkside,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.09.04.Silence/silence_moving-into-the-darkside.pdf,Group-IB,"CVE-2008-4250, CVE-2017-0199, CVE-2017-0262, CVE-2017-0263, CVE-2017-11882, CVE-2017-262, CVE-2018-0802, 
CVE-2018-8174",,,silence,,Financial crime,2016,"AZ, BY, KZ, PL, RU, UA",TRUE,"Spear Phishing, Malicious Documents","Backdoor loader of Silence, Silence Trojan, ProxyBot, Kikothac, Atmosphere, Silence, Farse, Cleaner, Smoke bot, Modified Perl IRC DDoS, Atmosphere.Injector, Atmosphere.Dropper, Silence.ProxyBot, Silence.ShadowingModule, Silence.MainModule, Silence.Downloader, Silence.ProxyBot.Net",Financial Institutions,2016-07-15,2018-04-15,639.0 2018-09-07,Checkpoint_Domestic-Kitten-Iranian-Surveillance-Operation(09-07-2018),Domestic Kitten: An Iranian Surveillance Operation,https://app.box.com/s/48z6mq7k6xlzicxbj9360eskrta92fbm,Check Point,,,,domestic kitten,,Information theft and espionage,2016,"AF, GB, IQ, IR",,,,Individuals,,, 2018-09-07,Goblin_Panda_targets_Cambodia,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.09.07.Goblin_Panda_targets_Cambodia/Goblin_Panda_targets_Cambodia.pdf,FireEye,,,,goblin panda,CN,Information theft and espionage,2013,"KH, KR",,"Malicious Documents, Exploit Vulnerability","RTF exploit kits, Newcore RAT",Government and Defense Agencies,,, 2018-09-07,Targeted Attack on Indian Ministry of External Affairs using Crimson RAT,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.09.07.indian-ministry_crimson-rat/Targeted%20Attack%20on%20Indian%20Ministry%20of%20External%20Affairs%20using%20Crimson%20RAT.pdf,Volon,,,,operation transparent tribe,PK,Information theft and espionage,2013,"KZ, SA",FALSE,"Spear Phishing, Malicious Documents","Crimson RAT, Microsoft Excel (used for spear phishing with a malicious XLS document)",Government and Defense Agencies,,, 2018-09-10,LuckyMouse,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.09.10.LuckyMouse/LuckyMouse.pdf,Kaspersky,,,,luckymouse,CN,"Espionage, Information theft and espionage",2010,"KG, KZ, TJ, TM, UZ",FALSE,Meta Data Monitoring,"Metasploit, CobaltStrike, Earthworm 
tunneler, Scanline network scanner, NDISProxy",Government and Defense Agencies,,, 2018-09-19,20180919,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.09.19.Green_Spot_APT/20180919.pdf,Antiy Labs,"CVE-2012-0158, CVE-2014-4114, CVE-2017-8759",,,greenspot,TW,,,CN,FALSE,"Spear Phishing, Social Engineering, Malicious Documents, Exploit Vulnerability","Trojan/Win32.Agent, Trojan[Backdoor]/Win32.Poison, rar.exe, hport.exe, keylog.exe, spooler.exe, nc.exe, mt1.exe, http.exe, h.exe","Government and Defense Agencies, Education and Research Institutions",,, 2018-09-27,ESET-LoJax,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.09.27.LoJax/ESET-LoJax.pdf,CrowdStrike,,,,apt28,RU,"Espionage, Information theft and espionage",2004,"BG, HR, RO, RS, SI",TRUE,,", LoJax, SedUploader, XAgent, Xtunnel, DownDelph",Government and Defense Agencies,,, 2018-10-03,APT37 Final1stspy Reaping the FreeMilk,,https://www.intezer.com/apt37-final1stspy-reaping-the-freemilk/,Intezer,,,,group 123,KP,Information theft and espionage,2012,,,Malicious Documents,"Final1stspy, KimJongRAT, KONNI, NOKKI, ROKRAT, DOGCALL",,,, 2018-10-10,MuddyWater expands operations,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.10.10.MuddyWater_expands/MuddyWater%20expands%20operations.pdf,Kaspersky,,,,muddywater,IR,"Espionage, Information theft and espionage",2017,"AF, AT, AZ, BH, IQ, IR, JO, ML, PK, RU, SA, TR",,"Spear Phishing, Social Engineering, Malicious Documents",,Government and Defense Agencies,,, 2018-10-11,Gallmaker New Attack Group Eschews Malware to Live off the Land,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.10.11.Gallmaker/Gallmaker%20New%20Attack%20Group%20Eschews%20Malware%20to%20Live%20off%20the%20Land.pdf,Symantec,,,"rule Suspicious_docx\n{\nmeta:\ncopyright = ""Symantec""\n5/6\nfamily = ""Suspicious DOCX”\ngroup = 
""Gallmaker""\ndescription = ""Suspicious file that might be Gallmaker”\nstrings:\n$quote = /.dll (BKDR64_BINLODR.ZNFJ-A), Auditcred.dll.mui/rOptimizer.dll.mui (TROJ_BINLODRCONF.ZNFJ-A)",Corporations and Businesses,,, 2018-11-26,3ve_google_whiteops_whitepaper_final_nov_2018,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.11.The_Hunt_for_3ve/3ve_google_whiteops_whitepaper_final_nov_2018.pdf,Google and White Ops,,,,3ve,,,,"CA, GB, US",FALSE,Social Engineering,,"Corporations and Businesses, Media and Entertainment Companies",,, 2018-11-27,DNSpionage Campaign Targets Middle East,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.11.27.dnspionage-campaign-targets-middle-east/DNSpionage%20Campaign%20Targets%20Middle%20East.pdf,Cisco,,,,dnspionage,,Information theft and espionage,2019,"AE, LB",,"Spear Phishing, Malicious Documents","DNSpionage, JSON library","Government and Defense Agencies, Corporations and Businesses",2018-09-13,2018-11-14,62.0 2018-11-28,MuddyWater-Operations-in-Lebanon-and-Oman,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.11.28.MuddyWater-Operations-in-Lebanon-and-Oman/MuddyWater-Operations-in-Lebanon-and-Oman.pdf,Microsoft,,,,muddywater,IR,"Espionage, Information theft and espionage",2017,"LB, OM, SA",FALSE,"Spear Phishing, Malicious Documents","Viper Monkey, Excel, PowerShell, POWERSTATS","Government and Defense Agencies, Education and Research Institutions, Energy and Utilities, Corporations and Businesses",,, 2018-11-28,Tropic_Trooper_microsoft,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.11.28.Tropic_Trooper_microsoft/Tropic_Trooper_microsoft.pdf,Microsoft,CVE-2018-0802,,,tropic trooper,CN,Information theft and espionage,2011,,FALSE,"Exploit Vulnerability, Malicious Documents","EQNEDT32.exe, Office 365 ATP Threat Explorer, Windows Defender Security Center, 
bitsadmin.exe","Energy and Utilities, Corporations and Businesses",,, 2018-11-29,EN_version,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.11.29.Attack_Pakistan_By_Exploiting_InPage/EN_version.pdf,360,"CVE-2017-11882, CVE-2017-12824",,,bahamut,,Information theft and espionage,2016,"CN, PK",FALSE,"Exploit Vulnerability, Malicious Documents","Visual Basic backdoor program, Delphi backdoor attack framework, ShellCode, InPage100",,2016-06-15,2018-11-15,883.0 2018-11-30,PowerShell-based Backdoor Found in Turkey Strikingly Similar to MuddyWater Tools,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.11.30.MuddyWater_Turkey/PowerShell-based%20Backdoor%20Found%20in%20Turkey%20Strikingly%20Similar%20to%20MuddyWater%20Tools.pdf,Malwarebytes,,,,muddywater,IR,"Espionage, Information theft and espionage",2017,"SA, TR",,"Spear Phishing, Social Engineering, Malicious Documents","POWERSTATS backdoor, Trend Micro™ Deep Discovery™ Email Inspector, InterScan™ Web Security, Trend Micro™ Smart Protection Suites, XGen™ security","Government and Defense Agencies, Financial Institutions, Energy and Utilities",,, 2018-12-11,Poking the Bear Three-Year Campaign Targets Russian Critical Infrastructure,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.12.11.Poking_the_Bear/Poking%20the%20Bear%20Three-Year%20Campaign%20Targets%20Russian%20Critical%20Infrastructure.pdf,Cylance,,,,,,,,RU,,"Phishing, Malicious Documents",,Critical Infrastructure,,, 2018-12-12,rp-operation-sharpshooter,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.12.12.Operation_Sharpshooter/rp-operation-sharpshooter.pdf,McAfee,,,,lazarus group,KP,"Information theft and espionage, Espionage, Sabotage and destruction, Sabotage, Financial crime",2014,US,,Malicious Documents,"Rising Sun, Duuzer","Government and Defense Agencies, Corporations and Businesses, 
Financial Institutions, Energy and Utilities, Critical Infrastructure",,, 2018-12-12,Mcafee_OperationSharpshooter(12-12-2018),https://securingtomorrow.mcafee.com/blogs/other-blogs/mcafee-labs/operation-sharpshooter-targets-global-defense-critical-infrastructure/,https://app.box.com/s/vsx9duzr1pzh67ua7oqzit2ydprpwpgb,McAfee,,,,lazarus group,KP,"Information theft and espionage, Espionage, Sabotage and destruction, Sabotage, Financial crime",2014,US,,Malicious Documents,"Rising Sun implant, Duuzer Trojan","Government and Defense Agencies, Energy and Utilities, Financial Institutions, Critical Infrastructure",,, 2018-12-13,The Return of The Charming Kitten,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.12.13.Charming_Kitten_Return/The%20Return%20of%20The%20Charming%20Kitten.pdf,ClearSky,,,,charming kitten,IR,Espionage,,"IL, US",FALSE,"Phishing, Spear Phishing",,"Media and Entertainment Companies, Non-Governmental Organizations (NGOs) and Nonprofits, Individuals",2018-09-15,2018-11-15,61.0 2018-12-13,Shamoon 3 Targets Oil and Gas Organization,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.12.13.Shamoon_3/Shamoon%203%20Targets%20Oil%20and%20Gas%20Organization.pdf,Palo Alto,,,,,,,,,FALSE,,"Shamoon malware, Disttrack dropper, Disttrack wiper, WildFire, AutoFocus",Energy and Utilities,,, 2018-12-13,tech-brief-tildeb-analyzing-the-18-year-old-implant-from-the-shadow-brokers-leak,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.12.13.Tildeb_Shadow_Brokers/tech-brief-tildeb-analyzing-the-18-year-old-implant-from-the-shadow-brokers-leak.pdf,Trend Micro,,,,,,,,,TRUE,Exploit Vulnerability,"UNITEDRAKE, MOSSFERN, EXPANDINGPULLY, GROK, FOGGYBOTTOM, MORBIDANGEL, PATROLWAGON",Government and Defense Agencies,,, 2018-12-20,analyzing WindShift implant 
OSX.WindTail,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.12.20.WindShift_Middle_East/analyzing%20WindShift%20implant%20OSX.WindTail.pdf,Objective-See,,,,windshift,,Information theft and espionage,2018,,,"Spear Phishing, Exploit Vulnerability","OSX.WindTail, OSX.WindTail.A, OSX.WindTail.B, OSX.WindTape","Government and Defense Agencies, Critical Infrastructure",,, 2018-12-21,Let's Learn In-Depth on APT28Sofacy Zebrocy Golang Loader,,https://www.vkremez.com/2018/12/lets-learn-dissecting-apt28sofacy.html,Blog,,,,,,,,,,,,Media and Entertainment Companies,,, 2018-12-27,The Enigmatic Roma225 Campaign,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.12.27.Roma225_Campaign/The%20Enigmatic%20Roma225%20Campaign.pdf,Yoroi,,,,the gorgon group,PK,Information theft and espionage,2017,"ES, GB, RU, US",FALSE,"Spear Phishing, Malicious Documents","RevengeRAT, njRAT, mshta.exe, VBA macro","Corporations and Businesses, Manufacturing",,, 2018-12-28,Goblin Panda changes the dropper and reuses the old infrastructure,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2018/2018.12.28.Goblin_Panda/Goblin%20Panda%20changes%20the%20dropper%20and%20reuses%20the%20old%20infrastructure.pdf,Symantec,CVE-2017-1882,,,goblin panda,CN,Information theft and espionage,2013,"KZ, RU",FALSE,"Exploit Vulnerability, Malicious Documents","PlugX, newcore rat, sysfader","Energy and Utilities, Critical Infrastructure",,, 2019-01-07,The APT Chronicles_December 2018nbspedition,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/Report/2019.01.07.APT_chronicles_december_2018_edition/The%20APT%20Chronicles_December%202018nbspedition.pdf,FireEye,,,,lazarus group,KP,"Information theft and espionage, Espionage, Sabotage and destruction, Sabotage, Financial crime",2014,"IT, KP, KR, US",,"Phishing, Malicious Documents","Rising Sun, Duuzer, QuasarRAT, PlugX, 
RedLeaves, Shamoon","Government and Defense Agencies, Critical Infrastructure",,, 2019-01-15,2018_ A Year of Cyber Attacks - HACKMAGEDDON,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/Report/2019.01.15.2018-a-year-of-cyber-attacks/2018_%20A%20Year%20of%20Cyber%20Attacks%20%E2%80%93%20HACKMAGEDDON.pdf,Hackmageddon,,,,roaming mantis,,Financial crime,2017,"CA, IL, JP, KR, US",,Spear Phishing,"Hancitor, MalwareX","Government and Defense Agencies, Corporations and Businesses, Financial Institutions, Healthcare, Energy and Utilities, Manufacturing, Education and Research Institutions",,, 2019-01-16,darkhydruns-group-against-middle-east-en,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.01.16.DarkHydruns/darkhydruns-group-against-middle-east-en.pdf,360,CVE-2018-8414,,,darkhydrus,,Information theft and espionage,2016,,FALSE,Malicious Documents,DarkHydrus,Government and Defense Agencies,,, 2019-01-17,Malware Used by Rocke Group Evolves to Evade Detection by Cloud Security Products,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.01.17.Rocke_Group/Malware%20Used%20by%20Rocke%20Group%20Evolves%20to%20Evade%20Detection%20by%20Cloud%20Security%20Products.pdf,Palo Alto,CVE-2017-10271,,,rocke,,Financial gain,2018,,FALSE,Exploit Vulnerability,"Coin Miner, a7 shell script, Apache Struts 2, Oracle WebLogic, Adobe ColdFusion",Cloud/IoT Services,,, 2019-01-18,"Spotted JobCrypter Ransomware Variant With New Encryption Routines, Captures Desktop Screenshots",,https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/jobcrypter-ransomware-with-new-routines-for-encryption-desktop-screenshots,Trend Micro,,,,,,,,,,,"GenAI, RANSOM.WIN32.JOBCRYPTER.THOAAGAI, JobCrypter",,,, 2019-01-24,GandCrab and Ursnif 
Campaign,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.01.24.GandCrab_and_Ursnif/GandCrab%20and%20Ursnif%20Campaign.pdf,Carbon Black,,,,,,,,,FALSE,"Phishing, Malicious Documents","Ursnif malware, GandCrab ransomware, PowerShell",,2018-12-17,2019-01-21,35.0 2019-01-29,APT39 An Iranian Cyber Espionage Group Focused on Personal Information,,https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html,FireEye,,,,apt39,IR,Information theft and espionage,2014,,FALSE,"Spear Phishing, Exploit Vulnerability","SEAWEED, CACHEMONEY, POWBAT, Mimikatz, Ncrack, Windows Credential Editor, ProcDump, BLUETORCH, Remote Desktop Protocol (RDP), Secure Shell (SSH), PsExec, RemCom, xCmdSvc, REDTRIP, PINKTRIP, BLUETRIP, ANTAK, ASPXSPY, Outlook Web Access (OWA)","Corporations and Businesses, Critical Infrastructure, Individuals, Cloud/IoT Services",,, 2019-01-30,dragos.com-Webinar Summary Uncovering ICS Threat Activity Groups,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/Report/2019.01.30.Uncovering_ICS_Threat_Activity_Groups/dragos.com-Webinar%20Summary%20Uncovering%20ICS%20Threat%20Activity%20Groups.pdf,Dragos,,,,,,,,,,,,,,, 2019-01-30,Operation_Kitty_Phishing,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.01.30.Operation_Kitty_Phishing/Operation_Kitty_Phishing.pdf,AhnLab,,,,sectora05,,,,KR,FALSE,Spear Phishing,"Cobra_[MAC Address], 3.wsf, AlyacMonitor64, cookie.a, 2.a, AppContainer32.a, AppContainer64.a, BuildSteps32, BuildSteps64, CoreWin32, CoreWin64, f.a, kakao.a, MSOfficeUpdate64, xpad64.exe","Government and Defense Agencies, Financial Institutions, Individuals",2017-09-15,2019-01-15,487.0 2019-01-30,Chafer used Remexi malware to spy on Iran-based foreign diplomatic 
entities,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.01.30.Chafer_APT_Spy_Iran/Chafer%20used%20Remexi%20malware%20to%20spy%20on%20Iran-based%20foreign%20diplomatic%20entities.pdf,Kaspersky,,,,chafer,IR,Information theft and espionage,2014,IR,FALSE,,"Remexi malware, Microsoft Background Intelligent Transfer Service (BITS) bitsadmin.exe, Qt Creator IDE, Microsoft IIS using .asp technology, cmd.exe, wmic.exe (for WMI commands), Windows 32 CryptoAPI",Government and Defense Agencies,,, 2019-01-30,New Campaign delivers orcus rat,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.01.30.ORCUS_RAT/New%20Campaign%20delivers%20orcus%20rat.pdf,Morphisec,,,,pusikurac,,,,,FALSE,Spear Phishing,"VBscript, PowerShell, .NET executable, ConfuserEx, Orcus RAT, Notepad++, vmtoolsd, Sandboxie",,,, 2019-02-01,OceanLotus_KerrDown,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.02.01.OceanLotus_KerrDown/OceanLotus_KerrDown.pdf,Palo Alto,,,,oceanlotus,VN,"Espionage, Financial gain, Information theft and espionage",2012,VN,FALSE,Malicious Documents,"KerrDown, Cobalt Strike Beacon, Microsoft Office Document, RAR archive, networkx, Jaccard index, Microsoft Word 2007",Individuals,,, 2019-02-02,Threat_Intel_Reads_January_2019,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/Report/2019.02.02.Threat_Intel_Reads_January_2019/Threat_Intel_Reads_January_2019.pdf,CrowdStrike,,,,greyenergy,,,,,,,RogueRobin Trojan,"Government and Defense Agencies, Healthcare, Energy and Utilities, Critical Infrastructure, Education and Research Institutions, Individuals",,, 2019-02-06,APT10 Targeted Norwegian MSP and US Companies in Sustained 
Campaign,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.02.06.APT10_Sustained_Campaign/APT10%20Targeted%20Norwegian%20MSP%20and%20US%20Companies%20in%20Sustained%20Campaign.pdf,Recorded Future,,,,apt10,CN,Espionage,,"AE, BR, CA, CH, DE, FI, FR, GB, IN, JP, SE, US",FALSE,Credential Reuse,"unpack200.exe, coInst.exe, CASRTSP.exe, MSVCR100.DLL, libcurl.dll, WinRAR (rar.exe renamed to r.exe), curl.exe (renamed to c.exe), ccSEUPDT.exe, GUP.exe, Mimikatz (pd.exe), BITSAdmin utility, Trochilus payload",Corporations and Businesses,2017-11-15,2018-09-15,304.0 2019-02-07,An Inside Look at the Infrastructure Behind the Russian APT Gamaredon Group,,https://blog.threatstop.com/russian-apt-gamaredon-group,ThreatStop,,,,gamaredon group,RU,Information theft and espionage,2013,,,,Pteranodon implant,Government and Defense Agencies,,, 2019-02-14,suspected-molerats-new-attack-in-the-middle-east-cn,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.02.14.Molerats_APT/suspected-molerats-new-attack-in-the-middle-east-cn.pdf,360,,,,molerats,PS,Information theft and espionage,2012,"GB, IL, NZ, TR, US",FALSE,"Spear Phishing, Social Engineering, Malicious Documents","ihelp.exe, Enigma Virtual Box, SFML library",Government and Defense Agencies,,, 2019-02-18,apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.02.18.APT-C-36.Colombian/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en.pdf,360,,,,,,,,CO,FALSE,Malicious Documents,Imminent Backdoor,"Government and Defense Agencies, Corporations and Businesses, Financial Institutions, Energy and Utilities, Manufacturing",2018-04-15,2019-02-11,302.0 2019-02-20,LAZARUS GROUP DIRECTED TO ORGANIZATIONS IN 
RUSSIA_google_translate,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.02.20.LAZARUS_to_RUSSIA/LAZARUS%20GROUP%20DIRECTED%20TO%20ORGANIZATIONS%20IN%20RUSSIA_google_translate.pdf,Microsoft,,,,lazarus group,KP,"Information theft and espionage, Espionage, Sabotage and destruction, Sabotage, Financial crime",2014,"KR, RU",FALSE,Malicious Documents,"KEYMARBLE, StarForce Technologies agreement",Corporations and Businesses,,, 2019-02-25,Defeating Compiler-Level Obfuscations Used in APT10 Malware,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.02.25.APT10_Defeating_Compiler_Level/Defeating%20Compiler-Level%20Obfuscations%20Used%20in%20APT10%20Malware.pdf,Carbon Black,,,,apt10,CN,Espionage,,JP,FALSE,,"APT10 ANEL, Turla mosquito, Dharma ransomware packer, HexRaysDeob",,,, 2019-02-26,The Arsenal Behind the Australian Parliament Hack,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.02.26.Australian_Parliament_Hack/The%20Arsenal%20Behind%20the%20Australian%20Parliament%20Hack.pdf,Yoroi,,,,,,,,,FALSE,,"PowershellAgent, LazyCat DLL",Government and Defense Agencies,,, 2019-02-27,A Peek into BRONZE UNION's Toolbox,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.02.27.BRONZE_UNION_Toolbox/A%20Peek%20into%20BRONZE%20UNION%E2%80%99s%20Toolbox.pdf,SecureWorks,,,,bronze union,CN,"Espionage, Information theft and espionage",2010,,FALSE,"Credential Reuse, Malicious Documents, Watering Hole","SysUpdate, HyperBro",,,, 2019-02-28,"Ransomware, Trojan and Miner together against 'PIK-Group'",,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.02.28_RIK_Group/Ransomware%2C%20Trojan%20and%20Miner%20together%20against%20%E2%80%9CPIK-Group%E2%80%9D.pdf,RSA,,,,,,,,,FALSE,Phishing,"Ransomware, Trojan, Miner, BruteForce Module",Corporations and Businesses,,, 2019-03-04,APT40 Examining 
a China-Nexus Espionage Actor APT40 Examining a China-Nexus Espionage Actor,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.03.04.APT40/APT40%20Examining%20a%20China-Nexus%20Espionage%20Actor%20%20APT40%20Examining%20a%20China-Nexus%20Espionage%20Actor.pdf,FireEye,,,,apt40,CN,"Espionage, Information theft and espionage",2013,"DE, GB, ID, KH, NO, SA, US",,"Spear Phishing, Exploit Vulnerability, Website Equipping","MURKYTOP, DISHCLOTH, HOMEFRY, AIRBREAK, BADFLICK, ProcDump, Windows Credential Editor (WCE), MURKYSHELL, FRESHAIR, BEACON","Government and Defense Agencies, Education and Research Institutions",,, 2019-03-06,Whitefly_ Espionage Group has Singapore in Its Sights,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.03.06.Whitefly/Whitefly_%20Espionage%20Group%20has%20Singapore%20in%20Its%20Sights.pdf,Symantec,CVE-2016-0051,,,whitefly,,Information theft and espionage,2012,"GB, RU, SG",FALSE,"Spear Phishing, Malicious Documents","Termite (Hacktool.Rootkit), Trojan.Nibatad, Vcrodat, Mimikatz","Healthcare, Media and Entertainment Companies, Critical Infrastructure, Manufacturing",,, 2019-03-06,taidoor_analysis_jp,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.03.06_Taidoor_Analysis/taidoor_analysis_jp.pdf,NTT Japan Security,,,,,,,,JP,,"Spear Phishing, Social Engineering, Malicious Documents","Taidoor, PoshC2, SERKDES","Government and Defense Agencies, Corporations and Businesses",,, 2019-03-06,Operation_Pistacchietto,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.03.06.Operation_Pistacchietto/Operation_Pistacchietto.pdf,Yoroi,,,"rule pistacchietto_campaign_0219 { \n \nmeta: \n \n \ndescription = ""Yara rule for Pistacchietto campaign"" \n \n \nauthor = ""Yoroi ZLab - Cybaze"" \n \n \nlast_updated = ""2019-03-01"" \n \n \ntlp = ""white"" \n \n \ncategory = ""informational"" \n \n 
\nstrings: \n \n \n$nc = ""nc.exe"" wide ascii \n \n \n$nc64 = ""nc64.exe"" wide ascii \n \n \n$dns1 = ""config02.addns.org"" wide ascii \n \n \n$dns2 = ""config01.homepc.it"" wide ascii \n \n \n$dns3 = ""verifiche.ddns.net"" wide ascii \n \n \n$dns4 = ""paner.altervista.org"" wide ascii \n \n \n$dns5 = ""certificates.ddns.net"" wide ascii \n \n \n$id = ""pistacchietto"" wide ascii \n \n \n$path = ""/svc/wup.php?pc="" wide ascii \n \ncondition: \n \n \n(1 of ($nc*)) and (1 of ($dns*)) or $id or $path \n}",,,,,,,,"OSX backdoor, AhMyth Android Rat, Netcat (nc64.exe)",Individuals,,, 2019-03-07,security-report-2019,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/Report/2019.02.Targeted_Attacks/security-report-2019.pdf,Swisscom,,,,,,,,,FALSE,Spear Phishing,"Mimikatz, PsExec, Net, PoisonIvy, Systeminfo, Tasklist, ipconfig, Cobalt Strike, cmd, Reg, netstat, PlugX, Empire Powershell, Metasploit.",Critical Infrastructure,,, 2019-03-07,New SLUB Backdoor Uses GitHub Communicates via Slack,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.03.07.SLUB_Backdoor/New%20SLUB%20Backdoor%20Uses%20GitHub%20Communicates%20via%20Slack.pdf,NATO,"CVE-2015-1701, CVE-2018-8174",,,,,,,,FALSE,"Watering Hole, Exploit Vulnerability","Slack, GitHub, PowerShell",Individuals,,, 2019-03-08,Supply Chain - The Major Target of Cyberespionage Groups,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.03.08.Supply_Chain_Groups/Supply%20Chain%20%E2%80%93%20The%20Major%20Target%20of%20Cyberespionage%20Groups.pdf,Resecurity,,,,mabna institute,IR,Information theft and espionage,2013,,FALSE,Credential Reuse,,"Government and Defense Agencies, Corporations and Businesses, Financial Institutions, Energy and Utilities, Critical Infrastructure",,, 
2019-03-11,Gaming-Industry.Asia,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.03.11.Gaming-Industry.Asia/Gaming-Industry.Asia.pdf,ESET,,"T1079:Multilayer Encryption, T1043:Commonly Used Port, T1009:Binary Padding, T1022:Data Encrypted, T1032:Standard Cryptographic Protocol, T1050:New Service, T1195:Supply Chain Compromise",,apt41,CN,"Financial crime, Information theft and espionage",2010,TH,FALSE,Meta Data Monitoring,,Media and Entertainment Companies,,, 2019-03-11,Researcher Claims Iranian APT Behind 6TB Data Heist at Citrix,,https://threatpost.com/ranian-apt-6tb-data-citrix/142688/,Threatpost,,,,iridium,IR,Information theft and espionage,2018,,FALSE,Credential Reuse,,"Government and Defense Agencies, Corporations and Businesses, Energy and Utilities, Financial Institutions, Critical Infrastructure",,, 2019-03-12,Operation_Comando,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.03.12.Operation_Comando/Operation_Comando.pdf,Palo Alto,,,,,,,,BR,FALSE,"Spear Phishing, Malicious Documents","CapturaTela, LimeRAT, RevengeRAT, NjRAT, AsyncRAT, NanoCoreRAT, RemcosRAT",Corporations and Businesses,,, 2019-03-13,DMSniff_POS_Malware,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.03.13.DMSniff_POS_Malware/DMSniff_POS_Malware.pdf,Flashpoint,,,,,,,,,FALSE,Exploit Vulnerability,"DMSniff, SSH","Corporations and Businesses, Media and Entertainment Companies",,, 2019-03-13,Operation_Sheep,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.03.13.Operation_Sheep/Operation_Sheep.pdf,Check Point,,,,shun wang technologies,,,,CN,FALSE,Exploit Vulnerability,SWAnalytics SDK,"Corporations and Businesses, Individuals",,, 
2019-03-13,GlitchPOS_New_Pos_Malwre_for_sale,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.03.13.GlitchPOS_POS_Malware/GlitchPOS_New_Pos_Malwre_for_sale.pdf,Cisco,,,,edbitss,,,,,,,"GlitchPOS, DiamondFox L!NK botnet, VisualBasic",Corporations and Businesses,,, 2019-03-20,APT38 DYEPACK FRAMEWORK,,https://github.com/649/APT38-DYEPACK,GitHub,,,,lazarus group,KP,"Information theft and espionage, Espionage, Sabotage and destruction, Sabotage, Financial crime",2014,,,,APT38 DYEPACK,Financial Institutions,,, 2019-03-22,LUCKY ELEPHANT Campaign Masquerading,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.03.22.LUCKY_ELEPHANT/LUCKY%20ELEPHANT%20Campaign%20Masquerading.pdf,NETSCOUT,,,,lucky elephant,,,,"BD, CN, LK, MM, MV, NP, PK",FALSE,Phishing,,Government and Defense Agencies,2019-02-15,2019-03-15,28.0 2019-03-24,JEShell An OceanLotus (APT32) Backdoor,,https://norfolkinfosec.com/jeshell-an-oceanlotus-apt32-backdoor/,One Night in Norfolk,,,,oceanlotus,VN,"Espionage, Financial gain, Information theft and espionage",2012,,FALSE,,"JEShell, KerrDown, Cobalt Strike Beacon",Manufacturing,,, 2019-03-25,Qihoo360_PatBear-APT-C-37-Armed-Organizations-Attacks(03-25-2019),Pat Bear (APT-C-37),https://app.box.com/s/gv5ug3d8shq5d6uuj6vb8nfgemtpznil,360,,,,apt-c-37,,,,,,Watering Hole,"SSLove, DroidJack, SpyNote, H-Worm, njRAT",,,, 2019-03-27,Elfin Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and US,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.03.27.Elfin/Elfin%20Relentless%20Espionage%20Group%20Targets%20Multiple%20Organizations%20in%20Saudi%20Arabia%20and%20US.pdf,Symantec,CVE-2018-20250,,,elfin,IR,"Espionage, Sabotage and destruction, Information theft and espionage",2013,"SA, US",FALSE,"Spear Phishing, Exploit Vulnerability, Drive-by Download","Remcos (Backdoor.Remvio), DarkComet (Backdoor.Breut), Quasar RAT 
(Trojan.Quasar), Pupy RAT (Backdoor.Patpoopy), NanoCore (Trojan.Nancrat), NetWeird (Trojan.Netweird.B), Notestuk (Backdoor.Notestuk) (aka TURNEDUP), Stonedrill (Trojan.Stonedrill), AutoIt backdoor, FastUploader, PowerShell Empire","Corporations and Businesses, Manufacturing, Healthcare, Financial Institutions, Energy and Utilities, Education and Research Institutions, Government and Defense Agencies",,, 2019-03-28,"Desktop, Mobile Phishing Campaign Targets South Korean Websites, Steals Credentials Via Watering Hole",,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.03.28.Desktop_Mobile_Phishing_Campaign/Desktop%2C%20Mobile%20Phishing%20Campaign%20Targets%20South%20Korean%20Websites%2C%20Steals%20Credentials%20Via%20Watering%20Hole.pdf,Trend Micro,,,,,,,,KR,FALSE,Watering Hole,"Trojan.HTML.PHISH.TIAOOHDW, Cloudflare","Corporations and Businesses, Individuals",2019-03-14,, 2019-03-28,Threat Actor Group using UAC Bypass Module to run BAT File,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.03.28.UAC_Bypass_BAT_APT/Threat%20Actor%20Group%20using%20UAC%20Bypass%20Module%20to%20run%20BAT%20File.pdf,ThreatRecon,,,,,,,,"KR, US",FALSE,"Spear Phishing, Malicious Documents","BABYFACE, SYSCON",,,, 2019-03-28,Above+Us+Only+Stars,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.03.28.Exposing_GPS_Spoofing_in_Russia_and_Syria/Above%2BUs%2BOnly%2BStars.pdf,C4ADS,,,,,,,,"RU, SY",,,,"Government and Defense Agencies, Corporations and Businesses, Financial Institutions, Energy and Utilities, Critical Infrastructure",,, 2019-04-02,OceanLotus-Steganography-Malware-Analysis-White-Paper,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.04.02.OceanLotus_Steganography/OceanLotus-Steganography-Malware-Analysis-White-Paper.pdf,Cylance,,,"rule OceanLotus_Steganography_Loader\n{\n meta:\n description = “OceanLotus 
Steganography Loader”\n strings:\n $data1 = “.?AVCBC_ModeBase@CryptoPP@@” ascii\n condition:\\\n // Must be MZ file\n uint16(0) == 0x5A4D and\n // Must be smaller than 2MB\n filesize < 2MB and\n // Must be a DLL\n pe.characteristics & pe.DLL and\n // Must contain the following imports\n pe.imports(“gdiplus.dll”, “GdipGetImageWidth”) and\n pe.imports(“gdiplus.dll”, “GdipCreateBitmapFromFile”) and\n pe.imports(“kernel32.dll”, “WriteProcessMemory”) and\n // Check for strings in .data\n for all of ($data*) : \n ( \n $ in\n (\n pe.sectionspe.section_index(“.data”).raw_data_offset\n ..\n pe.sectionspe.section_index(“.data”).raw_data_offset + pe.sectionspe.section_index(“.data”).\nraw_data_size\n ) \n )\n}",oceanlotus,VN,"Espionage, Financial gain, Information theft and espionage",2012,,,,", mcvsocfg.dll, Crypto++ library, Remy backdoor",,,, 2019-04-02,Report OceanLotus APT Group Leveraging Steganography,,https://threatvector.cylance.com/en_us/home/report-oceanlotus-apt-group-leveraging-steganography.html,Cylance,,,,oceanlotus,VN,"Espionage, Financial gain, Information theft and espionage",2012,,,,"CobaltStrike Beacon, Denes backdoor, Remy backdoor",,,, 2019-04-10,The Muddy Waters of APT Attacks,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.04.10.Muddy_Waters/The%20Muddy%20Waters%20of%20APT%20Attacks.pdf,Check Point,,,,muddywater,IR,"Espionage, Information theft and espionage",2017,"AE, BY, SA, TR, UA",FALSE,"Spear Phishing, Malicious Documents",,,,, 2019-04-10,Project TajMahal,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.04.10.Project_TajMahal/Project%20TajMahal.pdf,Kaspersky,,,,,,,,"KG, KZ, TJ, TM, UZ",,,"Tokyo, Yokohama, SuicideWatcher, XZip/XUnzip, zlib",Government and Defense Agencies,,, 2019-04-10,Gaza Cybergang Group1 operation 
SneakyPastes,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.04.10.Operation_SneakyPastes/Gaza%20Cybergang%20Group1%20operation%20SneakyPastes.pdf,Kaspersky,,,,gaza cybergang,PS,Information theft and espionage,2012,"AE, AF, AM, AZ, BA, BE, CY, DE, EG, ES, FR, GB, ID, IE, IL, IN, IQ, IR, IT, JO, KW, LB, LK, LY, MA, MY, OM, PL, PS, RO, RS, RU, SA, SD, SI, SN, SY, TN, US",FALSE,Phishing,"The specific malware, tool names, or software frameworks mentioned in the attack from this report include, PowerShell, VBS (Visual Basic Script), JS (JavaScript), dotnet (DotNet framework)","Government and Defense Agencies, Education and Research Institutions, Media and Entertainment Companies, Healthcare, Financial Institutions",,, 2019-04-10,ASEC_REPORT_vol.94_ENG,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/Report/AhnLab/ASEC_REPORT_vol.94_ENG.pdf,AhnLab,,,,,,,,,,"Malicious Documents, Social Engineering","Flawed Ammyy RAT, Gh0st RAT, CoinMiner",Corporations and Businesses,,, 2019-04-17,DNS Hijacking Abuses Trust In Core Internet Service,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.04.17.Operation_Sea_Turtle/DNS%20Hijacking%20Abuses%20Trust%20In%20Core%20Internet%20Service.pdf,Cisco,"CVE-2009-1151, CVE-2014-6271, CVE-2017-12617, CVE-2017-3881, CVE-2017-6736, CVE-2018-0296, CVE-2018-7600",,,,,,,"AE, AL, IQ",FALSE,"Exploit Vulnerability, Spear Phishing",,"Government and Defense Agencies, Energy and Utilities",2017-01-15,2019-04-15,820.0 2019-04-17,"Aggah Campaign_ Bit.ly, BlogSpot, and Pastebin Used for C2 in Large Scale Campaign",,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.04.17.Aggah_Campaign/Aggah%20Campaign_%20Bit.ly%2C%20BlogSpot%2C%20and%20Pastebin%20Used%20for%20C2%20in%20Large%20Scale%20Campaign.pdf,Palo Alto,,,,gorgon group,PK,Information theft and espionage,2017,US,FALSE,"Spear Phishing, Malicious 
Documents",RevengeRAT,"Government and Defense Agencies, Corporations and Businesses, Financial Institutions, Manufacturing, Education and Research Institutions, Media and Entertainment Companies",,, 2019-04-18,APT28 and Upcoming Elections Evidence of Possible Interference (Part II),,https://blog.yoroi.company/research/apt28-and-upcoming-elections-possible-interference-signals-part-ii/,Yoroi,,,"rule APT28_office_document_dropper_GAMEFISH {\n meta:\n description = ""Yara Rule for office_document dropper (2017)""\n author = ""ZLAB Yoroi-Cybaze""\n last_updated = ""2019-04-16""\n tlp = ""white""\n category = ""informational""\n strings:\n $a = ""word\\\\vbaProject.binPK""\n $b = {E3 5D B8 1E 9C C7 11 F4 1E}\n $c = {36 B7 DD E9 6F 33 4b D7 E7 7F}\n condition:\n all of them\n}, rule APT28_mvtband_dat_dll {\n meta:\n description = ""Yara Rule for mvtband_dat_dll (2017)""\n author = ""ZLAB Yoroi-Cybaze""\n last_updated = ""2019-04-16""\n tlp = ""white""\n category = ""informational""\n strings:\n $a = ""DGMNOEP""\n $b = {C7 45 94 0A 25 73 30 8D 45 94} // two significant instructions\n condition:\n all of them and pe.sections2.raw_data_size == 0 and pe.version_info""OriginalFilen\n}, rule APT28_mrset_bat {\n meta:\n description = ""Yara Rule for mrset_bat_file (2017)""\n author = ""ZLAB Yoroi-Cybaze""\n last_updated = ""2019-04-16""\n tlp = ""white""\n category = ""informational""\n strings:\n $a = ""inst_pck""\n $b = ""mvtband.dat""\n condition:\n all of them\n}, rule APT28_user_dll {\n meta:\n description = ""Yara Rule for user_dll (2017)""\n author = ""ZLAB Yoroi-Cybaze""\n last_updated = ""2019-04-16""\n tlp = ""white""\n category = ""informational""\n strings:\n $a = ""MZ""\n $b = ""GetEnvironmentVariable""\n $c = {49 73 50 72 6F 63 65 73 73 6F 72}\n condition:\n all of them and pe.number_of_sections == 5\nSeat\nYoroi S.r.l.\nPiazza Sallustio, 9\n00187 Roma (RM)\nContact\n all of them and pe.number_of_sections == 5\n}",fancybear,,,,,FALSE,"Malicious Documents, Spear 
Phishing","Empire stager, GAMEFISH malware, mrset.bat, mvtband.dat",Government and Defense Agencies,,, 2019-04-19,Funky malware format found in Ocean Lotus sample,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.04.19.Funky_malware_format/Funky%20malware%20format%20found%20in%20Ocean%20Lotus%20sample.pdf,Malwarebytes,,,,apt 32,VN,"Espionage, Financial gain, Information theft and espionage",2012,VN,FALSE,"Spear Phishing, Malicious Documents",,"Non-Governmental Organizations (NGOs) and Nonprofits, Individuals",,, 2019-04-22,Fireeye_CARBANAK-Week-1-Rare-Occurrence(04-22-2019),CARBANAK Week Part One: A Rare Occurrence,https://app.box.com/s/l3dcqd6i8rnmxgi0ykd9zfmlwctcaq1g,FireEye,,,,fin7,RU,"Financial gain, Financial crime",2013,,,,,Financial Institutions,,, 2019-04-22,FINTEAM Trojanized TeamViewer Against Government Targets,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.04.22.FINTEAM/FINTEAM%20Trojanized%20TeamViewer%20Against%20Government%20Targets.pdf,Check Point,,,,,,,,"BM, GY, IT, KE, LB, LR, NP",FALSE,"Spear Phishing, Malicious Documents","XLSM document with malicious macros, Malicious DLL, Delphi code, Check Point’s Threat Emulation, Check Point’s Threat Extraction, SandBlast Network, SandBlast Zero-Day Protection","Government and Defense Agencies, Financial Institutions",,, 2019-04-23,APT34 webmask project,,https://marcoramilli.com/2019/04/23/apt34-webmask-project/,Marco Ramilli's Blog,,,,apt34,IR,Espionage,,,,"Spear Phishing, Malicious Documents",,"Energy and Utilities, Financial Institutions, Government and Defense Agencies",,, 2019-04-24,Sea Lotus APT organization's attack techniques against China in the first quarter of 2019 revealed,,https://mp.weixin.qq.com/s/xPsEXp2J5IE7wNSMEVC24A,Weixin,,,,海莲花,,,,CN,,,,Government and Defense Agencies,,, 2019-04-24,CyberInt_Legit Remote Access Tools Turn Into Threat Actors' 
Tools_Report,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.04.24.TA505_Abusing_Legit_Remote_Admin_Tool/CyberInt_Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors%27%20Tools_Report.pdf,CyberInt,,,,ta505,RU,,,"CL, IN, IT, KR, MW, PK",FALSE,"Spear Phishing, Malicious Documents","Remote Manipulator System (RMS), RAT (remote access trojan)","Financial Institutions, Corporations and Businesses",2018-12-15,2019-03-15,90.0 2019-04-25,Fireeye_CARBANAK-Week-4-CARBANAK-Desktop-Video-Player(04-25-2019),CARBANAK Week Part Four: The CARBANAK Desktop Video Player,https://app.box.com/s/30mizln4f525yv482qqampa8vybjj764,FireEye,,,,fin7,RU,"Financial gain, Financial crime",2013,,,,"CARBANAK, tinymet, Meterpreter",Financial Institutions,,, 2019-04-30,APT 40,,https://www.cfr.org/interactive/cyber-operations/apt-40,Council on Foreign Relations,,,,apt 40,CN,"Espionage, Information theft and espionage",2013,"HK, MY, PH, US",,Spear Phishing,,"Government and Defense Agencies, Corporations and Businesses, Education and Research Institutions",,, 2019-04-30,SectorB06 using Mongolian language in lure document,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.04.30.SectorB06_Mongolian/SectorB06%20using%20Mongolian%20language%20in%20lure%20document.pdf,ThreatRecon,"CVE-2017-11882, CVE-2018-0802","T1064:Scripting, T1045:Software Packing, T1204:User Execution, T1022:Data Encrypted, T1203:Exploitation for Client Execution, T1059:Command-Line Interface, T1116:Code Signing, T1012:Query Registry, T1038:DLL Search Order Hijacking, T1124:System Time Discovery, T1099:Timestomp, T1063:Security Software Discovery, T1218:Signed Binary Proxy Execution, T1071:Standard Application Layer Protocol, T1060:Registry Run Keys / Startup Folder, T1119:Automated Collection, T1055:Process Injection, T1107:File Deletion, T1193:Spearphishing Attachment, T1043:Commonly Used Port, T1057:Process 
Discovery",,sectorb06,,,,,FALSE,Spear Phishing,,,,, 2019-05-02,APT34 Glimpse project,,https://marcoramilli.com/2019/05/02/apt34-glimpse-project/,Marco Ramilli's Blog,,,,apt34,IR,Espionage,,,,"Spear Phishing, Malicious Documents",,Energy and Utilities,,, 2019-05-07,ATMitch_ New Evidence Spotted In The Wild,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.05.07.ATMitch/ATMitch_%20New%20Evidence%20Spotted%20In%20The%20Wild.pdf,Yoroi,,,"rule ATMitch { \nmeta: \n \n description = ""Yara Rule for ATMitch Dropper/Payload"" \n \n author = ""ZLAB Yoroi - Cybaze"" \n \n last_updated = ""2019-05-03"" \n \n tlp = ""white"" \n \n category = ""informational"" \n \n strings: \n $str1 = {4A 75 E6 8B C7 8B 4D FC} \n \n $str2 = {EC 53 8D 4D DC 88} \n $str3 = ""MSXFS.dll"" \n $str4 = ""DISPENSE"" \n \n$str5 = ""PinPad"" \n $str6 = ""cash"" \n $str7 = {40 59 41 50 41 58 49 40 5A} \n $str8 = ""WFMFreeBuffer"" \n \ncondition: \n \npe.number_of_sections == 4 and pe.number_of_resources == 3 and $str1 and $str2 or $str3 \nand $str4 and $str5 and $str6 and $str7 and $str8 \n}",fin7,RU,"Financial gain, Financial crime",2013,,,Exploit Vulnerability,"ATMitch, MSXFS.dll",Financial Institutions,,, 2019-05-07,Buckeye_ Espionage Outfit Used Equation Group Tools Prior to Shadow Brokers Leak,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.05.07.Buckeye/Buckeye_%20Espionage%20Outfit%20Used%20Equation%20Group%20Tools%20Prior%20to%20Shadow%20Brokers%20Leak.pdf,Symantec,"CVE-2010-3962, CVE-2014-1776, CVE-2017-0143, CVE-2019-0703",,,buckeye,CN,"Espionage, Information theft and espionage",2007,"GB, IT, LU, PH, SE, US, VN",TRUE,Exploit Vulnerability,"Pirpi, Filensfer (C/C++), Filensfer (Powershell), Filensfer (py2exe), Bemstour, DoublePulsar, FuzzBunch, EternalBlue, EternalSynergy, EternalRomance","Corporations and Businesses, Manufacturing, Media and Entertainment Companies",,, 2019-05-08,FIN7.5_ the infamous 
cybercrime rig 'FIN7' continues its activities,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.05.08.Fin7.5/FIN7.5_%20the%20infamous%20cybercrime%20rig%20%E2%80%9CFIN7%E2%80%9D%20continues%20its%20activities.pdf,FireEye,CVE-2017-11882,,,fin7,RU,"Financial gain, Financial crime",2013,,FALSE,"Spear Phishing, Malicious Documents","Powershell Empire, Griffon JS backdoor, Cobalt/Meterpreter, AveMaria botnet, ThreadKit","Corporations and Businesses, Manufacturing, Financial Institutions",,, 2019-05-08,OceanLotus Attacks to Indochinese Peninsula,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.05.08.OceanLotus/OceanLotus%20Attacks%20to%20Indochinese%20Peninsula.pdf,QiAnXin,,,,oceanlotus,VN,"Espionage, Financial gain, Information theft and espionage",2012,"CN, KH, LA, TH, VN",FALSE,"Phishing, Exploit Vulnerability, Malicious Documents","CocCocUpated.exe, Trojan framework of OceanLotus","Education and Research Institutions, Media and Entertainment Companies, Financial Institutions, Corporations and Businesses",,, 2019-05-09,Iranian-Nation-State-APT-Leak-Analysis-and-Overview,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.05.09.Iranian_APT_Leak/Iranian-Nation-State-APT-Leak-Analysis-and-Overview.pdf,ClearSky,,,,rana,,,,"AE, AF, AU, AZ, BH, CO, EG, ET, FJ, HK, ID, IL, IN, IQ, KE, KG, KW, LB, LK, MA, MU, MY, NZ, OM, PH, PK, QA, SY, TH, TR, ZA",FALSE,"Credential Reuse, Exploit Vulnerability, Social Engineering","Havij, Python (for writing malware), SQL Loader, Bulk insert, BCP utility","Government and Defense Agencies, Corporations and Businesses",,, 2019-05-11,Chineses Actor APT target Ministry of Justice Vietnamese,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.05.11.Chinese_APT_Vietnamese/Chineses%20Actor%20APT%20target%20Ministry%20of%20Justice%20Vietnamese.pdf,Medium,CVE-2017-11882,,,goblin 
panda,CN,Information theft and espionage,2013,VN,FALSE,"Exploit Vulnerability, Malicious Documents",Gh0st RAT,Government and Defense Agencies,,, 2019-05-13,"ScarCruft continues to evolve, introduces Bluetooth harvester _ Securelist",,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.05.13.ScarCruft_Bluetooth/ScarCruft%20continues%20to%20evolve%2C%20introduces%20Bluetooth%20harvester%20_%20Securelist.pdf,Kaspersky,CVE-2018-8120,,,scarcruft,KP,Information theft and espionage,2012,"HK, KP, RU, VN",TRUE,"Spear Phishing, Watering Hole, Exploit Vulnerability","ROKRAT, Dropper, Simple HTTP Downloader, Simple HTTP Uploader, GreezaBackdoor, Konni","Financial Institutions, Government and Defense Agencies",,, 2019-05-14,Reaver Mapping Connections Between Disparate Chinese APT Groups,,https://threatvector.cylance.com/en_us/home/reaver-mapping-connections-between-disparate-chinese-apt-groups.html,Cylance,"CVE-2017-11882, CVE-2017-8570",,,grand theft auto panda,,,,,FALSE,"Malicious Documents, Exploit Vulnerability","SURTR Malware Family, Reaver, Sisfader RAT",Manufacturing,,, 2019-05-15,Winnti_ More than just Windows and Gates,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.05.15.Winnti_More/Winnti_%20More%20than%20just%20Windows%20and%20Gates.pdf,Chronicle,,,,,,,,,,,"Winnti, libxselinux, libxselinux.so, Azazel","Healthcare, Media and Entertainment Companies",,, 2019-05-19,HiddenWasp Malware Stings Targeted Linux Systems,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.05.19.HiddenWasp_Linux/HiddenWasp%20Malware%20Stings%20Targeted%20Linux%20Systems.pdf,Intezer,,,,,,,,,,,"HiddenWasp, Mirai, Azazel rootkit, Adore-ng",,,, 2019-05-22,A journey to Zebrocy land,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.05.22.Zebrocy_Land/A%20journey%20to%20Zebrocy%20land.pdf,ESET,,"T1056:Input Capture, T1132:Data 
Encoding, T1025:Data from Removable Media, T1204:User Execution, T1082:System Information Discovery, T1022:Data Encrypted, T1032:Standard Cryptographic Protocol, T1012:Query Registry, T1079:Multilayer Encryption, T1085:Rundll32, T1024:Custom Cryptographic Protocol, T1020:Automated Exfiltration, T1192:Spearphishing Link, T1071:Standard Application Layer Protocol, T1060:Registry Run Keys / Startup Folder, T1001:Data Obfuscation, T1107:File Deletion, T1083:File and Directory Discovery, T1053:Scheduled Task, T1005:Data from Local System, T1074:Data Staged, T1122:Component Object Model Hijacking, T1008:Fallback Channels, T1041:Exfiltration Over Command and Control Channel, T1047:Windows Management Instrumentation, T1039:Data from Network Shared Drive, T1043:Commonly Used Port, T1057:Process Discovery, T1113:Screen Capture, T1089:Disabling Security Tools",,apt28,RU,"Espionage, Information theft and espionage",2004,"KG, KZ, TJ, TM, UZ",FALSE,Spear Phishing,"Win32/TrojanDownloader.Sednit.CMT, Win32/HackTool.PSWDump.D, Win32/PSW.Agent.OGE, Zebrocy Delphi backdoor, LoJax UEFI rootkit",,,, 2019-05-24,Uncovering New Activity By APT10,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.05.24_APT10_New_Activity/Uncovering%20New%20Activity%20By%20APT10.pdf,enSilo,,,,apt10,CN,Espionage,,,,,"PlugX, Quasar RAT, SharpSploit, Mimikatz",Government and Defense Agencies,2018-12-22,2019-04-27,126.0 2019-05-28,Emissary Panda Attacks Middle East Government Sharepoint Servers,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.05.28.Emissary_Panda/Emissary%20Panda%20Attacks%20Middle%20East%20Government%20Sharepoint%20Servers.pdf,Palo Alto,"CVE-2017-0144, CVE-2019-0604",,,emissary panda,CN,"Espionage, Information theft and espionage",2010,,FALSE,Exploit Vulnerability,"cURL, etool.exe, checker1.exe, psexec.exe (similar to PsExec offered by Impacket), zzz_exploit.py, checker.py, Mimikatz, pwdump, smb1.exe, China 
Chopper, Sublime Text plugin host, Microsoft’s Create Media application",Government and Defense Agencies,2019-04-01,2019-04-16,15.0 2019-05-29,TA505 is Expanding its Operations,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.05.29.TA505/TA505%20is%20Expanding%20its%20Operations.pdf,Yoroi,,,"rule uninstall_exe { \nmeta: \n description = ""Yara rule for uninstall SFX archive"" \n author = ""Cybaze - Yoroi ZLab"" \n last_updated = ""2019-05-22"" \n tlp = ""white"" \n category = ""informational"" \nstrings: \n $a1 = { E8 68 BA 01 00 51 } \n $a2 = { 58 E9 8B C6 4F 6F 7A } \n $a3 = { D9 4E D5 FA D4 34 } \n \ncondition: \n pe.number_of_resources == 24 and all of them \n}, rule veter_random { \nmeta: \n description = ""Yara rule for veter_trojan"" \n author = ""Cybaze - Yoroi ZLab"" \n last_updated = ""2019-05-22"" \n tlp = ""white"" \n category = ""informational"" \nstrings: \n $a = { 5E C2 04 00 F6 44 24 04 01 56 } \n \n $b1 = { 01 8B 02 8B 48 04 03} \n $b2 = { 4A 3B C2 7E 08 8B C2 } \n \n $c1 = { E8 83 CA 04 89 55 E8 } \n $c2 = { 1F DF 70 07 22 84 82 } \n \ncondition: \n $a and (($b1 and $b2 and pe.version_info[""CompanyName""] contains ""Miranda"") \nor ($c1 and $c2 and pe.version_info[""InternalName""] contains ""DrldwgRom"")) \n}, rule excel_dropper { \nmeta: \n description = ""Yara rule for excel dropper"" \n author = ""Cybaze - Yoroi ZLab"" \n last_updated = ""2019-05-22"" \n tlp = ""white"" \n category = ""informational"" \nstrings: \n $a1 = { 98 C3 AB F0 E7 F3 BD F4 } \n $a2 = { 41 6E D5 7E F0 10 AB A7 } \n $a3 = ""gxbgarjktzyu"" \n $a4 = ""Bob Brown"" \n \ncondition: \n all of them \n}, rule pasmmm_exe { \nmeta: \n description = ""Yara rule for pasmmm SFX archive"" \n author = ""Cybaze - Yoroi ZLab"" \n last_updated = ""2019-05-22"" \n tlp = ""white"" \n category = ""informational"" \nstrings: \n $a1 = { 1C Cf 43 39 C8 32 B4 B0 } \n $a2 = { 60 6C B8 7C 5F FA } \n $a3 = ""LookupPrivilege"" \n $a4 = ""LoadBitmap"" \n 
\ncondition: \n pe.number_of_sections == 6 and all of them \n}, rule winserv_exe { \nmeta: \n description = ""Yara rule for winserv backdoor"" \n author = ""Cybaze - Yoroi ZLab"" \n last_updated = ""2019-05-22"" \n tlp = ""white"" \n category = ""informational"" \nstrings: \n $a1 = ""MPRESS1"" \n $a2 = { 90 C4 73 05 E6 92 } \n $a3 = { E9 64 4B 56 3F EC } \n $a4 = { 10 EF D0 E1 36 E1 14 3C } \n \ncondition: \n all of them and pe.version_info[""CompanyName""] contains ""tox"" \n}",ta505,RU,,,,,"Spear Phishing, Malicious Documents","RMS (Remote Manipulator System), TektonIT, i.cmd, exit.exe, rtegre.exe, veter1605_MAPS_10cr0.exe, winserv.exe, MPress PE compressor","Financial Institutions, Corporations and Businesses",,, 2019-05-29,A dive into Turla PowerShell usage,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.05.29.Turla_PowerShell/A%20dive%20into%20Turla%20PowerShell%20usage.pdf,ESET,,"T1012:Query Registry, T1099:Timestomp, T1140:Deobfuscate/Decode Files or Information, T1025:Data from Removable Media, T1041:Exfiltration Over Command and Control Channel, T1071:Standard Application Layer Protocol, T1120:Peripheral Device Discovery, T1055:Process Injection, T1027:Obfuscated Files or Information, T1057:Process Discovery, T1086:PowerShell, T1083:File and Directory Discovery, T1005:Data from Local System, T1084:Windows Management Instrumentation Event Subscription",,turla,RU,"Espionage, Information theft and espionage",1996,,FALSE,,"ComRAT version 4, PowerShell, PowerStallion, Turla LightNeuron, Posh-SecMod, RPC backdoor, RPCSpoofServer, RPC interface patcher",Government and Defense Agencies,,, 2019-06-03,Zebrocy Multilanguage Malware 
Salad,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.06.03.Zebrocy/Zebrocy%20Multilanguage%20Malware%20Salad.pdf,EFF,,,,zebrocy,,,,"AF, DE, GB, IR, KG, KZ, MM, SY, TJ, TM, TZ, UA",FALSE,Spear Phishing,"AutoIT, Delphi, C#, PowerShell, Go, Python, Nim, CentBrowser, 7Star, Empire, Responder, BeEF, Mimikatz",,,, 2019-06-04,An APT Blueprint Gaining New Visibility into Financial Threats,,https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf,Bitdefender,"CVE-2017-11882, CVE-2017-8570, CVE-2018-0802",,,fin7,RU,"Financial gain, Financial crime",2013,"AM, BG, BY, EE, ES, GB, GE, KG, MD, MY, NL, PL, RO, RU, TW",FALSE,"Spear Phishing, Exploit Vulnerability, Malicious Documents",Cobalt Strike Beacon,Financial Institutions,,, 2019-06-05,scattered-canary,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.06.05.Scattered_Canary/scattered-canary.pdf,Agari,,,,scattered canary,NG,,,"JP, MY, US",FALSE,Phishing,,"Government and Defense Agencies, Corporations and Businesses, Individuals",,, 2019-06-06,APT34 Jason project,,https://marcoramilli.com/2019/06/06/apt34-jason-project/,Marco Ramilli's Blog,,,,apt34,IR,Espionage,,,,"Spear Phishing, Malicious Documents",,"Energy and Utilities, Financial Institutions, Government and Defense Agencies",,, 2019-06-10,Threat Spotlight_ MenuPass_QuasarRAT Backdoor,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.06.10.MenuPass_QuasarRAT_Backdoor/Threat%20Spotlight_%20MenuPass_QuasarRAT%20Backdoor.pdf,Cylance,,,"rule QuasarRAT_Loader\n {\n meta:\n description = ""MenuPass/APT10 QuasarRAT Loader""\n strings:\n $rdata1 = "" !\\""#$%&\()*+,-\n./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ\\\\^_`ABCDE-\nFGHIJKLMNOPQRSTUVWXYZ{|}~"" ascii\n $rdata2 = ""CONOUT$"" wide\n condition:\n // Has MZ header?\n uint16(0) == 0x5a4d 
and\n // File size less than 600KB\n filesize < 600KB and\n // Is a DLL?\n pe.characteristics & pe.DLL and\n // Contains the following sections (in order)\n pe.section_index("".text"") == 0 and\n pe.section_index("".rdata"") == 1 and\n pe.section_index("".data"") == 2 and\n pe.section_index("".pdata"") == 3 and\n pe.section_index("".rsrc"") == 4 and\n pe.section_index("".reloc"") == 5 and\n // Has the following export\n pe.exports(""ServiceMain"") and\n // Does not have the following export\n not pe.exports(""WUServiceMain"") and\n // Has the following imports\n pe.imports(""advapi32.dll"", ""RegisterServiceCtrlHandlerW"") and\n // Contains the following strings in .rdata\n for all of ($rdata*) : ( $ in \n (pe.sections[pe.section_index("".rdata"")].raw_data_offset..pe.sections[pe.section_index\n("".rdata"")].raw_data_offset+pe.sections[pe.section_index("".rdata"")].raw_data_size) )\n }, rule Possible_QuasarRAT_Payload\n {\n meta:\n description = ""Possible encrypted QuasarRAT payload""\n condition:\n uint16(0) != 0x5A4D and \n uint16(0) != 0x5449 and \n uint16(0) != 0x4947 and \n math.entropy(0, filesize) > 7.5\n }",menupass,,,,,,,"QuasarRAT, .NET, CppHostCLR, Microsoft.NET Framework",Corporations and Businesses,,, 2019-06-10,wp_new_muddywater_findings_uncovered,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.06.10.MuddyWater_Resurfaces/wp_new_muddywater_findings_uncovered.pdf,Trend Micro,CVE-2017-11882,,,muddywater,IR,"Espionage, Information theft and espionage",2017,US,FALSE,"Spear Phishing, Malicious Documents, Exploit Vulnerability","CrackMapExec, ChromeCookiesView, chrome-passwords, EmpireProject, FruityC2, Koadic, LaZagne, Meterpreter, Mimikatz, MZCookiesView, PowerSploit, Shootback, Smbmap, POWERSTATS, CLOUDSTATS, SHARPSTATS, DELPHSTATS","Government and Defense Agencies, Corporations and Businesses, Education and Research Institutions",,, 
2019-06-10,blog_new_muddywater_findings_uncovered,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.06.10.MuddyWater_Resurfaces/blog_new_muddywater_findings_uncovered.pdf,Trend Micro,"CVE-2017-11882, CVE-2017-5689, CVE-2019-2725",,,muddywater,IR,"Espionage, Information theft and espionage",2017,"JO, TR",FALSE,"Spear Phishing, Malicious Documents, Exploit Vulnerability","CrackMapExec, ChromeCookiesView, chrome-passwords, EmpireProject, FruityC2, Koadic, LaZagne, Meterpreter, Mimikatz, MZCookiesView, PowerSploit, Shootback, Smbmap, POWERSTATS","Government and Defense Agencies, Education and Research Institutions",,, 2019-06-11,cta-2019-0612,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.06.11.Fishwrap_Group/cta-2019-0612.pdf,Recorded Future,,,,,,,,,FALSE,Social Engineering,,"Non-Governmental Organizations (NGOs) and Nonprofits, Individuals",,, 2019-06-20,Symantec_Waterbug-Group-NewToolset(06-20-2019),Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments,https://app.box.com/s/u5p5eae02amqr2n0zg7017cx43t1icwz,Symantec,,,,turla,RU,"Espionage, Information theft and espionage",1996,,FALSE,Removable Media,"Neptun, EternalBlue, EternalRomance, DoublePulsar, SMBTouch, Hacktool.Mimikatz, Certutil.exe, IntelliAdmin, SScan, NBTScan, PsExec, Meterpreter","Government and Defense Agencies, Education and Research Institutions",,, 2019-06-25,Operation Soft Cell_ A Worldwide Campaign Against Telecommunications Providers,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.06.25.Operation_Soft_Cell/Operation%20Soft%20Cell_%20A%20Worldwide%20Campaign%20Against%20Telecommunications%20Providers.pdf,Cybereason,,,,apt10,CN,Espionage,,,FALSE,Exploit Vulnerability,"China Chopper web shell, Nbtscan, PoisonIvy, PlugX",Critical Infrastructure,,, 
2019-06-25,MuddyC3,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.06.25.MuddyC3/MuddyC3.pdf,QiAnXin,,,,muddywater,IR,"Espionage, Information theft and espionage",2017,"AF, AZ, IQ, IR, TJ, TR",FALSE,"Spear Phishing, Malicious Documents","muddyc3, PowerStats v3","Government and Defense Agencies, Corporations and Businesses, Financial Institutions, Education and Research Institutions",2019-02-15,2019-04-15,59.0 2019-06-26,cta-2019-0626,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.06.26.Iranian_to_Saudi/cta-2019-0626.pdf,Recorded Future,,,,apt33,IR,"Espionage, Sabotage and destruction, Information theft and espionage",2013,"AE, BF, EG, HR, IN, SA, TR",,"Phishing, Website Equipping","njRAT, RevengeRAT, AdwindRAT, NanoCoreRAT, DarkComet, SpyNet, RemcosRAT, XtremeRAT, ImminentMonitor, NetWireRAT, Orcus, QuasarRAT, 888RAT, qRat, SandroRAT, PlasmaRAT, AsyncRAT, BitterRat, StoneDrill, 20. Netcat","Corporations and Businesses, Manufacturing, Cloud/IoT Services, Financial Institutions, Healthcare, Media and Entertainment Companies, Critical Infrastructure, Energy and Utilities, Government and Defense Agencies",,, 2019-07-01,New Network Vermin from OceanLotus,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.07.01.OceanLotus_Ratsnif/New%20Network%20Vermin%20from%20OceanLotus.pdf,Cylance,,"T1065:Uncommonly Used Port, T1493:Transmitted Data Manipulation, T1082:System Information Discovery, T1040:Network Sniffing, T1001:Data Obfuscation, T1043:Commonly Used Port, T1046:Network Service Scanning",,oceanlotus group,VN,"Espionage, Financial gain, Information theft and espionage",2012,,,,"OceanLotus loader, WolfSSL library (version 3.11), http_parser.c, Ratsnif trojans",,,, 2019-07-01,Operation Tripoli,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.07.01.Operation_Tripoli/Operation%20Tripoli%20.pdf,Check 
Point,,,,,,,,"CA, LY, US",FALSE,"Watering Hole, Website Equipping","VBE files, WSF files, APK files, Houdini, Remcos, SpyNote, .NET executable",Individuals,,, 2019-07-03,Multiple Chinese Threat Groups Exploiting CVE-2018-0798 Equation Editor Vulnerability Since Late 2018,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.07.03.Chinese_APT_CVE-2018-0798/Multiple%20Chinese%20Threat%20Groups%20Exploiting%20CVE-2018-0798%20Equation%20Editor%20Vulnerability%20Since%20Late%202018.pdf,Anomali,"CVE-2017-11882, CVE-2018-0798, CVE-2018-0802",,"rule RTF_Equation_Editor_CVE_2018_0798 \n \n{ \nMeta: \n \nauthor = ""Anomali"" \n tlp = ""GREEN"" \n version = ""1.0"" \n date = ""2019-05-10"" \n hash = ""264cee1c1854698ef0eb3a141912db40"" \n description = ""Detects Malicious RTFs exploiting CVE-2018-0798"" \n \nstrings: \n \n$S1= ""4460606060606060606061616161616161616161616161616161fb0b"" \n$RTF= ""{\\\\rt"" \n \ncondition: \n \n$RTF at 0 and $S1 \n}",conimes,CN,Information theft and espionage,2013,"JP, KP, MN, RU, US, VN",FALSE,"Social Engineering, Malicious Documents","AsyncRAT, Royal Road weaponizer, OLE package objects, DLL Sideloading",Government and Defense Agencies,,, 2019-07-04,Twas the night before,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.07.04.NewsBeef_APT/Twas%20the%20night%20before.pdf,Kaspersky,,,,newsbeef,IR,Espionage,,"GB, SA",FALSE,"Spear Phishing, Watering Hole","PowerSploit, Pupy, BSS:Exploit.Win32.Generic, Trojan-Downloader.Win32.Powdr.a, Trojan-Downloader.MSIL.Steamilik.zzo, Trojan-Downloader.PowerShell.Agent.ah, DangerousObject.Multi.Generic",Government and Defense Agencies,,, 2019-07-04,Latest Spam Campaigns from TA505 Now Using New Malware Tools Gelup and 
FlowerPippi,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.07.04.TA505_Gelup_FlowerPippi/Latest%20Spam%20Campaigns%20from%20TA505%20Now%20Using%20New%20Malware%20Tools%20Gelup%20and%20FlowerPippi.pdf,Trend Micro,,,,ta505,RU,,,"AE, AR, ID, IN, IT, JP, KR, LB, MA, PH, SA",FALSE,"Malicious Documents, Phishing","Gelup, FlawedAmmyy RAT, FlowerPippi, AndroMut",,,, 2019-07-04,Tech-Brief-Latest-Spam-Campaigns-from-TA505-Now-Using-New-Malware-Tools-Gelup-and-FlowerPippi,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.07.04.TA505_Gelup_FlowerPippi/Tech-Brief-Latest-Spam-Campaigns-from-TA505-Now-Using-New-Malware-Tools-Gelup-and-FlowerPippi.pdf,Trend Micro,,,,ta505,RU,,,"AR, JP, PH",FALSE,,"Gelup, FlowerPippi, VirtualBox",,,, 2019-07-04,Appendix-Latest-Spam-Campaigns-from-TA505-Now-Using-New-Malware-Tools-Gelup-and-FlowerPippi,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.07.04.TA505_Gelup_FlowerPippi/Appendix-Latest-Spam-Campaigns-from-TA505-Now-Using-New-Malware-Tools-Gelup-and-FlowerPippi.pdf,Trend Micro,,,,ta505,RU,,,,,Malicious Documents,"Trojan.XF.DEDEX.SMNH3, FlawedAmmyy RAT, Backdoor.Win32.FLAWEDAMMY.AN, Backdoor.Win32.FLAWEDAMMY.AP, Backdoor.Win32.FLAWEDAMMY.SMKAT, Amadey",,,, 2019-07-10,Flirting With IDA and APT28,,https://threatvector.cylance.com/en_us/home/flirting-with-ida-and-apt28.html,Cylance,,,,apt28,RU,"Espionage, Information theft and espionage",2004,,,,"X-tunnel (aka XAPS), Microsoft Visual C++, IDA Flirt",,,, 2019-07-11,Buhtrap group uses zero-day in latest espionage campaigns,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.07.11.Buhtrap_Group/Buhtrap%20group%20uses%20zero%E2%80%91day%20in%20latest%20espionage%20campaigns.pdf,ESET,"CVE-2015-2387, CVE-2019-1132","T1056:Input Capture, T1116:Code Signing, T1094:Custom Command and Control Protocol, T1204:User Execution, 
T1106:Execution through API, T1022:Data Encrypted, T1041:Exfiltration Over Command and Control Channel, T1071:Standard Application Layer Protocol, T1105:Remote File Copy, T1111:Two-Factor Authentication Interception, T1059:Command-Line Interface, T1115:Clipboard Data, T1043:Commonly Used Port, T1020:Automated Exfiltration, T1053:Scheduled Task",,buhtrap,RU,Financial crime,2015,,TRUE,Exploit Vulnerability,"VBA/TrojanDropper.Agent.ABM, VBA/TrojanDropper.Agent.AGK, Win32/Spy.Buhtrap.W, Win32/Spy.Buhtrap.AK, Win32/RiskWare.Meterpreter.G","Government and Defense Agencies, Corporations and Businesses, Financial Institutions",,, 2019-07-15,Comprehensive Threat Intelligence_ SWEED_ Exposing years of Agent Tesla campaigns,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.07.15.SWEED/Comprehensive%20Threat%20Intelligence_%20SWEED_%20Exposing%20years%20of%20Agent%20Tesla%20campaigns.pdf,Cisco,"CVE-2017-11882, CVE-2017-8759",,,sweed,,Information theft and espionage,2017,,FALSE,"Phishing, Exploit Vulnerability, Malicious Documents","Agent Tesla, Formbook, Lokibot, Microsoft .NET framework","Manufacturing, Corporations and Businesses",,, 2019-07-17,Newly identified StrongPity operations _ AT&T Alien Labs,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.07.17.StrongPity_operations/Newly%20identified%20StrongPity%20operations%20_%20AT%26T%20Alien%20Labs.pdf,AT&T Alien Labs,CVE-2016-4117,,,promethium,TR,Information theft and espionage,2012,"BE, IT, SY, TR",TRUE,"Watering Hole, Exploit Vulnerability","WinRAR, WinBox, IDM (Internet Download Manager)",Individuals,,, 2019-07-17,EvilGnome_ Rare Malware Spying on Desktop Users,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.07.17.EvilGnome/EvilGnome_%20Rare%20Malware%20Spying%20on%20Desktop%20Users.pdf,Intezer,,,,gamaredon group,RU,Information theft and espionage,2013,,FALSE,"Spear Phishing, Malicious 
Documents","EvilGnome, Makeself SFX, Spy Agent",,,, 2019-07-18,Fireeye_APT34-Invite-Join-Professional-Network(07-18-2019),Hard Pass: Declining APT34's Invite to Join Their Professional Network,https://app.box.com/s/xrhqs26aajdbb92ivgoenotrdykup5uu,FireEye,,,,apt34,IR,Espionage,,,,"Phishing, Social Engineering, Malicious Documents","TONEDEAF, PICKPOCKET, VALUEVAULT, LONGWATCH","Energy and Utilities, Government and Defense Agencies, Critical Infrastructure",,, 2019-07-18,Spam Campaign Targets Colombian Entities with Custom-made Proyecto RAT,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.07.18.Proyecto_RAT_Colombian/Spam%20Campaign%20Targets%20Colombian%20Entities%20with%20Custom-made%20Proyecto%20RAT.pdf,Trend Micro,,,,,,,,CO,FALSE,"Spear Phishing, Malicious Documents","Xpert RAT, Proyecto RAT, Visual Basic 6","Government and Defense Agencies, Financial Institutions, Healthcare, Corporations and Businesses",,, 2019-07-18,ESET_Okrum_and_Ketrican,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.07.18.Okrum/ESET_Okrum_and_Ketrican.pdf,ESET,,"T1056:Input Capture, T1064:Scripting, T1132:Data Encoding, T1033:System Owner/User Discovery, T1082:System Information Discovery, T1090:Connection Proxy, T1022:Data Encrypted, T1032:Standard Cryptographic Protocol, T1059:Command-Line Interface, T1002:Data Compressed, T1027:Obfuscated Files or Information, T1016:System Network Configuration Discovery, T1124:System Time Discovery, T1158:Hidden Files and Directories, T1497:Virtualization/Sandbox Evasion, T1066:Indicator Removal from Tools, T1071:Standard Application Layer Protocol, T1060:Registry Run Keys / Startup Folder, T1001:Data Obfuscation, T1107:File Deletion, T1023:Shortcut Modification, T1083:File and Directory Discovery, T1053:Scheduled Task, T1036:Masquerading, T1035:Service Execution, T1140:Deobfuscate/Decode Files or Information, T1134:Access Token Manipulation, T1049:System Network 
Connections Discovery, T1041:Exfiltration Over Command and Control Channel, T1050:New Service, T1043:Commonly Used Port, T1003:Credential Dumping",,ke3chang,CN,"Espionage, Information theft and espionage",2010,"BE, BR, CL, CZ, GB, GT, HR, IN, SK",,,"Keylogger, RAR archiver utility, MimikatzLite, DriveLetterView, Netsess (RiskWare), Modified Quarks PwDump, NetSess, NetE, ProcDump, PsExec, Get-PassHashes, BS2005 backdoors, TidePool, Okrum, Ketrican, RoyalDNS, Mirage RAT (MirageFox)",Government and Defense Agencies,,, 2019-07-22,APT33 PowerShell Malware,,https://norfolkinfosec.com/apt33-powershell-malware/,One Night in Norfolk,,,,apt33,IR,"Espionage, Sabotage and destruction, Information theft and espionage",2013,,,,APT33 PowerShell Malware,,,, 2019-07-23,Chinese APT 'Operation LagTime IT' Targets Government Information Technology Agencies in Eastern Asia,,https://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology,Proofpoint,CVE-2018-0798,,,ta428,CN,Information theft and espionage,2013,,FALSE,"Spear Phishing, Malicious Documents","Cotx RAT, Poison Ivy, Async RAT, RasTls.dll, IntelGraphicsController.exe, AcroRd32.exe","Government and Defense Agencies, Education and Research Institutions",,, 2019-07-24,APT17 is run by the Jinan bureau of the Chinese Ministry of State Security,,https://intrusiontruth.wordpress.com/2019/07/24/apt17-is-run-by-the-jinan-bureau-of-the-chinese-ministry-of-state-security/,Intrusion Truth,,,,apt17,CN,"Espionage, Information theft and espionage",2009,,FALSE,Exploit Vulnerability,"ZoxRPC, ZoxPNG, BLACKCOFFEE",,,, 2019-07-24,Winnti_ Attacking the Heart of the German Industry,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.07.24.Winnti_German/Winnti_%20Attacking%20the%20Heart%20of%20the%20German%20Industry.pdf,BR and NDR,,,,apt41,CN,"Financial crime, Information theft and espionage",2010,"DE, ID, US",,Phishing,Winnti,Corporations and 
Businesses,,, 2019-07-24,Resurgent Iron Liberty Targeting Energy Sector,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.07.24.Resurgent_Iron_Liberty/Resurgent%20Iron%20Liberty%20Targeting%20Energy%20Sector.pdf,SecureWorks,,,,iron liberty,RU,"Espionage, Sabotage and destruction",2010,"CA, GB, NO, US",FALSE,"Spear Phishing, Watering Hole","CrackMapExec, Mimikatz, Angry IP Scanner, PsExec, Karagany malware, MCMD remote access tool, SoftEther VPN","Energy and Utilities, Critical Infrastructure",,, 2019-07-25,Encore! APT17 hacked Chinese targets and offered the data for sale,,https://intrusiontruth.wordpress.com/2019/07/25/encore-apt17-hacked-chinese-targets-and-offered-the-data-for-sale/,Intrusion Truth,,,,apt17,CN,"Espionage, Information theft and espionage",2009,CN,,,,,,, 2019-08-05,blog_Sharpening the Machete,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.08.05.Sharpening_the_Machete/blog_Sharpening%20the%20Machete.pdf,ESET,,,,machete,,"Espionage, Information theft and espionage",2010,"EC, VE",FALSE,"Spear Phishing, Malicious Documents","7z SFX Builder, py2exe, RAR SFX, pyobfuscate, pyminifier, GoogleCrash.exe, Chrome.exe, GoogleUpdate.exe, jer.dll","Government and Defense Agencies, Education and Research Institutions",,, 2019-08-08,Suspected BITTER APT Continues Targeting Government of China and Chinese Organizations _ Anomali,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.08.08.BITTER_APT/Suspected%20BITTER%20APT%20Continues%20Targeting%20Government%20of%20China%20and%20Chinese%20Organizations%20_%20Anomali.pdf,360,,,,bitter,IN,Information theft and espionage,2013,"CN, PK, SA",FALSE,Phishing,,"Government and Defense Agencies, Corporations and Businesses",,, 2019-08-12,Kaspersky_Recent-Cloud-Atlas-activity(08-12-2019),Recent Cloud Atlas activity,https://app.box.com/s/i3x6bxmcche1jwn0j91tll3ln3shzyk6,Kaspersky,"CVE-2017-11882, 
CVE-2018-0802",,,cloud atlas,RU,"Espionage, Information theft and espionage",2012,"RU, UA",FALSE,"Spear Phishing, Malicious Documents, Exploit Vulnerability","VBShower, PowerShower, LaZagne, Microsoft Equation","Government and Defense Agencies, Corporations and Businesses",,, 2019-08-14,"In the Balkans, businesses are under fire from a double-barreled weapon",,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.08.14.Balkans_Campaign/In%20the%20Balkans%2C%20businesses%20are%20under%20fire%20from%20a%20double%E2%80%91barreled%20weapon.pdf,RSA,CVE-2018-20250,"T1056:Input Capture, T1064:Scripting, T1204:User Execution, T1082:System Information Discovery, T1090:Connection Proxy, T1203:Exploitation for Client Execution, T1059:Command-Line Interface, T1027:Obfuscated Files or Information, T1116:Code Signing, T1219:Remote Access Tools, T1106:Execution through API, T1158:Hidden Files and Directories, T1043:Commonly Used Port, T1192:Spearphishing Link, T1112:Modify Registry, T1071:Standard Application Layer Protocol, T1060:Registry Run Keys / Startup Folder, T1014:Rootkit, T1055:Process Injection, T1107:File Deletion, T1036:Masquerading, T1140:Deobfuscate/Decode Files or Information, T1035:Service Execution, T1008:Fallback Channels, T1134:Access Token Manipulation, T1108:Redundant Access, T1050:New Service, T1143:Hidden Window, T1113:Screen Capture, T1089:Disabling Security Tools",,,,,,"BA, HR, ME, RS",FALSE,"Spear Phishing, Exploit Vulnerability, Malicious Documents","BalkanDoor, BalkanRAT, WinRAR",Corporations and Businesses,,, 2019-08-15,MICROPSIA (APT-C-23),,https://github.com/jeFF0Falltrades/IoCs/blob/master/APT/micropsia_apt_c_23.md,Github (jeFF0Falltrades),,,"rule micropsia_2018 {\n meta:\n author = ""jeFF0Falltrades""\n hash = ""4c3fecea99a469a6daf2899cefe93d\n strings:\n $gen_app_id = { 53 31 DB 69 93\n $get_temp_dir = { 68 00 04 00\n $str_install_appid = ""ApppID.txt\n condition:\n 2 of them\n}",apt-c-23,PS,,,,,,"MICROPSIA, 
Kasperagent",,,, 2019-08-20,CyberThreatIntel_Malware analysis 20-08-19.md at master - StrangerealIntel_CyberThreatIntel,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.08.20.unknown_Chinese_APT/CyberThreatIntel_Malware%20analysis%2020-08-19.md%20at%20master%20%C2%B7%20StrangerealIntel_CyberThreatIntel.pdf,ESET,,,,,,,,"CN, IN, PK",FALSE,Malicious Documents,ESET RA T tool,Government and Defense Agencies,,, 2019-08-21,Cybersecurity-threatscape-2019-Q2-eng,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/Report/PTSecurity/Cybersecurity-threatscape-2019-Q2-eng.pdf,Positive Technologies,"CVE-2019-0708, CVE-2019-10149, CVE-2019-3396",,,,,,,,FALSE,"Social Engineering, Exploit Vulnerability","DanaBot, GandCrab","Government and Defense Agencies, Corporations and Businesses, Financial Institutions, Healthcare, Education and Research Institutions, Cloud/IoT Services, Individuals",,, 2019-08-22,APT34 The Helix Kitten Cybercriminal Group Loves to Meow Middle Eastern and International Organizations,,https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae,Cyware,"CVE-2017-0199, CVE-2017-11882",,,apt34,IR,Espionage,,"AL, KR, US, ZW",TRUE,"Spear Phishing, Phishing, Social Engineering, Malicious Documents","Pickpocket, ValueVault, LongWatch, Neptun, Quadagent, ThreeDollars, Fox Panel, HighShell, Glimpse, Webmask, RunningBee, HyperShell, Karkoff","Government and Defense Agencies, Corporations and Businesses, Financial Institutions, Energy and Utilities, Education and Research Institutions, Critical Infrastructure",,, 2019-08-22,Operation-Taskmasters-2019-eng,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.08.22.Operation_TaskMasters/Operation-Taskmasters-2019-eng.pdf,Positive Technologies,CVE-2017-0176,,,taskmasters,CN,,,RU,,Exploit Vulnerability,"RemShell, AtNow, pwdump, gsecdump, 
HTran, NBTScan, RAR","Corporations and Businesses, Cloud/IoT Services, Education and Research Institutions, Manufacturing, Energy and Utilities, Government and Defense Agencies",,, 2019-08-26,APT-C-09,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.08.26.APT-C-09/APT-C-09.pdf,QiAnXin,CVE-2017-11882,,,bitter,IN,Information theft and espionage,2013,"CN, IN, PK",FALSE,"Exploit Vulnerability, Malicious Documents",MSBuild.exe,"Government and Defense Agencies, Corporations and Businesses",2018-07-03,2019-08-15,408.0 2019-08-27,China Chopper still active 9 years later,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.08.27.China_Chopper/China%20Chopper%20still%20active%209%20years%20later.pdf,ESET,"CVE-2015-0062, CVE-2015-1701, CVE-2016-0099, CVE-2018–8440",,,china chopper,,,,LB,FALSE,Exploit Vulnerability,"Mini Mimikatz, CVE-2015-0062, CVE-2015-1701/CVE-2016-0099, Replace Studio, Gh0stRAT, Venom multi-hop proxy, China Chopper, procdump64.exe, PowerShell (remote shell)",Corporations and Businesses,,, 2019-08-27,Cyber Threat Group LYCEUM Takes Center Stage in Middle East Campaign,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.08.27.LYCEUM_threat_group/Cyber%20Threat%20Group%20LYCEUM%20Takes%20Center%20Stage%20in%20Middle%20East%20Campaign.pdf,SecureWorks,,,,lyceum,IR,Information theft and espionage,2017,,FALSE,"Spear Phishing, Credential Reuse, Malicious Documents","DanBot, DanDrop, kl.ps1, Decrypt-RDCMan.ps1, Get-LAPSP.ps1","Corporations and Businesses, Critical Infrastructure",2018-04-15,2019-05-15,395.0 2019-08-27,Malware analysis about sample of APT Patchwork,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.08.27.Patchwork_Malware_Analysis/Malware%20analysis%20about%20sample%20of%20APT%20Patchwork.pdf,StrangerealIntel,,"T1060:Registry Run Keys / Startup Folder, T1087:Account Discovery, 
T1064:Scripting, T1093:Process Hollowing",,,,,,"AZ, PK",TRUE,Exploit Vulnerability,,Financial Institutions,,, 2019-08-28,Inside the APT28 DLL Backdoor Blitz,,https://threatvector.cylance.com/en_us/home/inside-the-apt28-dll-backdoor-blitz.html,Cylance,,,"rule apt28_backdoor_cls\n{\n strings:\n $st1 = ""AES_256_poco"" ascii\n $st2 = ""TEncryption"" ascii\n $st3 = ""shell"" ascii\n condition:\n all of them\n}, rule apt28_backdoor_crc32\n{\n strings:\n $xor1 = { 48 8B 07 39 48 0C 75 3A 44 8B 70 08 4C 8B 38 4D 85 C0 74 2E 45 85 E4 74 29 } \n \n condition:\n $xor1\n}",apt28,RU,"Espionage, Information theft and espionage",2004,,,,"OpenSSL, Poco C++ framework, npmproxy.dll (Microsoft)",,,, 2019-08-29,Heatstroke Campaign Uses Multistage Phishing Attack to Steal PayPal and Credit Card Information,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.08.29.Heatstroke_Campaign/Heatstroke%20Campaign%20Uses%20Multistage%20Phishing%20Attack%20to%20Steal%20PayPal%20and%20Credit%20Card%20Information.pdf,Trend Micro,,,,,,,,,FALSE,Phishing,,"Corporations and Businesses, Individuals",,, 2019-08-29,tickgroupavar201920191111chaminseokpublish-191126231730,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.08.29_Tick_Tock/tickgroupavar201920191111chaminseokpublish-191126231730.pdf,AhnLab,,,,tick,CN,"Espionage, Information theft and espionage",2006,KR,,Removable Media,"Bisodown, Linkinfo.dll, Datper, Netboy, Daserf, Xxmm (KVNDM, Minzen, Murim, ShadowWali, Wali, Wrim)","Government and Defense Agencies, Corporations and Businesses, Energy and Utilities, Manufacturing, Critical Infrastructure",,, 2019-08-29,"More_eggs, Anyone_ Threat Actor ITG08 Strikes Again",,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.08.29.FIN6_ITG08/More_eggs%2C%20Anyone_%20Threat%20Actor%20ITG08%20Strikes%20Again.pdf,IBM,,,,itg08,,"Financial gain, Financial crime",2015,US,FALSE,"Spear 
Phishing, Social Engineering","Apache Bench (masqueraded), Metasploit, More_eggs backdoor, Meterpreter, Mimikatz, UPX (packer), msxsl.exe, WMI (Windows Management Instrumentation), PowerShell","Corporations and Businesses, Financial Institutions",,, 2019-08-29,SectorJ04 Group's Increased Activity in 2019,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.08.29.SectorJ04_2019/SectorJ04%20Group%E2%80%99s%20Increased%20Activity%20in%202019.pdf,ThreatRecon,,,,sectorj04,RU,,,"AE, AR, BD, BG, BH, CH, CN, DE, EC, FR, GB, HK, ID, IN, IT, JP, KR, MK, PH, PK, QA, RO, RS, RU, SA, SN, TH, TR, TW, UA, US, ZA",FALSE,Spear Phishing,"Nullsoft Installer, ServHelper, FlawedAmmy RAT, Remote Manipulator System (RMS) RAT, AdroMut, FlowerPippi","Financial Institutions, Government and Defense Agencies, Corporations and Businesses, Manufacturing, Education and Research Institutions, Media and Entertainment Companies, Healthcare, Energy and Utilities",2019-02-15,2019-08-15,181.0 2019-08-31,Bitter_APT_Malware_analysis,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.08.31.Bitter_APT_Malware_analysis/Bitter_APT_Malware_analysis.pdf,Microsoft,,"T1060:Registry Run Keys / Startup Folder, T1203:Exploitation for Client Execution, T1012:Query Registry, T1105:Remote File Copy",,bitter,IN,Information theft and espionage,2013,,,Malicious Documents,ArtraDownloader,,,, 2019-09-04,Glupteba Campaign Hits Network Routers and Updates C&C Servers with Data from Bitcoin Transactions,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.09.04.Glupteba_Campaign/Glupteba%20Campaign%20Hits%20Network%20Routers%20and%20Updates%20C%26C%20Servers%20with%20Data%20from%20Bitcoin%20Transactions.pdf,Trend Micro,CVE-2018-14847,,,,,,,,FALSE,"Drive-by Download, Exploit Vulnerability","Glupteba, WinMonFs64.sys, WinMonprocessmonitor32.sys, WinMonProcessMonitor64.sys, WinmonSystemMonitor-10-64.sys, 
WinmonSystemMonitor-7-10-32.sys, WinmonSystemMonitor-7-64.sys, dsefix.exe, patch.exe","Individuals, Corporations and Businesses",,, 2019-09-05,UPSynergy_ Chinese-American Spy vs. Spy Story,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.09.05.UPSynergy/UPSynergy_%20Chinese-American%20Spy%20vs.%20Spy%20Story.pdf,Check Point,"CVE-2017-0143, CVE-2019-0703",,"rule apt3_bemstour_implant_byte_patch \n{ \nmeta: \n \ndescription = ""Detects an implant used by Bemstour exploitation tool (APT3)"" \nauthor = ""Mark Lechtik"" \ncompany = ""Check Point Software Technologies LTD."" \ndate = ""2019-06-25"" \nsha256 = ""0b28433a2b7993da65e95a45c2adf7bc37edbd2a8db717b85666d6c88140698a"" \n \n/* \n \n0x41b7e1L C745B8558BEC83\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 mov dword ptr ebp - 0x48, 0x83ec8b55 \n0x41b7e8L C745BCEC745356\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 mov dword ptr ebp - 0x44, 0x565374ec \n0x41b7efL C745C08B750833\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 mov dword ptr ebp - 0x40, 0x3308758b \n0x41b7f6L C745C4C957C745\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 mov dword ptr ebp - 0x3c, 0x45c757c9 \n0x41b7fdL C745C88C4C6F61\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 mov dword ptr ebp - 0x38, 0x616f4c8c \n \n*/ \n \nstrings: \n \n$chunk_1 = { \n \nC7 45 ?? 55 8B EC 83 \nC7 45 ?? EC 74 53 56 \nC7 45 ?? 8B 75 08 33 \nC7 45 ?? C9 57 C7 45 \nC7 45 ?? 
8C 4C 6F 61 \n \n} \n \ncondition: \n any of them \n}, rule apt3_bemstour_strings \n{ \nmeta: \n \ndescription = ""Detects strings used by the Bemstour exploitation tool"" \nauthor = ""Mark Lechtik"" \ncompany = ""Check Point Software Technologies LTD."" \ndate = ""2019-06-25"" \nsha256 = ""0b28433a2b7993da65e95a45c2adf7bc37edbd2a8db717b85666d6c88140698a"" \nstrings: \n \n$dbg_print_1 = ""leaked address is 0x%llx"" ascii wide \n$dbg_print_2 = ""========== %s =========="" ascii wide \n$dbg_print_3 = ""detailVersion:%d"" ascii wide \n$dbg_print_4 = ""create pipe twice failed"" ascii wide \n$dbg_print_5 = ""WSAStartup function failed with error: %d"" ascii wide \n$dbg_print_6 = ""can\t open input file."" ascii wide \n$dbg_print_7 = ""Allocate Buffer Failed."" ascii wide \n$dbg_print_8 = ""Connect to target failed."" ascii wide \n$dbg_print_9 = ""connect successful."" ascii wide \n$dbg_print_10 = ""not supported Platform"" ascii wide \n$dbg_print_11 = ""Wait several seconds."" ascii wide \n$dbg_print_12 = ""not set where to write ListEntry ."" ascii wide \n$dbg_print_13 = ""backdoor not installed."" ascii wide \n$dbg_print_14 = ""REConnect to target failed."" ascii wide \n$dbg_print_15 = ""Construct TreeConnectAndX Request Failed."" ascii wide \n$dbg_print_16 = ""Construct NTCreateAndXRequest\xa0 Failed."" ascii wide \n$dbg_print_17 = ""Construct Trans2\xa0 Failed."" ascii wide \n$dbg_print_18 = ""Construct ConsWXR\xa0 Failed."" ascii wide \n$dbg_print_19 = ""Construct ConsTransSecondary\xa0 Failed."" ascii wide \n$dbg_print_20 = ""if you don\t want to input password , use server2003 version.."" ascii \nwide \n \n$cmdline_1 = ""Command format\xa0 %s TargetIp domainname username password 2"" ascii wide \n$cmdline_2 = ""Command format\xa0 %s TargetIp domainname username password 1"" ascii wide \n$cmdline_3 = ""cmd.exe /c net user test test /add && cmd.exe /c net localgroup \nadministrators test /add"" ascii wide \n$cmdline_4 = ""hello.exe\xa0 
\\""C:\\\\WINDOWS\\\\DEBUG\\\\test.exe\\"""" ascii wide \n$cmdline_5 = ""parameter not right"" ascii wide \n \n$smb_param_1 = ""browser"" ascii wide \n$smb_param_2 = ""spoolss"" ascii wide \n$smb_param_3 = ""srvsvc"" ascii wide \n$smb_param_4 = ""\\\\PIPE\\\\LANMAN"" ascii wide \n$smb_param_5 = ""Werttys for Workgroups 3.1a"" ascii wide \n$smb_param_6 = ""PC NETWORK PROGRAM 1.0"" ascii wide \n$smb_param_7 = ""LANMAN1.0"" ascii wide \n$smb_param_8 = ""LM1.2X002"" ascii wide \n$smb_param_9 = ""LANMAN2.1"" ascii wide \n$smb_param_10 = ""NT LM 0.12"" ascii wide \n$smb_param_12 = ""WORKGROUP"" ascii wide \n$smb_param_13 = ""Windows Server 2003 3790 Service Pack 2"" ascii wide \n$smb_param_14 = ""Windows Server 2003 5.2"" ascii wide \n$smb_param_15 = ""Windows 2002 Service Pack 2 2600"" ascii wide \n$smb_param_16 = ""Windows 2002 5.1"" ascii wide \n$smb_param_17 = ""PC NETWORK PROGRAM 1.0"" ascii wide \n$smb_param_18 = ""Windows 2002 5.1"" ascii wide \n$smb_param_19 = ""Windows for Workgroups 3.1a"" ascii wide \n \n$unique_str_1 = ""WIN-NGJ7GKNROVS"" \n$unique_str_2 = ""XD-A31C2E0087B2"" \n \ncondition:\n9/6/2019\nUPSynergy: Chinese-American Spy vs. 
Spy Story - Check Point Research\nhttps://research.checkpoint.com/upsynergy/\n21/24\n uint16(0) == 0x5a4d and (5 of ($dbg_print*) or 2 of ($cmdline*) or 1 of \n($unique_str*)) and 3 of ($smb_param*) \n}, rule apt3_bemstour_implant_command_stack_variable \n{ \nmeta: \n \ndescription = ""Detecs an implant used by Bemstour exploitation tool (APT3)"" \nauthor = ""Mark Lechtik"" \ncompany = ""Check Point Software Technologies LTD."" \ndate = ""2019-06-25"" \nsha256 = ""0b28433a2b7993da65e95a45c2adf7bc37edbd2a8db717b85666d6c88140698a"" \n \n \nstrings: \n \n \n/* \n \n0x41ba18L C78534FFFFFF636D642E\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 mov dword ptr ebp - 0xcc, 0x2e646d63 \n0x41ba22L C78538FFFFFF65786520\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 mov dword ptr ebp - 0xc8, 0x20657865 \n0x41ba2cL C7853CFFFFFF2F632063\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 mov dword ptr ebp - 0xc4, 0x6320632f \n0x41ba36L C78540FFFFFF6F707920\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 mov dword ptr ebp - 0xc0, 0x2079706f \n0x41ba40L C78544FFFFFF2577696E\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 mov dword ptr ebp - 0xbc, 0x6e697725 \n0x41ba4aL C78548FFFFFF64697225\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 mov dword ptr ebp - 0xb8, 0x25726964 \n0x41ba54L C7854CFFFFFF5C737973\xa0 \xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0mov dword ptr ebp - 0xb4, 0x7379735c \n0x41ba5eL C78550FFFFFF74656D33\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 mov dword ptr ebp - 0xb0, 0x336d6574 \n0x41ba68L C78554FFFFFF325C636D\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 mov dword ptr ebp - 0xac, 0x6d635c32 \n0x41ba72L C78558FFFFFF642E6578\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 mov dword ptr ebp - 0xa8, 0x78652e64 \n0x41ba7cL C7855CFFFFFF65202577\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 mov dword ptr ebp - 0xa4, 0x77252065 \n0x41ba86L C78560FFFFFF696E6469\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 mov dword ptr ebp - 0xa0, 0x69646e69 \n0x41ba90L C78564FFFFFF72255C73\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 mov dword ptr ebp - 0x9c, 0x735c2572 \n0x41ba9aL 
C78568FFFFFF79737465\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 mov dword ptr ebp - 0x98, 0x65747379 \n0x41baa4L C7856CFFFFFF6D33325C\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 mov dword ptr ebp - 0x94, 0x5c32336d \n0x41baaeL C78570FFFFFF73657468\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 mov dword ptr ebp - 0x90, 0x68746573 \n0x41bab8L C78574FFFFFF632E6578\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 mov dword ptr ebp - 0x8c, 0x78652e63 \n0x41bac2L C78578FFFFFF65202F79\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 mov dword ptr ebp - 0x88, 0x792f2065 \n0x41baccL 83A57CFFFFFF00\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 and dword ptr ebp - 0x84, 0 \n \n*/ \n \n$chunk_1 = { \n \nC7 85 ?? ?? ?? ?? 63 6D 64 2E \nC7 85 ?? ?? ?? ?? 65 78 65 20 \nC7 85 ?? ?? ?? ?? 2F 63 20 63 \nC7 85 ?? ?? ?? ?? 6F 70 79 20 \nC7 85 ?? ?? ?? ?? 25 77 69 6E \nC7 85 ?? ?? ?? ?? 64 69 72 25 \nC7 85 ?? ?? ?? ?? 5C 73 79 73 \nC7 85 ?? ?? ?? ?? 74 65 6D 33 \nC7 85 ?? ?? ?? ?? 32 5C 63 6D \nC7 85 ?? ?? ?? ?? 64 2E 65 78 \nC7 85 ?? ?? ?? ?? 65 20 25 77 \nC7 85 ?? ?? ?? ?? 69 6E 64 69 \nC7 85 ?? ?? ?? ?? 72 25 5C 73 \nC7 85 ?? ?? ?? ?? 79 73 74 65 \nC7 85 ?? ?? ?? ?? 6D 33 32 5C \nC7 85 ?? ?? ?? ?? 73 65 74 68 \nC7 85 ?? ?? ?? ?? 63 2E 65 78 \nC7 85 ?? ?? ?? ?? 65 20 2F 79 \n83 A5 ?? ?? ?? ?? 00 \n} \n \n \n9/6/2019\nUPSynergy: Chinese-American Spy vs. 
Spy Story - Check Point Research\nhttps://research.checkpoint.com/upsynergy/\n23/24\n \n/* \n \n0x41baeeL C785D8FEFFFF636D6420\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 mov dword ptr ebp - 0x128, 0x20646d63 \n0x41baf8L C785DCFEFFFF2F632022\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 mov dword ptr ebp - 0x124, 0x2220632f \n0x41bb02L C785E0FEFFFF6E657420\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 mov dword ptr ebp - 0x120, 0x2074656e \n0x41bb0cL C785E4FEFFFF75736572\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 mov dword ptr ebp - 0x11c, 0x72657375 \n0x41bb16L C785E8FEFFFF20636573\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 mov dword ptr ebp - 0x118, 0x73656320 \n0x41bb20L C785ECFEFFFF73757070\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 mov dword ptr ebp - 0x114, 0x70707573 \n0x41bb2aL C785F0FEFFFF6F727420\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 mov dword ptr ebp - 0x110, 0x2074726f \n0x41bb34L C785F4FEFFFF3171617A\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 mov dword ptr ebp - 0x10c, 0x7a617131 \n0x41bb3eL C785F8FEFFFF23454443\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 mov dword ptr ebp - 0x108, 0x43444523 \n0x41bb48L C785FCFEFFFF202F6164\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 mov dword ptr ebp - 0x104, 0x64612f20 \n0x41bb52L C78500FFFFFF64202626\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 mov dword ptr ebp - 0x100, 0x26262064 \n0x41bb5cL C78504FFFFFF206E6574\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 mov dword ptr ebp - 0xfc, 0x74656e20 \n0x41bb66L C78508FFFFFF206C6F63\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 mov dword ptr ebp - 0xf8, 0x636f6c20 \n0x41bb70L C7850CFFFFFF616C6772\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 mov dword ptr ebp - 0xf4, 0x72676c61 \n0x41bb7aL C78510FFFFFF6F757020\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 mov dword ptr ebp - 0xf0, 0x2070756f \n0x41bb84L C78514FFFFFF61646D69\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 mov dword ptr ebp - 0xec, 0x696d6461 \n0x41bb8eL C78518FFFFFF6E697374\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 mov dword ptr ebp - 0xe8, 0x7473696e \n0x41bb98L C7851CFFFFFF7261746F\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 mov dword ptr ebp - 
0xe4, 0x6f746172 \n0x41bba2L C78520FFFFFF72732063\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 mov dword ptr ebp - 0xe0, 0x63207372 \n0x41bbacL C78524FFFFFF65737375\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 mov dword ptr ebp - 0xdc, 0x75737365 \n0x41bbb6L C78528FFFFFF70706F72\xa0 \xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0mov dword ptr ebp - 0xd8, 0x726f7070 \n0x41bbc0L C7852CFFFFFF74202F61\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 mov dword ptr ebp - 0xd4, 0x612f2074 \n0x41bbcaL C78530FFFFFF64642200\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 mov dword ptr ebp - 0xd0, 0x226464 \n0x41bbd4L 6A5C\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 push 0x5c \n \n*/ \n \n$chunk_2 = { \n \nC7 85 ?? ?? ?? ?? 63 6D 64 20 \nC7 85 ?? ?? ?? ?? 2F 63 20 22 \nC7 85 ?? ?? ?? ?? 6E 65 74 20 \nC7 85 ?? ?? ?? ?? 75 73 65 72 \nC7 85 ?? ?? ?? ?? 20 63 65 73 \nC7 85 ?? ?? ?? ?? 73 75 70 70 \nC7 85 ?? ?? ?? ?? 6F 72 74 20 \nC7 85 ?? ?? ?? ?? 31 71 61 7A \nC7 85 ?? ?? ?? ?? 23 45 44 43 \nC7 85 ?? ?? ?? ?? 20 2F 61 64 \nC7 85 ?? ?? ?? ?? 64 20 26 26 \nC7 85 ?? ?? ?? ?? 20 6E 65 74 \nC7 85 ?? ?? ?? ?? 20 6C 6F 63 \nC7 85 ?? ?? ?? ?? 61 6C 67 72 \nC7 85 ?? ?? ?? ?? 6F 75 70 20 \nC7 85 ?? ?? ?? ?? 61 64 6D 69 \nC7 85 ?? ?? ?? ?? 6E 69 73 74 \nC7 85 ?? ?? ?? ?? 72 61 74 6F \nC7 85 ?? ?? ?? ?? 72 73 20 63 \nC7 85 ?? ?? ?? ?? 65 73 73 75 \nC7 85 ?? ?? ?? ?? 70 70 6F 72 \nC7 85 ?? ?? ?? ?? 74 20 2F 61 \nC7 85 ?? ?? ?? ?? 64 64 22 00 \n6A 5C \n \n} \n \n/* \n \n0x41be22L C745D057696E45\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 mov dword ptr ebp - 0x30, 0x456e6957 \n0x41be29L C745D478656300\nmov dword ptr ebp - 0x2c, 0x636578\n9/6/2019\nUPSynergy: Chinese-American Spy vs. 
Spy Story - Check Point Research\nhttps://research.checkpoint.com/upsynergy/\n24/24\n0x41be30L C7459C47657450\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 mov dword ptr ebp - 0x64, 0x50746547 \n0x41be37L C745A0726F6341\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 mov dword ptr ebp - 0x60, 0x41636f72 \n0x41be3eL C745A464647265\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 mov dword ptr ebp - 0x5c, 0x65726464 \n0x41be45L C745A873730000\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 mov dword ptr ebp - 0x58, 0x7373 \n0x41be4cL C745C443726561\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 mov dword ptr ebp - 0x3c, 0x61657243 \n0x41be53L C745C874654669\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 mov dword ptr ebp - 0x38, 0x69466574 \n0x41be5aL C745CC6C654100\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 mov dword ptr ebp - 0x34, 0x41656c \n0x41be61L C745B857726974\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 mov dword ptr ebp - 0x48, 0x74697257 \n0x41be68L C745BC6546696C\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 mov dword ptr ebp - 0x44, 0x6c694665 \n0x41be6fL C745C065000000\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 mov dword ptr ebp - 0x40, 0x65 \n0x41be76L C745AC436C6F73\xa0\xa0\xa0\xa0\xa0 \xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0mov dword ptr ebp - 0x54, 0x736f6c43 \n0x41be7dL C745B06548616E\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 mov dword ptr ebp - 0x50, 0x6e614865 \n0x41be84L C745B4646C6500\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 mov dword ptr ebp - 0x4c, 0x656c64 \n0x41be8bL 894DE8\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 mov dword ptr ebp - 0x18, ecx \n \n*/ \n \n$chunk_3 = { \n \nC7 45 ?? 57 69 6E 45 \nC7 45 ?? 78 65 63 00 \nC7 45 ?? 47 65 74 50 \nC7 45 ?? 72 6F 63 41 \nC7 45 ?? 64 64 72 65 \nC7 45 ?? 73 73 00 00 \nC7 45 ?? 
43 72 65 61 \nC7 45 ?? 74 65 46 69 \nC7 45 ?? 6C 65 41 00 \nC7 45 ?? 57 72 69 74 \nC7 45 ?? 65 46 69 6C \nC7 45 ?? 65 00 00 00 \nC7 45 ?? 43 6C 6F 73 \nC7 45 ?? 65 48 61 6E \nC7 45 ?? 64 6C 65 00 \n89 4D ?? \n \n} \n \n \ncondition: \n any of them \n}",apt3,CN,"Espionage, Information theft and espionage",2007,,TRUE,Exploit Vulnerability,"Bemstour, UPSynergy, EternalRomance, Eternal* Exploits",,,, 2019-09-06,BITTER APT_ Not So Sweet,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.09.06.BITTER_APT_Not_So_Sweet/BITTER%20APT_%20Not%20So%20Sweet.pdf,Microsoft,CVE-2017-11882,,,bitter,IN,Information theft and espionage,2013,"CN, PK",FALSE,"Exploit Vulnerability, Malicious Documents","ArtraDownloader, BitterRAT","Government and Defense Agencies, Corporations and Businesses",,, 2019-09-09,Thrip_ Ambitious Attacks Against High Level Targets Continue,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.09.09.Thrip/Thrip_%20Ambitious%20Attacks%20Against%20High%20Level%20Targets%20Continue.pdf,Symantec,,,,billbug,CN,"Espionage, Information theft and espionage",2012,"HK, ID, MO, MY, PH, VN",,"Spear Phishing, Watering Hole, Malicious Documents","Hannotog, Sagerunex, Catchamas (Infostealer.Catchamas), Evora","Government and Defense Agencies, Education and Research Institutions, Media and Entertainment Companies",,, 2019-09-11,RANCOR APT_ Suspected targeted attacks against South East Asia,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.09.11.RANCOR_APT/RANCOR%20APT_%20Suspected%20targeted%20attacks%20against%20South%20East%20Asia.pdf,MeltX0R Security,CVE-2018-0798,,,rancor,CN,"Espionage, Information theft and espionage",2017,,FALSE,"Exploit Vulnerability, Malicious Documents","DDKONG, PLAINTEE, GoogleUpdate.exe",Government and Defense Agencies,,, 
2019-09-15,The-Kittens-Are-Back-in-Town-Charming-Kitten-2019,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.09.15_Kittens_back/The-Kittens-Are-Back-in-Town-Charming-Kitten-2019.pdf,ClearSky,,,,charming kitten,IR,Espionage,,"FR, US",FALSE,"Spear Phishing, Phishing, Social Engineering",,,,, 2019-09-18,Magecart Skimming Attack Targets Mobile Users of Hotel Chain Booking Websites,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.09.18.Magecart_Hotel_Chain_Booking/Magecart%20Skimming%20Attack%20Targets%20Mobile%20Users%20of%20Hotel%20Chain%20Booking%20Websites.pdf,Trend Micro,CVE-2019-2215,,,mirrorthief,,,,,TRUE,Website Equipping,Magecart,"Corporations and Businesses, Education and Research Institutions, Individuals",,, 2019-09-18,Tortoiseshell Group Targets IT Providers in Saudi Arabia in Probable Supply Chain Attacks,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.09.18.Tortoiseshell-APT/Tortoiseshell%20Group%20Targets%20IT%20Providers%20in%20Saudi%20Arabia%20in%20Probable%20Supply%20Chain%20Attacks.pdf,Symantec,,,,"apt34, tortoiseshell",IR; IR,Espionage; Information theft and espionage,NaN; 2018,SA,,Exploit Vulnerability,"Backdoor.Syskit, Infostealer/Sha.exe/Sha432.exe, Infostealer/stereoversioncontrol.exe, get-logon-history.ps1, Poison Frog",Corporations and Businesses,2018-07-15,2019-07-15,365.0 2019-09-19,Emissary Panda APT Recent infrastructure and RAT analysis,,https://meltx0r.github.io/tech/2019/09/19/emissary-panda-apt.html,MeltX0R Security,,,,emissary panda,CN,"Espionage, Information theft and espionage",2010,"GB, US",,Watering Hole,"ZxShell Remote Access Trojan (RAT), Svchost.exe, odbccx32.dll, autochk.sys","Government and Defense Agencies, Corporations and Businesses, Energy and Utilities, Manufacturing",,, 2019-09-24,APT or not APT What's Behind the Aggah 
Campaign,,https://yoroi.company/research/apt-or-not-apt-whats-behind-the-aggah-campaign/,Yoroi,,,,gorgon group,PK,Information theft and espionage,2017,,FALSE,Malicious Documents,"AzoRult 3.2, Mana Tools, RevengeRAT, Hackitup DLL",,,, 2019-09-24,How Tortoiseshell created a fake veteran hiring website to host malware,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.09.24_New_Tortoiseshell/How%20Tortoiseshell%20created%20a%20fake%20veteran%20hiring%20website%20to%20host%20malware.pdf,Cisco,,,,tortoiseshell,IR,Information theft and espionage,2018,,FALSE,Watering Hole,"Cisco AMP for Endpoints, Cisco Cloud Web Security (CWS), Web Security Appliance (WSA), Email Security, Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), Meraki MX, AMP Threat Grid, SNORT, IvizTech (RAT)",Corporations and Businesses,,, 2019-09-24,DeadlyKiss_TAAR,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.09.24.DeadlyKiss_APT/DeadlyKiss_TAAR.pdf,360,,,,,,,,,,,,,,, 2019-09-26,Chinese APT Hackers Attack Windows Users via FakeNarrator Malware,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.09.26_China_APT_FakeNarrator_To_PcShare/Chinese%20APT%20Hackers%20Attack%20Windows%20Users%20via%20FakeNarrator%20Malware.pdf,Cylance,,,,,,,,,FALSE,Exploit Vulnerability,"PcShare backdoor, FakeNarrator malware, bespoke Trojan, NVIDIA application (used as a legitimate application to help load malware)",Corporations and Businesses,,, 2019-10-01,New Fileless Botnet Novter Distributed by KovCoreG Malvertising Campaign,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.10.01.kovcoreg-malvertising-campaign/New%20Fileless%20Botnet%20Novter%20Distributed%20by%20KovCoreG%20Malvertising%20Campaign.pdf,Trend Micro,,,,kovcoreg,,,,US,FALSE,"Social Engineering, Malicious Documents","Novter, KovCoreG, Nodster, Adobe Flash, 
Player{timestamp}.hta, Invoke-PSInject",Corporations and Businesses,,, 2019-10-01,Tech-Brief-New-Fileless-Botnet-Novter-Distributed-by-KovCoreG-Malvertising-Campaign,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.10.01.kovcoreg-malvertising-campaign/Tech-Brief-New-Fileless-Botnet-Novter-Distributed-by-KovCoreG-Malvertising-Campaign.pdf,Trend Micro,,,,kovcoreg,,,,,FALSE.,Social Engineering,"Novter, WinDivert, Nodster, NodeJS, socket.io, KovCoreG, Adobe Flash, Invoke-PSInject, PowerShell Reflective Injection, CMSTPLUA COM interface, RC4",Individuals,,, 2019-10-01,Appendix-New-Fileless-Botnet-Novter-Distributed-by-KovCoreG-Malvertising-Campaign,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.10.01.kovcoreg-malvertising-campaign/Appendix-New-Fileless-Botnet-Novter-Distributed-by-KovCoreG-Malvertising-Campaign.pdf,Trend Micro,,,,,,,,,FALSE,,"Trojan.JS.Nodster.A, Downloader.JS.TRX.XXJSE9EFF011R5B53, Trojan.JS.WINDIVERT.B, Trojan.JS.WINDIVERT.A, Trojan.Win32.Novter.A, Troj.Win32.TRX.XXPE50FFF031, Trojan.JS.KovCoreG.A",,,, 2019-10-01,New Adwind Campaign targets US Petroleum Industry,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.10.01.Adwind_Campaign_US_Petroleum_Industry/New%20Adwind%20Campaign%20targets%20US%20Petroleum%20Industry.pdf,Netskope,,,,,,,,US,FALSE,,"ByteCode-JAVA.Trojan.Kryptik, Gen:Variant.Application.Agentus.1, Adwind RAT",Energy and Utilities,,, 2019-10-03,PKPLUG_ Chinese Cyber Espionage Group Attacking Asia,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.10.03.PKPLUG/PKPLUG_%20Chinese%20Cyber%20Espionage%20Group%20Attacking%20Asia.pdf,Palo Alto,CVE-2012-0158,,,pkplug,CN,,,"CN, ID, MM, MN, TW, VN",FALSE,Spear Phishing,"PlugX, Poison Ivy, 9002 Trojan, PowerSploit, HenBox",,,, 2019-10-03,Contextis_AVIVORE-Aerospace-Supply-Chain(10-03-2019),AVIVORE - Hunting Global Aerospace 
through the Supply Chain,https://app.box.com/s/jzzs9epfezg1oxqthimjsi4llk0hxhpo,Contextis,,,,avivore,CN,Information theft and espionage,2015,GB,FALSE,Credential Reuse,"Network scanning and certificate extractions tools, Windows SysInternals tools, ProcDump, PlugX Remote Access Trojan, 'net' commands, RDP (Remote Desktop Protocol)","Corporations and Businesses, Manufacturing, Energy and Utilities, Critical Infrastructure, Cloud/IoT Services",,, 2019-10-07,"The Kittens Are Back in Town 2 - Charming Kitten Campaign Keeps Going on, Using New Impersonation Methods - ClearSky Cyber Security",,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.10.07.Charming_Kitten_Back_in_Town_2/The%20Kittens%20Are%20Back%20in%20Town%202%20-%20Charming%20Kitten%20Campaign%20Keeps%20Going%20on%2C%20Using%20New%20Impersonation%20Methods%20-%20ClearSky%20Cyber%20Security.pdf,ClearSky,,,,charming kitten,IR,Espionage,,"DE, FR, IR, US",,Spear Phishing,,"Education and Research Institutions, Media and Entertainment Companies, Individuals",2019-07-15,2019-09-15,62.0 2019-10-07,CERTFR-2019-CTI-005,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.10.07.Supply_Chain_Attacks/CERTFR-2019-CTI-005.pdf,ANSSI,,,,,,,,,FALSE,"Exploit Vulnerability, Phishing, Credential Reuse","Custom malware (designed to monitor web browsers and gather credentials and session cookies), ProcDump, CertMig, WMIExec.vbs, rar.exe, MimiKatz, Netscan, Acunetix, PlugX (mentioned as part of former intrusions using PlugX malwares)",Corporations and Businesses,,, 2019-10-07,"China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations",,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.10.07.Panda_minority-groups/China-Based%20APT%20Mustang%20Panda%20Targets%20Minority%20Groups%2C%20Public%20and%20Private%20Sector%20Organizations.pdf,Anomali,,,,mustang panda,CN,"Espionage, 
Information theft and espionage",2012,"DE, MM, MN, PK, VN",FALSE,"Spear Phishing, Malicious Documents","PlugX, Cobalt Strike","Government and Defense Agencies, Non-Governmental Organizations (NGOs) and Nonprofits, Individuals",2018-11-15,2019-08-29,287.0 2019-10-10,Mahalo_FIN7,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.10.10.Fin7/Mahalo_FIN7.pdf,FireEye,,"T1129:Execution through Module Load, T1116:Code Signing, T1140:Deobfuscate/Decode Files or Information, T1106:Execution through API, T1022:Data Encrypted, T1038:DLL Search Order Hijacking, T1027:Obfuscated Files or Information, T1107:File Deletion, T1179:Hooking","rule Exports_BOOSTWRITE\n{\nmeta:\n\xa0 \xa0 \xa0author = ""Steve Miller (@stvemillertime) & Nick Carr (@itsreallynick)""\nstrings:\n\xa0 \xa0 \xa0$exyPants = ""DWriteImpl.dll"" nocase\ncondition:\n\xa0 \xa0 \xa0uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and $exyPants at pe.rva_to_offset(uin‐\nt32(pe.rva_to_offset(pe.data_directoriespe.IMAGE_DIRECTORY_ENTRY_EXPORT.virtual_address) +\n12)) and filesize < 6MB\n}, rule ConventionEngine_BOOSTWRITE\n{\n\xa0meta:\n\xa0 \xa0 \xa0author = ""Nick Carr (@itsreallynick)""\n\xa0 \xa0 \xa0reference = ""https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-\ndetails-part-one-pdb-paths-malware.html""\nstrings:\n\xa0 \xa0 \xa0$weetPDB = /RSDS\\x00-\\xFF{20}a-zA-Z?:?\\\\\\\\\\s|*\\s?.{0,250}\\\\DWriteImpl\\\\\\s|*\\s?.{0,250}\\.pdb\\x00/\nnocase\n\xa0condition:\n\xa0 \xa0 \xa0(uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $weetPDB and filesize < 6MB\n}",fin7,RU,"Financial gain, Financial crime",2013,,,,"BOOSTWRITE, RDFSNIFFER, MalwareGuard, APTFIN.Dropper.Win.BOOSTWRITE, APTFIN.Backdoor.Win.RDFSNIFFER, FE_APTFIN_Dropper_Win_BOOSTWRITE, FE_APTFIN_Backdoor_Win_RDFSNIFFER",Corporations and Businesses,,, 
2019-10-10,ASEC_REPORT_vol.96_ENG,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/Report/AhnLab/ASEC_REPORT_vol.96_ENG.pdf,AhnLab,,,,,,,,KR,,Spear Phishing,"wsat.dll, WinSAT.dll, WinSat64.dll, Mcx2Svc.dat, ChromeDrop.rar, ChromeSearch.klg, ChromeSearch.lst, ChromeSearch.scf, ChromInst.cif, ChromInst.klg, ChromInst.lst, ChromInst.scf, IEUpdate.cif, IEUpdate.klg, IEUpdate.lst, IEUpdate.scf, NaverAddress.db, sponge.apk, WinSat.cif, 20. WinSat.klg, 2WinSAT.lst, 22. WinSAT.rem, 23. WinSat",Government and Defense Agencies,,, 2019-10-10,"ESET discovers Attor, a spy platform with curious GSM fingerprinting _ WeLiveSecurity",,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.10.10.Attor_GSM_fingerprinting_spy_platform/ESET%20discovers%20Attor%2C%20a%20spy%20platform%20with%20curious%20GSM%20fingerprinting%20_%20WeLiveSecurity.pdf,ESET,,"T1056:Input Capture, T1082:System Information Discovery, T1022:Data Encrypted, T1032:Standard Cryptographic Protocol, T1129:Execution through Module Load, T1079:Multilayer Encryption, T1085:Rundll32, T1106:Execution through API, T1020:Automated Exfiltration, T1099:Timestomp, T1123:Audio Capture, T1158:Hidden Files and Directories, T1497:Virtualization/Sandbox Evasion, T1112:Modify Registry, T1071:Standard Application Layer Protocol, T1119:Automated Collection, T1120:Peripheral Device Discovery, T1055:Process Injection, T1107:File Deletion, T1083:File and Directory Discovery, T1053:Scheduled Task, T1074:Data Staged, T1036:Masquerading, T1188:Multi-hop Proxy, T1035:Service Execution, T1140:Deobfuscate/Decode Files or Information, T1041:Exfiltration Over Command and Control Channel, T1105:Remote File Copy, T1108:Redundant Access, T1050:New Service, T1043:Commonly Used Port, T1037:Logon Scripts, T1113:Screen Capture",,,,,,RU,FALSE,,"Attor, TrueCrypt, Tor",Government and Defense Agencies,,, 
2019-10-14,winnti_EN,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.10.14.From_tweet_to_rootkit/winnti_EN.pdf,ExaTrack,,,,,,,,,,,"workdll64.dll, rasppp.dll, Hybrid Analysis",,,, 2019-10-14,huge-fan-of-your-work-intelligence-report,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.10.14.TURBINE_PANDA/huge-fan-of-your-work-intelligence-report.pdf,CrowdStrike,,,,sakula,,,,"FR, US",,Watering Hole,"Sakula, FFRAT, IsSpace, PlugX, Winnti","Government and Defense Agencies, Corporations and Businesses, Healthcare, Critical Infrastructure",,, 2019-10-14,Is Emotet gang targeting companies with external SOC,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.10.14.Emotet_external_SOC/Is%20Emotet%20gang%20targeting%20companies%20with%20external%20SOC.pdf,Microsoft,,,"rule EMOTET_SOC_EXE { \n meta: \n date = ""2019-10-13"" \n hash1 = ""de6a8b8612b5236a18eea1a6a8f53e117d046cf2ad95e079a6715af68f8d2216"" \n strings: \n $x1 = ""c:\\\\Users\\\\User\\\\Desktop\\\\2003\\\\Efential\\\\Release\\\\EFENTIAL.pdb"" fullword \nascii \n $s2 = ""EFENTIAL.exe"" fullword ascii \n $s3 = \n""ZNtlsIkbp2bxIIBXLbRtd3e85g7mJ73gSFPnybocDj/xsKVPWxzllXY/FdB150/ewzkkdzDw5VMbiVfS/SPd0FlXp\n ascii \n $s4 = \n""tblJgbnpgZmZCaHxmfEpoaS9Cb31DfHpZfVJobW5SYG56YGZmQmh8ZnxKaGkvQm99Q3x6WX1SaG1uUmBuemBmZkJo\n ascii /* base64 encoded string \n\nR`nz`ffBh|f|Jhi/Bo}C|zY}RhmnR`nz`ffBh|f|Jhi/Bo}C|zY}RhmnR`nz`ffBh|f|Jhi/Bo}C|zY}RhmnR`nz\n */ \n $s5 = \n""C9813Hcfx1BkY3VrYVwfB4tWs+/Eb93UVwdvrbdywicNqMdPSiMzJFXbZbSLG6cDA/O9Vy2ob3d3PeVLcie95EpT5\n ascii \n $s6 = \n""G+MfTPu8J3chkKdvVwmN7R/fNdx3H8cxWUFva2FcHweLIPfrnG/d1FcHb/FxEOQnDajHT0qu26c122W0ixunZpkE2\n ascii \n $s7 = \n""RSVloG9h6HM56NP1tCMFZKs69gEEW+JoiOCz9U3uI3uYsb+mL2+97Wf903wpFDCKiBjjtt/TznbwXOcnHS87rh7rG\n ascii \n $s8 = \n""iOC7W7cnZWhtQTw5nu3bSa/eHxvVFB3RfZP9CFkKs3KWazNkXJPk+HTPmTvpWFcnpLn2DUFtp2v1ELP9acqRoKOXI\n ascii \n $s9 = 
\n""6RzgkjSOWDNk6FtXIb1gBQ0oTx93sMelCVJYrG9ZEJB07FiwoYhZkKiSkNh3DQweyOCz9UXEmKjkHOXYfeRY2qT4p\n ascii \n $s10 = \n""StOEJiPbZbiKG6dLTcWrVy28bnd3MRHI6Se9+EtT5xnfnbI/8aimT1vHvvS1PxXYdudP5QazN3cw+OZTG6WMoPkj3\n ascii \n $s11 = \n""mQOhiAgYsPyI4DhFgdYtLdGQ1W9Bxmd6m3lnTJcfr4gYGLD8iOA41oOuIaXdCNnnTaphWJ1HYWqR+qqIKBiwmIjgO\n ascii \n $s12 = \n""Jd812HQfx5Qv5tVrYSAcB4t1CVi1b93QVAdvpSmDyCcNpMRPSpcCbzzbZbCIG6fu/FMSVy20bHd3ShSspye94ElT5\n ascii \n $s13 = \n""f64odyFEoG9XrrnC4d81EHAfx9MLlPdrYegYB4s9h95Cb91oUAdvuYg3nCcNHMBPSk5z9mnbZfiNG6fklZhYVy38a\n ascii \n $s14 = \n""G5WtAP8+00dbvQhs6PgZzXSo8WjM1YD2S2wk9prpUJn8oG0I4laYrNKGZTi4kPTVMKbGcImVZllhx5Tj+amkWDhXp\n ascii \n $s15 = \n""3ie9qEhT593fXyw/8filT1s1hgetPxWodedPR5foK3cwiOVTG/Eyi+Yj3ZhZV6cVyoNtTw00TR93mxbYI2udnBnjH\n ascii \n $s16 = \n""RpFqNpYQapubxqPNu6yDXrsXC6qB7CzF0GzVj0FjbT6RdW15ncWnY7/vh92xHgE5j7MjB9mZ3mVK5FiwlKhYoKj4k\n ascii \n $s17 = \n""5Ewf7cgaGLAv7VSjeroTTJAjcpy+a7Ql2VPnU2HVntv/mUgzY6rVrB/TYQX35L9Xj+N9SPwkjLT2k+D48S0nWy/tV\n ascii \n $s18 = \n""5Ewf7cgaGLAv7VSjeroTTJAjcpy+a7Ql2VPnU2HVntv/mUgzY6rVrB/TYQX35L9Xj+N9SPwkjLT2k+D48S0nWy/tV\n ascii \n2/11/2020\nIs Emotet gang targeting companies with external SOC? 
– Marco Ramilli Web Corner\nhttps://marcoramilli.com/2019/10/14/is-emotet-gang-targeting-companies-with-external-soc/\n8/9\n $s19 = \n""iBunjDe9gVct7Gx3d65SQF8nvahJU+cRqKveP/H4pE9bLL3YAz8VqHTnT7v1JHR3MIjkUxv0uwvjI92YWFenoW2yz\n ascii \n $s20 = \n""pKjTapsqZ36hVbhZOPU4sD5ekeEYE2WaixuncUK41ZSfp87TA/3tI91r1DvwoBcDoQywknwbTexd6FjAV+2Ac8gY7\n ascii \n condition: \n uint16(0) == 0x5a4d and filesize < 800KB and \n ( pe.imphash() == ""ffcd1ab4ae5e052202d6af1ea2767498"" or ( 1 of ($x*) or 4 of them ) \n) \n}, rule EMOTET_SOC_PE { \n meta: \n date = ""2019-10-13"" \n hash1 = ""6125489453c1824da3e28a54708e7c77875e500dd82a59c96c1d1e5ee88dcad7"" \n strings: \n $x1 = ""*\\\\G{0D452EE1-E08F-101A-852E-\n02608C4D0BB4}#2.0#0#C:\\\\windows\\\\system32\\\\FM20.DLL#Microsoft Forms 2.0 Object Library"" \nfullword wide \n $x2 = ""Customer50041 Keeling Bypass, North Christellefort, Tunisia Global128 Manuel \nStravenue, New Nicholasfort, Montserrat"" fullword ascii \n $x3 = ""*\\\\G{00020430-0000-0000-C000-\n000000000046}#2.0#0#C:\\\\Windows\\\\system32\\\\stdole2.tlb#OLE Automation"" fullword wide \n $x4 = ""Forward297 German Trail, West Miloshire, Germany Product44796 Chesley \nBypass, East Santos, Antigua and Barbudan"" fullword ascii \n $x5 = ""Regional1198 Rahsaan Motorway, Klockoburgh, Czech Republic Human326 Olson \nBypass, North Nicholaus, Zimbabwe"" fullword ascii \n $x6 = ""Dynamic6743 Hickle Bypass, West Karliborough, United States Minor Outlying \nIslands Product6344 Zieme Inlet, Gloverfurt, Taiwan"" fullword ascii \n $x7 = ""*\\\\G{3D3F9F38-A9F3-48A3-AE60-\n38AE7491F39A}#2.0#0#C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\Word8.0\\\\MSForms.exd#Micros\n Forms"" wide \n $s8 = ""Central080 Ari Ranch, Port Sarinachester, Saint Vincent and the Grenadines \nProduct4773 Cornelius Ford, Maybelleville, Morocco"" fullword ascii \n $s9 = ""Senior75970 Kiehn Brook, Port Joaquin, Comoros Forward6656 Parker Extension, \nHalvorsonton, Zambia"" fullword ascii \n $s10 = 
""6868686868686868686868"" ascii /* reversed goodware string \n\8686868686868686868686\ */ /* hex encoded string \hhhhhhhhhhh\ */ \n $s11 = ""*\\\\G{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}#2.8#0#C:\\\\Program Files\\\\Common \nFiles\\\\Microsoft Shared\\\\OFFICE16\\\\MSO.DLL#Microsoft "" wide \n $s12 = ""Dynamic98251 Karli Mission, Deronhaven, Democratic People\s Republic of \nKorea Chief1365 Hermann Passage, Rickyport, Oman24 "" fullword ascii \n $s13 = ""Forward0973 Nienow Dam, Walkermouth, Egypt Customer976 MacGyver Mountain, \nSchoentown, Northern Mariana Islands+ Lo "" fullword ascii \n $s14 = ""Corporate28089 Etha Bypass, Jastbury, Turkmenistan Dynamic764 Price Cliffs, \nWelchtown, Algeriaog(1 "" fullword ascii \n $s15 = ""National4629 Brianne Locks, Port Shadburgh, Bangladesh Forward481 Ashton \nCourse, Lake Judson, Pakistana Pr"" fullword ascii \n $s16 = ""Forward563 Sasha Mountains, Nitzschestad, Palau Lead58549 Lesch Parkways, \nPort Archburgh, Burundi"" fullword ascii \n $s17 = ""Forward00009 Labadie Valley, Lake Othaview, Brunei Darussalam Future796 \nFritsch Road, Mertzchester, Montserrat1831 "" fullword ascii \n $s18 = ""Central9007 Leland Isle, Laurynview, Morocco Product75313 Mueller Harbors, \nWest Nakiafort, Lithuania+ Log( "" fullword ascii \n $s19 = ""Regional973 Aubrey Squares, South Simoneville, Svalbard & Jan Mayen Islands \nDynamic7842 Madilyn Course, O\Harastad, Armenia"" fullword ascii \n $s20 = ""Lead7617 Nicolas Meadows, West Odell, Saint Pierre and Miquelon Product9412 \n2/11/2020\nIs Emotet gang targeting companies with external SOC? 
– Marco Ramilli Web Corner\nhttps://marcoramilli.com/2019/10/14/is-emotet-gang-targeting-companies-with-external-soc/\n9/9\nStamm Cove, South Katlynnport, Comoros "" fullword ascii \n condition: \n uint16(0) == 0xcfd0 and filesize < 900KB and \n 1 of ($x*) and 4 of them \n}",emotet gang,,,,"KM, TN",,"Spear Phishing, Malicious Documents",Emotet Malware,Corporations and Businesses,2019-10-11,, 2019-10-15,LOWKEY_ Hunting for the Missing Volume Serial ID,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.10.15.LOWKEY/LOWKEY_%20Hunting%20for%20the%20Missing%20Volume%20Serial%20ID.pdf,FireEye,,,,apt41,CN,"Financial crime, Information theft and espionage",2010,,,,"LOWKEY, POISONPLUG, DEADEYE, IIS_Share, DeviceIOContrl-Hook","Corporations and Businesses, Healthcare, Education and Research Institutions, Media and Entertainment Companies",,, 2019-10-16,APT15,,https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/,Intezer,,,,teamtnt,,,,,,,,Corporations and Businesses,,, 2019-10-17,ESET_Operation_Ghost_Dukes,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.10.17.Operation_Ghost/ESET_Operation_Ghost_Dukes.pdf,ESET,,"T1078:Valid Accounts, T1064:Scripting, T1045:Software Packing, T1025:Data from Removable Media, T1090:Connection Proxy, T1027:Obfuscated Files or Information, T1129:Execution through Module Load, T1085:Rundll32, T1106:Execution through API, T1077:Windows Admin Shares, T1086:PowerShell, T1084:Windows Management Instrumentation Event Subscription, T1112:Modify Registry, T1071:Standard Application Layer Protocol, T1060:Registry Run Keys / Startup Folder, T1001:Data Obfuscation, T1107:File Deletion, T1083:File and Directory Discovery, T1053:Scheduled Task, T1005:Data from Local System, T1193:Spearphishing Attachment, T1035:Service Execution, T1140:Deobfuscate/Decode Files or Information, T1008:Fallback Channels, T1049:System Network Connections Discovery, 
T1041:Exfiltration Over Command and Control Channel, T1135:Network Share Discovery, T1039:Data from Network Shared Drive, T1102:Web Service, T1057:Process Discovery",,apt29,RU,"Espionage, Information theft and espionage",2008,US,FALSE,Spear Phishing,"Twitter, Reddit, Windows Management Instrumentation (WMI), PowerShell, C/C++, .NET, Python, PsExec",Government and Defense Agencies,,, 2019-10-21,Winnti Group's skip-2.0_ A Microsoft SQL Server backdoor,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.10.21.Winnti_skip_2.0/Winnti%20Group%E2%80%99s%20skip%E2%80%912.0_%20A%C2%A0Microsoft%20SQL%20Server%20backdoor.pdf,ESET,,"T1485:Data Destruction, T1035:Service Execution, T1045:Software Packing, T1494:Runtime Data Manipulation, T1038:DLL Search Order Hijacking, T1492:Stored Data Manipulation, T1057:Process Discovery, T1179:Hooking, T1054:Indicator Blocking",,apt41,CN,"Financial crime, Information theft and espionage",2010,,FALSE,,"skip-2.0, Inner-Loader, VMProtected launcher, Winnti Group’s custom packer, PortReuse backdoor, ShadowPad",Media and Entertainment Companies,,, 2019-10-24,10242019 - APT28 Targeted attacks against mining corporations in Kazakhstan,,https://meltx0r.github.io/tech/2019/10/24/apt28.html,MeltX0R Security,,,,apt28,RU,"Espionage, Information theft and espionage",2004,KZ,FALSE,Malicious Documents,"Zebrocy Implant, gorodpavlodar.doc (Suspected Zebrocy dropper document)","Corporations and Businesses, Critical Infrastructure",,, 2019-10-28,SWEED Targeting Precision Engineering Companies in Italy,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.10.28_SWEED_Italy/SWEED%20Targeting%20Precision%20Engineering%20Companies%20in%20Italy.pdf,Microsoft,CVE-2017-11882,"T1158:Hidden Files and Directories, T1193:Spearphishing Attachment, T1081:Credentials in Files, T1045:Software Packing, T1204:User Execution, T1071:Standard Application Layer Protocol, T1214:Credentials in 
Registry, T1002:Data Compressed, T1107:File Deletion, T1043:Commonly Used Port, T1005:Data from Local System, T1003:Credential Dumping","rule educrety { \n meta: \n description = ""a - file educrety.exe"" \n date = ""2019-10-27"" \n hash1 = ""64114c398f1c14d4e840f62395edd9a8c43d834708f8d8fce12f8a6502b0e981"" \n strings: \n $x1 = \n""C:\\\\xampp\\\\htdocs\\\\BuilderTest\\\\8fa3c458f356fcd36f352a5923691b32\\\\Release\\\\Project1.pdb"" \nfullword ascii \n $s2 = ""prestezza.exe"" fullword wide \n $s3 = \n""hxikekatmipxycmzxzdzyjvjvbauhwajtoqytlpiphvdjeptultdnxoycrwnhxikekatmipxycmzxzdzyjvjvbauh\n fullword ascii \n $s4 = \n""auhwajtoqytlpiphvdjeptultdnxoycrwnhxikekatmipxycmzxzdzyjvjvbauhwajtoqytlpiphvdjeptultdnxo\n fullword ascii \n $s5 = \n""jvjvbauhwajtoqytlpiphvdjeptultdnxoycrwnhxikekatmipxycmzxzdzyjvjvbauhwajtoqytlpiphvdjeptul\n fullword ascii \n $s6 = ""cardsharper.exe"" fullword wide \n $s7 = \n""8BAndVNaiTqIJaSMbWPhG3OnQybcZriOD73f3HId4JvZZf8QducIzH3eWmFNUKj0LLeKfMRDoLm6IYxKzu7FpJp5d\n fullword ascii \n $s8 = \n""0auylusmslgqkcklxtxksvnfn00crwnhxikekatmipxycmzxzdzyjvjvbauhwajtoqytlpiphvdjeptultdnxoy7.\n("" fullword ascii \n $s9 = ""Aerdaekatmipxycmzxzdzyjvjvbauhwajtoqytlpiphvdjeptultdnxoycrwnhxik"" fullword \nascii \n $s10 = \n""ipxycmzxzdzyjvjvbauhwajtoqytlpiphvdjeptultdnxoycrwnhxikekatmipxycmzxzdzyjvjvbauhwajt?\npy(lpiphvdjeptultdnxoycrwnhxikK "" fullword ascii \n $s11 = ""i,hBdXe5tAl5d+x-\nyRrZn)xkVkQt@iDxMc+zLzIz;jEjEb\\""uEw\jEoHyAl2i2h@d_eDtLlGd_xAy"" fullword ascii \n $s12 = ""all-encompassing"" fullword wide \n $s13 = ""mzxzdzyjvjvbauhwajtoqytlpiphvdjept"" fullword ascii \n $s14 = ""ytlpiphvdjeptultdnxoycrwnhxikekatmipx"" fullword ascii \n $s15 = ""operator co_await"" fullword ascii \n $s16 = ""iphvd+e2t6l0d+x)y$r?n!x#k.k-t i>x6c=z)z6z*j\\""j#b7u?w9j-o+ytlpi"" fullword \nascii \n $s17 = ""operator<=>"" fullword ascii \n $s18 = ""Uqipxvdj5qtul4dnhoycpwnmxhkekathiqxycmzxZnzynvjvbaujwa"" fullword ascii \n $s19 = 
\n""IYxKzu7FpJp5dYrRb3rtzDn8BAndVNaiTqIJaSMbWPhG3OnQybcZriOD73f3HId4JvZZf8QducIzH3eWmFNUKj0LL\n ascii \n $s20 = \n""NaiTqIJaSMbWPhG3OnQybcZriOD73f3HId4JvZZf8QducIzH3eWmFNUKj0LLeKfMRDoLm6IYxKzu7FpJp5dYrRb3r\n ascii \n condition: \n uint16(0) == 0x5a4d and filesize < 2000KB and \n ( pe.imphash() == ""f9ea456264964fa19880b9033ecc9db2"" or ( 1 of ($x*) or 4 of them ) \n) \n}, rule order { \n meta: \n description = ""a - file order.xlsx"" \n2/11/2020\nSWEED Targeting Precision Engineering Companies in Italy – Marco Ramilli Web Corner\nhttps://marcoramilli.com/2019/10/28/sweed-targeting-precision-engineering-companies-in-italy/\n11/11\n date = ""2019-10-27"" \n hash1 = ""863934c1fa4378799ed0c3e353603ba0bee3a357a5c63d845fe0d7f4ebc1a64c"" \n strings: \n $s1 = ""xl/printerSettings/printerSettings1.binUT"" fullword ascii \n $s2 = ""xl/printerSettings/printerSettings2.binUT"" fullword ascii \n $s3 = ""xl/worksheets/_rels/sheet2.xml.relsUT"" fullword ascii \n $s4 = ""xl/worksheets/_rels/sheet1.xml.relsUT"" fullword ascii \n $s5 = ""Content_Types.xmlUT"" fullword ascii \n $s6 = ""xl/_rels/workbook.xml.relsUT"" fullword ascii \n $s7 = ""xl/embeddings/oleObject1.binUT"" fullword ascii \n $s8 = ""xl/sharedStrings.xmlUT"" fullword ascii \n $s9 = ""xl/worksheets/sheet2.xmlUT"" fullword ascii \n $s10 = ""xl/worksheets/sheet1.xmlUT"" fullword ascii \n $s11 = ""xl/worksheets/sheet3.xmlUT"" fullword ascii \n $s12 = ""xl/drawings/vmlDrawing1.vmlUT"" fullword ascii \n $s13 = ""docProps/app.xmlUT"" fullword ascii \n $s14 = ""xl/workbook.xmlUT"" fullword ascii \n $s15 = ""xl/theme/theme1.xmlUT"" fullword ascii \n $s16 = ""docProps/core.xmlUT"" fullword ascii \n $s17 = ""_rels/.relsUT"" fullword ascii \n $s18 = ""xl/styles.xmlUT"" fullword ascii \n condition: \n uint16(0) == 0x4b50 and filesize < 50KB and \n 8 of them \n}",sweed,,Information theft and espionage,2017,IT,FALSE,"Spear Phishing, Malicious Documents, Exploit Vulnerability","Formbook, Lokibot, Agent Tesla, 
LokiBot",Manufacturing,,, 2019-10-31,Calypso APT new group attacking state institutions,,https://www.ptsecurity.com/ww-en/analytics/calypso-apt-2019/,Positive Technologies,,,,calypso,CN,Information theft and espionage,2016,"BR, IN, KZ, RU, TH, TR",FALSE,Exploit Vulnerability,"Calypso RAT, PlugX, Byeby trojan, SysInternals, Nbtscan, Mimikatz, ZXPortMap, TCP Port Scanner, Netcat, QuarksPwDump, WmiExec, EarthWorm, OS_Check_445, DoublePulsar, EternalBlue, EternalRomance",Government and Defense Agencies,,, 2019-10-31,calypso-apt-2019-eng(10-31-2019),Calypso APT: new group attacking state institutions,https://app.box.com/s/7vzrq3frrll02n1gx4ssbtljnbgl0h7w,Positive Technologies,,"T1097:Pass the Ticket, T1064:Scripting, T1082:System Information Discovery, T1059:Command-Line Interface, T1027:Obfuscated Files or Information, T1085:Rundll32, T1024:Custom Cryptographic Protocol, T1158:Hidden Files and Directories, T1087:Account Discovery, T1060:Registry Run Keys / Startup Folder, T1001:Data Obfuscation, T1053:Scheduled Task, T1005:Data from Local System, T1046:Network Service Scanning, T1114:Email Collection, T1135:Network Share Discovery, T1043:Commonly Used Port, T1003:Credential Dumping, T1113:Screen Capture",,calypso,CN,Information theft and espionage,2016,"BR, IN, KZ, RU, TH, TR",FALSE,"Exploit Vulnerability, Credential Reuse","ASPX web shell, Calypso RAT, PlugX, Byeby trojan, SysInternals, Nbtscan, Mimikatz, ZXPortMap, TCP Port Scanner, Netcat, QuarksPwDump, WmiExec, EarthWorm, OS_Check_445, DoublePulsar, EternalBlue, EternalRomance",Government and Defense Agencies,,, 2019-10-31,MESSAGETAP_ Who's Reading Your Text Messages,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.10.31.MESSAGETAP/MESSAGETAP_%20Who%E2%80%99s%20Reading%20Your%20Text%20Messages.pdf,FireEye,,,,apt41,CN,"Financial crime, Information theft and espionage",2010,,,,MESSAGETAP,"Critical Infrastructure, Corporations and Businesses, Healthcare",,, 2019-11-04,Is 
LazarusAPT38 Targeting Critical Infrastructures,,https://marcoramilli.com/2019/11/04/is-lazarus-apt38-targeting-critical-infrastructures/,Marco Ramilli's Blog,,,,lazarus group,KP,"Information theft and espionage, Espionage, Sabotage and destruction, Sabotage, Financial crime",2014,,,"Spear Phishing, Malicious Documents",,Critical Infrastructure,,, 2019-11-04,Is Lazarus_APT38 Targeting Critical Infrastructures _ - Marco Ramilli Web Corner,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.11.04.Lazarus_APT38/Is%20Lazarus_APT38%20Targeting%20Critical%20Infrastructures%20_%20%E2%80%93%20Marco%20Ramilli%20Web%20Corner.pdf,FireEye,,,"rule lazarus_dtrack { \n meta: \n description = ""lazarus - dtrack on nuclear implant KKNPP"" \n date = ""2019-11-02"" \n hash1 = ""bfb39f486372a509f307cde3361795a2f9f759cbeb4cac07562dcbaebc070364"" \n strings: \n $x1 = ""move /y %s \\\\\\\\10.38.1.35\\\\C$\\\\Windows\\\\Temp\\\\MpLogs\\\\"" fullword ascii \n $x2 = ""Execute_%s.log"" fullword ascii \n $x3 = ""%s\\\\%s\\\\AppData\\\\Roaming\\\\Mozilla\\\\Firefox\\\\Profiles"" fullword ascii \n $s4 = ""CCS_/c ping -n 3 127.0.0.1 >NUL & echo EEEE > \\""%s\\"""" fullword ascii \n $s5 = ""%s\\\\%s\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\User Data\\\\Default\\\\History"" \nfullword ascii \n $s6 = ""Usage: .system COMMAND"" fullword ascii \n $s7 = ""Usage: .dump ?--preserve-rowids? ?--newlines? 
?LIKE-PATTERN?"" fullword ascii \n $s8 = ""CCS_shell32.dll"" fullword ascii \n $s9 = ""%s:%d: expected %d columns but found %d - filling the rest with NULL"" \nfullword ascii \n $s10 = ""%s:%d: expected %d columns but found %d - extras ignored"" fullword ascii \n $s11 = ""%s\\\\%s\\\\AppData\\\\Application Data\\\\Mozilla\\\\Firefox\\\\Profiles"" fullword \nascii \n $s12 = ""net use \\\\\\\\10.38.1.35\\\\C$ su.controller5kk /user:KKNPP\\\\administrator"" \nfullword ascii \n $s13 = ""VALUES(0,\memo\,\Missing SELFTEST table - default checks only\,\\), \n(1,\run\,\PRAGMA integrity_check\,\ok\)"" fullword ascii \n $s14 = ""CCS_Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like \nGecko) Chrome/54.0.2840.99 Safari/537.36"" fullword ascii \n $s15 = ""Usage %s sub-command ?switches...?"" fullword ascii \n $s16 = ""Usage: .log FILENAME"" fullword ascii \n $s17 = ""Content-Disposition: form-data; name=\\""result\\""; filename=\\""%s.bmp\\"""" \nfullword ascii \n $s18 = ""%z%sSELECT pti.name FROM \\""%w\\"".sqlite_master AS sm JOIN \npragma_table_info(sm.name,%Q) AS pti WHERE sm.type=\table\"" fullword ascii \n $s19 = ""CCS_kernel32.dll"" fullword ascii \n $s20 = ""CCS_Advapi32.dll"" fullword ascii \n condition: \n uint16(0) == 0x5a4d and filesize < 2000KB and \n ( pe.imphash() == ""75171549224b4292974d6ee3cf397db8"" or ( 1 of ($x*) or 4 of them ) \n) \n}",lazarus group,KP,"Information theft and espionage, Espionage, Sabotage and destruction, Sabotage, Financial crime",2014,,,,DTrack,"Financial Institutions, Media and Entertainment Companies",2019-09-04,2019-10-28,54.0 2019-11-05,Kaspersky_DarkUniverse-APT-framework27(11-05-2019),DarkUniverse - the mysterious APT framework 27,https://app.box.com/s/art5rlfy1079wxmma9c0wu0jjtax2a55,Kaspersky,,,,itaduke,,Information theft and espionage,2017,"AE, AF, BY, ET, IR, RU, SD, SY, TZ",FALSE,"Spear Phishing, Malicious Documents","DarkUniverse, ItaDuke, rundll32.exe, updater.mod, glue30.dll, uncparse.dll, 
arpSniff.pcap",Government and Defense Agencies,,, 2019-11-08,Massive malicious campaign by FakeSecurity JS-sniffer,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.11.08_FakeSecurity_JS-sniffer/Massive%20malicious%20campaign%20by%20FakeSecurity%20JS-sniffer.pdf,Microsoft,,,,,,,,,FALSE,"Phishing, Malicious Documents","FakeSecurity JS-sniffer, Vidar, Mephistophilus phishing kit","Corporations and Businesses, Healthcare, Financial Institutions",2018-12-15,2019-11-15,335.0 2019-11-08,Titanium_ the Platinum group strikes again,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.11.08_Titanium_Action_Platinum_group/Titanium_%20the%20Platinum%20group%20strikes%20again.pdf,Kaspersky,,,,platinum,,Information theft and espionage,2009,,,Watering Hole,"Titanium APT, Trojan-backdoor, BITS Downloader, COM object DLL (a loader)",,,, 2019-11-09,APT34 Event Analysis Report,,https://nsfocusglobal.com/apt34-event-analysis-report/,NSFOCUS,CVE-2017-11882,,"/*\nYARA Rule Set\nAuthor: Florian Roth\nDate: 2019-04-17\nIdentifier: Leaked APT34 / OilRig tools\nReference: https://twitter.com/0xffff0800/status/1118406371165126656\n*/\nrule APT_APT34_PS_Malware_Apr19_1 {\nmeta:\ndescription = “Detects APT34 PowerShell malware”\nauthor = “Florian Roth”\nreference = “https://twitter.com/0xffff0800/status/1118406371165126656”\ndate = “2019-04-17”\nhash1 =\n“b1d621091740e62c84fc8c62bcdad07873c8b61b83faba36097ef150fd6ec768”\n“b1d621091740e62c84fc8c62bcdad07873c8b61b83faba36097ef150fd6ec768”\nstrings:\n$x1 = “= get-wmiobject Win32_ComputerSystemProduct | Select-Object -\nExpandProperty UUID” ascii\n$x2 = “Write-Host \\”excepton occured!\\”” ascii /* \x00 */\n \n$s1 = “Start-Sleep -s 1;” fullword ascii\n$s2 = “Start-Sleep -m 100;” fullword ascii\ncondition:\n1 of ($x*) or 2 of them\n}, rule APT_APT34_PS_Malware_Apr19_3 {\nmeta:\ndescription = “Detects APT34 PowerShell malware”\nauthor = “Florian Roth”\nauthor = 
“Florian Roth”\nreference = “https://twitter.com/0xffff0800/status/1118406371165126656”\ndate = “2019-04-17”\nhash1 =\n“27e03b98ae0f6f2650f378e9292384f1350f95ee4f3ac009e0113a8d9e2e14ed”\nstrings:\n$x1 = “Powershell.exe -exec bypass -file ${global:$address1}”\n$x2 = “schtasks /create /F /ru SYSTEM /sc minute /mo 10 /tn”\n$x3 = “\\”\\\\UpdateTasks\\\\UpdateTaskHosts\\””\n$x4 = “wscript /b \\\\`\\”${global:$address1” ascii\n$x5 = “::FromBase64String(string${global:$http_ag}))” ascii\n$x6 = “.run command1, 0, false\\” | Out-File ” fullword ascii\n$x7 = “\\\\UpdateTask.vbs” fullword ascii\n$x8 = “hUpdater.ps1” fullword ascii\ncondition:\n1 of them\n}, rule APT_APT34_PS_Malware_Apr19_2 {\nmeta:\ndescription = “Detects APT34 PowerShell malware”\nauthor = “Florian Roth”\nreference = “https://twitter.com/0xffff0800/status/1118406371165126656”\ndate = “2019-04-17”\nhash1 =\n“2943e69e6c34232dee3236ced38d41d378784a317eeaf6b90482014210fcd459”\nstrings:\n$x1 = “= \\”http://\\” + System.Net.Dns::GetHostAddresses(\\”” ascii\n$x2 = “$t = get-wmiobject Win32_ComputerSystemProduct | Select-Object -\nExpandProperty UUID” fullword ascii\n$x3 = “| Where { $_ -notmatch ‘^\\\\s+$’ }” ascii\n \n$s1 = “= new-object System.Net.WebProxy($u, $true);” fullword ascii\n$s2 = ” -eq \\”dom\\”){$” ascii\n$s3 = ” -eq \\”srv\\”){$” ascii\n$s4 = “+\\”<>\\” | Set-Content” ascii\ncondition:\n1 of ($x*) and 3 of them\n}",apt34,IR,Espionage,,"AE, AL, CN, CO, EG, HK, KP, KW, LB, MM, MO, MX, NG, SA, TR, TW",FALSE,"Credential Reuse, Website Equipping","Glimpse, PoisonFrog, HyperShell, HighShell, MinionProject, Webmask","Energy and Utilities, Financial Institutions, Corporations and Businesses",,, 2019-11-12,TA-505 Cybercrime on System Integrator Companies,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.11.12_TA-505_On_SI/TA-505%20Cybercrime%20on%20System%20Integrator%20Companies.pdf,Microsoft,,,"rule TA505_Target_SystemIntegrators_sample { \n meta: \n description = 
""TA505 target System Integrators"" \n date = ""2019-11-11"" \n hash1 = ""7ebd1d6fa8c21b0d0c015475ab8c7225f949c13a33d0a39b8c069072a4281392"" \n strings: \n $x1 = ""*\\\\G{00020430-0000-0000-C000-\n000000000046}#2.0#0#C:\\\\Windows\\\\system32\\\\stdole2.tlb#OLE Automation"" fullword wide \n $s2 = ""*\\\\G{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}#2.3#0#C:\\\\Program Files\\\\Common \nFiles\\\\Microsoft Shared\\\\OFFICE11\\\\MSO.DLL#Microsoft "" wide \n $s3 = ""\%TEMP%\\\\conjunctiva.exe\"" fullword ascii \n $s4 = ""rams.exe"" fullword ascii \n $s5 = ""*\\\\G{000204EF-0000-0000-C000-\n000000000046}#4.0#9#C:\\\\PROGRA~1\\\\COMMON~1\\\\MICROS~1\\\\VBA\\\\VBA6\\\\VBE6.DLL#Visual Basic \nFor Applicat"" wide \n $s6 = ""WScript.Shell"" fullword ascii \n $s7 = ""\\\\nanagrams.exe"" fullword ascii \n $s8 = ""*\\\\G{00020905-0000-0000-C000-000000000046}#8.3#0#C:\\\\Program \nFiles\\\\Microsoftvolcano"" fullword wide \n $s9 = "" Office\\\\OFFICE11\\\\MSWORD.OLB#Microsoft Word 11.0 Object Library"" fullword \nwide \n $s10 = ""PROJECT.THISDOCUMENT.AUTOOPEN"" fullword wide \n $s11 = \n""5\\\\x64\\\\x7b\\\\x6e\\\\x65\\\\x23\\\\x29\\\\x4c\\\\x4e\\\\x5f\\\\x29\\\\x27\\\\x7e\\\\x79\\\\x67\\\\x27\\\\x6d\\\\x6a\\\\x\n fullword ascii \n $s12 = ""Project.ThisDocument.AutoOpen"" fullword wide \n $s13 = ""mistyeyed"" fullword ascii \n $s14 = ""(xor_key ^ plain_str.charCodeAt(i)); return xored_str;}"" fullword ascii \n $s15 = ""IVa.ExE\); StaRT "" fullword ascii \n $s16 = \n""65\\\\x2b\\\\x73\\\\x63\\\\x79\\\\x25\\\\x79\\\\x6e\\\\x78\\\\x7b\\\\x64\\\\x65\\\\x78\\\\x6e\\\\x49\\\\x64\\\\x6f\\\\x72\\\\\n fullword ascii \n $s17 = ""costaTEMP%instantaneous"" fullword ascii \n $s18 = ""wdSeekCurrentPageHeader$$0"" fullword ascii \n $s19 = ""TEMP%in "" fullword ascii \n $s20 = ""conjecturalitygclamydospore"" fullword ascii \n condition: \n uint16(0) == 0xcfd0 and filesize < 100KB and \n 1 of ($x*) and 4 of them \n}",ta-505,,,,,,Malicious Documents,"Get2, FlawedGrace, FlawedAmmyy, Snatch, Locky, 
Dridex","Financial Institutions, Corporations and Businesses",,, 2019-11-13,sophoslabs-uncut-2020-threat-report,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/Report/Sophos/sophoslabs-uncut-2020-threat-report.pdf,Sophos,CVE-2018-8453,,,,,,,,,"Spear Phishing, Credential Reuse, Exploit Vulnerability","PowerShell, PsExec, Anubis banker Trojan",Cloud/IoT Services,,, 2019-11-18,REWTERZ THREAT ALERT - IRANIAN APT USES JOB SCAMS TO LURE TARGETS,,http://www.rewterz.com/rewterz-news/rewterz-threat-alert-iranian-apt-uses-job-scams-to-lure-targets,Rewterz,,,,apt33,IR,"Espionage, Sabotage and destruction, Information theft and espionage",2013,,FALSE,Phishing,,Corporations and Businesses,,, 2019-11-20,Mac Backdoor Linked to Lazarus Targets Korean Users,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.11.20.Mac_Lazarus/Mac%20Backdoor%20Linked%20to%20Lazarus%20Targets%20Korean%20Users.pdf,Trend Micro,,,,lazarus group,KP,"Information theft and espionage, Espionage, Sabotage and destruction, Sabotage, Financial crime",2014,KR,,Malicious Documents,"Backdoor.MacOS.NUKESPED.A, Trend Micro Home Security for Mac, Trend Micro’s Smart Protection Suites with XGen™ security",,,, 2019-11-20,APT-C-34.cn,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.11.20.Golden_Eagle_APT-C-34/APT-C-34.cn.pdf,360,,,,apt-c-34,,Information theft and espionage,2014,KZ,TRUE,"Social Engineering, Malicious Documents, Removable Media","Framaroot, HackingTeam, TeamViewer QuickSupport (modified with a backdoor DLL)","Education and Research Institutions, Government and Defense Agencies, Media and Entertainment Companies",,, 2019-11-21,"Registers as 'Default Print Monitor', but is a malicious downloader. 
Meet DePriMon",,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.11.21.DePriMon/Registers%20as%20%E2%80%9CDefault%20Print%20Monitor%E2%80%9D%2C%20but%20is%20a%20malicious%20downloader.%20Meet%20DePriMon.pdf,ESET,,"T1140:Deobfuscate/Decode Files or Information, T1043:Commonly Used Port, T1134:Access Token Manipulation, T1112:Modify Registry, T1082:System Information Discovery, T1071:Standard Application Layer Protocol, T1090:Connection Proxy, T1107:File Deletion, T1124:System Time Discovery, T1013:Port Monitors, T1057:Process Discovery, T1007:System Service Discovery, T1036:Masquerading",,longhorn,US,"Espionage, Information theft and espionage",2009,,,,"DePriMon, ColoredLambert",Corporations and Businesses,,, 2019-11-25,Studying Donot Team,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.11.25_Donot_Team/Studying%20Donot%20Team.pdf,Positive Technologies,CVE-2018-0802,,,donot team,IN,Information theft and espionage,2016,"AE, AR, BD, GB, IN, LK, PH, PK, TH",FALSE,"Spear Phishing, Malicious Documents","Framework yty, Microsoft Equation, UACMe, MS Word",Government and Defense Agencies,,, 2019-11-26,Insights from one year of tracking a polymorphic threat,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.11.26.Dexphot/Insights%20from%20one%20year%20of%20tracking%20a%20polymorphic%20threat.pdf,Microsoft,,,,,,,,,,Drive-by Download,"Dexphot, MSI package file, ZIP archive, DLL (loader DLL), Encrypted data file, Microsoft Defender Advanced Threat Protection, Cryptocurrency miner",,,, 2019-11-28,RevengeHotels_ cybercrime targeting hotel front desks worldwide,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.11.28.RevengeHotels/RevengeHotels_%20cybercrime%20targeting%20hotel%20front%20desks%20worldwide.pdf,Kaspersky,CVE-2017-0199,,,revengehotels,,,,"AR, BO, BR, CL, CR, ES, FR, IT, MX, PT, TH, TR",FALSE,"Spear 
Phishing, Social Engineering, Malicious Documents, Exploit Vulnerability","RevengeRAT, NjRAT, NanoCoreRAT, 888 RAT, ProCC",Corporations and Businesses,,, 2019-11-29,Group-IB_Hi-Tech_Crime_Trends_2019-2020,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/Report/Group-IB/Group-IB_Hi-Tech_Crime_Trends_2019-2020.pdf,Group-IB,,,,apt10,CN,Espionage,,"AU, BR, JP, PL, RU",,"Spear Phishing, Phishing, Social Engineering, Exploit Vulnerability, Drive-by Download","Ratankba, PowerRatankba, ClientRAT (aka FALLCHILL aka Manuscrypt), ClientTraficForwarder (Proxy), AppleJeus, PowerTask, PowershellRAT, Banswift/BBSwift, FastCash, RatankbaPOS, Mimikatz, Metasploit, Cobalt Strike, Dtrack, China Chopper, Poison Ivy, Shamoon","Corporations and Businesses, Financial Institutions, Energy and Utilities, Cloud/IoT Services, Critical Infrastructure",,, 2019-12-03,Threat Actor Targeting Hong Kong Pro-Democracy Figures,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.12.03.Hong_Kong_Pro-Democracy/Threat%20Actor%20Targeting%20Hong%20Kong%20Pro-Democracy%20Figures.pdf,NSHC,,"T1064:Scripting, T1132:Data Encoding, T1033:System Owner/User Discovery, T1204:User Execution, T1082:System Information Discovery, T1022:Data Encrypted, T1032:Standard Cryptographic Protocol, T1027:Obfuscated Files or Information, T1102:Web Service, T1124:System Time Discovery, T1192:Spearphishing Link, T1218:Signed Binary Proxy Execution, T1112:Modify Registry, T1071:Standard Application Layer Protocol, T1060:Registry Run Keys / Startup Folder, T1083:File and Directory Discovery, T1005:Data from Local System, T1036:Masquerading, T1140:Deobfuscate/Decode Files or Information, T1041:Exfiltration Over Command and Control Channel, T1043:Commonly Used Port",,,,,,HK,FALSE,Spear Phishing,"GetCurrentRollback.exe, GetCurrentDeploy.dll",Individuals,,, 
2019-12-04,New_Destructive_Wiper_ZeroCleare_Final_,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.12.04.ZeroCleare/New_Destructive_Wiper_ZeroCleare_Final_.pdf,IBM Security,,,,apt34,IR,Espionage,,KW,FALSE,"Credential Reuse, Exploit Vulnerability","ZeroCleare, TWOFACE/SEASHARPEE, Mimikatz, TeamViewer, EldoS RawDisk, ASPX web shells, PowerShell/Batch scripts",Energy and Utilities,,, 2019-12-05,APT28 Attacks Evolution,,https://marcoramilli.com/2019/12/05/apt28-attacks-evolution/,Marco Ramilli's Blog,,,,apt28,RU,"Espionage, Information theft and espionage",2004,,,"Spear Phishing, Malicious Documents",,"Government and Defense Agencies, Energy and Utilities, Media and Entertainment Companies",,, 2019-12-05,PoshC2 (specifically as used by APT33),,https://github.com/jeFF0Falltrades/IoCs/blob/master/APT/poshc2_apt_33.md,Github (jeFF0Falltrades),,,,,,,,,,,,,,, 2019-12-06,Cosmic Banker campaign is still active revealing link with Banload malware,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.12.06.Cosmic_Banker_campaign/Cosmic%20Banker%20campaign%20is%20still%20active%20revealing%20link%20with%20Banload%20malware.pdf,SCILabs,,,,cosmic banker,,,,"BR, MX",,Phishing,"YARA, VMProtect, Banload",Financial Institutions,2019-03-15,2019-10-15,214.0 2019-12-10,Anchor Project The Deadly Planeswalker How The TrickBot Group United High-Tech Crimeware & APT,,https://labs.sentinelone.com/the-deadly-planeswalker-how-the-trickbot-group-united-high-tech-crimeware-apt/,SentinelOne,,,,lazarus group,KP,"Information theft and espionage, Espionage, Sabotage and destruction, Sabotage, Financial crime",2014,"DE, KR, UA",,,"TrickBot, Anchor, Metasploit, Cobalt Strike, TerraLoader, PowerShell Empire, anchorInstaller, anchorDeInstaller, AnchorBot, Bin2hex, psExecutor, memoryScraper","Healthcare, Critical Infrastructure",,, 2019-12-11,Chrome 0-day exploit CVE-2019-13720 used in Operation 
WizardOpium,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.11.1.Operation_WizardOpium/Chrome%200-day%20exploit%20CVE-2019-13720%20used%20in%20Operation%20WizardOpium%20.pdf,Kaspersky,CVE-2019-13720,,,,,,,,TRUE,Watering Hole,"JavaScript, RC4, msdisp64.exe",Media and Entertainment Companies,,, 2019-12-11,Anchor IOCs,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.12.11_DROPPING_ANCHOR/Anchor%20IOCs.pdf,EFF,,,,,,,,,,,"TrickBot-Anchor, AnchorInstaller_x86, anchorInstaller_x64, Anchor_x86, Anchor_x64",,,, 2019-12-11,Dropping Anchor_ From a TrickBot Infection to the Discovery of the Anchor Malware,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.12.11_DROPPING_ANCHOR/Dropping%20Anchor_%20From%20a%20TrickBot%20Infection%20to%20the%20Discovery%20of%20the%20Anchor%20Malware.pdf,Cybereason,,,,fin6,,"Financial gain, Financial crime",2015,US,,Spear Phishing,"Anchor_DNS, Anchor, TrickBot, Meterpreter, PowerShell Empire, Cobalt Strike","Corporations and Businesses, Financial Institutions, Manufacturing",,, 2019-12-12,cta-2019-1212,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.12.12.Operation_Gamework/cta-2019-1212.pdf,Recorded Future,,,,bluealpha,RU,Information theft and espionage,2013,"SA, UA",,,,,,, 2019-12-12,GALLIUM_ Targeting global telecom,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.12.12.GALLIUM/GALLIUM_%20Targeting%20global%20telecom.pdf,Microsoft,,,,gallium,,Information theft and espionage,2018,,FALSE,Exploit Vulnerability,"Black-Mould, China Chopper, Poison Ivy (modified), QuarkBandit, HTRAN, Mimikatz, NBTScan, Netcat, PsExec, Windows Credential Editor (WCE), WinRAR",Corporations and Businesses,,, 
2019-12-12,wp-drilling-deep-a-look-at-cyberattacks-on-the-oil-and-gas-industry,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.12.12.Drilling_Deep/wp-drilling-deep-a-look-at-cyberattacks-on-the-oil-and-gas-industry.pdf,Trend Micro,,,,apt33,IR,"Espionage, Sabotage and destruction, Information theft and espionage",2013,"GB, IN, US",TRUE,"Spear Phishing, Phishing, Watering Hole, Exploit Vulnerability","POWERSTATS V3, Bluetooth harvester, Webshells, China Chopper webshell","Corporations and Businesses, Energy and Utilities, Critical Infrastructure",,, 2019-12-16,sophoslabs-uncut-mykings-report,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.12.16.MyKings/sophoslabs-uncut-mykings-report.pdf,RSA,,,,,,,,"BR, CN, IN, JP, RU, TW, US",FALSE,Exploit Vulnerability,"ns.exe, downShell.exe, ok32.dll, ok64.dll, 1.ini",,,, 2019-12-17,Rancor_ Cyber Espionage Group Uses New Custom Malware to Attack Southeast Asia,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.12.17.Rancor/Rancor_%20Cyber%20Espionage%20Group%20Uses%20New%20Custom%20Malware%20to%20Attack%20Southeast%20Asia.pdf,Palo Alto,,,,rancor,CN,"Espionage, Information theft and espionage",2017,,FALSE,Malicious Documents,"Dudell, Derusbi, KHRat, DDKONG Plugin",Government and Defense Agencies,,, 2019-12-17,"CN_Dacls, the Dual platform RAT",,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.12.17.Dacls_RAT/CN_Dacls%2C%20the%20Dual%20platform%20RAT.pdf,360,CVE-2019-3396,,,lazarus group,KP,"Information theft and espionage, Espionage, Sabotage and destruction, Sabotage, Financial crime",2014,,,Exploit Vulnerability,"Win32.Dacls, Linux.Dacls, Socat, Confluence CVE-2019-3396 Payload",,2019-05-01,2019-10-25,177.0 2019-12-18,Deepinstinct_Untanglin-Legion(12-18-2019),Untangling Legion Loader's Hornet Nest of 
Malware,https://app.box.com/s/k5zrxyqw1q5aoaog5allrvzakqw5q62h,Deep Instinct,,,,,,,,US,,,"Emotet, TrickBot, IcedID, Ryuk, Vidar, Predator the Thief, Racoon stealer, Crypto-Currency stealer, RDP backdoor, Crypto-miner, Legion Loader, MS Visual C++, PowerShell, VMware, VBOX",,,, 2019-12-19,201912_Report_Operation_Wacao,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.12.19.Operation_Wocao/201912_Report_Operation_Wacao.pdf,Fox-IT,,,,apt20,CN,Information theft and espionage,2014,"BR, CN, DE, ES, FR, GB, IT, MX, PT, US",FALSE,"Spear Phishing, Exploit Vulnerability, Drive-by Download, Removable Media, Social Engineering, Credential Reuse, Covert Channels","File upload webshell, File upload and command execution webshell, Socket tunnel, Reconnaissance script, XServer, Agent, Directory list tool, Process launcher, CheckAdmin, OS scanner, Keylogger","Government and Defense Agencies, Corporations and Businesses, Financial Institutions, Healthcare, Energy and Utilities, Manufacturing",,, 2019-12-26,Targeting Portugal_ A new trojan 'Lampion' has spread using template emails from the Portuguese Government Finance & Tax,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.12.26.Trojan-Lampion/Targeting%20Portugal_%20A%20new%20trojan%20%27Lampion%27%20has%20spread%20using%20template%20emails%20from%20the%20Portuguese%20Government%20Finance%20%26%20Tax.pdf,Microsoft,,,"rule Lampion_VBS_File_Portugal {\n2. meta:\n3. description = ""Yara rule for Lampion Portugal - December version""\n4. author = ""SI-LAB - https://seguranca-informatica.pt""\n5. last_updated = ""2019-12-28""\n6. tlp = ""white""\n7. category = ""informational""\n8. strings:\n9. $lampion_a = {53 65 74 20 76 69 61 64 6f 20 3d 20 63 75 7a 61}\n10. $lampion_b = {76 69 61 64 6f 2e 57 69 6e 64 6f 77 53 74 79 6c}\n11. condition:\n12. all of ($lampion_*)\n13. }, rule Lampion_DLL_Portugal {\n17. meta:\n18. 
description = ""Yara rule for Lampion Portugal - December version""\n19. author = ""SI-LAB - https://seguranca-informatica.pt""\n20. last_updated = ""2019-12-28""\n21. tlp = ""white""\n22. category = ""informational""\n23. strings:\n24. $lampion_a = {5468 6973 4269 6368 7400 4669 6c74 6572}\n25. condition:\n26. all of ($lampion_*) or\n27. hash.md5(0, filesize) == ""76eed98b40db9ad3dc1b10c80e957ba1""\n28. }, rule Lampion_malware_portugal {\n32. meta:\n33. description = ""Yara rule for Lampion Portugal - December version""\n34. author = ""SI-LAB - https://seguranca-informatica.pt""\n35. last_updated = ""2019-12-28""\n36. tlp = ""white""\n37. category = ""informational""\n38. strings:\n39. $lampion_a = {3f 3f 3f 3f 3f 3f 3f 74 61 3f 3f 3f 3f 3f 3f 00}\n40. condition:\n41. all of ($lampion_*) or\n42. hash.md5(0, filesize) == ""18977c78983d5e3f59531bd6654ad20f""\n43. }",,,,,PT,,Spear Phishing,"Lampion, VMProtect 3.x",Individuals,,, 2019-12-29,BRONZE PRESIDENT Targets NGOs,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2019/2019.12.29_BRONZE_PRESIDENT_NGO/BRONZE%20PRESIDENT%20Targets%20NGOs.pdf,SecureWorks,,,,bronze president,CN,"Espionage, Information theft and espionage",2012,"IN, MN",FALSE,Phishing,"Powerview.ps1, PowerSploit, PVE Find AD User, AdFind, NetSess, Netview, TeamViewer, RCSession, Nbtscan, Nmap, Wmiexec, Cobalt Strike","Non-Governmental Organizations (NGOs) and Nonprofits, Government and Defense Agencies",,, 2020-01-07,Saudi-Arabia-CNA-report,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.01.07_Destructive_Attack_DUSTMAN/Saudi-Arabia-CNA-report.pdf,IBM Security,,,"rule agent { \n meta: \n hash1 = ""44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2"" \n strings: \n $x1 = ""C:\\\\Users\\\\Admin\\\\Desktop\\\\Dustman\\\\Furutaka\\\\drv\\\\agent.plain.pdb"" fullword ascii \n $s2 = ""************** “The Political Statement” ************** "" fullword ascii \n $s3 = 
""api-ms-win-core-synch-l1-2-0.dll"" fullword wide \n $s4 = ""AppPolicyGetProcessTerminationMethod"" fullword ascii \n $s5 = ""b4b615c28ccd059cf8ed1abf1c71fe03c0354522990af63adf3c911e2287a4b906d47d"" fullword wide \n $s6 = ""operator co_await"" fullword ascii \n $s7 = ""api-ms-win-appmodel-runtime-l1-1-2"" fullword wide \n $s8 = ""bad array new length"" fullword ascii \n $s9 = "".CRT$XIAC"" fullword ascii \n $s10 = "".?AVERDError@@"" fullword ascii \n $s11 = "".?AVbad_array_new_length@std@@"" fullword ascii \n $s12 = ""\\\\\\\\?\\\\ElRawDisk"" fullword wide \nDestructive Attack “DUSTMAN”\n \n \n21 \nTechnical Report \n $s13 = ""api-ms-win-core-file-l1-2-2"" fullword wide \n $s14 = "".CRT$XCL"" fullword ascii \n condition: \n ( uint16(0) == 0x5a4d and \n filesize < 300KB and \n pe.imphash() == ""75f159bf634600808810849f244592eb"" and \n ( 1 of ($x*) or 4 of ($s*) ) \n ) or ( all of them ) \n}, rule elrawdsk { \n meta: \n hash1 = ""36a4e35abf2217887e97041e3e0b17483aa4d2c1aee6feadd48ef448bf1b9e6c"" \n strings: \n $x1 = ""c:\\\\projects\\\\rawdisk\\\\bin\\\\wnet\\\\fre\\\\amd64\\\\elrawdsk.pdb"" fullword ascii \n $s2 = ""elrawdsk.sys"" fullword wide \n $s3 = ""RawDisk Driver. 
Allows write access to files and raw disk sectors for user mode applications in \nWindows 2000 and later."" fullword wide \n $s4 = ""\\\\DosDevices\\\\ElRawDisk"" fullword wide \n $s5 = ""Copyright (C) 2007-2012, EldoS Corporation "" fullword wide \n $s6 = ""IoGetDiskDeviceObject"" fullword wide \n $s7 = ""\\\\#{9A6DB7D2-FECF-41ff-9A92-6EDA696613DF}#"" fullword wide \n $s8 = ""\\\\#{8A6DB7D2-FECF-41ff-9A92-6EDA696613DE}#"" fullword wide \n $s9 = ""EldoS Corporation"" fullword wide \n $s10 = ""{25EC4453-AB06-4b3f-BCF0-B260A68B64C9}"" fullword ascii \n $s11 = ""\\\\Device\\\\ElRawDisk"" fullword wide \n $s12 = ""###ElRawDiskAMD64###"" fullword ascii \n condition: \n ( uint16(0) == 0x5a4d and \n filesize < 70KB and \n pe.imphash() == ""6863bacaac5428e1e55a107a613c0717"" and \n ( 1 of ($x*) or 4 of ($s*) ) \n ) or ( all of them ) \n}, rule dustman { \n meta: \n hash1 = ""f07b0c79a8c88a5760847226af277cf34ab5508394a58820db4db5a8d0340fc7"" \n strings: \n $x1 = ""C:\\\\windows\\\\system32\\\\cmd.exe"" fullword ascii \n $x2 = ""C:\\\\Users\\\\Admin\\\\Desktop\\\\Dustman\\\\x64\\\\Release\\\\Dustman.pdb"" fullword ascii \n $s3 = ""AppPolicyGetProcessTerminationMethod"" fullword ascii \n $s4 = ""elrawdsk.sys"" fullword wide \n $s5 = \n""qpppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp\npppppppppppppppppppppppppppqphppphpp"" fullword ascii \n $s6 = \n""Wpppppppppppppppqpppfppprppprpppsppprppptppphpppuppp}pppvpppypppwppp|pppxppp|pppyppp|pp\npzpppwppp{pppxppp|pppfppp}pppfppp"" fullword ascii \n $s7 = \n""ipppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp\npppppppppppppppppppppppppppppppppOp0qppp"" fullword ascii \n $s8 = \n""!q0qpppyPppppppp\\""q0qpppzPpppppp`\\""q0qpppKPppppppP\\""q0qpppqTpppppp@\\""q0qpppyTpppppp0\\""q0\nqpppzTpppppp \\""q0qpppKTpppppp"" fullword ascii \n $s9 = \n""qppppp{0x.pppp~ppppppppppppppppqpppppppppppppppppppppppppppppppppppppppppppppppppppppp\npppppppppppppppppppppppppppppppp0"" 
fullword ascii \n $s10 = \n""ppLSppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp\nppppppppppppppppppppp8"" fullword ascii \n $s11 = \n""\\""q0qpppqDppppppp#q0qpppyDpppppp`#q0qpppzDppppppP#q0qpppqHpppppp@#q0qpppzHpppppp0#q0q\npppqLpppppp #q0qpppzLpppppp"" fullword ascii \n $s12 = ""zpppppp"" fullword ascii /* reversed goodware string \ppppppz\ */ \n $s13 = ""ppprppp`ppp}pppapppbpppbppprpppQppp}pppEppprppp1ppp}ppp3ppprppp \npppappp\\""ppp}ppp#ppp}ppp\pppfppp)ppp{ppp"" fullword ascii \n $s14 = ""/c agent.exe A"" fullword ascii \n $s15 = \n""q0qpppjxppppppx?q0qpppmxppppppP?q0qppp\\\\xpppppp@?q0qpppKxpppppp8?q0qpppNxpppppp(?q0qpp\np3xpppppp"" fullword ascii \n $s20 = "";q0qpppZtppppppx %#x; uCmd=%#x!"" fullword ascii \n $s13 = ""supdrvLdrFree: Image \%s\ has %d dangling objects!"" fullword ascii \n $s14 = ""SUP_IOCTL_PAGE_LOCK: Invalid input/output sizes. cbOut=%ld expected %ld."" fullword ascii \n $s15 = ""!supdrvCheckInvalidChar(pReq->u.In.szName, \\"";:(){}/\\\\\\\\|&*%#@!~`\\\\\\""\\\"")"" fullword ascii \n $s16 = ""\\\\DosDevices\\\\VBoxDrv"" fullword wide \n $s17 = ""SUP_IOCTL_LDR_GET_SYMBOL: %s"" fullword ascii \n $s18 = ""pReq->Hdr.cbIn <= SUP_IOCTL_PAGE_ALLOC_SIZE_IN"" fullword ascii \n $s19 = ""pReq->Hdr.cbIn <= SUP_IOCTL_LOW_ALLOC_SIZE_IN"" fullword ascii \n $s20 = ""SUP_IOCTL_LDR_LOAD: sym #%ld: unterminated name! 
(%#lx / %#lx)"" fullword ascii \n condition: \n ( uint16(0) == 0x5a4d and \n filesize < 200KB and \n pe.imphash() == ""b262e8d078ede007ebd0aa71b9152863"" and pe.exports(""AssertMsg1"") and \npe.exports(""RTAssertDoBreakpoint"") and pe.exports(""RTMpDoesCpuExist"") and pe.exports(""SUPR0ContAlloc"") \nand pe.exports(""SUPR0ContFree"") and pe.exports(""SUPR0GipMap"") and \n ( 1 of ($x*) or 4 of ($s*) ) \n ) or ( all of them ) \n}",,,,,,FALSE,Exploit Vulnerability,"DUSTMAN, Eldos RawDisk, ZeroCleare",Energy and Utilities,,, 2020-01-08,Operation AppleJeus Sequel,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.01.08_Operation_AppleJeus_Sequel/Operation%20AppleJeus%20Sequel.pdf,Kaspersky,,,,lazarus group,KP,"Information theft and espionage, Espionage, Sabotage and destruction, Sabotage, Financial crime",2014,"CN, GB, PL, RU",,Malicious Documents,"SWIFT, Object-C, QT framework, ADVobfuscator, .NET downloader",Financial Institutions,,, 2020-01-13,Reviving MuddyC3 Used by MuddyWater (IRAN) APT,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.01.13.muddyc3.Revived/Reviving%20MuddyC3%20Used%20by%20MuddyWater%20%28IRAN%29%20APT.pdf,Shells.Systems,,,,muddywater,IR,"Espionage, Information theft and espionage",2017,"PK, TJ, TR",FALSE,Spear Phishing,"POWERSTATS, muddyc3","Government and Defense Agencies, Non-Governmental Organizations (NGOs) and Nonprofits",,, 2020-01-13,APT27 ZXShell RootKit module updates,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.01.13.APT27_ZxShell_RootKit/APT27%20ZXShell%20RootKit%20module%20updates.pdf,Lab52,,,,apt27,CN,"Espionage, Information theft and espionage",2010,,FALSE,,"ZxShell RAT, Sysmon, GitHub, MmGetSystemRoutineAddress API, Virustotal",,,, 2020-01-15,APT-C-36 recent activity analysis,,https://lab52.io/blog/apt-c-36-recent-activity-analysis/,Lab52,,,,apt-c-36,,Information theft and espionage,2018,,FALSE,Spear 
Phishing,"LimeRAT, VJWorm",Financial Institutions,,, 2020-01-15,Hainan Xiandun Technology Company is APT40,,https://intrusiontruth.wordpress.com/2020/01/15/hainan-xiandun-technology-company-is-apt40,Intrusion Truth,,,,apt40,CN,"Espionage, Information theft and espionage",2013,"ID, KH, US, VN",,,,"Government and Defense Agencies, Corporations and Businesses, Education and Research Institutions",,, 2020-01-16,JSAC2020_3_takai_jp,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/other/JSAC2020_3_takai_jp.pdf,AhnLab,CVE-2018-20250,,,,,,,"JP, KR, RU",,"Spear Phishing, Exploit Vulnerability, Malicious Documents","Operation Bitter Biscuit, CVE-2018-20250, Wordのアドインフォルダ, MS17-010, Bisonal, RC4, checkers.exe, tools.exe, s.exe",,,, 2020-01-16,JhoneRAT_ Cloud based python RAT targeting Middle Eastern countries,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.01.16.JhoneRAT/JhoneRAT_%20Cloud%20based%20python%20RAT%20targeting%20Middle%20Eastern%20countries.pdf,Cisco,CVE-2017-0199,,,,,,,"AE, BH, DZ, EG, IQ, KW, LB, LY, MA, OM, SA, SY, TN, YE",FALSE,"Malicious Documents, Exploit Vulnerability",JhoneRAT,,,, 2020-01-16,APT40 is run by the Hainan department of the Chinese Ministry of State Security,,https://intrusiontruth.wordpress.com/2020/01/16/apt40-is-run-by-the-hainan-department-of-the-chinese-ministry-of-state-security/,Intrusion Truth,,,,apt40,CN,"Espionage, Information theft and espionage",2013,,,,,,,, 2020-01-17,Is It Wrong to Try to Find APT Techniques in Ransomware Attack,,https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf,SecureWorks,,,,,,,,,FALSE,"Phishing, Credential Reuse, Exploit Vulnerability","Emotet, TrickBot, Ryuk, RDP, MS16-032, NLBrute, Advanced IP Scanner, AmmyAdmin, NetworkShare.exe, Matrix, Advanced Port Scanner, ProcessHacker, Phobos, PCHunter, Mimikatz, KPortScan3, SoftPerfect Network Scanner, Powertools, mRemoteNG, Bruttoline, Putty, GandCrab, 
xDedicLogCleaner, VPN, PsExec, Batch file about DomainUser listing, rsa.exe, pslog.exe, sdelete.exe, GlobeImposter 2.0, Hyena, WMIexec, reGeorg, Samsam, Mail, Dridex, Empire, BitPaymer, Cob",,,, 2020-01-20,Dustman APT Art of Copy-Paste,,https://swapcontext.blogspot.com/2020/01/dustman-apt-art-of-copy-paste.html,The Vault Blog,,S0364:N/A,,,,,,,FALSE,,"Dustman, ZeroCleare, Eldos RawDisk, TDL (Furutaka)",,,, 2020-01-20,ASEC_REPORT_vol.97_ENG,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/Report/AhnLab/ASEC_REPORT_vol.97_ENG.pdf,AhnLab,CVE-2018-8453,,,,,,,KR,TRUE,,"GandCrab, V3 Lite",Corporations and Businesses,,, 2020-01-31,welivesecurity.com-Winnti Group targeting universities in Hong Kong,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.01.31.Winnti_universities_in_HK/welivesecurity.com-Winnti%20Group%20targeting%20universities%20in%20Hong%20Kong.pdf,ESET,,"T1056:Input Capture, T1065:Uncommonly Used Port, T1095:Standard Non-Application Layer Protocol, T1140:Deobfuscate/Decode Files or Information, T1043:Commonly Used Port, T1073:DLL Side-Loading, T1071:Standard Application Layer Protocol, T1022:Data Encrypted, T1113:Screen Capture, T1050:New Service, T1055:Process Injection, T1027:Obfuscated Files or Information, T1143:Hidden Window, T1024:Custom Cryptographic Protocol, T1083:File and Directory Discovery, T1010:Application Window Discovery",,apt41,CN,"Financial crime, Information theft and espionage",2010,HK,,,"ShadowPad, Winnti malware, skip-2.0","Healthcare, Education and Research Institutions",2019-10-15,2019-11-15,31.0 2020-02-03,Actors Still Exploiting SharePoint Vulnerability to Attack Middle East Government Organizations,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.02.03.SharePoint_Vulnerability_Middle_East/Actors%20Still%20Exploiting%20SharePoint%20Vulnerability%20to%20Attack%20Middle%20East%20Government%20Organizations.pdf,Palo 
Alto,CVE-2019-0604,"T1003:Credential Dumping, T1132:Data Encoding, T1033:System Owner/User Discovery, T1087:Account Discovery, T1100:Web Shell, T1069:Permission Groups Discovery, T1075:Pass the Hash, T1190:Exploit Public-Facing Application, T1083:File and Directory Discovery, T1018:Remote System Discovery, T1016:System Network Configuration Discovery",,emissary panda,CN,"Espionage, Information theft and espionage",2010,,FALSE,Exploit Vulnerability,"Mimikatz, Impacket's atexec tool, Dumpert, AntSword webshell, cURL tool",Government and Defense Agencies,2019-04-15,2020-01-10,270.0 2020-02-10,Suspected Sapphire Mushroom (APT-C-12) malicious LNK files,,https://bitofhex.com/2020/02/10/sapphire-mushroom-lnk-files/,Bit of Hex Blog,,,"rule LNK_Based_on_SID\n{\n meta:\n sample = ""70b6961af57bce72b89103197c8897a4ae3ce5fdb835ccd050f24acbac52900d""\n author = ""@mattnotmax""\n date = ""2020-01-23""\n \n strings:\n $SID = ""S-1-5-21-768223713-132671932-3453716105"" wide\n \n condition:\n filesize > 400KB and \n uint16(0) == 0x4c and \n $SID\n}",apt-c-12,,Espionage,,CN,,"Spear Phishing, Malicious Documents",,"Government and Defense Agencies, Corporations and Businesses",,, 2020-02-12,Goblin Panda APT Recent infrastructure and RAT analysis,,https://meltx0r.github.io/tech/2020/02/12/goblin-panda-apt.html,MeltX0R Security,CVE-2017-11882,,,goblin panda,CN,Information theft and espionage,2013,VN,FALSE,"Exploit Vulnerability, Malicious Documents","QcConsole.exe, QcLite.dll, stdole.tlb, wd32PrvSE.wmf","Government and Defense Agencies, Energy and Utilities",,, 2020-02-13,"New Cyber Espionage Campaigns Targeting Palestinians - Part 2_ The Discovery of the New, Mysterious Pierogi 
Backdoor",,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.02.13.PIEROGI_BACKDOOR_APT/New%20Cyber%20Espionage%20Campaigns%20Targeting%20Palestinians%20-%20Part%202_%20The%20Discovery%20of%20the%20New%2C%20Mysterious%20Pierogi%20Backdoor.pdf,Cybereason,,,,molerats,PS,Information theft and espionage,2012,PS,FALSE,"Spear Phishing, Social Engineering, Malicious Documents",Pierogi backdoor,"Government and Defense Agencies, Individuals",,, 2020-02-17,ClearSky-Fox-Kitten-Campaign-v1,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.02.17_Fox_Kitten_Campaign/ClearSky-Fox-Kitten-Campaign-v1.pdf,ClearSky Cyber Security ltd,"CVE-2018-13379, CVE-2019-11510, CVE-2019-1579","T1064:Scripting, T1068:Exploitation for Privilege Escalation, T1090:Connection Proxy, T1059:Command-Line Interface, T1002:Data Compressed, TA0001:Initial Access, T1021:Remote Services, TA0005:Defense Evasion, T1076:Remote Desktop Protocol, T1100:Web Shell, TA0007:Discovery, T1015:Accessibility Features, T1075:Pass the Hash, T1086:PowerShell, S0002:N/A, TA0008:Lateral Movement, T1081:Credentials in Files, TA0010:Exfiltration, T1133:External Remote Services, T1074:Data Staged, T1046:Network Service Scanning, TA0003:Persistence, T1065:Uncommonly Used Port, T1094:Custom Command and Control Protocol, T1136:Create Account, T1105:Remote File Copy, TA0011:Command and Control, T1102:Web Service, TA0006:Credential Access, T1003:Credential Dumping, TA0004:Privilege Escalation, TA0002:Execution",,apt34,IR,Espionage,,"AE, AT, AU, DE, FI, FR, HU, IL, IT, KW, LB, PL, SA, US",TRUE,Exploit Vulnerability,", STSRCheck, POWSSHNET, VBScript, Socket-based backdoor over cs.exe, Port.exe, Invoke the Hash, JuicyPotato","Corporations and Businesses, Energy and Utilities, Government and Defense Agencies, Critical Infrastructure",,, 2020-02-17,Cyberwarfare_ A deep dive into the latest Gamaredon Espionage 
Campaign,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.02.17.Cyberwarfare_Gamaredon_Campaign/Cyberwarfare_%20A%20deep%20dive%20into%20the%20latest%20Gamaredon%20Espionage%20Campaign.pdf,Yoroi,,,"rule Gamaredon_Campaign_January_2020_SFX_Stage_2 { \n \nmeta: \n \ndescription = ""Yara Rule for Gamaredon SFX stage 2"" \n \nauthor = ""Cybaze Zlab_Yoroi"" \n \nlast_updated = ""2020-02-14"" \n2/24/2020\nCyberwarfare: A deep dive into the latest Gamaredon Espionage Campaign – Yoroi Blog\nhttps://blog.yoroi.company/research/cyberwarfare-a-deep-dive-into-the-latest-gamaredon-espionage-campaign/\n15/15\n \ntlp = ""white"" \n \ncategory = ""informational"" \n \n \nstrings: \n \n $a1 = { 4D 5A } \n \n $a2 = { 00 E9 07 D4 FD FF 8B 4D F0 81 } \n \n $a3 = { B7 AB FE B2 B1 B5 FA 9B 11 80 } \n \n $a4 = { 81 21 25 E0 38 03 FA F0 AF 11 } \n \n $a5 = { 0A 39 DF F7 40 8D 7B 44 52 } \n \n condition: \n \n all of them \n}, rule Gamaredon_Campaign_January_2020_Second_Stage { \n \nmeta: \n \ndescription = ""Yara Rule for Gamaredon_apu_dot"" \n \nauthor = ""Cybaze Zlab_Yoroi"" \n \nlast_updated = ""2020-02-14"" \n \ntlp = ""white"" \n \ncategory = ""informational"" \n \n \nstrings: \n \n $a1 = ""Menu\\\\Programs\\\\Startup\\\\\\"""" \n \n $a2 = ""RandStrinh"" \n \n $a3 = "".txt"" \n \n $a4 = ""templates.vbs"" \n \n $a5 = ""GET"" \n \n $a6 = ""Encode = 1032"" \n \n $a7 = ""WShell=CreateObject(\\""WScript.Shell\\"")"" \n \n $a8 = ""Security"" \n \n $a9 = ""AtEndOfStream"" \n \n $a10 = ""GenRandom"" \n \n $a11 = ""SaveToFile"" \n \n $a12 = ""Sleep"" \n \n $a13 = ""WinMgmts:{(Shutdown,RemoteShutdown)}!"" \n \n $a14 = ""Scripting"" \n \n $a15 = ""//autoindex.php"" \n \n condition: \n \n 11 of ($a*) \n}, rule Gamaredon_Campaign_January_2020_SFX_Stage_1 { \n \nmeta: \n \ndescription = ""Yara Rule for Gamaredon SFX stage 1"" \n \nauthor = ""Cybaze Zlab_Yoroi"" \n \nlast_updated = ""2020-02-14"" \n \ntlp = ""white"" \n \ncategory = ""informational"" \n 
\n \nstrings: \n \n $a1 = { 4D 5A } \n \n $a2 = { FF 75 FC E8 F2 22 01 00 } \n \n $a3 = { FE DE DB DB FE D5 D5 D6 F8 } \n \n $a4 = { 22 C6 24 A8 BE 81 DE 63 } \n \n $a5 = { CF 4F D0 C3 C0 91 B0 0D } \n \n condition: \n \n all of them \n}, rule Gamaredon_Campaign_January_2020_dot_NET_stage { \n \nmeta: \n \ndescription = ""Yara Rule for Gamaredon dot NET stage"" \n \nauthor = ""Cybaze Zlab_Yoroi"" \n \nlast_updated = ""2020-02-14"" \n \ntlp = ""white"" \n \ncategory = ""informational"" \n \n \nstrings: \n \n $a1 = { 4D 5A } \n \n $a2 = ""AssemblyCompanyAttribute"" \n \n $a3 = ""GetDrives"" \n \n $a4 = ""Aversome"" \n \n $a5 = ""TotalMilliseconds"" \n \n $s1 = { 31 01 C6 01 F2 00 29 01 5C 03 76 } \n \n $s2 = { 79 02 38 03 93 03 B5 03 } \n \n $s3 = { 00 07 00 00 11 00 00 72 01 } \n \n $s4 = { CD DF A6 EF 66 0E 44 D7 } \n \n condition: \n \n all of ($a*) and 2 of ($s*) \n}, rule Gamaredon_Campaign_January_2020_Initial_Dropper { \n \nmeta: \n \ndescription = ""Yara Rule for Gamaredon_f_doc"" \n \nauthor = ""Cybaze Zlab_Yoroi"" \n \nlast_updated = ""2020-02-14"" \n \ntlp = ""white"" \n \ncategory = ""informational"" \n \n \nstrings: \n \n $a1 = { 4B 03 } \n \n $a2 = { 8E DA 30 14 DD 57 EA 3F } \n \n $a3 = { 3B 93 46 0F AF B0 2B 33 } \n \n $a4 = { 50 4B 03 04 14 00 06 00 08 } \n \n condition: \n \n all of them \n}",gamaredon group,RU,Information theft and espionage,2013,UA,FALSE,"Spear Phishing, Malicious Documents, Exploit Vulnerability","Pteranodon (also known as Pterodo), Weaponized Office documents, Office template injection, SFX archives, WMI, VBA macros, .Net component","Government and Defense Agencies, Critical Infrastructure",,, 2020-02-17,CLAMBLING - A New Backdoor Base On Dropbox (EN),,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.02.17_CLAMBLING_Dropbox_Backdoor/CLAMBLING%20-%20A%20New%20Backdoor%20Base%20On%20Dropbox%20%28EN%29.pdf,Trend Micro,,,,,,,,,FALSE,,"Dropbox API, mimikatz, UAC bypass tools, Windows 
Defender Core Process MsMpEng.exe, mpsvc.dll, RtlDecompressBuffer, mpsvc.mui","Corporations and Businesses, Media and Entertainment Companies",2019-07-15,2019-09-20,67.0 2020-02-21,[KR]Analysis Report_MyKings Botnet,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.02.21_MyKings_Botnet/%5BKR%5DAnalysis%20Report_MyKings%20Botnet.pdf,AhnLab,,,,mykings,,,,,,Exploit Vulnerability,"PowerShell, item.dat, cab.exe, msinfo.exe, WMInjector","Corporations and Businesses, Education and Research Institutions, Manufacturing, Media and Entertainment Companies",,, 2020-02-22,Weaponizing a Lazarus Group Implant,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.02.22_Lazarus_Group_Weaponizing/Weaponizing%20a%20Lazarus%20Group%20Implant.pdf,Objective-See,,,,lazarus group,KP,"Information theft and espionage, Espionage, Sabotage and destruction, Sabotage, Financial crime",2014,,,,unioncryptoupdater,Individuals,,, 2020-02-25,CloudSnooper_report,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.02.25_Cloud_Snooper/CloudSnooper_report.pdf,Sophos,,,,,,,,,,Exploit Vulnerability,"snd_floppy, snoopy, vsftpd, ips, snort, javad, Gh0st RAT",,,, 2020-03-02,apt34-aka-oilrig-attacks-lebanon-government-entities-with-maildropper-implant,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.03.02_APT34_MAILDROPPER/apt34-aka-oilrig-attacks-lebanon-government-entities-with-maildropper-implant.pdf,Telsy,,,,apt34,IR,Espionage,,LB,FALSE,"Spear Phishing, Malicious Documents","MailDropper, ISMAgent, ISMDoor, ISMInjector, TwoFace","Government and Defense Agencies, Financial Institutions, Energy and Utilities, Critical Infrastructure",,, 2020-03-02,Karkoff 2020 a new APT34 espionage operation involves Lebanon Government,,https://blog.yoroi.company/research/karkoff-2020-a-new-apt34-espionage-operation-involves-lebanon-government/,Yoroi,,,"rule 
Karkoff_Campaign_2020 {\n meta:\n description = ""Yara Rule for new APT34 Karkoff campaign""\n author = ""Cybaze Zlab_Yoroi""\n last_updated = ""2020-03-02""\n tlp = ""white""\n category = ""informational""\n strings:\n \n $a1 = ""SystemExchangeService"" ascii wide\n $a2 = ""getWindowsVersion"" ascii wide\n $a3 = ""GetCommands"" ascii wide\n $s1 = {0A 7A 1E 02 7B 9C 12 00 04 2A}\n condition:\n uint16(0) == 0x5A4D and all of them\n}, rule Karkoff_Attack_2020_Excel_macro {\n meta:\n description = ""Yara Rule for new APT34 Karkoff campaign excel malicious \nmacro""\n author = ""Cybaze Zlab_Yoroi""\n last_updated = ""2020-03-02""\n tlp = ""white""\n category = ""informational""\n strings:\n \n $a1 = ""EncodedData0""\n $a2 = ""NewTask9""\n $a3 = ""EAAMYEKwUAAEsEWQUAAMYEnQUAAMYEqAUAAJwSrgU""\n $a4 = ""TVqQAAMAAAAEAAAA""\n condition:\n all of them\n}",apt34,IR,Espionage,,LB,FALSE,"Malicious Documents, Credential Reuse","Karkoff macro loader, JASON tool",Government and Defense Agencies,,, 2020-03-03,New Perl Botnet (Tuyul) Found with Possible Indonesian Attribution,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.03.03_Tuyul_Botnet_Indonesian/New%20Perl%20Botnet%20%28Tuyul%29%20Found%20with%20Possible%20Indonesian%20Attribution.pdf,F5,CVE-2017-9841,,,,,,,"GB, US",FALSE,,"PHPUnit, CVE-2017-9841, inject, inject.php, libc6.so, hook.php, join, tuyul, unix.so, cache.php, dis.so",,,, 2020-03-03,The North Korean Kimsuky APT keeps threatening South Korea evolving its TTPs,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.03.03_Kimsuky_APT/The%20North%20Korean%20Kimsuky%20APT%20keeps%20threatening%20South%20Korea%20evolving%20its%20TTPs.pdf,Yoroi,,,"rule injectedDLL { \n meta: \n description = ""Yara rule for the injected DLL"" \n author = ""Yoroi - ZLab"" \n last_updated = ""2020-03-02"" \n tlp = ""white"" \n category = ""informational"" \n \nstrings: \n $a1 = {41 80 3E 5E 89 45 A4 75 08 49} \n 
\n \n$a2 = {60 03 50 02 30 58 68 01 00 70} \n \n \n$a3 = {98 F7 02 00 7B 44 00 00 91 44} \n \n \n$a4 = ""/?m=b&p1="" \n \n \n$a5 = ""&p2=b"" \n3/4/2020\nThe North Korean Kimsuky APT keeps threatening South Korea evolving its TTPs – Yoroi Blog\nhttps://blog.yoroi.company/research/the-north-korean-kimsuky-apt-keeps-threatening-south-korea-evolving-its-ttps/\n12/12\n \n \n$a6 = ""/?m=a&p1="" \n \n \n$a7 = ""AUAVAWH"" \n \n \n condition: \n uint16(0) == 0x5A4D and pe.number_of_sections == 6 and (4 of ($a*)) \n}, rule AutoUpdate_dll { \n meta: \n description = ""Yara rule for the AutoUpdate_dll"" \n author = ""Yoroi - ZLab"" \n last_updated = ""2020-03-02"" \n tlp = ""white"" \n category = ""informational"" \n \nstrings: \n $a1 = {48 8B 3F 48 83 78 18 10 72} \n \n \n$a2 = {36 42 35 45 35 41 42 33 42 41 39} \n \n \n$a3 = { DD E7 FE DA C6 F7 F9 8D 7D F9 } \n \n \n$a4 = ""1#SNAN"" \n \n \n$a5 = ""d$4D9L$t"" \n \n \n$a6 = ""DllRegisterServer"" \n \n \n$a7 = ""DllUnregisterServer"" \n \n \n condition: \n uint16(0) == 0x5A4D and pe.number_of_sections == 6 and (4 of ($a*)) \n}, rule legit_DOC { \n meta: \n description = ""Yara rule for the Legit DOC"" \n author = ""Yoroi - ZLab"" \n last_updated = ""2020-03-02"" \n tlp = ""white"" \n category = ""informational"" \n \nstrings: \n $a1 = ""HWP Document File"" \n \n \n$a2 = ""UPcfZrc"" \n \n \n$a3 = {D1 A9 30 1A 5D C1 16 41 15 DA DF 54} \n \n \n$a4 = {B4 D5 31 1B F9 66 7C 56 5A 15} \n \n \n$a5 = {30 30 F8 18 18 F8 00 00 E0 00 00 C8} \n \n \n$a6 = {DC 66 43 0C 53 00 65 00 63 00} \n \n \n$a7 = {05 00 48 00 77 00 70 00 53 00 75 00 6D 00 6D} \n \n \n condition: \n all of them \n}, rule loader { \n meta: \n description = ""Yara rule for the initial loader SRC"" \n author = ""Yoroi - ZLab"" \n last_updated = ""2020-03-02"" \n tlp = ""white"" \n category = ""informational"" \n \nstrings: \n $a1 = "" goto Repeat1"" \n \n \n$a2 = {84 58 43 F4 39 1B 96 32 E4 2D 63} \n \n \n$a3 = {89 04 4D 30 7A 05 10 41 EB E8 8B} \n \n \n$a4 = {80 A1 B2 F7 
15 DE F0 7E 35 75} \n \n \n$a5 = {9C 0E 57 4C 77 B1 0E 06 08 5E} \n \n \n \n condition: \n uint16(0) == 0x5A4D and pe.number_of_sections == 5 and 3 of ($a*) \n}",kimsuky,KP,"Espionage, Information theft and espionage",2012,KR,FALSE,,,,,, 2020-03-05,Guildma_ The Devil drives electric _ WeLiveSecurity,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.03.05_Guildma/Guildma_%20The%20Devil%20drives%20electric%20_%20WeLiveSecurity.pdf,ESET,,"T1064:Scripting, T1082:System Information Discovery, T1096:NTFS File Attributes, T1214:Credentials in Registry, T1197:BITS Jobs, T1024:Custom Cryptographic Protocol, T1063:Security Software Discovery, T1497:Virtualization/Sandbox Evasion, T1220:XSL Script Processing, T1081:Credentials in Files, T1010:Application Window Discovery, T1073:DLL Side-Loading, T1060:Registry Run Keys / Startup Folder, T1055:Process Injection, T1083:File and Directory Discovery, T1193:Spearphishing Attachment, T1140:Deobfuscate/Decode Files or Information, T1041:Exfiltration Over Command and Control Channel, T1047:Windows Management Instrumentation, T1113:Screen Capture, T1089:Disabling Security Tools",,,,,,BR,FALSE,Spear Phishing,"BITSAdmin, certutil, rundll32.exe, WMIC.exe",Financial Institutions,,, 2020-03-10,2020_03_Threat_Alert_Hacking_the_Hackers,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.03.10.WHO_HACKING_THE_HACKERS/2020_03_Threat_Alert_Hacking_the_Hackers.pdf,Cybereason,,,,,,,,,,Exploit Vulnerability,"njRat, WordPress",Individuals,,, 2020-03-11,Tech Brief_Operation Overtrap Targets Japanese Online Banking Users,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.03.11.Operation_Overtrap/Tech%20Brief_Operation%20Overtrap%20Targets%20Japanese%20Online%20Banking%20Users.pdf,Trend Micro,"CVE-2018-15982, CVE-2018-8174",,,,,,,JP,FALSE,"Phishing, Exploit Vulnerability","Trojan.VBS.CVE20188174.AMT, Trojan.SWF.CVE201815982.AK, 
TrojanSpy.Win32.CINOBI.A, CVE-2018-8174 (used by BottleEK), CVE-2018-15982 (used by BottleEK)","Financial Institutions, Individuals",,, 2020-03-12,Tracking Turla_ New backdoor delivered via Armenian watering holes _ WeLiveSecurity,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.03.12_Tracking_Turla/Tracking%20Turla_%20New%20backdoor%20delivered%20via%20Armenian%20watering%20holes%20_%20WeLiveSecurity.pdf,ESET,,"T1065:Uncommonly Used Port, T1043:Commonly Used Port, T1204:User Execution, T1082:System Information Discovery, T1041:Exfiltration Over Command and Control Channel, T1071:Standard Application Layer Protocol, T1032:Standard Cryptographic Protocol, T1189:Drive-by Compromise, T1057:Process Discovery, T1053:Scheduled Task, T1016:System Network Configuration Discovery",,turla,RU,"Espionage, Information theft and espionage",1996,AM,FALSE,"Watering Hole, Social Engineering","DropperMSIL/T urla.D, PyFlash, NetFlash, Win32/T urla.EM, Win32/T urla.EJ","Government and Defense Agencies, Education and Research Institutions",,, 2020-03-15,"APT36 jumps on the coronavirus bandwagon, delivers Crimson RAT _ Malwarebytes Labs",,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.03.15_APT36_Crimson_RAT/APT36%20jumps%20on%20the%20coronavirus%20bandwagon%2C%20delivers%20Crimson%20RAT%20_%20Malwarebytes%20Labs.pdf,Malwarebytes,CVE-2017-0199,S0115:N/A,,apt36,PK,Information theft and espionage,2013,IN,,"Spear Phishing, Watering Hole, Malicious Documents",Crimson RAT,Government and Defense Agencies,,, 2020-03-19,Is APT 27 Abusing COVID-19 To Attack People !,,https://marcoramilli.com/2020/03/19/is-apt27-abusing-covid-19-to-attack-people/,Yoroi,,,,apt27,CN,"Espionage, Information theft and espionage",2010,,,Spear Phishing,,,,, 2020-03-20,Analysis Of Exploitation CVE-2020-10189 ( exploited by APT41),,https://blog.reconinfosec.com/analysis-of-exploitation-cve-2020-10189/,RECON InfoSec,"CVE-2019-3396, 
CVE-2020-10189",,,apt41,CN,"Financial crime, Information theft and espionage",2010,,FALSE,Exploit Vulnerability,"Cobalt Strike, KAPE",,,, 2020-03-24,WildPressure targets industrial-related entities in the Middle East _ Securelist,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.03.24_WildPressure/WildPressure%20targets%20industrial-related%20entities%20in%20the%20Middle%20East%20_%20Securelist.pdf,Kaspersky,,,,,,,,,,,Milum Trojan,Critical Infrastructure,2019-05-31,2019-09-15,107.0 2020-03-25,This Is Not a Test_ APT41 Initiates Global Intrusion Campaign Using Multiple Exploits _ FireEye Inc,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.03.25_APT41-initiates-global-intrusion-campaign/This%20Is%C2%A0Not%20a%20Test_%20APT41%20Initiates%20Global%20Intrusion%20Campaign%20Using%20Multiple%20Exploits%20_%20FireEye%20Inc.pdf,FireEye,"CVE-2019-1652, CVE-2019-19781, CVE-2020-10189, CVE-2020-10198","T1065:Uncommonly Used Port, T1064:Scripting, T1094:Custom Command and Control Protocol, T1132:Data Encoding, T1068:Exploitation for Privilege Escalation, T1105:Remote File Copy, T1071:Standard Application Layer Protocol, T1050:New Service, T1197:BITS Jobs, T1055:Process Injection, T1190:Exploit Public-Facing Application, T1086:PowerShell, T1133:External Remote Services, T1436:N/A","rule ExportEngine_xArch\n{\n\xa0\xa0\xa0 meta:\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0 author = ""@stvemillertime""\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0 description = ""This looks for Win PEs where Export DLL name is a something like\nx32.dat""\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 strings:\n\xa0\xa0\xa0 \xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 $pcre = /\\x00-\\x7F{1,}x(32|64|86)\\.dat\\x00/\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 condition:\n\xa0\xa0\xa0 \xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and $pcre 
at\npe.rva_to_offset(uint32(pe.rva_to_offset(pe.data_directoriespe.IMAGE_DIRECTO‐\nRY_ENTRY_EXPORT.virtual_address) + 12))\n}, rule ConventionEngine_Anomaly_MultiPDB_Double\n{\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 meta:\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 author = ""@stvemillertime""\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 description = ""Searching for PE files with PDB path keywords, terms or\nanomalies.""\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 sample_md5 = ""013f3bde3f1022b6cf3f2e541d19353c""\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 ref_blog = ""https://www.fireeye.com/blog/threat-research/2019/08/de‐\nfinitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html""\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 strings:\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 $pcre = /RSDS\\x00-\\xFF{20}a-zA-Z:\\\\\\x00-\\xFF{0,200}\\.pdb\\x00/\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 condition:\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and\n#pcre == 2\n3/27/2020\nThis Is\xa0Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits | FireEye Inc\nhttps://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html\n16/16\n}, rule RareEquities_LibTomCrypt\n{\n\xa0\xa0\xa0 meta:\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0 author = ""@stvemillertime""\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0 description = ""This looks for executables with strings from LibTomCrypt as seen\nby some APT41-esque actors https://github.com/libtom/libtomcrypt - might catch every‐\nthing BEACON as well. 
You may want to exclude Golang and UPX packed samples.""\n\xa0\xa0\xa0 strings:\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0 $a1 = ""LibTomMath""\n\xa0\xa0\xa0 condition:\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0 uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and $a1\n}, rule ExportEngine_ShortName\n{\n\xa0\xa0\xa0 meta:\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0 author = ""@stvemillertime""\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0 description = ""This looks for Win PEs where Export DLL name is a single\ncharacter""\n\xa0\xa0\xa0 strings:\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0 $pcre = /A-Za-z0-9{1}\\.(dll|exe|dat|bin|sys)/\n\xa0\xa0\xa0 condition:\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0 uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and $pcre at pe.r‐\nva_to_offset(uint32(pe.rva_to_offset(pe.data_directoriespe.IMAGE_DIRECTORY_EN‐\nTRY_EXPORT.virtual_address) + 12))\n3/27/2020\nThis Is\xa0Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits | FireEye Inc\nhttps://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html\n13/16\n}, rule RareEquities_KCP\n{\n\xa0\xa0\xa0 meta:\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0 author = ""@stvemillertime""\n3/27/2020\nThis Is\xa0Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits | FireEye Inc\nhttps://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html\n14/16\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0 description = ""This is a wide catchall rule looking for executables with equities for\na transport library called KCP, https://github.com/skywind3000/kcp Matches on this rule\nmay have built-in KCP transport ability.""\n\xa0\xa0\xa0 strings:\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0 $a01 = ""RO %ld bytes""\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0 $a02 = ""recv sn=%lu""\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0 $a03 = ""RI %d bytes""\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0 $a04 = ""input ack: sn=%lu rtt=%ld rto=%ld""\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0 $a05 = ""input psh: sn=%lu 
ts=%lu""\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0 $a06 = ""input probe""\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0 $a07 = ""input wins: %lu""\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0 $a08 = ""rcv_nxt=%lu\\\\n""\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0 $a09 = ""snd(buf=%d, queue=%d)\\\\n""\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0 $a10 = ""rcv(buf=%d, queue=%d)\\\\n""\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0 $a11 = ""rcvbuf""\n\xa0\xa0\xa0 condition:\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0 (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and filesize <\n5MB and 3 of ($a*)\n}, rule ConventionEngine_Term_Desktop\n{\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 meta:\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 author = ""@stvemillertime""\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 description = ""Searching for PE files with PDB path keywords, terms or\nanomalies.""\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 sample_md5 = ""71cdba3859ca8bd03c1e996a790c04f9""\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 ref_blog = ""https://www.fireeye.com/blog/threat-research/2019/08/de‐\nfinitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html""\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 strings:\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 $pcre = /RSDS\\x00-\\xFF{20}a-zA-Z:\\\\\\x00-\\xFF{0,200}Desktop\\x00-\n\\xFF{0,200}\\.pdb\\x00/ nocase ascii\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 condition:\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and\n$pcre\n}, rule ExportEngine_APT41_Loader_String\n{\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 meta:\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 author = 
""@stvemillertime""\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 description ""This looks for a common APT41 Export DLL name in BEA‐\nCON shellcode loaders, such as loader_X86_svchost.dll""\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 strings:\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 $pcre = /loader_\\x00-\\x7F{1,}\\x00/\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 condition:\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and\n$pcre at pe.rva_to_offset(uint32(pe.rva_to_offset(pe.data_directoriespe.IMAGE_DI‐\nRECTORY_ENTRY_EXPORT.virtual_address) + 12))\n}, rule ConventionEngine_Term_Users\n{\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 meta:\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 author = ""@stvemillertime""\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 description = ""Searching for PE files with PDB path keywords, terms or\nanomalies.""\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 sample_md5 = ""09e4e6fa85b802c46bc121fcaecc5666""\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 ref_blog = ""https://www.fireeye.com/blog/threat-research/2019/08/de‐\nfinitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html""\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 strings:\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 $pcre = /RSDS\\x00-\\xFF{20}a-zA-Z:\\\\\\x00-\\xFF{0,200}Users\\x00-\n\\xFF{0,200}\\.pdb\\x00/ nocase ascii\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 condition:\n3/27/2020\nThis Is\xa0Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits | FireEye 
Inc\nhttps://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html\n15/16\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0 (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and\n$pcre\n}",apt41,CN,"Financial crime, Information theft and espionage",2010,"AE, AU, CA, CH, DK, FI, FR, GB, IN, IT, JP, MX, MY, PH, PL, QA, SA, SE, SG, US",TRUE,Exploit Vulnerability,"Backdoor.Meterpreter, DTI.Callback, Exploit.CitrixNetScaler, Trojan.METASTAGE, Exploit.ZohoManageEngine.CVE-2020-10198.Pwner, Exploit.ZohoManageEngine.CVE-2020-10198.mdmLogUploader, Cobalt Strike BEACON, storesyncsvc.dll, install.bat, 2.exe, TzGG","Government and Defense Agencies, Corporations and Businesses, Financial Institutions, Healthcare, Energy and Utilities, Manufacturing, Education and Research Institutions, Media and Entertainment Companies, Non-Governmental Organizations (NGOs) and Nonprofits",,, 2020-03-26,iOS exploit chain deploys 'LightSpy' feature-rich malware _ Securelist,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.03.26_LightSpy_TwoSail_Junk_APT/iOS%20exploit%20chain%20deploys%20%E2%80%9CLightSpy%E2%80%9D%20feature-rich%20malware%20_%20Securelist.pdf,Kaspersky,,,,twosail junk,,,,HK,,Watering Hole,"LightSpy, Lotus Elise, Evora backdoor, Vue.js, Webpack",Corporations and Businesses,2020-01-20,2020-03-05,45.0 2020-03-30,The 'Spy Cloud' Operation Geumseong121 group carries out the APT attack disguising the evidence of North Korean defection,,https://blog.alyac.co.kr/attachment/cfile8.uf@9977CF405E81A09B1C4CE2.pdf,EST Security,,,,geumseong 121,,,,KR,,"Spear Phishing, Malicious Documents","Google Drive, pCloud, EXE malicious module, obfuscated malicious VBA macro",Government and Defense Agencies,,, 2020-04-02,Catching APT41 exploiting a zero-day 
vulnerability,,https://www.darktrace.com/en/blog/catching-apt-41-exploiting-a-zero-day-vulnerability/,Darktrace,CVE-2020-10189,T1566:N/A,,apt41,CN,"Financial crime, Information theft and espionage",2010,,TRUE,Exploit Vulnerability,"Zoho ManageEngine, Microsoft BITSAdmin, Meterpreter, Cobalt Strike Beacon",Corporations and Businesses,2020-03-08,2020-03-22,14.0 2020-04-07,200407-MWB-COVID-White-Paper_Final,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.04.07_APTs_COVID-19/200407-MWB-COVID-White-Paper_Final.pdf,Malwarebytes,"CVE-2017-0199, CVE-2017-11882, CVE-2018-0798, CVE-2018-0802","S0013:N/A, S0012:N/A, S0354:N/A",,bitter,IN,Information theft and espionage,2013,"AU, BD, BN, CN, DE, GB, ID, IN, JP, KH, KW, LA, LK, MM, MY, NP, PH, PK, RO, RU, SG, TH, US, VN",FALSE,Malicious Documents,"Crimson RAT, Dridex, GlobeImposter, Banker Malware, Royal Road","Corporations and Businesses, Healthcare, Manufacturing",,, 2020-04-07,New Ursnif campaign_ a shift from PowerShell to Mshta,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.04.07_New_Ursnif_Campaign/New%20Ursnif%20campaign_%20a%20shift%20from%20PowerShell%20to%20Mshta.pdf,Zscaler,,,,,,,,,FALSE,Malicious Documents,"Ursnif (aka Gozi aka Dreambot), Microsoft HTML Applications (HTAs), PowerShell, Mshta.exe, ActiveX, XMLHTTP, regsvr32",Financial Institutions,,, 2020-04-08,ASEC_REPORT_vol.98_ENG,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/Report/AhnLab/ASEC_REPORT_vol.98_ENG.pdf,AhnLab,,,,kimsuky,KP,"Espionage, Information theft and espionage",2012,,,"Spear Phishing, Malicious Documents","sen.a, m1.a, list.dll, aka32.exe, Rundll32.exe","Government and Defense Agencies, Corporations and Businesses",,, 2020-04-08,How Cyber Adversaries are Adapting to Exploit the Global 
Pandemic,,https://www.secureworks.com/blog/how-cyber-adversaries-are-adapting-to-exploit-the-global-pandemic,SecureWorks,,,,kimsuky,KP,"Espionage, Information theft and espionage",2012,,,"Malicious Documents, Spear Phishing","PoisonIvy, TrickBot, REvil, AZORult, LokiBot, Gozi ISFB (Ursnif), Oski, SpyMax","Education and Research Institutions, Financial Institutions, Manufacturing, Critical Infrastructure, Healthcare",2020-01-01,2020-04-01,91.0 2020-04-15,Nation-state Mobile Malware Targets Syrians with COVID-19 Lures,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.04.15_COVID-19_Lures_Syrians/Nation-state%20Mobile%20Malware%20Targets%20Syrians%20with%20COVID-19%20Lures.pdf,Lookout,,,,silverhawk,,,,SY,FALSE,"Watering Hole, Website Equipping","AndoServer malware, SpyNote, SandroRat, SLRat, AndroRat, SJRat",Individuals,,, 2020-04-15,[TLP-White]20200415 Chimera_V4.1,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.04.15_Chimera_APT/%5BTLP-White%5D20200415%20Chimera_V4.1.pdf,Kaspersky,,,,chimera,CN,,,TW,FALSE,Credential Reuse,"SkeletonKeyInjector, Dumpert, Mimikatz, Cobalt Strike, PowerShell, RAR, BaseClient.exe",Manufacturing,,, 2020-04-16,White Ops _ Inside the Largest Connected TV Botnet Attack,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.04.16_ICEBUCKET_TV_Bot_Attack/White%20Ops%20_%20Inside%20the%20Largest%20Connected%20TV%20Botnet%20Attack.pdf,White Ops,,,,,,,,US,FALSE,Covert Channels,,Media and Entertainment Companies,,, 2020-04-20,WINNTI GROUP_ Insights From the Past,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.04.20_Winnti_from_the_past/WINNTI%20GROUP_%20Insights%20From%20the%20Past.pdf,QuoIntelligence,,"T1116:Code Signing, T1009:Binary Padding, T1068:Exploitation for Privilege Escalation, T1022:Data Encrypted, T1014:Rootkit, T1048:Exfiltration Over Alternative Protocol, 
T1215:Kernel Modules and Extensions",,apt41,CN,"Financial crime, Information theft and espionage",2010,DE,,Exploit Vulnerability,"Cobalt Strike, Meterpreter","Corporations and Businesses, Financial Institutions, Government and Defense Agencies, Manufacturing",,, 2020-04-21,Evil Eye Threat Actor Resurfaces with iOS Exploit and Updated Implant,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.04.21.evil-eye-threat-actor/Evil%20Eye%20Threat%20Actor%20Resurfaces%20with%20iOS%20Exploit%20and%20Updated%20Implant.pdf,Volexity,,,,evil eye,,Information theft and espionage,2018,,FALSE,Watering Hole,"INSOMNIA, IRONSQUIRREL","Education and Research Institutions, Individuals",,, 2020-04-24,PoshC2_APT_jp,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.04.24_PoshC2_APT/PoshC2_APT_jp.pdf,Rack,CVE-2019-9489,"T1082:System Information Discovery, T1031:Modify Existing Service, T1059:Command-Line Interface, T1021:Remote Services, T1076:Remote Desktop Protocol, T1038:DLL Search Order Hijacking, T1015:Accessibility Features, T1195:Supply Chain Compromise, T1086:PowerShell, T1127:Trusted Developer Utilities, T1060:Registry Run Keys / Startup Folder, T1055:Process Injection, T1107:File Deletion, T1035:Service Execution, T1140:Deobfuscate/Decode Files or Information, T1049:System Network Connections Discovery, T1135:Network Share Discovery, T1047:Windows Management Instrumentation, T1050:New Service, S0378:N/A, T1057:Process Discovery, T1003:Credential Dumping, T1089:Disabling Security Tools",,blacktech,CN,Information theft and espionage,2010,"JP, TW",FALSE,Exploit Vulnerability,"PoshC2, frp, plink, MITRE ATT&CK, MSBuild, RasAuto","Corporations and Businesses, Cloud/IoT Services",,, 2020-04-27,ESET_Threat_Report_Q12020,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/Report/ESET/ESET_Threat_Report_Q12020.pdf,ESET,"CVE-2012-5687, CVE-2014-2962, CVE-2014-4019, 
CVE-2014-8361, CVE-2014-9583, CVE-2015-0554, CVE-2015-7254, CVE-2017-11882, CVE-2017-6190, CVE-2019-15126","T1516:N/A, T1505:N/A, T1517:N/A, S0397:N/A",,apt41,CN,"Financial crime, Information theft and espionage",2010,"CZ, DE, ES, PT, TW",FALSE,Watering Hole,"LightNeuron, LoJax, ShadowPad, Winnti","Education and Research Institutions, Energy and Utilities",,, 2020-04-28,Grandoreiro_ How engorged can an EXE get_ _ WeLiveSecurity,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.04.28.Grandoreiro/Grandoreiro_%20How%20engorged%20can%20an%20EXE%20get_%20_%20WeLiveSecurity.pdf,ESET,,"T1056:Input Capture, T1064:Scripting, T1082:System Information Discovery, T1088:Bypass User Account Control, T1009:Binary Padding, T1483:Domain Generation Algorithms, T1106:Execution through API, T1063:Security Software Discovery, T1497:Virtualization/Sandbox Evasion, T1081:Credentials in Files, T1192:Spearphishing Link, T1112:Modify Registry, T1071:Standard Application Layer Protocol, T1060:Registry Run Keys / Startup Folder, T1222:File Permissions Modification, T1083:File and Directory Discovery, T1036:Masquerading, T1140:Deobfuscate/Decode Files or Information, T1041:Exfiltration Over Command and Control Channel, T1503:N/A, T1057:Process Discovery, T1010:Application Window Discovery, T1089:Disabling Security Tools",,,,,,"BR, ES, MX, PE",FALSE,Spear Phishing,"Grandoreiro, EASendMail SDK",Financial Institutions,,, 2020-04-28,yoroi.company-Outlaw is Back a New Crypto-Botnet Targets European Organizations,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.04.28_Outlaw_is_Back/yoroi.company-Outlaw%20is%20Back%20a%20New%20Crypto-Botnet%20Targets%20European%20Organizations.pdf,Yoroi,,,"rule TSM_FasterThanLite_Outlaw_Apr20 \n{\nmeta:\n description = ""TSM ssh bruteforce component of Outlaw Botnet April 2020""\n hash32 = ""3eef8c27ad8458af84dcb52dfa01295c427908a0"" // for tsm32 (32 bit)\n hash64 = 
""a1da0566193f30061f69b057c698dc7923d2038c"" // for tsm64 (64 bit)\n \n author = ""Cybaze - Yoroi ZLab""\n last_updated = ""2020-04-27""\n tlp = ""white""\n category = ""informational""\n strings:\n $s1= {63 73 2D 64 76 63 00 69 64 2D 73 6D 69 6D 65 2D\n61 6C 67 2D 45 53 44 48 77 69 74 68 33 44 45 53\n00 69 64 2D 73 6D 69 6D 65 2D 61 6C 67 2D 45 53\n44 48 77 69 74 68 52 43 32 00 69 64 2D 73 6D 69\n6D 65 2D 61 6C 67 2D 33 44 45 53 77 72 61 70 00\n69 64 2D 73 6D 69 6D 65 2D 61 6C 67 2D 52 43 32\n77 72 61 70 00 69 64 2D 73 6D 69 6D 65 2D 61 6C\n67 2D 45 53 44 48 00 69 64 2D 73 6D 69 6D 65 2D\n61 6C 67 2D 43 4D 53 33}\n $s2= {2D 70 6C 61 63 65 4F 66 42 69 72 74 68 00 69 64\n2D 70 64 61 2D 67 65 6E 64 65 72 00 69 64 2D 70\n64 61 2D 63 6F 75 6E 74 72 79 4F 66 43 69 74 69\n7A 65 6E 73 68 69 70}\n $s3 =""brainpoolP384r1"" wide ascii\n $s4= ""getpwnam"" wide ascii //mutex\n $s5 = ""dup2"" wide ascii //mutex\n $s6 = ""_ITM_deregisterTMCloneTable"" wide ascii //mutex\n $elf = { 7f 45 4c 46 } //ELF file’s magic numbers\n condition:\n $elf in (0..4) and all of them and elf.number_of_sections > 25 \n \n}",outlaw,RO,,,"CN, DE, FR, IT, US",,Exploit Vulnerability,"IRC bot, SSH scanner, bruteforce tool, XMRIG crypto-miner, Shellbot, pscan, ssh-scan",,,, 2020-04-29,cta-2020-0429,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.04.29.Chinese_Influence_Operations_Taiwanese_Elections_Hong_Kong_Protests/cta-2020-0429.pdf,Recorded Future,,,,,,,,"HK, TW",,Social Engineering,,"Education and Research Institutions, Media and Entertainment Companies, Individuals",,, 2020-04-30,Anomali Suspects that China-Backed APT Pirate Panda May Be Seeking Access to Vietnam Government Data Center,,https://www.anomali.com/blog/anomali-suspects-that-china-backed-apt-pirate-panda-may-be-seeking-access-to-vietnam-government-data-center,Anomali,,,,pirate panda,CN,Information theft and espionage,2011,VN,FALSE,"Phishing, Malicious Documents","Excel document, Utilman.exe, 
MsMpEng.exe, Mpsvc.dll, exile-RAT, keyboy",Government and Defense Agencies,,, 2020-04-30,Lazarus APT organization uses information such as recruitment of a Western aviation giant to analyze targeted attack incidents in specific countries,,https://ti.qianxin.com/blog/articles/analysis-of-lazarus-apt-oriented-attack-event/,QiAnXin,,,,lazarus group,KP,"Information theft and espionage, Espionage, Sabotage and destruction, Sabotage, Financial crime",2014,,,Malicious Documents,,Corporations and Businesses,,, 2020-05-05,Nazar_ Spirits of the Past - Check Point Research,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.05.05.Nazar_APT/Nazar_%20Spirits%20of%20the%20Past%20-%20Check%20Point%20Research.pdf,Check Point,,,"rule apt_nazar_svchost_commands\n{\nmeta:\n5/6/2020\nNazar: Spirits of the Past - Check Point Research\nhttps://research.checkpoint.com/2020/nazar-spirits-of-the-past/\n16/22\ndescription = ""Detect Nazar\s svchost based on supported commands""\nauthor = ""Itay Cohen""\ndate = ""2020-04-26""\nreference = """"\nhash = ""2fe9b76496a9480273357b6d35c012809bfa3ae8976813a7f5f4959402e3fbb6""\nhash = ""be624acab7dfe6282bbb32b41b10a98b6189ab3a8d9520e7447214a7e5c27728""\nstrings:\n$str1 = { 33 31 34 00 36 36 36 00 33 31 33 00 }\n$str2 = { 33 31 32 00 33 31 35 00 35 35 35 00 }\n$str3 = { 39 39 39 00 35 39 39 00 34 39 39 00 }\n$str4 = { 32 30 39 00 32 30 31 00 32 30 30 00 }\n$str5 = { 31 39 39 00 31 31 39 00 31 38 39 00 31 33 39 00 33 31 31 00 }\ncondition:\n4 of them\n}, rule apt_nazar_component_guids\n{\nmeta:\ndescription = ""Detect Nazar Components by COM Objects\ GUID""\nauthor = ""Itay Cohen""\ndate = ""2020-04-27""\nreference = """"\nhash = ""1110c3e34b6bbaadc5082fabbdd69f492f3b1480724b879a3df0035ff487fd6f""\nhash = ""1afe00b54856628d760b711534779da16c69f542ddc1bb835816aa92ed556390""\nhash = ""2caedd0b2ea45761332a530327f74ca5b1a71301270d1e2e670b7fa34b6f338e""\nhash = 
""2fe9b76496a9480273357b6d35c012809bfa3ae8976813a7f5f4959402e3fbb6""\nhash = ""460eba344823766fe7c8f13b647b4d5d979ce4041dd5cb4a6d538783d96b2ef8""\n5/6/2020\nNazar: Spirits of the Past - Check Point Research\nhttps://research.checkpoint.com/2020/nazar-spirits-of-the-past/\n17/22\nhash = ""4d0ab3951df93589a874192569cac88f7107f595600e274f52e2b75f68593bca""\nhash = ""75e4d73252c753cd8e177820eb261cd72fecd7360cc8ec3feeab7bd129c01ff6""\nhash = ""8fb9a22b20a338d90c7ceb9424d079a61ca7ccb7f78ffb7d74d2f403ae9fbeec""\nhash = ""967ac245e8429e3b725463a5c4c42fbdf98385ee6f25254e48b9492df21f2d0b""\nhash = ""be624acab7dfe6282bbb32b41b10a98b6189ab3a8d9520e7447214a7e5c27728""\nhash = ""d34a996826ea5a028f5b4713c797247913f036ca0063cc4c18d8b04736fa0b65""\nhash = ""d9801b4da1dbc5264e83029abb93e800d3c9971c650ecc2df5f85bcc10c7bd61""\nhash = ""eb705459c2b37fba5747c73ce4870497aa1d4de22c97aaea4af38cdc899b51d3""\nstrings:\n$guid1_godown = { 98 B3 E5 F6 DF E3 6B 49 A2 AD C2 0F EA 30 DB FE } // Godown.dll IID\n$guid2_godown = { 31 4B CB DB B8 21 0F 4A BC 69 0C 3C E3 B6 6D 00 } // Godown.dll CLSID\n$guid3_godown = { AF 94 4E B6 6B D5 B4 48 B1 78 AF 07 23 E7 2A B5 } // probably Godown\n$guid4_filesystem = { 79 27 AB 37 34 F2 9D 4D B3 FB 59 A3 FA CB 8D 60 } // Filesystem.dll\nCLSID\n$guid6_filesystem = { 2D A1 2B 77 62 8A D3 4D B3 E8 92 DA 70 2E 6F 3D } // Filesystem.dll\nTypeLib IID\n$guid5_filesystem = { AB D3 13 CF 1C 6A E8 4A A3 74 DE D5 15 5D 6A 88 } // Filesystem.dll\ncondition:\nany of them\n}",nazar,CN,"Espionage, Information theft and espionage",2010,,,,"Nazar, Territorial Dispute (TeDi), Godown.dll, Conficker",,,, 2020-05-06,039 Deconstructing the Dukes A Researcher's Retrospective of APT29,,https://blog.f-secure.com/podcast-dukes-apt29/,F-Secure,,,,apt29,RU,"Espionage, Information theft and espionage",2008,RU,,Phishing,"HammerDuke or Hammertoss, MiniDuke, CozyDuke",Government and Defense Agencies,,, 2020-05-06,Prevailion Blog_ Phantom in the Command 
Shell,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.05.06_Phantom_EVILNUM/Prevailion%20Blog_%20Phantom%20in%20the%20Command%20Shell.pdf,Prevailion,,"T1043:Commonly Used Port, T1085:Rundll32, T1204:User Execution, T1192:Spearphishing Link, T1112:Modify Registry, T1539:N/A, T1105:Remote File Copy, T1102:Web Service, T1070:Indicator Removal on Host, T1060:Registry Run Keys / Startup Folder, T1041:Exfiltration Over Command and Control Channel, T1143:Hidden Window, T1099:Timestomp, T1074:Data Staged, T1005:Data from Local System",,,,,,"CA, FI, GB",FALSE,Spear Phishing,"EVILNUM, Windows Management Instrumentation (WMI), Windows Script Component (.sct), rundll32, Python 2.7, headless Javascript.","Financial Institutions, Cloud/IoT Services",,, 2020-05-06,LeeryTurtleThreatReport_05_20,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.05.06_Leery_Turtle/LeeryTurtleThreatReport_05_20.pdf,ESET,,"T1131:Authentication Package, T1064:Scripting, T1192:Spearphishing Link, T1170:Mshta, T1071:Standard Application Layer Protocol, T1082:System Information Discovery, T1060:Registry Run Keys / Startup Folder, T1047:Windows Management Instrumentation, T1001:Data Obfuscation, T1107:File Deletion, T1057:Process Discovery, T1016:System Network Configuration Discovery",,leery turtle,,,,,FALSE,Spear Phishing,"Mshta (T1170), VBS (VBScript)","Corporations and Businesses, Financial Institutions",,, 2020-05-07,Naikon APT_ Cyber Espionage Reloaded - Check Point Research,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.05.07_Naikon_APT_Reloaded/Naikon%20APT_%20Cyber%20Espionage%20Reloaded%20-%20Check%20Point%20Research.pdf,Check Point,,,,naikon,CN,"Espionage, Information theft and espionage",2005,"AU, BN, ID, MM, PH, TH, VN",FALSE,Malicious Documents,"RoyalRoad weaponizer, Aria-body backdoor, DLL hijacking technique, Maltego",Government and Defense Agencies,,, 
2020-05-07,Blue Mockingbird activity mines Monero cryptocurrency,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.05.07_Blue_Mockingbird/Blue%20Mockingbird%20activity%20mines%20Monero%20cryptocurrency.pdf,Red Canary,,"T1559:N/A, T1068:Exploitation for Privilege Escalation, T1218:Signed Binary Proxy Execution, T1090:Connection Proxy, T1569:N/A, T1543:N/A, T1059:Command-Line Interface, T1496:Resource Hijacking, T1190:Exploit Public-Facing Application, T1021:Remote Services, T1053:Scheduled Task, T1003:Credential Dumping, T1036:Masquerading",,blue mockingbird,,,,,FALSE,Exploit Vulnerability,"XMRIG, Telerik UI for ASP.NET AJAX",Corporations and Businesses,2019-12-19,2020-04-29,132.0 2020-05-11,zscaler.com-Attack on Indian Government Financial Institutions,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.05.11.JsOutProx_RAT_Targeted_Attacks/zscaler.com-Attack%20on%20Indian%20Government%20Financial%20Institutions.pdf,Zscaler,,"T1529:N/A, T1065:Uncommonly Used Port, T1045:Software Packing, T1170:Mshta, T1060:Registry Run Keys / Startup Folder, T1047:Windows Management Instrumentation, T1027:Obfuscated Files or Information, T1083:File and Directory Discovery, T1113:Screen Capture",,,,,,IN,,"Spear Phishing, Malicious Documents","JsOutProx RAT, HTA file, Java-based RAT","Government and Defense Agencies, Financial Institutions",2019-12-15,2020-04-15,122.0 2020-05-13,Ramsay_ A cyber-espionage toolkit tailored for air-gapped networks _ WeLiveSecurity,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.05.13.Ramsay/Ramsay_%20A%20cyber%E2%80%91espionage%20toolkit%20tailored%20for%20air%E2%80%91gapped%20networks%20_%20WeLiveSecurity.pdf,ESET,"CVE-2017-0199, CVE-2017-1188, CVE-2017-11882, CVE-2017-8759, CVE-2018-0802, CVE-2018-8174","T1045:Software Packing, T1025:Data from Removable Media, T1204:User Execution, T1203:Exploitation for Client Execution, 
T1002:Data Compressed, T1088:Bypass User Account Control, T1129:Execution through Module Load, T1106:Execution through API, T1210:Exploitation of Remote Services, T1038:DLL Search Order Hijacking, T1119:Automated Collection, T1055:Process Injection, T1107:File Deletion, T1083:File and Directory Discovery, T1053:Scheduled Task, T1005:Data from Local System, T1103:AppInit DLLs, T1035:Service Execution, T1091:Replication Through Removable Media, T1094:Custom Command and Control Protocol, T1092:Communication Through Removable Media, T1105:Remote File Copy, T1050:New Service, T1039:Data from Network Shared Drive, T1057:Process Discovery, T1113:Screen Capture",,darkhotel,KR,"Espionage, Information theft and espionage",2007,"CN, JP",FALSE,"Malicious Documents, Exploit Vulnerability, Removable Media","Retro backdoor, Ramsay",Government and Defense Agencies,,, 2020-05-14,dl-20200511-lolsnif-appendix-b-en,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.05.14.LOLSnif/dl-20200511-lolsnif-appendix-b-en.pdf,Microsoft,,,,,,,,,,,,,,, 2020-05-14,Cybersecurity_ Tool leaks are very interesting occurrences in cyber security. 
_ Deutsche Telekom,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.05.14.LOLSnif/Cybersecurity_%20Tool%20leaks%20are%20very%20interesting%20occurrences%20in%20cyber%20security.%20_%20Deutsche%20Telekom.pdf,Deutsche Telekom,CVE-2017-0144,,,ta505,RU,,,,FALSE,Phishing,"Cobalt Strike, TeamViewer, Ursnif Trojan",,2019-10-31,2020-04-07,159.0 2020-05-14,APT Group Planted Backdoors Targeting High Profile Networks in Central Asia - Avast Threat Labs,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.05.14.Central_Asia_APT/APT%20Group%20Planted%20Backdoors%20Targeting%20High%20Profile%20Networks%20in%20Central%20Asia%20-%20Avast%20Threat%20Labs.pdf,Avast,,,,,,,,"BY, KG, KZ, MN, RU, TJ, TM, UZ",,,"Mimikatz, Gh0st RAT, VMProtect, Management Instrumentation, RTF Weaponizer","Government and Defense Agencies, Corporations and Businesses, Energy and Utilities",,, 2020-05-14,dl-20200511-lolsnif-appendix-a-en,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.05.14.LOLSnif/dl-20200511-lolsnif-appendix-a-en.pdf,Microsoft,,,,,,,,,,,"Obfuscated Javascript, Packed LOLSnif, LOLSnif",,,, 2020-05-14,Vendetta-new-threat-actor-from-Europe,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.05.14.Vendetta_APT/Vendetta-new-threat-actor-from-Europe.pdf,360,,,,vendetta,TR,,,,,"Spear Phishing, Social Engineering, Malicious Documents","RoboSki, NanoCore, Remcos","Corporations and Businesses, Non-Governmental Organizations (NGOs) and Nonprofits",,, 2020-05-14,COMpfun authors spoof visa application with HTTP status-based Trojan _ Securelist,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.05.14.COMpfun/COMpfun%20authors%20spoof%20visa%20application%20with%20HTTP%20status-based%20Trojan%20_%20Securelist.pdf,Kaspersky,,,,turla,RU,"Espionage, Information theft and espionage",1996,,FALSE,Spear 
Phishing,COMPFun,Government and Defense Agencies,,, 2020-05-14,RATicate_ an attacker's waves of information-stealing malware - Sophos News,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.05.14.RATicate/RATicate_%20an%20attacker%E2%80%99s%20waves%20of%20information-stealing%20malware%20%E2%80%93%20Sophos%20News.pdf,Sophos,,,,raticate,,,,"CH, GB, JP, KR, KW, RO",,Spear Phishing,"Betabot, Formbook, Lokibot, Netwire, AgentTesla, Nullsoft Scriptable Install System (NSIS)","Critical Infrastructure, Manufacturing",2019-11-15,2020-01-15,61.0 2020-05-14,The energy reserves in the Eastern Mediterranean Sea and a malicious campaign of APT10 against Turkey,,https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/,Lab52,,,,apt10,CN,Espionage,,TR,FALSE,Exploit Vulnerability,"China Chopper, JspSpy, hTran, QuarksPWdump, Mimikatz, PlugX, CobaltStrike, QuasarRAT, Cobalt Strike (mentioned twice with slight variation)","Government and Defense Agencies, Energy and Utilities, Healthcare, Non-Governmental Organizations (NGOs) and Nonprofits",,, 2020-05-18,APT-C-23.cn,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.05.18_APT-C-23/APT-C-23.cn.pdf,360,,,,apt-c-23,PS,,,,,Phishing,"MygramIM application, Firebase Cloud Messaging (FCM)","Government and Defense Agencies, Education and Research Institutions",,, 2020-05-19,Sophisticated Espionage Group Turns Attention to Telecom Providers in South Asia _ Symantec Blogs,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.05.19.Greenbug_South_Asia/Sophisticated%20Espionage%20Group%20Turns%20Attention%20to%20Telecom%20Providers%20in%20South%20Asia%20_%20Symantec%20Blogs.pdf,Symantec,,,,greenbug,IR,"Espionage, Information theft and espionage",2016,,FALSE,"Malicious Documents, Spear Phishing","Covenant, Mimikatz, Cobalt Strike, Plink, Bitvise command line 
tunneling client, webshells","Government and Defense Agencies, Corporations and Businesses, Education and Research Institutions",2019-04-15,2020-04-15,366.0 2020-05-20,Latest Version of Amadey Introduces Screen Capturing and Pushes the Remcos RAT,,https://www.zscaler.com/blogs/security-research/latest-version-amadey-introduces-screen-capturing-and-pushes-remcos-rat,Zscaler,,,,,,,,CA,,,"Remcos RAT, Amadey, DoublePulsar backdoor, EternalBlue exploit, RIG Exploit Kit (RIG EK)",,,, 2020-05-21,Blox Tales #6 Subpoena-Themed Phishing With CAPTCHA Redirect,,https://www.armorblox.com/blog/blox-tales-6-subpoena-themed-phishing-with-captcha-redirect/,Armorblox,,,,,,,,,,,,,,, 2020-05-21,Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia,,https://bitdefender.com/files/News/CaseStudies/study/332/Bitdefender-Whitepaper-Chafer-creat4491-en-EN-interactive.pdf,Bitdefender,,"T1136:Create Account, T1045:Software Packing, T1090:Connection Proxy, T1050:New Service, T1059:Command-Line Interface, T1053:Scheduled Task, T1003:Credential Dumping, T1036:Masquerading, T1016:System Network Configuration Discovery",,chafer,IR,Information theft and espionage,2014,"KW, SA",,Spear Phishing,"xnet.exe, shareo.exe, mnl.exe, mimi32.exe, CrackMapExec, psexec, step-1.exe, RDP protocol, rdpwinst.exe, wehsvc.exe (modified Plink), imjpuexa.exe, mfevtpse.exe, mini.exe, Navicat, Winscp, SmartFtpPasswordDecryptor, etblscanner.exe, snmp.exe, reverse_tcp (from Metasploit framework), PLINK","Government and Defense Agencies, Critical Infrastructure",,, 2020-05-21,No 'Game over' for the Winnti Group _ WeLiveSecurity,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.05.21.No_Game_Over_Winnti/No%20%E2%80%9CGame%20over%E2%80%9D%20for%20the%20Winnti%20Group%20_%20WeLiveSecurity.pdf,ESET,,"T1063:Security Software Discovery, T1095:Standard Non-Application Layer Protocol, T1116:Code Signing, T1043:Commonly Used Port, T1008:Fallback Channels, 
T1134:Access Token Manipulation, T1112:Modify Registry, T1032:Standard Cryptographic Protocol, T1055:Process Injection, T1027:Obfuscated Files or Information, T1088:Bypass User Account Control, T1013:Port Monitors, T1057:Process Discovery, T1502:N/A, T1113:Screen Capture",,apt41,CN,"Financial crime, Information theft and espionage",2010,"KR, TW",FALSE,,"Win64/PipeMon.A, Win64/PipeMon.B, Win64/PipeMon.C, Win64/PipeMon.D, Win64/PipeMon.E, ShadowPad, Winnti malware",Media and Entertainment Companies,,, 2020-05-21,The Evolution of APT15's Codebase 2020,,https://www.intezer.com/blog/research/the-evolution-of-apt15s-codebase-2020/,Intezer,,,,apt15,CN,"Espionage, Information theft and espionage",2010,,,,"Ketrum, Ketrican, Okrum, TidePool, Mirage, BS2005.",Government and Defense Agencies,,, 2020-05-22,ThreatConnect Research Roundup Possible APT33 Infrastructure,,https://threatconnect.com/blog/threatconnect-research-roundup-possible-apt33-infrastructure/,ThreatConnect,,,,,,,,,,,,,,, 2020-05-25,mpressioncss_ta_report_2019_4,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/Report/2019.H2_macnica_TeamT5/mpressioncss_ta_report_2019_4.pdf,Team T5,"CVE-2019-18187, CVE-2019-9489","T1035:Service Execution, T1009:Binary Padding, T1085:Rundll32, T1073:DLL Side-Loading, T1060:Registry Run Keys / Startup Folder, T1050:New Service, T1043:Commonly Used Port, T1048:Exfiltration Over Alternative Protocol, T1089:Disabling Security Tools",,blacktech,CN,Information theft and espionage,2010,,,Spear Phishing,,,,, 2020-05-26,ESET_Turla_ComRAT,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.05.26_From_Agent.BTZ_to_ComRAT/ESET_Turla_ComRAT.pdf,ESET,,"T1033:System Owner/User Discovery, T1082:System Information Discovery, T1022:Data Encrypted, T1002:Data Compressed, T1027:Obfuscated Files or Information, T1048:Exfiltration Over Alternative Protocol, T1016:System Network Configuration Discovery, T1102:Web Service, 
T1024:Custom Cryptographic Protocol, T1086:PowerShell, T1213:Data from Information Repositories, T1112:Modify Registry, T1087:Account Discovery, T1071:Standard Application Layer Protocol, T1069:Permission Groups Discovery, T1120:Peripheral Device Discovery, T1055:Process Injection, T1083:File and Directory Discovery, T1053:Scheduled Task, T1135:Network Share Discovery, T1043:Commonly Used Port",,turla,RU,"Espionage, Information theft and espionage",1996,"KG, KZ, TJ, TM, UZ",,"Spear Phishing, Watering Hole, Exploit Vulnerability",", Metasploit, Carbon, Gazer, DarkNeuron, RPC Backdoor, Snake rootkit, Outlook backdoor, LightNeuron",Government and Defense Agencies,,, 2020-05-27,Alert Number MI-000148-MW APT Actors Exploiting Fortinet Vulnerabilities to Gain Access for Malicious Activity,,https://www.ic3.gov/Media/News/2021/210527.pdf,FBI,"CVE-2018-13379, CVE-2019-5591",,,,,,,,FALSE,Exploit Vulnerability,"Mimikatz, MinerGate, WinPEAS, SharpWMI, BitLocker, WinRAR, FileZilla",Government and Defense Agencies,,, 2020-05-28,The zero-day exploits of Operation WizardOpium _ Securelist,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.05.28_Operation_WizardOpium/The%20zero-day%20exploits%20of%20Operation%20WizardOpium%20_%20Securelist.pdf,Kaspersky,"CVE-2010-2744, CVE-2016-7255, CVE-2019-0859, CVE-2019-13720, CVE-2019-1458",,,,,,,,TRUE,"Watering Hole, Exploit Vulnerability",,,,, 2020-06-01,Cryptocurrency-Miners-XMRig-Based-CoinMiner-by-Blue-Mockingbird-Group,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.06.01.Blue_Mockingbird_Group/Cryptocurrency-Miners-XMRig-Based-CoinMiner-by-Blue-Mockingbird-Group.pdf,LIFARS,CVE-2019-18935,,,blue mockingbird,,,,,FALSE,Exploit Vulnerability,"CVE-2019-18935 Exploitation, Schtasks Backdoor, XMRig-based CoinMiner",,,, 2020-06-03,New LNK attack tied to Higaisa APT 
discovered,,https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/,Malwarebytes,,"T1012:Query Registry, T1140:Deobfuscate/Decode Files or Information, T1064:Scripting, T1204:User Execution, T1082:System Information Discovery, T1106:Execution through API, T1060:Registry Run Keys / Startup Folder, T1059:Command-Line Interface, T1053:Scheduled Task, T1016:System Network Configuration Discovery",,higaisa,KR,,,KP,FALSE,,"Officeupdate.exe, 34fDFkfSD38.js, certutil, expand.exe, IPCONFIG.EXE, WinRAR, Malwarebytes (Nebula business version)","Government and Defense Agencies, Non-Governmental Organizations (NGOs) and Nonprofits",,, 2020-06-03,Cycldek_ Bridging the (air) gap _ Securelist,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.06.03.Cycldek/Cycldek_%20Bridging%20the%20%28air%29%20gap%20_%20Securelist.pdf,Kaspersky,"CVE-2012-0158, CVE-2017-11882, CVE-2018-0802",,,cycldek,CN,Information theft and espionage,2013,"LA, TH, VN",FALSE,Malicious Documents,"Custom HDoor, NewCore RAT, Royal Road builder, BrowserHistoryView, ProcDump, Nbtscan, PsExec","Corporations and Businesses, Government and Defense Agencies",,, 2020-06-08,TA410_ The Group Behind LookBack Attacks Against U.S. Utilities Sector Returns with New Malware _ Proofpoint US,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.06.08.TA410/TA410_%20The%20Group%20Behind%20LookBack%20Attacks%20Against%20U.S.%20Utilities%20Sector%20Returns%20with%20New%20Malware%20_%20Proofpoint%20US.pdf,Proofpoint,,,,ta410,CN,Information theft and espionage,2019,US,FALSE,"Spear Phishing, Malicious Documents","FlowCloud malware, LookBack malware, Quasar RAT",Energy and Utilities,,, 2020-06-08,Schrodinger's Threat - MagBo Adapts Access Control Policies,,https://ke-la.com/schrodingers-threat-magbo-adapts-access-control-policies/,KELA,,,,,,,,,,,,,,, 2020-06-08,"GuLoader_ No, CloudEyE. 
- Check Point Research",,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.06.08.GuLoader_CloudEyE/GuLoader_%20No%2C%20CloudEyE.%20-%20Check%20Point%20Research.pdf,Check Point,,,,,,,,,FALSE,"Spear Phishing, Social Engineering, Website Equipping","GuLoader, CloudEyE, DarkEyE",Individuals,,, 2020-06-11,The Return of the Higaisa APT,,https://www.zscaler.com/blogs/research/return-higaisa-apt,Zscaler,,"T1095:Standard Non-Application Layer Protocol, T1064:Scripting, T1132:Data Encoding, T1033:System Owner/User Discovery, T1204:User Execution, T1082:System Information Discovery, T1090:Connection Proxy, T1022:Data Encrypted, T1032:Standard Cryptographic Protocol, T1059:Command-Line Interface, T1002:Data Compressed, T1027:Obfuscated Files or Information, T1016:System Network Configuration Discovery, T1020:Automated Exfiltration, T1043:Commonly Used Port, T1060:Registry Run Keys / Startup Folder, T1053:Scheduled Task, T1036:Masquerading, T1193:Spearphishing Attachment, T1140:Deobfuscate/Decode Files or Information, T1094:Custom Command and Control Protocol, T1041:Exfiltration Over Command and Control Channel, T1008:Fallback Channels","rule ZS_LNK_SID\n{\n strings:\n $a = ""S-1-5-21-1624688396-48173410-756317185-1001"" wide\n condition:\n $a\n}",higaisa,KR,,,CN,FALSE,Spear Phishing,"FakeTLS, LNK.Dropper.Higaisa, LECmd tool, YARA, Zscaler Cloud Sandbox",Education and Research Institutions,2020-03-15,2020-05-15,61.0 2020-06-11,Gamaredon group grows its game _ WeLiveSecurity,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.06.11.Gamaredon_group/Gamaredon%20group%20grows%20its%20game%20_%20WeLiveSecurity.pdf,ESET,,"T1064:Scripting, T1025:Data from Removable Media, T1204:User Execution, T1027:Obfuscated Files or Information, T1534:N/A, T1116:Code Signing, T1199:Trusted Relationship, T1085:Rundll32, T1106:Execution through API, T1137:Office Application Startup, T1020:Automated Exfiltration, 
T1500:Compile After Delivery, T1221:Template Injection, T1112:Modify Registry, T1071:Standard Application Layer Protocol, T1060:Registry Run Keys / Startup Folder, T1080:Taint Shared Content, T1119:Automated Collection, T1083:File and Directory Discovery, T1005:Data from Local System, T1053:Scheduled Task, T1193:Spearphishing Attachment, T1140:Deobfuscate/Decode Files or Information, T1039:Data from Network Shared Drive, T1113:Screen Capture",,gamaredon group,RU,Information theft and espionage,2013,JP,,"Spear Phishing, Social Engineering","MSIL/Pterodo.C, MSIL/Pterodo.CA, Win32/Pterodo.XC, MSIL/Pterodo.DP, Win32/Pterodo.YE",,,, 2020-06-14,Deep-dive The DarkHotel APT,,https://blog.bushidotoken.net/2020/06/deep-dive-darkhotel-apt.html,Bushido Token,"CVE-2017-11882, CVE-2018-8174, CVE-2018-8373, CVE-2019-1367, CVE-2019-13720, CVE-2019-1458, CVE-2019-17026, CVE-2020-0674",,,darkhotel,KR,"Espionage, Information theft and espionage",2007,"CN, JP, KP, KR, PL, RU",TRUE,"Spear Phishing, Watering Hole, Exploit Vulnerability, Malicious Documents","Asruex, Parastic Beast, Inexsmar, Retro backdoor, Gh0st RAT, Ramsay toolkit","Government and Defense Agencies, Corporations and Businesses, Financial Institutions, Manufacturing, Non-Governmental Organizations (NGOs) and Nonprofits",,, 2020-06-15,India_ Human Rights Defenders Targeted by a Coordinated Spyware Operation _ Amnesty International,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.06.15.india-human-rights-defenders-targeted/India_%20Human%20Rights%20Defenders%20Targeted%20by%20a%20Coordinated%20Spyware%20Operation%20_%20Amnesty%20International.pdf,Amnesty International,,,,nso group,IL,,,,,Spear Phishing,"NetWire, Firefox Send, VBS script, RAR archive, Task Scheduler, SFX archive, dllhost.exe, rundll32.exe","Non-Governmental Organizations (NGOs) and Nonprofits, Individuals",,, 2020-06-17,AcidBox_ Rare Malware Repurposing Turla Group Exploit Targeted Russian 
Organizations,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.06.17.AcidBox/AcidBox_%20Rare%20Malware%20Repurposing%20Turla%20Group%20Exploit%20Targeted%20Russian%20Organizations.pdf,Palo Alto,CVE-2008-3431,,,turla,RU,"Espionage, Information theft and espionage",1996,RU,TRUE,Exploit Vulnerability,AcidBox,,,, 2020-06-17,ESET_Operation_Interception,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.06.17.Operation_Interception/ESET_Operation_Interception.pdf,Novetta,,"T1078:Valid Accounts, T1204:User Execution, T1082:System Information Discovery, T1059:Command-Line Interface, T1194:Spearphishing via Service, T1002:Data Compressed, T1048:Exfiltration Over Alternative Protocol, T1018:Remote System Discovery, T1116:Code Signing, T1012:Query Registry, T1085:Rundll32, T1106:Execution through API, T1117:Regsvr32, T1537:N/A, T1086:PowerShell, T1220:XSL Script Processing, T1087:Account Discovery, T1071:Standard Application Layer Protocol, T1070:Indicator Removal on Host, T1053:Scheduled Task, T1005:Data from Local System, T1036:Masquerading, T1035:Service Execution, T1140:Deobfuscate/Decode Files or Information, T1114:Email Collection, T1110:Brute Force, T1047:Windows Management Instrumentation, T1050:New Service",,lazarus group,KP,"Information theft and espionage, Espionage, Sabotage and destruction, Sabotage, Financial crime",2014,,FALSE,Spear Phishing,"Custom downloader (Stage 1), Custom backdoor (Stage 2), Modified PowerShdll, Custom DLL loaders, Beacon DLL, dbxcli, Inception.dll",Government and Defense Agencies,2019-09-15,2019-12-15,91.0 2020-06-18,#ThreatThursday - APT33,,https://www.scythe.io/library/threatthursday-apt33,SCYTHE,,"T1078:Valid Accounts, T1132:Data Encoding, T1204:User Execution, T1068:Exploitation for Privilege Escalation, T1040:Network Sniffing, T1032:Standard Cryptographic Protocol, T1203:Exploitation for Client Execution, T1059:Command-Line Interface, T1002:Data 
Compressed, T1027:Obfuscated Files or Information, T1048:Exfiltration Over Alternative Protocol, T1086:PowerShell, T1480:Execution Guardrails, T1192:Spearphishing Link, T1071:Standard Application Layer Protocol, T1060:Registry Run Keys / Startup Folder, T1053:Scheduled Task, T1065:Uncommonly Used Port, T1110:Brute Force, T1043:Commonly Used Port, T1003:Credential Dumping",,apt33,IR,"Espionage, Sabotage and destruction, Information theft and espionage",2013,"KR, SA, US",FALSE,Spear Phishing,,"Government and Defense Agencies, Corporations and Businesses, Financial Institutions, Manufacturing, Education and Research Institutions, Critical Infrastructure",,, 2020-06-19,Targeted Attack Leverages India-China Border Dispute,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.06.19.India-China_Border_Dispute_APT/Targeted%20Attack%20Leverages%20India-China%20Border%20Dispute.pdf,Zscaler,,"T1193:Spearphishing Attachment, T1140:Deobfuscate/Decode Files or Information, T1008:Fallback Channels, T1204:User Execution, T1071:Standard Application Layer Protocol, T1027:Obfuscated Files or Information, T1043:Commonly Used Port, T1086:PowerShell, T1036:Masquerading",,oceanlotus,VN,"Espionage, Financial gain, Information theft and espionage",2012,,FALSE,"Spear Phishing, Malicious Documents","DKMC framework, Cobalt Strike, Automated macro obfuscation tool, .NET payload, Win32.Backdoor.CobaltStrike",,,, 2020-06-19,BitterAPT Revisited the Untold Evolution of an Android Espionage Tool,,https://www.bitdefender.com/files/News/CaseStudies/study/352/Bitdefender-PR-Whitepaper-BitterAPT-creat4571-en-EN-GenericUse.pdf,Bitdefender,,,,bitter,IN,Information theft and espionage,2013,"CN, PK",,Watering Hole,"ArtraDownloader, AndroRAT, BitterRAT",Corporations and Businesses,,, 2020-06-23,WastedLocker_ A New Ransomware Variant Developed By The Evil Corp Group - NCC Group 
Research,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.06.23.WastedLocker_Evil_Corp_Group/WastedLocker_%20A%20New%20Ransomware%20Variant%20Developed%20By%20The%20Evil%20Corp%20Group%20%E2%80%93%20NCC%20Group%20Research.pdf,NCC Group,,,,evil corp,,,,,,Drive-by Download,"Dridex botnet 501, CobaltStrike loader, Empire PowerShell framework, SocGholish JavaScript bot, WastedLocker","Corporations and Businesses, Financial Institutions, Cloud/IoT Services",,, 2020-06-24,BRONZE VINEWOOD Targets Supply Chains _ Secureworks,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.06.24.BRONZE_VINEWOOD/BRONZE%20VINEWOOD%20Targets%20Supply%20Chains%20_%20Secureworks.pdf,SecureWorks,CVE-2017-0005,,,bronze vinewood,CN,Information theft and espionage,2016,US,,Credential Reuse,"HanaRAT, Meterpreter, Trochilus, DropboxAES RAT, PowerShell-Github-Shell, Mimikatz, HanaLoader, Sysinternals tools, ProcDump, NetSess, LG.exe","Government and Defense Agencies, Corporations and Businesses",,, 2020-06-25,A close look at the advanced techniques used in a Malaysian-focused APT campaign,,https://www.elastic.co/blog/advanced-techniques-used-in-malaysian-focused-apt-campaign,Elastic,,"T1129:Execution through Module Load, T1221:Template Injection, T1193:Spearphishing Attachment, T1140:Deobfuscate/Decode Files or Information, T1073:DLL Side-Loading, T1060:Registry Run Keys / Startup Folder, T1059:Command-Line Interface, T1055:Process Injection, T1107:File Deletion","rule APT_APT40_Implant_June2020 {\n meta:\n version = ""1.0""\n author = ""Elastic Security""\n date_added = ""2020-06-19""\n description = ""APT40 second stage implant""\n strings:\n $a = ""/list_direction"" fullword wide\n $b = ""/post_document"" fullword wide\n $c = ""/postlogin"" fullword wide\n $d = ""Download Read Path Failed %s"" fullword ascii\n $e = ""Open Pipe Failed %s"" fullword ascii\n $f = ""Open Remote File %s Failed For: %s"" fullword ascii\n $g = ""Download Read Path Failed %s"" fullword ascii\n $h = ""\\\\cmd.exe"" fullword wide\n condition:\n all of them\n}",apt40,CN,"Espionage, Information theft and espionage",2013,MY,,"Spear Phishing, Malicious Documents","Bubar Parlimen.zip, Bubar Parlimen.docx, RemoteLoad.dotm, LogiMailApp.exe, LogiMail.dll",,,, 2020-06-26,WastedLocker_ Symantec Identifies Wave of Attacks Against U.S. Organizations _ Symantec Blogs,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.06.26_WastedLocker_Attack/WastedLocker_%20Symantec%20Identifies%20Wave%20of%20Attacks%20Against%20U.S.%20Organizations%20_%20Symantec%20Blogs.pdf,Symantec,,,,evil corp,,,,US,FALSE,Watering Hole,"SocGholish, Cobalt Strike, ProcDump, PsExec, PowerView, WastedLocker ransomware","Corporations and Businesses, Manufacturing, Media and Entertainment Companies",,, 2020-06-29,Talos Blog __ Cisco Talos Intelligence Group - Comprehensive Threat Intelligence_ PROMETHIUM extends global reach with StrongPity3 APT,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.06.29.PROMETHIUM_StrongPity3_APT/Talos%20Blog%20__%20Cisco%20Talos%20Intelligence%20Group%20-%20Comprehensive%20Threat%20Intelligence_%20PROMETHIUM%20extends%20global%20reach%20with%20StrongPity3%20APT.pdf,Cisco,,,,promethium,TR,Information theft and espionage,2012,,FALSE,,"FinSpy, StrongPity2",,,, 2020-06-30,"StrongPity APT - Revealing Trojanized Tools, Working Hours and 
Infrastructure",,https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf,Bitdefender,,,,strongpity,TR,Information theft and espionage,2012,"SY, TR",FALSE,Watering Hole,", 7-zip, WinRAR, McAfee Security Scan Plus, Recuva",Critical Infrastructure,,, 2020-06-30,GoldenSpy Chapter Two - The Uninstaller,,https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/goldenspy-chapter-two-the-uninstaller/,Trustwave,,,"rule Goldenspy_Uninstaller\n{\nmeta:\n author = ""SpiderLabs""\n malware_family = ""GoldenSpy""\n filetype = ""exe_dll""\n \nstrings:\n $str1 = ""taskkill /IM svm.exe /IM svmm.exe /F"" ascii //Kill the running process\n $str2 = ""\\\\svm.exe -stopProtect"" ascii //Stop the service\n $str3 = ""\\\\svmm.exe -u"" ascii //Uninstall the malware\n $str4 = ""\\\\VCProject\\\\dgs\\\\Release\\\\"" ascii //Project path\n $str5 = ""dGFza2tpbGwgL0lNIHN2bS5leGUgL0lNIHN2bW0uZXhlIC9GIA"" ascii\n $str6 = ""c3ZtLmV4ZSAtc3RvcFByb3RlY3Q"" ascii\n $str7 = ""XHN2bW0uZXhlIC11"" ascii\n $str8 = ""Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall\\\\svm"" ascii\n $str9 = ""U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cVW5pbnN0YWxsXHN2bQ"" ascii\ncondition: \n (uint16(0) == 0x5A4D) and 4 of ($str*) \n \n}",goldenspy,,,,,,,"GoldenSpy, svm.exe, svmm.exe, AWX.EXE",Government and Defense Agencies,2020-06-25,2020-06-29,4.0 2020-07-02,ASEC_REPORT_vol.99_ENG,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/Report/AhnLab/ASEC_REPORT_vol.99_ENG.pdf,AhnLab,CVE-2017-8291,,,,,,,,FALSE,"Malicious Documents, Exploit Vulnerability",,"Government and Defense Agencies, Corporations and Businesses, Financial Institutions",,, 2020-07-05,APT 41,,https://www.cfr.org/cyber-operations/apt-41,Council on Foreign Relations,,,,apt41,CN,"Financial crime, Information theft and espionage",2010,"FR, GB, HK, JP, SG, 
US",,,,"Healthcare, Corporations and Businesses",,, 2020-07-06,North Korean hackers are skimming US and European shoppers - Sansec,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.07.06_North_Korean_Magecart/North%20Korean%20hackers%20are%20skimming%20US%20and%20European%20shoppers%20%E2%80%93%20Sansec.pdf,Sansec,,,,lazarus group,KP,"Information theft and espionage, Espionage, Sabotage and destruction, Sabotage, Financial crime",2014,US,,"Spear Phishing, Malicious Documents","Remote access software, malicious Korean office documents",Corporations and Businesses,2019-05-15,2020-05-15,366.0 2020-07-08,"Copy cat of APT Sidewinder _. In tweeter this weekend,@Timele9527... _ by Sebdraven _ Medium",,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.07.08.Copy_Cat_of_Sidewinder/Copy%20cat%20of%20APT%20Sidewinder%20_.%20In%20tweeter%20this%20weekend%2C%40Timele9527%E2%80%A6%20_%20by%20Sebdraven%20_%20Medium.pdf,Google,,,,apt sidewinder,,,,"AF, PK",,"Spear Phishing, Malicious Documents, Watering Hole",Allakore_Remote,"Government and Defense Agencies, Education and Research Institutions",2019-07-09,, 2020-07-08,Operation 'Honey Trap'_ APT36 Targets Defense Organizations in India,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.07.08_Operation_Honey_Trap/Operation%20%E2%80%98Honey%20Trap%E2%80%99_%20APT36%20Targets%20Defense%20Organizations%20in%20India.pdf,Seqrite,,,,apt36,PK,Information theft and espionage,2013,IN,FALSE,"Spear Phishing, Social Engineering, Malicious Documents",Crimson RAT,Government and Defense Agencies,,, 2020-07-08,Operation 'Honey Trap' APT36 Targets Defense Organizations in India,,https://www.seqrite.com/blog/operation-honey-trap-apt36-targets-defense-organizations-in-india/,Seqrite,,,,apt36,PK,Information theft and espionage,2013,IN,FALSE,"Spear Phishing, Malicious Documents","Crimson RAT, MSIL based Crimson RAT","Government 
and Defense Agencies, Critical Infrastructure",,, 2020-07-09,acid-agari-cosmic-lynx,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.07.09_Cosmic_Lynx/acid-agari-cosmic-lynx.pdf,Agari,,,,cosmic lynx,,Business Email Compromise,,"AE, AR, AU, BE, BR, CA, CH, CL, CN, CZ, DE, DK, DO, ES, FR, GB, HK, ID, IE, IN, IT, JO, JP, KW, LK, MA, MN, MX, NA, NL, PA, PH, PL, PT, SA, SE, SG, SI, SV, TH, TR, TW, UA, US, VN, ZA",FALSE,"Spear Phishing, Social Engineering","Emotet, Trickbot",Corporations and Businesses,,, 2020-07-09,More evil_ A deep look at Evilnum and its toolset _ WeLiveSecurity,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.07.09_Evilnum_Toolset/More%20evil_%20A%20deep%20look%20at%20Evilnum%20and%20its%20toolset%20_%20WeLiveSecurity.pdf,ESET,,"T1056:Input Capture, T1064:Scripting, T1132:Data Encoding, T1204:User Execution, T1090:Connection Proxy, T1082:System Information Discovery, T1022:Data Encrypted, T1032:Standard Cryptographic Protocol, T1059:Command-Line Interface, T1027:Obfuscated Files or Information, T1088:Bypass User Account Control, T1048:Exfiltration Over Alternative Protocol, T1129:Execution through Module Load, T1116:Code Signing, T1012:Query Registry, T1219:Remote Access Tools, T1117:Regsvr32, T1038:DLL Search Order Hijacking, T1102:Web Service, T1086:PowerShell, T1063:Security Software Discovery, T1061:Graphical User Interface, T1220:XSL Script Processing, T1497:Virtualization/Sandbox Evasion, T1518:N/A, T1043:Commonly Used Port, T1192:Spearphishing Link, T1218:Signed Binary Proxy Execution, T1112:Modify Registry, T1071:Standard Application Layer Protocol, T1060:Registry Run Keys / Startup Folder, T1107:File Deletion, T1539:N/A, T1074:Data Staged, T1005:Data from Local System, T1036:Masquerading, T1191:CMSTP, T1140:Deobfuscate/Decode Files or Information, T1008:Fallback Channels, T1104:Multi-Stage Channels, T1114:Email Collection, T1105:Remote File Copy, 
T1041:Exfiltration Over Command and Control Channel, T1108:Redundant Access, T1047:Windows Management Instrumentation, T1503:N/A, T1143:Hidden Window, T1003:Credential Dumping, T1113:Screen Capture, T1179:Hooking",,evilnum,,Information theft and espionage,2018,"AU, CA, GB",FALSE,Spear Phishing,"Evilnum, ChromeCookiesView, TerraLoader, PythonProxy, junction, plink, stunnel, pysoxy, LaZagne, TeamViewer",Financial Institutions,,, 2020-07-09,IoCs,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.07.09_Evilnum_Toolset/IoCs.pdf,ESET,,,,,,,,,,,"Golden Chickens, TerraStealer, TerraTV, TerraPreter, More_eggs",Financial Institutions,,, 2020-07-14,Turla Venomous Bear updates its arsenal 'NewPass' appears on the APT threat scene,,https://www.telsy.com/turla-venomous-bear-updates-its-arsenal-newpass-appears-on-the-apt-threat-scene/,Telsy,,"T1132:Data Encoding, T1204:User Execution, T1041:Exfiltration Over Command and Control Channel, T1073:DLL Side-Loading, T1060:Registry Run Keys / Startup Folder, T1543:N/A, T1001:Data Obfuscation, T1053:Scheduled Task",,turla,RU,"Espionage, Information theft and espionage",1996,,,,,,,, 2020-07-14,Turla _ Venomous Bear updates its arsenal_ _NewPass_ appears on the APT threat scene - Telsy,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.07.14_Turla_VENOMOUS_BEAR/Turla%20_%20Venomous%20Bear%20updates%20its%20arsenal_%20_NewPass_%20appears%20on%20the%20APT%20threat%20scene%20-%20Telsy.pdf,Telsy,,"T1132:Data Encoding, T1204:User Execution, T1041:Exfiltration Over Command and Control Channel, T1073:DLL Side-Loading, T1060:Registry Run Keys / Startup Folder, T1543:N/A, T1001:Data Obfuscation, T1053:Scheduled Task",,turla,RU,"Espionage, Information theft and espionage",1996,,,,"NewPass, Adobe Reader, Windows Mixed Reality, JSON",Government and Defense Agencies,,, 2020-07-14,Welcome Chat as a secure messaging app_ Nothing could be further from the truth _ 
WeLiveSecurity,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.07.14_Molerats_Middle_East_APT/Welcome%20Chat%20as%20a%20secure%20messaging%20app_%20Nothing%20could%20be%20further%20from%20the%20truth%20_%20WeLiveSecurity.pdf,ESET,,"T1426:N/A, T1533:N/A, T1437:N/A, T1412:N/A, T1432:N/A, T1430:N/A, T1429:N/A, T1444:N/A, T1433:N/A, T1402:N/A",,molerats,PS,Information theft and espionage,2012,"AE, SA",,Website Equipping,Android/Spy.Agent.ALY,Individuals,,, 2020-07-15,2020-07-the-fake-cisco,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.07.15_the_Fake_CISCO/2020-07-the-fake-cisco.pdf,F-Secure,,,,,,,,,TRUE,Exploit Vulnerability,,"Corporations and Businesses, Critical Infrastructure, Manufacturing",,, 2020-07-16,New Research Exposes Iranian Threat Group (APT35ITG18) Operations,,https://securityintelligence.com/posts/new-research-exposes-iranian-threat-group-operations/,SecurityIntelligence,CVE-2023-20269,,,itg18,,,,"GR, US",,Phishing,"Gamma malware, Grandoreiro banking trojan, Akira ransomware","Government and Defense Agencies, Healthcare, Individuals",,, 2020-07-16,Advisory-APT29-targets-COVID-19-vaccine-development,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.07.16.apt29-targets-covid-19-vaccine-development/Advisory-APT29-targets-COVID-19-vaccine-development.pdf,NCSC,"CVE-2018-13379, CVE-2019-11510, CVE-2019-19781, CVE-2019-9670",,"rule sorefang_encryption_key_schedule { \n meta: \n description = ""Rule to detect SoreFang based on the key schedule used \nfor encryption"" \n author = ""NCSC"" \n hash = \n""58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2"" \n strings: \n $ = {C7 05 ?? ?? ?? ?? 63 51 E1 B7 B8 ?? ?? ?? ?? 8B 48 FC 81 E9 47 \n86 C8 61 89 08 83 C0 04 3D ?? ?? ?? ?? 
7E EB 33 D2 33 C9 B8 2C 00 00 00 \n89 55 D4 33 F6 89 4D D8 33 DB 3B F8 0F 4F C7 8D 04 40 89 45 D0 83 F8 01 \n7C 4F 0F 1F 80 00 00 00 00} \n condition: \n (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and any of \nthem \n}, rule wellmess_botlib_function_names { \n meta: \n description = ""Rule to detect WellMess Golang samples based on the \nfunction names used by the actor"" \n author = ""NCSC"" \n hash = \n""8749c1495af4fd73ccfc84b32f56f5e78549d81feefb0c1d1c3475a74345f6a8"" \n strings: \n $s1 = ""botlib.wellMess"" ascii wide \n $s2 = ""botlib.saveFile"" ascii wide \n $s3 = ""botlib.reply"" ascii wide \n $s4 = ""botlib.init"" ascii wide \n $s5 = ""botlib.generateRandomString"" ascii wide \n $s6 = ""botlib.encrypt"" ascii wide \n $s7 = ""botlib.deleteFile"" ascii wide \n $s8 = ""botlib.convertFromString"" ascii wide \n $s9 = ""botlib.chunksM"" ascii wide \n $s10 = ""botlib.Work"" ascii wide \n $s11 = ""botlib.UnpackB"" ascii wide \n $s12 = ""botlib.Unpack"" ascii wide \n $s13 = ""botlib.UDFile"" ascii wide \n $s14 = ""botlib.Split"" ascii wide \n $s15 = ""botlib.Service"" ascii wide \n $s16 = ""botlib.SendMessage"" ascii wide \n $s17 = ""botlib.Send.func1"" ascii wide \n $s18 = ""botlib.Send"" ascii wide \n $s19 = ""botlib.ReceiveMessage"" ascii wide \n $s20 = ""botlib.RandStringBytes"" ascii wide \n $s21 = ""botlib.RandInt"" ascii wide \n $s22 = ""botlib.Post"" ascii wide \n $s23 = ""botlib.Parse"" ascii wide \n $s24 = ""botlib.Pad"" ascii wide \n $s25 = ""botlib.Pack"" ascii wide \n $s26 = ""botlib.New"" ascii wide \n $s27 = ""botlib.KeySizeError.Error"" ascii wide \n $s28 = ""botlib.Key"" ascii wide \n $s29 = ""botlib.Join"" ascii wide \n $s30 = ""botlib.GetRandomBytes"" ascii wide \n $s31 = ""botlib.GenerateSymmKey"" ascii wide \n $s32 = ""botlib.FromNormalToBase64"" ascii wide \n $s33 = ""botlib.EncryptText"" ascii wide \n $s34 = ""botlib.Download"" ascii wide \n $s35 = ""botlib.Decipher"" ascii wide \n $s36 = ""botlib.Command"" ascii wide \n $s37 = 
""botlib.Cipher"" ascii wide \n $s38 = ""botlib.CalculateMD5Hash"" ascii wide \n $s39 = ""botlib.Base64ToNormal"" ascii wide \n $s40 = ""botlib.AES_Encrypt"" ascii wide \n $s41 = ""botlib.AES_Decrypt"" ascii wide \n $s42 = ""botlib.(*rc6cipher).Encrypt"" ascii wide \n $s43 = ""botlib.(*rc6cipher).Decrypt"" ascii wide \n $s44 = ""botlib.(*rc6cipher).BlockSize"" ascii wide \n $s45 = ""botlib.(*KeySizeError).Error"" ascii wide \n $s46 = ""botlib.DownloadDNS"" ascii wide \n $s47 = ""botlib.JoinDnsChunks"" ascii wide \n $s48 = ""botlib.SendDNS"" ascii wide \n $s49 = ""botlib.CreateDNSName"" ascii wide \n condition: \n ((uint16(0) == 0x5a4d and uint16(uint16(0x3c)) == 0x4550) or \nuint32(0) == 0x464c457f) and any of them \n}, rule sorefang_add_random_commas_spaces { \n meta: \n description = ""Rule to detect SoreFang based on function that adds \ncommas and spaces"" \n author = ""NCSC"" \n hash = \n""58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2"" \n strings: \n $ = {E8 ?? ?? ?? ?? B9 06 00 00 00 99 F7 F9 8B CE 83 FA 04 7E 09 6A \n02 68 ?? ?? ?? ?? EB 07 6A 01 68 ?? ?? ?? 
??} \n condition: \n (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and any of \nthem \n}, rule sorefang_remove_chars_comma_space_dot { \n meta: \n description = ""Rule to detect SoreFang based on function that removes \ncommas, spaces and dots"" \n author = ""NCSC"" \n hash = \n""58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2"" \n strings: \n $ = {8A 18 80 FB 2C 74 03 88 19 41 42 40 3B D6 75 F0 8B 5D 08} \n $ = {8A 18 80 FB 2E 74 03 88 19 41 42 40 3B D6 75 F0 8B 5D 08} \n $ = {8A 18 80 FB 20 74 03 88 19 41 42 40 3B D6 75 F0 8B 5D 08} \n condition: \n (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all \nof them \n}, rule sorefang_command_elem_cookie_ga_boundary_string { \n meta: \n description = ""Rule to detect SoreFang based on scheduled task \nelement and Cookie header/boundary strings"" \n author = ""NCSC"" \n hash = \n""58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2"" \n strings: \n $ = """" wide \n $ = ""Cookie:_ga="" \n $ = ""------974767299852498929531610575"" \n condition: \n (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and 2 of \nthem \n}, rule wellmess_certificate_base64_snippets { \n meta: \n description = ""Rule for detection of WellMess based on base64 \nsnippets of certificates used"" \n author = ""NCSC"" \n hash = \n""8749c1495af4fd73ccfc84b32f56f5e78549d81feefb0c1d1c3475a74345f6a8"" \n strings: \n $a1 = ""BgNVHQ4EBwQFAQIDBA"" \n $a2 = ""YDVR0OBAcEBQECAwQG"" \n $a3 = ""GA1UdDgQHBAUBAgMEB"" \n $b1 = ""BgNVBAYTBVR1bmlzMQswCQYDVQQKEwJJVD"" \n $b2 = ""YDVQQGEwVUdW5pczELMAkGA1UEChMCSVQx"" \n $b3 = ""GA1UEBhMFVHVuaXMxCzAJBgNVBAoTAklUM"" \n condition: \n ((uint16(0) == 0x5a4d and uint16(uint16(0x3c)) == 0x4550) or \nuint32(0) == 0x464c457f) and any of ($a*) and any of ($b*) \n}, rule wellmess_dotnet_unique_strings { \n meta: \n description = ""Rule to detect WellMess .NET samples based on unique \nstrings and function/variable names"" \n author = ""NCSC"" \n hash = 
\n""2285a264ffab59ab5a1eb4e2b9bcab9baf26750b6c551ee3094af56a4442ac41"" \n strings: \n $s1 = ""MaxPostSize"" wide \n $s2 = ""HealthInterval"" wide \n $s3 = ""Hello from Proxy"" wide \n $s4 = ""Start bot:"" wide \n $s5 = ""Choise"" ascii wide \n $s7 = ""FromNormalToBase64"" ascii \n $s8 = ""FromBase64ToNormal"" ascii \n $s9 = ""ConvBytesToWords"" ascii \n $s10 = ""WellMess"" ascii \n $s11 = ""chunksM"" ascii \n condition: \n uint16(0) == 0x5a4d and uint16(uint16(0x3c)) == 0x4550 and 3 of them \n}, rule sorefang_encryption_round_function { \n meta: \n description = ""Rule to detect SoreFang based on the encryption round \nfunction"" \n author = ""NCSC"" \n hash = \n""58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2"" \n strings: \n $ = {8A E9 8A FB 8A 5D 0F 02 C9 88 45 0F FE C1 0F BE C5 88 6D F3 8D \n14 45 01 00 00 00 0F AF D0 0F BE C5 0F BE C9 0F AF C8 C1 FA 1B C0 E1 05 \n0A D1 8B 4D EC 0F BE C1 89 55 E4 8D 14 45 01 00 00 00 0F AF D0 8B C1} \n condition: \n (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and any of \nthem \n}, rule sorefang_custom_encode_decode { \n meta: \n description = ""Rule to detect SoreFang based on the custom \nencoding/decoding algorithm function"" \n author = ""NCSC"" \n hash = \n""58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2"" \n strings: \n $ = {55 8B EC 8B D1 53 56 8B 75 08 8B DE 80 42 62 FA 8A 4A 62 66 D3 \nEB 57 3A 5A 5C 74 0F} \n \n \n $ = {3A 5A 5D 74 0A 3A 5A 58 74 05 3A 5A 59 75 05 FE C1 88 4A 62 8A \n4A 62 B8 01 00 00 00} \n $ = {8A 46 62 84 C0 74 3E 3C 06 73 12 0F B6 C0 B9 06 00 00 00 2B C8 \nC6 46 62 06 66 D3 66 60 0F B7 4E 60} \n $ = {80 3C 38 0D 0F 84 93 01 00 00 C6 42 62 06 8B 56 14 83 FA 10 72 \n04 8B 06} \n $ = {0F BE 0C 38 8B 45 EC 0F B6 40 5B 3B C8 75 07 8B 55 EC B3 3E} \n $ = {0F BE 0C 38 8B 45 EC 0F B6 40 5E 3B C8 75 0B 8B 55 EC D0 EB C6 \n42 62 05} \n $ = {8B 55 EC 0F BE 04 38 0F B6 DB 0F B6 4A 5F 3B C1 B8 3F 00 00 00 \n0F 44 D8} \n $ = {8A 4A 62 66 8B 52 60 66 D3 E2 0F B6 
C3 66 0B D0 8B 45 EC 66 89 \n50 60 8A 45 F3 02 C1 88 45 F3 3C 08 72 2E 04 F8 8A C8 88 45 F3 66 D3 EA \n8B 4D 08 0F B6 C2 50} \n $ = {3A 5A 5C 74 0F 3A 5A 5D 74 0A 3A 5A 58 74 05 3A 5A 59 75 05 FE \nC1 88 4A 62} \n \n condition: \n (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and any of \nthem \n}, rule wellmail_unique_strings { \n \n meta: \n description = ""Rule for detection of WellMail based on unique strings \ncontained in the binary"" \n author = ""NCSC"" \n hash = \n""0c5ad1e8fe43583e279201cdb1046aea742bae59685e6da24e963a41df987494"" \n strings: \n $a = ""C:\\\\Server\\\\Mail\\\\App_Data\\\\Temp\\\\agent.sh\\\\src"" \n $b = ""C:/Server/Mail/App_Data/Temp/agent.sh/src/main.go"" \n $c = ""HgQdbx4qRNv"" \n $d = ""042a51567eea19d5aca71050b4535d33d2ed43ba"" \n $e = ""main.zipit"" \n $f = ""@^\\\\s+?\\\\s(?P.*?)\\\\s"" \n condition: \n uint32(0) == 0x464C457F and 3 of them \n}, rule sorefang_encryption_key_2b62 { \n meta: \n description = ""Rule to detect SoreFang based on hardcoded encryption \nkey"" \n author = ""NCSC"" \n hash = \n""58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2"" \n strings: \n $ = ""2b6233eb3e872ff78988f4a8f3f6a3ba"" \n condition: \n (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and any of \nthem \n}, rule sorefang_directory_enumeration_output_strings { \n meta: \n description = ""Rule to detect SoreFang based on formatted string \noutput for directory enumeration"" \n author = ""NCSC"" \n hash = \n""58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2"" \n \n \n strings: \n $ = ""----------All usres directory----------"" \n $ = ""----------Desktop directory----------"" \n $ = ""----------Documents directory----------"" \n condition: \n (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and any of \nthem \n}, rule sorefang_disk_enumeration_strings { \n meta: \n description = ""Rule to detect SoreFang based on disk enumeration \nstrings"" \n author = ""NCSC"" \n hash = 
\n""a4b790ddffb3d2e6691dcacae08fb0bfa1ae56b6c73d70688b097ffa831af064"" \nstrings: \n $ = ""\\x0D\\x0AFree on disk: "" \n $ = ""Total disk: "" \n $ = ""Error in GetDiskFreeSpaceEx\\x0D\\x0A"" \n $ = ""\\x0D\\x0AVolume label: "" \n $ = ""Serial number: "" \n $ = ""File system: "" \n $ = ""Error in GetVolumeInformation\\x0D\\x0A"" \n $ = ""I can not het information about this disk\\x0D\\x0A"" \n condition: \n (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of \nthem \n}, rule wellmess_regex_used_for_parsing_beacons { \n meta: \n description = ""Detects WellMess Golang and .NET samples based on the \nregex they used to parse commands and beacon information"" \n author = ""NCSC"" \n hash = \n""8749c1495af4fd73ccfc84b32f56f5e78549d81feefb0c1d1c3475a74345f6a8"" \n strings: \n $a = ""fileName:(?.*?)\\\\sargs:(?.*)\\\\snotwait:(?.*)"" \nascii wide \n $b = ""<;(?^;*?);>(?^<*?)<;^;*?;>"" ascii wide \n condition: \n ((uint16(0) == 0x5a4d and uint16(uint16(0x3c)) == 0x4550) or \nuint32(0) == 0x464c457f) and any of them \n}, rule wellmail_certificate_base64_snippets { \n meta: \n description = ""Rule for detection of WellMail based on base64 \nsnippets of certificates used"" \n author = ""NCSC"" \n hash = \n""0c5ad1e8fe43583e279201cdb1046aea742bae59685e6da24e963a41df987494"" \n strings: \n $a1 = ""BgNVHQ4EBwQFAQIDBA"" \n $a2 = ""YDVR0OBAcEBQECAwQG"" \n $a3 = ""GA1UdDgQHBAUBAgMEB"" \n $b1 = ""BgNVBAoTE0dNTyBHbG9iYWxTaWduLCBJbm"" \n $b2 = ""YDVQQKExNHTU8gR2xvYmFsU2lnbiwgSW5j"" \n $b3 = ""GA1UEChMTR01PIEdsb2JhbFNpZ24sIEluY"" \n condition: \n uint32(0) == 0x464C457F and any of ($a*) and any of ($b*) \n}, rule sorefang_modify_alphabet_custom_encode { \n meta: \n description = ""Rule to detect SoreFang based on arguments passed into \ncustom encoding algorithm function"" \n author = ""NCSC"" \n hash = \n""58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2"" \n strings: \n $ = {33 C0 8B CE 6A 36 6A 71 66 89 46 60 88 46 62 89 46 68 66 89 46 \n64} \n 
condition: \n (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and any of \nthem \n}",apt29,RU,"Espionage, Information theft and espionage",2008,"CA, GB, US",FALSE,Exploit Vulnerability,"WellMess, WellMail, SoreFang","Government and Defense Agencies, Healthcare, Energy and Utilities, Education and Research Institutions",,, 2020-07-17,CERTFR-2020-CTI-008,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.07.17.DRIDEX/CERTFR-2020-CTI-008.pdf,CrowdStrike,CVE-2017-0199,,,ta505,RU,,,"AT, AU, DE, FR, GB, IT, US",,"Watering Hole, Phishing","ZeusVM, KINS, Chthonic, NetSupport, Spelevo, IcedID, Dridex, Gozi ISFB, Vawtrak, GozNim, TrickBot, Gootkit, Emotet, GandCrab, Danabot","Financial Institutions, Education and Research Institutions, Energy and Utilities",,, 2020-07-22,MATA_ Multi-platform targeted malware framework _ Securelist,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.07.22_MATA_APT/MATA_%20Multi-platform%20targeted%20malware%20framework%20_%20Securelist.pdf,Kaspersky,CVE-2019-3396,,,lazarus group,KP,"Information theft and espionage, Espionage, Sabotage and destruction, Sabotage, Financial crime",2014,"DE, IN, JP, KR, PL, TR",,,"MATA malware framework, Manuscrypt",Corporations and Businesses,,, 2020-07-22,OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.07.22.OilRig_Middle_Eastern_Telecommunication/OilRig%20Targets%20Middle%20Eastern%20Telecommunications%20Organization%20and%20Adds%20Novel%20C2%20Channel%20with%20Steganography%20to%20Its%20Inventory.pdf,Palo Alto,,,,apt34,IR,Espionage,,,,"Website Equipping, Covert Channels","RDAT, Mimikatz, Bitvise client, PowerShell",Critical Infrastructure,,, 
2020-07-28,Group-IB_PATRIOT_EN,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.07.28.black-jack/Group-IB_PATRIOT_EN.pdf,Group-IB,,,,jolly roger’s patrons,,,,"BR, IN, TH",,,,"Media and Entertainment Companies, Individuals",,, 2020-07-28,cta-2020-0728,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.07.28.RedDelta_APT/cta-2020-0728.pdf,Recorded Future,,,,reddelta,,Information theft and espionage,2020,"AT, AU, CH, DE, ET, HK, ID, IN, IT, MM, PK, VA",FALSE,Malicious Documents,"Hex.dll, Adobeupdate.dat, RedDelta PlugX, Poison Ivy, Cobalt Strike, DotNetLoader40.exe","Government and Defense Agencies, Non-Governmental Organizations (NGOs) and Nonprofits, Critical Infrastructure",2020-05-12,2020-07-21,70.0 2020-07-29,mcafee.com-Operation North Star A Job Offer Thats Too Good to be True,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.07.29.Operation_North_Star/mcafee.com-Operation%20%EB%85%B8%EC%8A%A4%20%EC%8A%A4%ED%83%80%20North%20Star%20A%20Job%20Offer%20Thats%20Too%20Good%20to%20be%20True.pdf,McAfee,,,,lazarus group,KP,"Information theft and espionage, Espionage, Sabotage and destruction, Sabotage, Financial crime",2014,,FALSE,Malicious Documents,"EvilClippy, MITRE ATT&CK, SQLITE","Corporations and Businesses, Media and Entertainment Companies",,, 2020-08-03,MAR-10292089-1.v2 - Chinese Remote Access Trojan_ TAIDOOR _ CISA,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.08.03.TAIDOOR/MAR-10292089-1.v2%20%E2%80%93%20Chinese%20Remote%20Access%20Trojan_%20TAIDOOR%20_%20CISA.pdf,CISA,,,"rule CISA_10292089_01 : rat loader TAIDOOR\n{\n\xa0\xa0\xa0meta:\n\xa0\xa0\xa0 \xa0\xa0\xa0Author = ""CISA Code & Media Analysis""\n\xa0\xa0\xa0 \xa0\xa0\xa0Incident = ""10292089""\n\xa0\xa0\xa0 \xa0\xa0\xa0Date = ""2020-06-18"" \xa0\xa0\xa0\n\xa0\xa0\xa0 \xa0\xa0\xa0Last_Modified = ""20200616_1530""\n\xa0\xa0\xa0 
\xa0\xa0\xa0Actor = ""n/a""\n\xa0\xa0\xa0 \xa0\xa0\xa0Category = ""Trojan Loader Rat""\n\xa0\xa0\xa0 \xa0\xa0\xa0Family = ""TAIDOOR""\n\xa0\xa0\xa0 \xa0\xa0\xa0Description = ""Detects Taidoor Rat Loader samples""\n\xa0\xa0\xa0 \xa0\xa0\xa0MD5_1 = ""8cf683b7d181591b91e145985f32664c""\n\xa0\xa0\xa0 \xa0\xa0\xa0SHA256_1 =\n""363ea096a3f6d06d56dc97ff1618607d462f366139df70c88310bbf77b9f9f90""\n\xa0\xa0\xa0 \xa0\xa0\xa0MD5_2 = ""6627918d989bd7d15ef0724362b67edd""\n\xa0\xa0\xa0 \xa0\xa0\xa0SHA256_2 =\n""0d0ccfe7cd476e2e2498b854cef2e6f959df817e52924b3a8bcdae7a8faaa686""\n\xa0\xa0\xa0strings:\n\xa0\xa0\xa0 \xa0\xa0\xa0$s0 = { 8A 46 01 88 86 00 01 00 00 8A 46 03 88 86 01 01 00 00 8A 46 05 88 86 02 01\n00 00 8A 46 07 88 86 03 01 00 00 }\n\xa0\xa0\xa0 \xa0\xa0\xa0$s1 = { 88 04 30 40 3D 00 01 00 00 7C F5 }\n\xa0\xa0\xa0 \xa0\xa0\xa0$s2 = { 0F BE 04 31 0F BE 4C 31 01 2B C3 2B CB C1 E0 04 0B C1 }\n\xa0\xa0\xa0 \xa0\xa0\xa0$s3 = { 8A 43 01 48 8B 6C 24 60 88 83 00 01 00 00 8A 43 03 }\n\xa0\xa0\xa0 \xa0\xa0\xa0$s4 = { 88 83 01 01 00 00 8A 43 05 88 83 02 01 00 00 8A 43 07 88 83 03 01 00 00 }\n\xa0\xa0\xa0 \xa0\xa0\xa0$s5 = { 41 0F BE 14 7C 83 C2 80 41 0F BE 44 7C 01 83 C0 80 C1 E2 04 0B D0 }\n\xa0\xa0\xa0 \xa0\xa0\xa0$s6 = { 5A 05 B2 CB E7 45 9D C2 1D 60 F0 4C 04 01 43 85 3B F9 8B 7E }\n\xa0\xa0\xa0condition:\n\xa0\xa0\xa0 \xa0\xa0\xa0($s0 and $s1 and $s2) or ($s3 and $s4 and $s5) or ($s6)\n}",,,,,,,"Spear Phishing, Removable Media, Website Equipping","TAIDOOR, cmd.exe, ml.dll, MemoryLoad.pdb",Government and Defense Agencies,,, 2020-08-10,Gorgon APT targeting MSME sector in India,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.08.10.Gorgon_APT/Gorgon%20APT%20targeting%20MSME%20sector%20in%20India.pdf,Quick Heal,CVE-2017-11882,,,gorgon group,PK,Information theft and espionage,2017,IN,FALSE,"Spear Phishing, Malicious Documents","CVE-2017-11882, ServerCrypted.vbs, PowerShell, Agent Tesla, RegAsm.exe",Manufacturing,2020-04-15,2020-07-15,91.0 
2020-08-12,Internet Explorer and Windows zero-day exploits used in Operation PowerFall _ Securelist,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.08.12.Operation_PowerFall/Internet%20Explorer%20and%20Windows%20zero-day%20exploits%20used%20in%20Operation%20PowerFall%20_%20Securelist.pdf,Kaspersky,"CVE-2019-0676, CVE-2019-1429, CVE-2020-0674, CVE-2020-0986, CVE-2020-1380",,,darkhotel,KR,"Espionage, Information theft and espionage",2007,,TRUE,Exploit Vulnerability,,Corporations and Businesses,,, 2020-08-13,CactusPete APT group's updated Bisonal backdoor _ Securelist,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.08.13.CactusPete_APT/CactusPete%20APT%20group%E2%80%99s%20updated%20Bisonal%20backdoor%20_%20Securelist.pdf,FireEye,CVE-2018-8174,,,cactuspete,CN,Information theft and espionage,2009,"JP, TW, US",FALSE,"Spear Phishing, Malicious Documents",,"Government and Defense Agencies, Corporations and Businesses, Financial Institutions, Manufacturing, Education and Research Institutions",,, 2020-08-13,Dream-Job-Campaign,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.08.13.Operation_Dream_Job/Dream-Job-Campaign.pdf,ClearSky,CVE-2018-20250,"T1560:N/A, T1547:N/A, T1064:Scripting, T1204:User Execution, T1308:N/A, T1203:Exploitation for Client Execution, T1002:Data Compressed, T1027:Obfuscated Files or Information, T1219:Remote Access Tools, T1543:N/A, T1497:Virtualization/Sandbox Evasion, T1221:Template Injection, S0239:N/A, S0174:N/A, T1555:N/A, T1268:N/A, T1071:Standard Application Layer Protocol, T1055:Process Injection, T1566:N/A, T1574:N/A, T1341:N/A, T1564:N/A, T1041:Exfiltration Over Command and Control Channel, T1102:Web Service, TA0021:N/A",,lazarus group,KP,"Information theft and espionage, Espionage, Sabotage and destruction, Sabotage, Financial crime",2014,US,TRUE,"Spear Phishing, Social Engineering, Malicious Documents","DBLL 
Dropper, DRATzarus, Chrome password extractor","Financial Institutions, Corporations and Businesses",,, 2020-08-18,f-secureLABS-tlp-white-lazarus-threat-intel-report2,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.08.18.LAZARUS_GROUP/f-secureLABS-tlp-white-lazarus-threat-intel-report2.pdf,F-Secure,,"T1547:N/A, T1078:Valid Accounts, T1218:Signed Binary Proxy Execution, T1112:Modify Registry, T1071:Standard Application Layer Protocol, T1083:File and Directory Discovery, T1070:Indicator Removal on Host, T1543:N/A, T1059:Command-Line Interface, T1055:Process Injection, T1566:N/A, T1027:Obfuscated Files or Information, T1021:Remote Services, T1053:Scheduled Task, T1003:Credential Dumping, T1552:N/A","rule lazarus_lssvc_ntuser_unpacked \n{ \n meta: \n \nauthor=""f-secure"" \n \ndescription=""Detects unpacked variant of Lazarus Group implant"" \n \ndate=""2020-06-10"" \n \n strings: \n $str_curl = ""CLIENT libcurl"" ascii \n $str_mask = ""%s%s\\\\%s"" ascii wide fullword \n $str_exe_1 = ""explorer.exe"" ascii wide nocase \n $str_exe_2 = ""lsass.exe"" ascii wide nocase \n $str_misc_ext = "".cid"" ascii wide \n $str_misc_debug = ""SeDebugPrivilege"" ascii wide \n $str_misc_ntdll = ""NtProtectVirtualMemory"" ascii \n condition: \n $str_curl \n and $str_mask \n and 1 of ($str_exe*) \n and 2 of ($str_misc*) \n}, rule lazarus_network_backdoor_unpacked \n{ \n meta: \n \nauthor=""f-secure"" \n \ndescription=""Detects unpacked variant of Lazarus Group network backdoor"" \n \ndate=""2020-06-10"" \n \n strings: \n $str_netsh_1 = ""netsh firewall add portopening TCP %d"" ascii wide nocase \n $str_netsh_2 = ""netsh firewall delete portopening TCP %d"" ascii wide nocase \n $str_mask_1 = ""cmd.exe /c \\""%s >> %s 2>&1\\"""" ascii wide \n \n \n \nF-Secure.com | © F-Secure LABS \n \n23 \n $str_mask_2 = ""cmd.exe /c \\""%s 2>> %s\\"""" ascii wide \n $str_mask_3 = ""%s\\\\%s\\\\%s"" ascii wide \n $str_other_1 = ""perflog.dat"" ascii wide nocase 
\n $str_other_2 = ""perflog.evt"" ascii wide nocase \n $str_other_3 = ""cbstc.log"" ascii wide nocase \n $str_other_4 = ""LdrGetProcedureAddress"" ascii \n $str_other_5 = ""NtProtectVirtualMemory"" asci \n \n condition: \n int16(0) == 0x5a4d \n and filesize < 3000KB \n and 1 of ($str_netsh*) \n and 1 of ($str_mask*) \n and 1 of ($str_other*) \n}, rule lazarus_rc4_loop \n{ \n meta: \n \n \n \nF-Secure.com | © F-Secure LABS \n \n22 \n \nauthor=""f-secure "" \n \ndescription=""Detects RC4 loop in Lazarus Group implant"" \n \ndate=""2020-06-10"" \n strings: \n $str_rc4_loop = { 41 FE 8? 00 01 00 00 45 0F B6 ?? 00 01 00 00 48 FF C? 43 0F \nB6 0? ?? 41 00 8? 01 01 00 00 41 0F B6 ?? 01 01 00 00 } \n \n condition: \n \nint16(0) == 0x5a4d \n and filesize < 3000KB \n \nand $str_rc4_loop \n}",lazarus group,KP,"Information theft and espionage, Espionage, Sabotage and destruction, Sabotage, Financial crime",2014,"AR, CA, CN, DE, EE, GB, HK, JP, KR, NL, PH, RU, SG, US",FALSE,"Spear Phishing, Malicious Documents","Mimikatz, VMProtect, Themida","Corporations and Businesses, Financial Institutions",,, 2020-08-20,Kaspersky_Transparent-Tribe-Evolution-analysis-part1(08-20-2020),"Transparent Tribe: Evolution analysis, part 1",https://app.box.com/s/ujm0zncu4yslx1tvu6aes0qzm5nhvjyg,Kaspersky,,,,transparent tribe,PK,Information theft and espionage,2013,"AF, IN",,Malicious Documents,"Crimson RAT, Peppy RAT, USBWorm",Government and Defense Agencies,,, 2020-08-24,"Lifting the veil on DeathStalker, a mercenary triumvirate _ Securelist",,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.08.24_DeathStalker/Lifting%20the%20veil%20on%20DeathStalker%2C%20a%20mercenary%20triumvirate%20_%20Securelist.pdf,Kaspersky,,,,deathstalker,,Information theft and espionage,2018,"AE, AR, CH, CN, CY, GB, IL, IN, JO, LB, RU, TR, TW",,Spear Phishing,"DeathStalker, Evilnum, Powersing, Janicab, Loader Script",Financial Institutions,,, 
2020-08-26,Kasperskty_Transparent-Tribe-Evolution-analysis-part-2(08-26-2020),"Transparent Tribe: Evolution analysis, part 2",https://app.box.com/s/2cpsj31ackb2zx5mzayhds76mcndofxr,Kaspersky,,,,transparent tribe,PK,Information theft and espionage,2013,IN,FALSE,"Spear Phishing, Phishing, Social Engineering, Malicious Documents","Frame.exe, ObliqueRAT, Crimson RAT, Desi-porn.apk, AhMyth Android RAT",Government and Defense Agencies,,, 2020-09-01,Chinese APT TA413 Resumes Targeting of Tibet Following COVID-19 Themed Economic Espionage Campaign,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.09.01.Chinese_APT_TA413/Chinese%20APT%20TA413%20Resumes%20Targeting%20of%20Tibet%20Following%20COVID-19%20Themed%20Economic%20Espionage%20Campaign%20Delivering%20Sepulcher%20Malware%20Targeting%20Europe%20_%20Proofpoint%20US.pdf,Proofpoint,,,,ta413,,Information theft and espionage,2019,,FALSE,"Spear Phishing, Malicious Documents, Social Engineering","ShadowNet, Duojeen, PubSab (OS X), LuckyCat, ExileRAT, Sepulcher","Government and Defense Agencies, Financial Institutions, Education and Research Institutions",2020-03-16,2020-07-27,133.0 2020-09-03,Evilnum IOCs,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.09.03.Evilnum_Pyvil/Evilnum%20IOCs.pdf,Blog,,,,,,,,,,,,"Corporations and Businesses, Financial Institutions",,, 2020-09-03,No Rest for the Wicked_ Evilnum Unleashes PyVil RAT,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.09.03.Evilnum_Pyvil/No%20Rest%20for%20the%20Wicked_%20Evilnum%20Unleashes%20PyVil%20RAT.pdf,Cybereason,,,,evilnum,,Information theft and espionage,2018,GB,FALSE,"Spear Phishing, Malicious Documents",", LaZagne, PyVil RAT, JavaScript Trojan, Golden Chickens (malware-as-a-service), C# Trojans",Financial Institutions,,, 2020-09-07,swift_bae_report_Follow-The 
Money,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/Report/2020.09.07_Follow_the_Money/swift_bae_report_Follow-The%20Money.pdf,BAE Systems,,,,,,,,,,Spear Phishing,,Financial Institutions,2019-09-15,2020-02-02,140.0 2020-09-08,TeamTNT activity targets Weave Scope deployments - Microsoft Tech Community - 1645968,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.09.08.TeamTNT_Weave-Scope/TeamTNT%20activity%20targets%20Weave%20Scope%20deployments%20-%20Microsoft%20Tech%20Community%20-%201645968.pdf,Microsoft,,,,teamtnt,,,,,FALSE,Exploit Vulnerability,"Coin miner, UPX (packer), Weave Scope, Docker API servers, iplogger.org",Cloud/IoT Services,2020-05-15,2020-09-15,123.0 2020-09-11,2020.09.11_Talos_-_The_art_and_science_of_detecting_Cobalt_Strike,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.09.11_Talos_-_The_art_and_science_of_detecting_Cobalt_Strike/2020.09.11_Talos_-_The_art_and_science_of_detecting_Cobalt_Strike.pdf,Cisco,"CVE-2011-3544, CVE-2012-4681, CVE-2013-2460, CVE-2013-2465",,,,,,,,FALSE,"Website Equipping, Social Engineering, Exploit Vulnerability","Cobalt Strike, Snort, ClamAV",,,, 2020-09-11,Research Roundup Activity on Previously Identified APT33 Domains,,https://threatconnect.com/blog/research-roundup-activity-on-previously-identified-apt33-domains/,ThreatConnect,,,,apt33,IR,"Espionage, Sabotage and destruction, Information theft and espionage",2013,,,Phishing,RedDelta PlugX,"Corporations and Businesses, Media and Entertainment Companies",2020-07-15,2020-09-09,56.0 2020-09-16,Partners in crime_ North Koreans and elite Russian-speaking cybercriminals - Intel 471,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.09.16.Partners_in_crime/Partners%20in%20crime_%20North%20Koreans%20and%20elite%20Russian-speaking%20cybercriminals%20-%20Intel%20471.pdf,Intel 471,,,,ta505,RU,,,,,"Phishing, Social 
Engineering, Malicious Documents","TrickBot, PowerRatankba, ApplicationPDF.exe, Hermes, Ryuk, Emotet, PowerBrace, Jaff, Bart, Rocketloader, Dridex",Financial Institutions,,, 2020-09-16,"Seven International Cyber Defendants, Including 'Apt41' Actors, Charged In Connection With Computer Intrusion Campaigns Against More Than 100 Victims Globally",,https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer,Department of Justice,"CVE-2019-11510, CVE-2019-16278, CVE-2019-1653, CVE-2019-16920, CVE-2019-19781, CVE-2020-10189",,,apt41,CN,"Financial crime, Information theft and espionage",2010,"AU, BR, CL, GB, HK, ID, IN, JP, KR, MY, PK, SG, TH, TW, US, VN",,Exploit Vulnerability,"The specific vulnerabilities and exposures mentioned are CVE-2019-19781, CVE-2019-11510, CVE-2019-16920, CVE-2019-16278, CVE-2019-1652/CVE-2019-1653, and CVE-2020-10189. No specific malware, tool names, or software frameworks are mentioned outside of these CVEs.","Corporations and Businesses, Education and Research Institutions, Media and Entertainment Companies, Non-Governmental Organizations (NGOs) and Nonprofits, Government and Defense Agencies",,, 2020-09-17,"FBI FLASH ME-000134-MW Indicators of Compromise Associated with Rana Intelligence Computing, also known as APT39, Chafer, Cadelspy, Remexi, and ITG07",,https://www.ic3.gov/media/news/2020/200917-2.pdf,FBI,,,"rule Depot_dat_2 { \nmeta: \ndescription = ""rules for Bootmgr.dll"" \nstrings: \n$fname = ""mlp.dat"" wide ascii nocase \n$fname2 = ""bootui.dll"" wide ascii nocase \n$callnext1 = ""BootUI"" wide ascii \n$callnext2 = ""GetProcAddress"" wide ascii \n \ncondition: \nall of them \n}, rule Python_2 { \nstrings: \n$string1 = ""ma.exe.manifest"" \n \ncondition: \nall of them \n}, rule Python_1 { \nstrings: \n$string1 = ""ImageVeiwer"" \n$hex_string2 = { E2 80 AE } \n$string3 = ""ma.py"" \n$string4 = ""tipe exit to end it"" \n$string5 = ""BTW This is working only on windows"" \n 
\ncondition: \n3 of them \n}, rule BITS_1_0_4 { \nstrings: \n$a = ""HCK.cab"" wide ascii nocase \n$b = ""SExe.cab"" wide ascii nocase \n \ncondition: \n1 of them \n}, rule BITS_1_0_5 { \nstrings: \n$a = ""nyKTudhkoIfxohEisnZeVaRuY"" wide ascii nocase \n$b = ""readUploadFilesLineByLineAndUpload"" wide ascii \n$c = ""abe2869f-9b47-4cd9-a358-c22904dba7f7"" wide ascii \n$d = ""Software\\\\Microsoft\\\\Internet Explorer\\\\IntelliForms\\\\Storage2"" wide \nascii \n$e = ""D:\\\\Release\\\\KLSource\\\\thread_command.c"" wide ascii \n$f = ""YmaxUpFileSizeKByte:"" wide ascii \nTLP:WHITE \n \n \n \n \n \n \nTLP:WHITE \n$g = ""readUploadFilesLineByLineAndUpload=>"" wide ascii \n \ncondition: \n3 of them \n}, rule Firefox_1 { \nstrings: \n$string1 = ""Mozilla\\\\fort.vbs"" wide ascii nocase \n$string2 = ""Main Returned."" wide ascii nocase \n$string3 = ""\\\\Mozilla\\\\ReadMe.txt"" wide ascii nocase \n$string4 = ""Mozillafox"" wide ascii nocase \n$string5 = ""MozillaSciencedent.vbs"" wide ascii nocase \n$string6 = ""MozillaFirefox.exe"" wide ascii nocase \n$string7 = ""Hello World"" wide ascii nocase \n$a9 = ""C:\\\\Users\\\\RS01212M\\\\AppData\\\\Roaming\\\\generator\\\\proj1-\nFTPCenter\\\\FTPCenter\\\\Release\\\\Task.pdb"" wide ascii nocase \n \ncondition: \n4 of them \n}, rule Firefox_5 { \nstrings: \n$a1 = ""CrachReport.exe"" wide ascii nocase \n$a2 = ""u_ex"" wide ascii nocase \n$a3 = ""Hello World"" wide ascii nocase \n$a4 = "".gzn"" wide ascii nocase \n$a5 = ""--PICE--"" wide ascii nocase \n$a6 = ""--PICS--"" wide ascii nocase \n$a7 = ""\\\\MozillaFirefox\\\\Cache"" wide ascii nocase \n$a9 = ""Logging.dll"" wide ascii nocase \n$a10 = \n""C:\\\\Users\\\\RS01212M\\\\AppData\\\\Roaming\\\\generator\\\\Proj1\\\\autoGetKbd\\\\Release\\\\\nautoScreenShot.pdb"" wide ascii nocase \n \ncondition: \n4 of them \n}, rule Firefox_4 { \nstrings: \n$a1 = ""1.txt"" wide ascii nocase \n$a2 = ""2.txt"" wide ascii nocase \n$a3 = ""CrachReport.exe"" wide ascii nocase \n$a4 = 
""MuttiSSDERF23"" wide ascii nocase \n$a5 = ""\\\\MozillaFirefox\\\\SystemExtensionsDev\\\\"" wide ascii nocase \n$a6 = ""MozillaFirefox\\\\Config"" wide ascii nocase \n$a7 = ""\\\\MozillaFirefox\\\\SystemExtensionsDev\\\\u_ex"" wide ascii nocase \n$a8 = ""Logging.dll"" wide ascii nocase \n$a9 = \n""C:\\\\Users\\\\RS01212M\\\\AppData\\\\Roaming\\\\generator\\\\Proj1\\\\autoGetKbd\\\\Release\\\\\nLogging.pdb"" wide ascii nocase \n \nTLP:WHITE \n \n \n \n \n \n \nTLP:WHITE \ncondition: \n4 of them \n}, rule BITS_1_0_6 { \nstrings: \n$a = ""config.ini"" wide \n$b = ""YZipPass:"" wide \n$c = ""captureScreenQC:"" wide \n$d = ""captureActiveQC:"" wide \n$e = ""maxUpFileSizeKByte:"" wide \n$f = ""image/jpeg"" wide \n$g = ""S.zip"" wide \n$h = ""upped.txt"" wide \n \ncondition: \n3 of them \n}, rule BITS_1_0_3 { \nstrings: \n$a = ""expand.exe"" wide ascii nocase \n$b = ""EmptyProject.exe"" wide ascii nocase \n$c = ""events.exe"" wide ascii nocase \n$d = ""SExe.cab"" wide ascii nocase \n$e = ""HCK.cab"" wide ascii nocase \n \ncondition: \n3 of them \n}, rule Depot_dat_1 { \nmeta: \ndescription = ""rules for the dropper"" \nstrings: \n$format1 = ""MSCF"" wide ascii \n$format2 = ""2640"" wide ascii \n$format3 = ""2300"" wide ascii \n$fnames = ""depot.dat"" wide ascii nocase \nTLP:WHITE \n \n \n \n \n \n \nTLP:WHITE \n$fnames2 = ""tfd.log"" wide ascii nocase \n$cabinet = ""Cabinet.dll"" wide ascii nocase \n \ncondition: \nall of ($format*) and (1 of ($fnames*)) and $cabinet \n}, rule AutoIt_Malware_2 { \nstrings: \n$dns1 = ""join ((65..90) + (48..57) + (97..122)"" \n$dns2 = ""upload data host name:"" \n$dns3 = ""get control value and batch & normal file existence"" \n$dns4 = ""check if hostlen is Ok ?"" \n$dns5 = ""\\\\dn"" \n$dns6 = ""\\\\up"" \n$dns7 = ""\\\\te"" \n \ncondition: \n4 of them \n}, rule AutoIt_Malware_4 { \nstrings: \n$s1 = ""%dntxu.ps1%"" \n$s2 = ""\\\\dnr"" \n$s3 = ""Software\\\\Microsoft\\\\Windows\\\\CurrentVersion).UN"" \n$s4 = ""u_"" \n$s5 = ""upload 
folder content"" \n \ncondition: \nall of them / \n}, rule BITS_2_0_1 { \nstrings: \n$a = ""checkupdate.asp"" wide ascii \n$b = ""classour"" wide ascii \n$c = ""OKKK"" wide ascii \n$d = ""%s%s.zak"" wide ascii \n$e = "".rmrm.dat"" wide ascii \n$f = "".cmcm.dst"" wide ascii \n$g = ""--||))((++__::"" wide ascii \n \ncondition: \n4 of them \n}, rule BITS_1_0_8 { \nstrings: \n$a = ""/IM bitsadmin.exe /F"" \n$b = ""googleyou"" \n$c = ""/TRANSFER HelpCenterDownload /DOWNLOAD"" wide \n$d = ""downCommand"" wide \n$e = ""/PRIORITY normal"" wide \n$f = ""Cache00"" \n \ncondition: \n4 of them \n}, rule vbs_malware { \n \nstrings: \n$a = ""$powIndex=.* ==> .* reminded"" \n$b = ""then .* throw exception"" \n$c = ""then no require padding"" \n$d = ""must be extend to"" \n$e = ""need add padding to reminded"" \n$f = ""& SERVER & \\""&m=b\,\\\"""" \n$g = ""$sendData = \\""(rd|bd)_\\"".*-minimum 1 -maximum 10000.*"" \n$h = ""$sendData = \\""(rne|bne)_\\"".*Get-Random.*"" \n$i = ""$sendData = \\""(rne|bne|rd|bd)_\\"".*-minimum 1 -maximum 10001.*"" \ncondition: \n2 of them \n \n}, rule AutoIt_Malware_1 { \nstrings: \n$s1 = ""\\\\appdata\\\\local\\\\microsoft\\\\Taskbar"" \n$comm2 = ""&m=u"" \n$comm1 = ""&m=d"" \n$comm3 = ""&m=b"" \n$old1 = ""dnip.p"" \n$old2 = ""dntx.p"" \n$new1 = ""dntxu"" \n$new2 = ""dnipu"" \n$regs1 = ""HKEY_CURRENT_USER\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion"" \n$regs2 = ""UMe"" \n$regs3 = ""UN"" \n$regs4 = ""UT"" \n \ncondition: \nall of ($comm*) and all of ($regs*) and (all of ($old*) or ($new1 and $new2)) \nand $s1 \n}, rule BITS_1_0_2 { \nstrings: \n$a = ""Error in LOID Type"" wide ascii \n$b = ""LOID is no-space and no-empty String"" wide ascii \n$c = ""Register By LOID"" wide ascii \n$d = ""Please Input Your LOID"" wide ascii \n$e = ""Please Select a LOID:"" wide ascii \n \ncondition: \n3 of them \n}, rule Python_4 { \nstrings: \n$string1 = ""x86_64-posix-sjlj"" \n$string2 = ""tedtools"" \n$string3 = ""teddumper"" \n$string4 = 
""teddumper.exe.manifest"" \n \ncondition: \n3 of them \n \n \nTLP:WHITE \n \n \n \n \n \n \nTLP:WHITE \n \nAndroid Malware Overview/Analysis \n \nThe FBI identified Android malware used by Rana named optimizer.apk. This Android Package (APK) \nsupported several different functionalities that indicated it to be a malware implant for Android devices. \n \nMalware metadata \nFilename \nOptimizer.apk \nPackage Name \ncom.android.providers.optimizer \nand com.android.providers.optimizer-1 \nLast \nModification/ \nCompile Date: \n12/24/2018, 05:46 \n \nFile Type: \nAndroid Package Kit / Android Application Package (APK) \nFile Size: \n185.6 KB \nMD5: \n426351383DFE8F88A0959A9D5E8C43C7 \nSHA1: \n0C23F62BA98EBFA2C062C485E5704F193909E421 \nSHA256: \nA1481B251328B50D268B815DEBD614F539039E6E7012C90B66DAEE717712D524 \nEntropy: \n7.966 \nCertificate: \n \nSerial Number: 763faa62 \nValid from: Sun Dec 23 18:47:57 EST 2018 \nUntil: Mon Sep 25 19:47:57 EDT 2073 \nCertificate Fingerprints: \nMD5: 7C:B5:E0:3A:4F:A2:7F:E1:0E:9A:81:A2:66:66:1F:6C \nSHA1: \nC4:D9:9E:F0:CB:CF:CA:B4:0A:B9:BE:4F:5A:68:5A:DC:00:6E:8D:49 \nSHA256: \n53:1F:74:0C:51:9A:BD:1B:96:0F:E4:FF:E2:39:E3:DC:23:5C:99:41:D0: \nD1:21:12:65:57:B3:CD:85:43:B0:D0 \n \nThe APK implant was a variant of Android malware. The implant was coded to communicate with a C2 \nServer, saveingone.com (domain saveingone.com previously resolved to the Iranian IP address \n185.165.116.47). The APK implant had information stealing and remote access functionality which \ngained root access on an Android device without the user’s knowledge. The main capabilities include \nretrieving HTTP GET requests from the C2 server (typically updates or commands for the device), obtaining \ndevice data, compressing and AES-encrypting the collected data, and sending it via HTTP POST requests to \nthe malicious C2 server. The APK implant also had permissions to record audio and take photos, using the \nmicrophone and camera on the compromised device. 
\nThe Optimizer APK implant was decompressed and contained the following folders/files: lib, META-\nINF, res, AndroidManifest.xml, classes.dex, and resources.arsc. The \nTLP:WHITE \n \n \n \n \n \n \nTLP:WHITE \nAndroidManifest.xml file listed the SDK versions the Optimizer implant required: minimum 8, target \n22, and maximum 23. \nThe file classes.dex contained binary Dalvik bytecode, which was originally the Java source code \ncompiled to run inside a Dalvik Virtual Machine on an Android device. The file classes.dex was converted to \nSmali language for a more readable format, then converted to Java source code with the open-source tools \nDex2jar and Androguard. This file defined four packages, 185 classes, 570 methods, and referenced 1,068 \nmethods once converted to Java source code. \nThe APK implant collected detailed device data and sends the data in AES-encrypted zip files to the C2 as \nHTTP POST requests which is covered in the Dynamic Analysis section below. It was evident that the code \nwas configured to collect specific device information. The following code snippets display collected device \ndata, HTTP requests, and encryption method: \nThe package shares, class ai, and method a, or shares .ai.a, comprises code that makes up an HTTP \nPOST request that is used by the implant to send obtained device data to the malicious C2 server. The \npackage a, class m, method a, or a.m.a, contained a 96-byte string that appeared to be a base64-encoded \nkey. Upon further analysis, the Optimizer APK implant did not use the string ""JXsItS7…"" in a.m.a. The \na.aj.a and a.al.a methods contained encryption mechanisms using the AES/ECB/PKCS5 padding cipher \nto encrypt and decrypt data contained APK’s res folder files and collected device information. The a.a.a \nmethod contained mechanisms which used base64-decoding, UTF-8, and the AES cipher in a.aj.a. The \ncode also calls the configuration file cng.cn that is located in the APK’s res/raw folder. 
\n \nThe file libOptimizer.so contained within the APK file path \\Optimizer\\lib\\x86\\, contained the \nencryption key for the malware’s network communication in the form of a stack string which was manually \ncreated and stored in package a, class m, and method a (a.m.a). The variables of the key are defined in the \n.so file starting at functions doAll and as.StartService. The ""JXsITS7JIWI..."" string initially found in \nthe same a.m.a method during static analysis is a decoy and is not referenced during runtime. \n \nThe file libOptimizer.so also built the filename tmp.tmp, which was originally stored in the APK’s \nres/raw folder. Then the functions fopen and fclose were used to open the file tmp.tmp contents. The \ncontents of tmp.tmp appeared to be binary. Both of the files libOptimizer.so and tmp.tmp were identified \nas being loaded onto the device during dynamic analysis. The functionality of the loaded tmp.tmp contents \nwas not determined. \n \nDynamic analysis was conducted on the Optimizer APK implant, including running the implant on an \nemulated Android device and debugging/reverse-engineering. Analysis concluded that the implant’s main \nfunctionality was to retrieve updates or commands from the C2 saveingone.com through HTTP GET \nrequests and to collect device information, which was transmitted to the C2 in AES-encrypted zip files. \n \nUpon initial installation, the Optimizer APK implant did not generate an application (app) icon that was \nvisible on the android emulator’s Apps screen. The API Platforms 19, 22, and 26, were used to deploy the \nAPK implant onto the emulator device. The App settings for the APK implant did not provide an option to \nTLP:WHITE \n \n \n \n \n \n \nTLP:WHITE \nForce Stop or Uninstall the application. The APK implant did not start any services or processes upon \ninstallation, only after the device was rebooted did the APK start and maintain persistence in the infected \ndevice. 
\n \nWhen the emulator device was rebooted after installation, the Optimizer APK implant app initiated an \ninstance of itself on the device with three running processes: \n\uf0b7 Optimizer (com.android.providers.optimizer) \n\uf0b7 Android Core Apps (android.process.acore) \n\uf0b7 Calendar Storage (com.android.providers.calendar) \nand two running services: \n\uf0b7 Optimizer (Started by app) \n\uf0b7 Helper (Started by app) \n \nThe device administrative (admin) privileges settings contained an option to give the Optimizer implant the \nability to, Monitor screen-unlock attempts. \n \nThe following steps can be followed on an Android device to detect if the Optimizer implant application was \nrunning on a device: Settings -> Apps -> Running. The implant sent a Domain Name Service \n(DNS) request to resolve the C2 domain, saveingone.com. Then HTTP GET requests were formed to \nretrieve an unidentified type of data from the malicious C2. Finally, the implant used HTTP POST requests to \nsend AES-encrypted zipped data to the C2. The POST requests were coded into a loop and continuously \ncollected the device data. \n \nThe Optimizer APK implant created several folders on the device and saved the HTTP POST requests contents \nlocally. The folders and files can be found on the device image named userdata-qemu.img, at directory \npath: Root ->Data -> com.android.providers.optimizer -> files. The HTTP POSTS \nrequests were saved into the upsls folder in this instance. The resource files were also loaded on the \ndevice, and the libOptimizer.so file mentioned earlier was present on the device at directory path: \nRoot ->app-lib -> com.android.providers.optimizer-1. \n \nThe configured Optimizer APK implant code used decoys to thwart reverse-engineering of the implant such \nas the ""JXsITS7JIWItp…"" string stored statically in a.m.a. The decoy string only acts as a place holder to \nstore the new 96-byte base64 string ""aEpAayM4V..."" built in the libOptimizer.so file. 
Before the encryption \nmethod begins in a.a.a, the value it calls in a.m.a contains the 96-byte ""aEpAayM4V…"" string. That 96-\nbyte string is then base64-decoded to a 72-byte key ""hJ@k#8V%}H*&Yds2..."" and stored into the variable 1, \na.m.a,. Only the first 16-bytes of the generated 72-byte key is required AES-decrypt the configuration file \ncng.cn. The cng.cn file contains an additional 72-byte key within which is the ""e2&njk%Nsfn&*Ysd…"" \nused to AES-decrypt the compressed zip files sent via HTTP POST requests to the malicious C2 server. The key \nTLP:WHITE \n \n \n \n \n \n \nTLP:WHITE \nalso decrypts a file in the res/raw folder named odr.od, along with other files generated and saved onto \nthe Android device by the implant. \n \nAndroid Malware YARA Rules \n \nThe FBI developed the following YARA rules to detect the Android malware’s presence: \n \nrule APK_Optimizer_1 { \nmeta: \ndescription = ""Optimizer APK Malware"" \nhash1 = ""426351383DFE8F88A0959A9D5E8C43C7"" /* MD5 */ \nhash2 = ""0C23F62BA98EBFA2C062C485E5704F193909E421"" /* SHA1 */ \ncategory = ""Android Application Package Malware"" \n \nstrings: \n$x1 = \n""JXsITS7JIWItpoSkBrf8wz5JVOXgrSCJVoKmYlbSjpmmmIsU3y0zRlIwbWmZhGZ4n5mrN2O\npajXGiYqIypzVMWQkNUbYHpW1"" fullword wide ascii \n$x2 = ""Contatcts"" fullword wide ascii \n$x3 = ""cng.cn"" fullword wide ascii \n$x4 = ""odr.od"" fullword wide ascii \n$x5 = ""Content-Disposition: form-data; name=\\""InputFile\\"";filename=\\"""" \nfullword wide ascii \ncondition: \n3 of them /* any string in the rule */ \n}, rule Depot_dat_4 { \nmeta: \ndescription = ""rule for prng"" \nstrings: \n$s1 = {af 00 2c 15}/*""0x152c00af""*/ \n$s2 = {6d 4e c6 41} /*""0x41c64ed""*/ \n$s3 = {45 69 c9 24 0d 00 00} /* imul r9d, r9d, 0xd24 */ \n$s4 = {69 d2 da 2e 18 00} /* imul edx, edx, 0x182eda */ \n$s5 = {b5 81 4e 1b} /*""0x1b4e81b5""*/ \n \ncondition: \n3 of them \n}, rule BITS_2_0_2 { \nstrings: \n$a = ""ID:"" wide ascii \n$b = ""ECODE:"" wide ascii \n$c = ""RTIME:"" 
wide ascii \n$d = ""UNAME:"" wide ascii \n$e = ""MAC:"" wide ascii \n$f = ""RESP:"" wide ascii \n \ncondition: \nTLP:WHITE \n \n \n \n \n \n \nTLP:WHITE \nall of them \n}, rule Firefox_6 { \nstrings: \n$string = ""RS01212M"" wide ascii nocase \n \ncondition: \nall of them \n}, rule Depot_dat_3 { \nmeta: \ndescription = ""rules for bootui"" \nstrings: \n$format1 = "" 20KB and any of them\n}, rule costaricto_vm_dropper_pdb_path\n{\n meta:\n description = ""Rule to detect samples with CostaRicto PDB path""\n author = ""BlackBerry Threat Hunting and Intelligence Team""\n pdb_string = ""C:\\\\Wokrflow\\\\CostaRicto\\\\Release\\\\CostaBricks.pdb""\n strings:\n $a = ""CostaRicto"" ascii wide nocase\n $b = ""CostaBricks.pdb"" ascii wide nocase\n11/13/2020\nThe CostaRicto Campaign: Cyber-Espionage Outsourced\nhttps://blogs.blackberry.com/en/2020/11/the-costaricto-campaign-cyber-espionage-outsourced\n30/36\n $c1 = ""C:\\\\Wokrflow\\\\"" ascii wide nocase\n $c2 = ""Release"" ascii wide nocase\n $c3 = "".pdb"" ascii wide nocase \n condition:\n uint16(0) == 0x5a4d and filesize < 5MB and filesize > 20KB and ($a or $b or all of ($c*))\n}, rule costaricto_sombrat_unpacked\n{\n meta:\n description = ""Rule to detect unpacked SombRAT backdoor""\n author = ""BlackBerry Threat Hunting and Intelligence Team""\n strings:\n // class names\n $a1 = ""PEHeadersBackup""\n $a2 = ""PeLoaderDummy""\n $a3 = ""PeLoaderLocal""\n11/13/2020\nThe CostaRicto Campaign: Cyber-Espionage Outsourced\nhttps://blogs.blackberry.com/en/2020/11/the-costaricto-campaign-cyber-espionage-outsourced\n32/36\n $a4 = ""PeLoaderBaseClass""\n $a5 = ""PDTaskman""\n $a6 = ""PDMessageParamArray""\n $a7 = ""NetworkDriverLayerWebsockets""\n $a8 = ""NetworkDriverLayerDNSReader""\n $a9 = ""WaitForPluginIOCPFullyClosed""\n // substitution-encrypted strings\n $b1 = ""~ydcv{{rs{~|r"" // installedlike\n $b2 = ""~yg{vcqxez"" // winplatform\n $b3 = ""~yqxezvc~xyvttrgcrs"" // informationaccepted\n $b4 = ""xvsqexzdcxevpr"" // 
loadfromstorage\n $b5 = ""xvsqexzzrzxen"" // loadfrommemory\n $b7 = ""xgrydcxevpr"" // openstorage\n $b8 = ""g{bp~y{xvstxzg{rcr"" // pluginloadcomplete\n $b9 = ""g{bp~yby{xvs"" // pluginunload\n // AES-encrypted strings\n $c1 = {44 5B 7F 52 0C 13 52 1A 16 45 4C 75 65 72 60 53}\n // RSA public key\n $d1 = {EF C9 77 B9 A3 8E 48 92 77 C8 E1 E1 0C 46 35 2B}\n condition:\n uint16(0) == 0x5a4d and filesize < 5MB and filesize > 20KB and any of them\n}, rule costaricto_rich_header\n{\n meta:\n description = ""Rule to detect Rich header associated with CostaRicto campaign""\n author = ""BlackBerry Threat Hunting and Intelligence Team""\n condition:\n pe.rich_signature.toolid(0xf1, 40116) and\n pe.rich_signature.toolid(0xf3, 40116) and\n pe.rich_signature.toolid(0xf2, 40116) and\n pe.rich_signature.toolid(0x105, 26706) and\n pe.rich_signature.toolid(0x104, 26706) and\n pe.rich_signature.toolid(0x103, 26706) and\n pe.rich_signature.toolid(0x93, 30729) and\n pe.rich_signature.toolid(0x109, 27023) and \n pe.rich_signature.toolid(0xff, 27023) and\n11/13/2020\nThe CostaRicto Campaign: Cyber-Espionage Outsourced\nhttps://blogs.blackberry.com/en/2020/11/the-costaricto-campaign-cyber-espionage-outsourced\n31/36\n pe.rich_signature.toolid(0x97, 0) and\n pe.rich_signature.toolid(0x102, 27023)\n}, rule costaricto_rich_header_august\n{\n meta:\n description = ""Rule to detect Rich header associated with CostaRicto campaign""\n author = ""BlackBerry Threat Hunting and Intelligence Team""\n condition:\n pe.rich_signature.toolid(0xf1, 40116) and\n pe.rich_signature.toolid(0xf2, 40116) and\n pe.rich_signature.toolid(0xf3, 40116) and\n pe.rich_signature.toolid(0x102, 26428) and\n pe.rich_signature.toolid(0x103, 26131) and\n pe.rich_signature.toolid(0x104, 26131) and\n pe.rich_signature.toolid(0x105, 26131) and\n pe.rich_signature.toolid(0x103, 26433) and\n pe.rich_signature.toolid(0x104, 26433) and\n pe.rich_signature.toolid(0x109, 26428) and\n pe.rich_signature.toolid(0x93, 30729) and\n 
pe.rich_signature.toolid(0xff, 26428)\n}, rule costaricto_pcheck_proxy\n{\n meta:\n description = ""Rule to detect a custom proxy tool related to the CostaRicto campaign""\n author = ""BlackBerry Threat Hunting and Intelligence Team"" \n strings:\n $a = ""exe.exe host host_port proxy_host proxy_port""\n $b = ""Tool jobs done""\n condition:\n uint16(0) == 0x5a4d and filesize < 500KB and filesize > 10KB and ($a or $b)\n}, rule costaricto_sobmrat_pdb_path\n{\n meta:\n description = ""Rule to detect samples with SombRAT PDB path""\n author = ""BlackBerry Threat Hunting and Intelligence Team""\n pdb_string = ""C:\\\\Projects\\\\Sombra\\\\_Bin\\\\x64\\\\Release\\\\Sombra.pdb""\n pdb_string_2 = ""c:\\\\projects\\\\sombra\\\\libraries""\n strings:\n $a = ""\\\\Projects\\\\Sombra\\\\"" ascii wide nocase\n $b = ""Sombra.pdb"" ascii wide nocase\n condition:\n uint16(0) == 0x5a4d and filesize < 5MB and filesize > 20KB and ($a or $b)\n}, rule costaricto_rich_xor_key\n{\n meta:\n description = ""Rule to detect Rich header associated with CostaRicto campaign""\n author = ""BlackBerry Threat Hunting and Intelligence Team"" \n condition:\n // x86 droppers\n pe.rich_signature.key == 0x2e8d923f or\n pe.rich_signature.key == 0x97d94c45 or\n // x86 payload\n pe.rich_signature.key == 0xef257087 or\n pe.rich_signature.key == 0x4f257087 or\n pe.rich_signature.key == 0x1e816e7e or\n // x64 payload\n pe.rich_signature.key == 0xd1e5ae6c or\n pe.rich_signature.key == 0x5df9c60b\n}, rule costaricto_pscan_port_scanner\n{\n meta:\n description = ""Rule to detect a custom proxy tool related to the CostaRicto campaign""\n author = ""BlackBerry Threat Hunting and Intelligence Team"" \n strings:\n $a1 = ""Invalid arguments count (ver ""\n $a2 = ""Example: ./pscan""\n $a3 = ""127-130.0.0.1""\n $b1 = ""output.txt""\n $b2 = ""Invalid ip address range""\n condition:\n uint16(0) == 0x5a4d and filesize < 500KB and filesize > 10KB and any of ($a*) or all of ($b*)\n}, rule costaricto_backdoored_blink\n{ \n 
meta:\n description = ""Rule to detect backdoored Blink application""\n author = ""BlackBerry Threat Hunting and Intelligence Team""\n strings:\n $a1 = ""Failed to open target application process!""\n $a2 = ""Machine architecture mismatch between target application and this application!""\n $a3 = ""Failed to create new communication pipe!""\n $b = ""Plauger, licensed by Dinkumware, Ltd.""\n condition:\n uint16(0) == 0x5a4d and filesize < 5MB and filesize > 50KB and ($b and 1 of ($a*))\n}",costaricto,,,,"AT, AU, BD, BS, CN, CZ, FR, IN, MZ, NL, PT, SG, US",,Credential Reuse,"SombRAT, CostaBricks, PowerSploit, HTTP payload stagers, reverse-DNS payload stagers",Financial Institutions,,, 2020-11-12,"Hungry for data, ModPipe backdoor hits POS software used in hospitality sector _ WeLiveSecurity",,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.11.12.ModPipe_POS_Hospitality-Sector/Hungry%20for%20data%2C%20ModPipe%20backdoor%20hits%20POS%20software%20used%20in%20hospitality%20sector%20_%20WeLiveSecurity.pdf,ESET,,"T1012:Query Registry, T1547:N/A, T1134:Access Token Manipulation, T1033:System Owner/User Discovery, T1573:N/A, T1071:Standard Application Layer Protocol, T1041:Exfiltration Over Command and Control Channel, T1205:Port Knocking, T1543:N/A, T1059:Command-Line Interface, T1055:Process Injection, T1029:Scheduled Transfer, T1057:Process Discovery, T1552:N/A",,,,,,US,,,"ModPipe, PrintSpoofer, RES 3700 POS, Windows Data Protection API (DPAPI)",Corporations and Businesses,,, 2020-11-16,TA505_ A Brief History Of Their Time - Fox-IT International blog,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.11.16.TA505_History/TA505_%20A%20Brief%20History%20Of%20Their%20Time%20%E2%80%93%20Fox-IT%20International%20blog.pdf,Fox-IT,,,,ta505,RU,,,,,"Phishing, Malicious Documents","Get2/GetandGo, SDBbot, Clop ransomware",Corporations and Businesses,2019-10-14,2020-01-13,91.0 2020-11-17,Iranian APT 
Utilizing Commercial VPN Services,,https://spur.us/iranian-apt-utilizing-commercial-vpn-services/,SPUR,,,,,,,,,,Exploit Vulnerability,,Government and Defense Agencies,,, 2020-11-17,chaes-malware-iocs,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.11.17.CHAES/chaes-malware-iocs.pdf,Cybereason,,,,,,,,,,,Chaes Malware,"Corporations and Businesses, Individuals",,, 2020-11-17,11-2020-Chaes-e-commerce-malware-research,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.11.17.CHAES/11-2020-Chaes-e-commerce-malware-research.pdf,Cybereason,,,,,,,,BR,,"Spear Phishing, Malicious Documents",".MSI files, Delphi, LOLBins, Microsoft Word, Uninstall.dll, engine.bin",Corporations and Businesses,,, 2020-11-17,Japan-Linked Organizations Targeted in Long-Running and Sophisticated Attack Campaign _ Symantec Blogs,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.11.17.Cicada_Japan/Japan-Linked%20Organizations%20Targeted%20in%20Long-Running%20and%20Sophisticated%20Attack%20Campaign%20_%20Symantec%20Blogs.pdf,Symantec,CVE-2020-1472,,,apt10,CN,Espionage,,,FALSE,Exploit Vulnerability,", RAR archiving, Certutil, Adfind, Csvde, Ntdsutil, WMIExec, PowerShell, ConfuserEx v1.0.0","Corporations and Businesses, Government and Defense Agencies, Manufacturing",2019-10-15,2020-10-15,366.0 2020-11-18,2020.11.18_Zooming_into_Darknet_Threats_Targeting_Japanese_Organizations,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/Report/2020.11.18_Zooming_into_Darknet_Threats_Targeting_Japanese_Organizations/2020.11.18_Zooming_into_Darknet_Threats_Targeting_Japanese_Organizations.pdf,KELA,CVE-2019-11510,,,kelvinsecurityteam,,,,JP,FALSE,,,"Corporations and Businesses, Government and Defense Agencies, Manufacturing, Education and Research Institutions, Financial Institutions",,, 
2020-11-19,2020.11.19_-_Cybereason_vs_MedusaLocker_Ransomware,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.11.19.MedusaLocker_Ransomware/2020.11.19_-_Cybereason_vs_MedusaLocker_Ransomware.pdf,Cybereason,,,,,,,,,FALSE,,"MedusaLocker, Powershell, vssadmin.exe, CMSTP.exe",Healthcare,,, 2020-11-19,APT Exploits Microsoft Zerologon Bug Targets Japanese Companies,,https://threatpost.com/apt-exploits-zerologon-targets-japanese-companies/161383/,Threatpost,CVE-2020-1472,,,apt10,CN,Espionage,,"JP, US",TRUE,Exploit Vulnerability,"Zerologon, DLL side-loading, RAR archiving, WMIExec, Certutil, QuasarRAT, Backdoor.Hartip, CppHostCLR, .NET Loader, ConfuserEx v1.0.0, PowerShell",Corporations and Businesses,2019-10-15,2020-10-15,366.0 2020-11-23,[S2W LAB] Analysis of Clop Ransomware suspiciously related to the Recent Incident (English),,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.11.23.Clop_Campaign/%5BS2W%20LAB%5D%20Analysis%20of%20Clop%20Ransomware%20suspiciously%20related%20to%20the%20Recent%20Incident%20%28English%29.pdf,S2W LAB,,,,,,,,,,"Exploit Vulnerability, Credential Reuse, Spear Phishing, Malicious Documents",,,,, 2020-11-26,Bandook_ Signed & Delivered - Check Point Research,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.11.26.Bandook/Bandook_%20Signed%20%26%20Delivered%20-%20Check%20Point%20Research.pdf,Check Point,,,,,,,,"CH, CL, CY, DE, ID, IT, SG, TR, US",FALSE,Malicious Documents,"Bandook Trojan, Microsoft Word, PowerShell","Government and Defense Agencies, Financial Institutions, Energy and Utilities, Healthcare, Education and Research Institutions, Corporations and Businesses",,, 2020-11-27,Investigation with a twist_ an accidental APT attack and averted data 
destruction,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.11.27.Twist_APT27/Investigation%20with%20a%20twist_%20an%20accidental%20APT%20attack%20and%20averted%20data%20destruction.pdf,Positive Technologies,,"T1560:N/A, T1547:N/A, T1078:Valid Accounts, T1132:Data Encoding, T1068:Exploitation for Privilege Escalation, T1082:System Information Discovery, T1059:Command-Line Interface, T1021:Remote Services, T1570:N/A, T1573:N/A, T1199:Trusted Relationship, T1210:Exploitation of Remote Services, T1486:Data Encrypted for Impact, T1190:Exploit Public-Facing Application, T1020:Automated Exfiltration, T1087:Account Discovery, T1071:Standard Application Layer Protocol, T1070:Indicator Removal on Host, T1119:Automated Collection, T1574:N/A, T1053:Scheduled Task, T1005:Data from Local System, T1140:Deobfuscate/Decode Files or Information, T1049:System Network Connections Discovery, T1041:Exfiltration Over Command and Control Channel, T1047:Windows Management Instrumentation, T1039:Data from Network Shared Drive, T1003:Credential Dumping",,apt27,CN,"Espionage, Information theft and espionage",2010,,FALSE,"Exploit Vulnerability, Credential Reuse",SysUpdate backdoor,"Media and Entertainment Companies, Government and Defense Agencies",,, 2020-11-30,yoroi.company-Shadows From the Past Threaten Italian Enterprises,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.11.30.UNC1945/yoroi.company-Shadows%20From%20the%20Past%20Threaten%20Italian%20Enterprises.pdf,Yoroi,CVE-2020-14871,"T1404:N/A, T1218:Signed Binary Proxy Execution, TA0011:Command and Control, T1261:N/A, T1557:N/A, T1003:Credential Dumping",,unc1945,,,,IT,TRUE,Exploit Vulnerability,", QEMU, LaZagne, Mimikatz, Responder, sysinternal tools like “procdump”, linux utilities like “winexe”, “find”, “touch”, “grep”, “head”, “less”, “wget”, seabios (bios.bin), Tiny Linux (core), efi-e1000.rom, hda.mini.qcow2",Financial Institutions,,, 
2020-11-30,Threat actor leverages coin miner techniques to stay under the radar - here's how to spot them - Microsoft Security,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.11.30.BISMUTH_CoinMiner/Threat%20actor%20leverages%20coin%20miner%20techniques%20to%20stay%20under%20the%20radar%20%E2%80%93%20here%E2%80%99s%20how%20to%20spot%20them%20-%20Microsoft%20Security.pdf,Microsoft,,"T1053:Scheduled Task, T1041:Exfiltration Over Command and Control Channel",,bismuth,VN,"Espionage, Financial gain, Information theft and espionage",2012,"FR, VN",FALSE,"Spear Phishing, Social Engineering, Malicious Documents","Cobalt Strike beacon, McOds.exe (McAfee on-demand scanner), Sysinternals DebugView tool, Empire PowerDump command","Government and Defense Agencies, Corporations and Businesses, Financial Institutions, Education and Research Institutions, Non-Governmental Organizations (NGOs) and Nonprofits",,, 2020-12-02,Turla Crutch_ Keeping the 'back door' open _ WeLiveSecurity,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.12.02.Turla_Crutch/Turla%20Crutch_%20Keeping%20the%20%E2%80%9Cback%20door%E2%80%9D%20open%20_%20WeLiveSecurity.pdf,ESET,,"T1560:N/A, T1078:Valid Accounts, T1008:Fallback Channels, T1025:Data from Removable Media, T1074:Data Staged, T1071:Standard Application Layer Protocol, T1041:Exfiltration Over Command and Control Channel, T1102:Web Service, T1119:Automated Collection, T1120:Peripheral Device Discovery, T1567:N/A, T1574:N/A, T1020:Automated Exfiltration, T1053:Scheduled Task, T1036:Masquerading",,turla,RU,"Espionage, Information theft and espionage",1996,,FALSE,Credential Reuse,"Crutch, Gazer (also known as WhiteBear), Crutch v3, Crutch v4",Government and Defense Agencies,,, 2020-12-03,ATR_82599-1,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.12.03.Adversary_Tracking_Report/ATR_82599-1.pdf,Telsy,,"T1056:Input Capture, 
T1564:N/A, T1547:N/A, T1562:N/A, T1140:Deobfuscate/Decode Files or Information, T1132:Data Encoding, T1204:User Execution, T1041:Exfiltration Over Command and Control Channel, T1071:Standard Application Layer Protocol, T1566:N/A, T1125:Video Capture, T1113:Screen Capture",,ozie team,,,,IT,,"Phishing, Malicious Documents","AgentTesla, VBA (Visual Basic for Applications)","Corporations and Businesses, Energy and Utilities, Manufacturing, Individuals",2020-10-15,2020-12-01,47.0 2020-12-08,Norway says Russian hacking group APT28 is behind August 2020 Parliament hack,,https://www.zdnet.com/article/norway-says-russian-hacking-group-apt28-is-behind-august-2020-parliament-hack/,ZDNet,,,,apt28,RU,"Espionage, Information theft and espionage",2004,"DE, NO, US",,"Credential Reuse, Exploit Vulnerability",,"Government and Defense Agencies, Cloud/IoT Services",,, 2020-12-09,Russian APT Uses COVID-19 Lures to Deliver Zebrocy - Intezer,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.12.09.Sofacy_APT/Russian%20APT%20Uses%20COVID-19%20Lures%20to%20Deliver%20Zebrocy%20-%20Intezer.pdf,Intezer,,,,apt28,RU,"Espionage, Information theft and espionage",2004,"AF, AZ, BA, CH, CN, EG, GE, IR, JP, KG, KR, KZ, MN, RS, RU, SA, TJ, TM, TR, UA, UY, ZW",FALSE,"Spear Phishing, Malicious Documents","Gobfuscator, Zebrocy, MD5","Government and Defense Agencies, Corporations and Businesses",,, 2020-12-09,"SideWinder Uses South Asian Issues for Spear Phishing, Mobile Attacks",,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.12.09.SideWinder/SideWinder%20Uses%20South%20Asian%20Issues%20for%20Spear%20Phishing%2C%20Mobile%20Attacks.pdf,Trend Micro,"CVE-2017-11882, CVE-2019-2215",,,sidewinder,,Information theft and espionage,2012,"AF, NP",FALSE,"Spear Phishing, Malicious Documents","Binder exploit, LNK file, RTF file, JavaScript file, ZIP file, HTA file, PDF file, DOCX file, OLE object, Newtonsoft_Json 
library",Government and Defense Agencies,,, 2020-12-09,A Zebra in Gopher's Clothing Russian APT Uses COVID-19 Lures to Deliver Zebrocy,,https://www.intezer.com/blog/research/russian-apt-uses-covid-19-lures-to-deliver-zebrocy/,Intezer,,,,apt28,RU,"Espionage, Information theft and espionage",2004,"AZ, BA, CH, CN, EG, GE, IR, JP, KG, KR, KZ, MN, RS, RU, SA, TJ, TM, TR, UA, UY, ZW",FALSE,"Spear Phishing, Malicious Documents","Zebrocy, BlackEnergy, GreyEnergy, Sandworm, Go downloader, Delphi downloader, Blackrota malware, Microsoft Office, Hyper-V",Corporations and Businesses,2020-10-20,2020-11-20,31.0 2020-12-13,fireeye.com-Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.12.13.SolarWinds_Supply_Chain_SUNBURST_Backdoor/fireeye.com-Highly%20Evasive%20Attacker%20Leverages%20SolarWinds%20Supply%20Chain%20to%20Compromise%20Multiple%20Global%20Victims%20With%20.pdf,FireEye,,"T1012:Query Registry, T1132:Data Encoding, T1518:N/A, T1568:N/A, T1071:Standard Application Layer Protocol, T1083:File and Directory Discovery, T1105:Remote File Copy, T1070:Indicator Removal on Host, T1569:N/A, T1543:N/A, T1027:Obfuscated Files or Information, T1195:Supply Chain Compromise, T1553:N/A, T1057:Process Discovery, T1584:N/A",,apt29,RU,"Espionage, Information theft and espionage",2008,,,Credential Reuse,"TEARDROP, BEACON, SUNBURST, Cobalt Strike, SolarWinds Orion","Corporations and Businesses, Government and Defense Agencies",,, 2020-12-15,Finding APTX Attacks via MITRE TTPs,,https://documents.trendmicro.com/assets/white_papers/wp-finding-APTX-attributing-attacks-via-MITRE-TTPs.pdf,Trend Micro,,"T1560:N/A, T1547:N/A, T1078:Valid Accounts, T1033:System Owner/User Discovery, T1025:Data from Removable Media, T1082:System Information Discovery, T1059:Command-Line Interface, T1021:Remote Services, T1048:Exfiltration Over Alternative Protocol, T1505:N/A, 
T1543:N/A, T1020:Automated Exfiltration, T1087:Account Discovery, T1069:Permission Groups Discovery, T1574:N/A, T1083:File and Directory Discovery, T1005:Data from Local System, T1053:Scheduled Task, T1046:Network Service Scanning, T1136:Create Account, T1047:Windows Management Instrumentation, T1039:Data from Network Shared Drive, T1571:N/A, T1029:Scheduled Transfer, T1057:Process Discovery, T1003:Credential Dumping",,oceanlotus,VN,"Espionage, Financial gain, Information theft and espionage",2012,,,,"TROJ_CHINOXY.ZAGK, Procdump, Mimikatz, HackTool.Win32.NBTScam.A, BKDR64_HANNOTOG.ZAGK, BKDR_HANNOTOG.ZBGK, BKDR_HANNOTOG.ZCGK, TROJ64_SAGRUNEX.SMZTGD-A, BKDR64_METREVHTTPS.ZCGK, HKTL_FILEDOWNLD, HackTool.Win32.NBTScan.A, BKDR64_WYZINA.ZBGK, TROJ_CMDINJECT, TROJ64_CMDINJECT, 15.",,,, 2020-12-15,APT-C-47_ClickOnce_Operation.CN_version,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.12.15.APT-C-47_ClickOnce/APT-C-47_ClickOnce_Operation.CN_version.pdf,360,,,,apt-c-47,,,,,FALSE,Spear Phishing,"ClickOnce, C#, Go","Government and Defense Agencies, Individuals",,, 2020-12-16,Mapping out AridViper Infrastructure Using Augury's Malware Module - Team Cymru,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.12.16.AridViper_Augury/Mapping%20out%20AridViper%20Infrastructure%20Using%20Augury%E2%80%99s%20Malware%20Module%20%E2%80%93%20Team%20Cymru.pdf,Team Cymru,,,,aridviper,PS,,,IL,FALSE,"Malicious Documents, Phishing",,Government and Defense Agencies,,, 2020-12-17,Operation SignSight_ Supply-chain attack against a certification authority in Southeast Asia _ WeLiveSecurity,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.12.17.Operation_SignSight/Operation%20SignSight_%20Supply%E2%80%91chain%20attack%20against%20a%20certification%20authority%20in%20Southeast%20Asia%20_%20WeLiveSecurity.pdf,ESET,,"T1033:System Owner/User Discovery, T1204:User Execution, 
T1082:System Information Discovery, T1090:Connection Proxy, T1071:Standard Application Layer Protocol, T1573:N/A, T1543:N/A, T1195:Supply Chain Compromise, T1053:Scheduled Task",,lazarus group,KP,"Information theft and espionage, Espionage, Sabotage and destruction, Sabotage, Financial crime",2014,VN,FALSE,Meta Data Monitoring,"PhantomNet, SnowballS, Invoke-Mimikatz, SSPI functions",Government and Defense Agencies,,, 2020-12-19,blog.vincss.net-RE018-1 Analyzing new malware of China Panda hacker group used to attack supply chain against Vietnam,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2020.12.19.Panda_Vietnam/blog.vincss.net-RE018-1%20Analyzing%20new%20malware%20of%20China%20Panda%20hacker%20group%20used%20to%20attack%20supply%20chain%20against%20Vietnam.pdf,ESET,,,,comment panda,CN,"Espionage, Information theft and espionage",2006,VN,,Exploit Vulnerability,"eToken.exe, SafeNet, UniExtract, sigcheck","Government and Defense Agencies, Corporations and Businesses",2020-07-20,2020-12-17,150.0 2020-12-21,Truesec_Collaboration-Between-FIN7-RYUK-Group(12-21-2020),Collaboration Between FIN7 and the RYUK Group,https://app.box.com/s/l5qo26svapfgstgy4xv6i9flqpubn6h2,Truesec,,,,fin7,RU,"Financial gain, Financial crime",2013,,,Phishing,"JavaScript backdoor, CARBANAK RAT, Cobalt Strike, SmartFTP Client, IObit Unlocker, RYUK Ransomware",Corporations and Businesses,,, 2020-12-23,Kaspersky_Lazarus-covets-COVID-19-related-intelligence(12-23-2020),Lazarus covets COVID-19-related intelligence,https://app.box.com/s/ytn76ij5ch9dccabwmbbbr6jb68n6294,Kaspersky,,"T1547:N/A, T1140:Deobfuscate/Decode Files or Information, T1132:Data Encoding, T1033:System Owner/User Discovery, T1049:System Network Connections Discovery, T1082:System Information Discovery, T1041:Exfiltration Over Command and Control Channel, T1071:Standard Application Layer Protocol, T1569:N/A, T1070:Indicator Removal on Host, T1543:N/A, T1059:Command-Line Interface, 
T1055:Process Injection, T1027:Obfuscated Files or Information, T1021:Remote Services, T1003:Credential Dumping",,lazarus group,KP,"Information theft and espionage, Espionage, Sabotage and destruction, Sabotage, Financial crime",2014,,,,"Bookcode malware, ADFind, WakeMeOnLan, wAgent malware cluster","Healthcare, Education and Research Institutions, Government and Defense Agencies",2020-09-25,2020-10-27,32.0 2020-12-31,StrongPity APT Extends Global Reach with New Infrastructure,,https://cybleinc.com/2020/12/31/strongpity-apt-extends-global-reach-with-new-infrastructure/,cyble,,,,,,,,,,,,,,, 2021-01-04,nao-sec.org-Royal Road ReDive,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.01.04.Royal_Road_ReDive/nao-sec.org-Royal%20Road%20ReDive.pdf,nao_sec,"CVE-2017-11882, CVE-2018-0798",,,vicious panda,CN,Information theft and espionage,2015,"MN, RU, US, VN",,,"AttackBot, Enfal, BYEBY","Government and Defense Agencies, Energy and Utilities, Education and Research Institutions",,, 2021-01-04,APT27+turns+to+ransomware,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.01.04.APT27_Ransomware/APT27%2Bturns%2Bto%2Bransomware.pdf,Kaspersky,CVE-2017-0213,,"rule clambling_backdoor {\n meta:\n author = ""Daniel Bunce | SecurityJoes""\n description = ""Detect Clambling Backdoor through Strings and \nKeylogger Encryption Algorithm""\n strings:\n $str0 = ""%02d:%02d:%02d %04d-%02d-%02d |%s | %s | %s"" wide\n $str1 = ""%s | %04d-%02d-%02d %02d:%02d:%02d | %s | %s "" wide\n $str2 = ""%s\\\\*.log"" wide\n $str3 = ""GetRawInputData""\n $str4 = ""RegisterRawInputDevices""\n $str5 = ""WTSEnumerateSessionsW""\n $str6 = ""CreateEnvironmentBlock""\n $str7 = ""abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ""\n $str8 = ""Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run"" wide\n $rtti1 = ""PortMap"" nocase\n $rtti2 = ""KeyLog"" nocase\n $rtti3 = ""Telnet"" nocase\n $rtti4 = ""Screen"" nocase\n 
$rtti5 = ""Shell"" nocase\n $rtti6 = ""FileManager"" nocase\n $rtti7 = ""Plugin"" nocase\n $re1 = /\\x80(\\xC0-\\xFF)(.)\\x80(\\xC0-\\xFF)(.)\\x80(\\xC0-\\xFF)\n(.)/\n condition:\n uint16(0) == 0x5A4D and 3 of ($str*) and any of ($rtti*) and $re1\n}",apt27,CN,"Espionage, Information theft and espionage",2010,,FALSE,Exploit Vulnerability,"BitLocker, ASPXSpy webshell, PlugX, Clambling, Google Updater (vulnerable to DLL Side-Loading), Mimikatz, UAC bypass exploits","Corporations and Businesses, Media and Entertainment Companies",,, 2021-01-05,quointelligence.eu-ReconHellcat Uses NIST Theme as Lure To Deliver New BlackSoul Malware,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.01.05.ReconHellcat_APT_BlackSoul_Malware/quointelligence.eu-ReconHellcat%20Uses%20NIST%20Theme%20as%20Lure%20To%20Deliver%20New%20BlackSoul%20Malware.pdf,Microsoft,,"T1572:N/A, T1555:N/A, T1132:Data Encoding, T1204:User Execution, T1082:System Information Discovery, T1041:Exfiltration Over Command and Control Channel, T1105:Remote File Copy, T1566:N/A, T1027:Obfuscated Files or Information, T1020:Automated Exfiltration, T1005:Data from Local System",,reconhellcat,RU,,,TM,FALSE,Spear Phishing,"BlackSoul, BlackWater, libcurl, Strapi, Cloudflare Workers Service",Government and Defense Agencies,2020-11-27,, 2021-01-05,trendmicro.com-Earth Wendigo Injects JavaScript Backdoor for Mailbox Exfiltration,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.01.05.Earth_Wendigo_Mailbox_Exfiltration/trendmicro.com-Earth%20Wendigo%20Injects%20JavaScript%20Backdoor%20for%20Mailbox%20Exfiltration.pdf,Trend Micro,,,,earth wendigo,CN,Information theft and espionage,2019,TW,FALSE,Spear Phishing,"Cobalt Strike, Python (for malware variants)","Education and Research Institutions, Government and Defense Agencies, Individuals",,, 2021-01-06,blog.talosintelligence.com-A Deep Dive into Lokibot Infection 
Chain,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.01.06.Lokibot_Infection_Chain/blog.talosintelligence.com-A%20Deep%20Dive%20into%20Lokibot%20Infection%20Chain.pdf,Cisco,,,,,,,,,,"Phishing, Social Engineering, Malicious Documents","Lokibot, Advanced Malware Protection (AMP), Cisco Cloud Web Security (CWS), Web Security Appliance (WSA), Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), Meraki MX, Threat Grid, Umbrella, Firepower Management Center, Open Source Snort Subscriber Rule Set.",,,, 2021-01-06,blog.malwarebytes.com-Retrohunting APT37 North Korean APT used VBA self decode technique to inject RokRat,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.01.06.APT37_North_Korean_APT_RokRat/blog.malwarebytes.com-Retrohunting%20APT37%20North%20Korean%20APT%20used%20VBA%20self%20decode%20technique%20to%20inject%20RokRat.pdf,Malwarebytes,,,,apt37,KP,Information theft and espionage,2012,KR,FALSE,"Spear Phishing, Malicious Documents",RokRat,,2020-01-23,2020-12-07,319.0 2021-01-07,Lazarus APT37 IOCs,,https://github.com/hvs-consulting/ioc_signatures/tree/main/Lazarus_APT37,Github (hvs-consulting),,,,,,,,,,,,,,, 2021-01-07,BrunHilda_DaaS,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.01.07.Brunhilda_DaaS_Malware/BrunHilda_DaaS.pdf,PRODAFT,,,,,,,,"ES, FR",,Phishing,"Alien malware, Brunhilda DaaS (Distribution as a Service) framework",Financial Institutions,,, 2021-01-08,Charming Kitten's Christmas Gift - Certfa Lab,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.01.08.Charming_Kitten_Christmas_Gift/Charming%20Kitten%E2%80%99s%20Christmas%20Gift%20-%20Certfa%20Lab.pdf,Certfa Lab,,,,charming kitten,IR,Espionage,,"BH, KW, OM, QA, US",,Phishing,,"Education and Research Institutions, Media and Entertainment Companies, Government and Defense Agencies, Individuals",,, 
2021-01-11,ASEC_REPORT_vol.101_ENG,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/Report/AhnLab/ASEC_REPORT_vol.101_ENG.pdf,AhnLab,,,,,,,,,,,"Smoke Loader, CoinMiner, Ransomware, DDoS botnet, Remote management tool",Corporations and Businesses,,, 2021-01-11,unit42.paloaltonetworks.com-xHunt Campaign New BumbleBee Webshell and SSH Tunnels Used for Lateral Movement,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2021.01.11.xHunt_Campaign/unit42.paloaltonetworks.com-xHunt%20Campaign%20New%20BumbleBee%20Webshell%20and%20SSH%20Tunnels%20Used%20for%20Lateral%20Movement.pdf,Symantec,,"T1560:N/A, T1572:N/A, T1033:System Owner/User Discovery, T1082:System Information Discovery, T1059:Command-Line Interface, T1570:N/A, T1021:Remote Services, T1018:Remote System Discovery, T1016:System Network Configuration Discovery, T1505:N/A, T1124:System Time Discovery, T1213:Data from Information Repositories, T1087:Account Discovery, T1070:Indicator Removal on Host, T1069:Permission Groups Discovery, T1083:File and Directory Discovery, T1005:Data from Local System, T1046:Network Service Scanning, T1135:Network Share Discovery, T1047:Windows Management Instrumentation, T1039:Data from Network Shared Drive",,,,,,"BE, DE, GB, IE, IT, LU, NL, PL, PT, SE",FALSE,,"BumbleBee webshell, Plink (RTQ.exe), SSH tunnels, Windows Management Instrumentation (WMI), RDP, Virtual Private Networks (VPNs) provided by Private Internet Access, Mozilla Firefox, Google Chrome, Cortex XDR",Corporations and Businesses,2020-02-01,2020-09-16,228.0 2021-01-11,securelist.com-Sunburst backdoor code overlaps with Kazuar,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.01.11.Sunburst_Kazuar/securelist.com-Sunburst%20backdoor%20%20code%20overlaps%20with%20Kazuar.pdf,Kaspersky,,,,apt29,RU,"Espionage, Information theft and espionage",2008,,,,"Sunburst, Kazuar, Carbon, Epic Turla",,,, 
2021-01-11,crowdstrike.com-SUNSPOT An Implant in the Build Process,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2021.01.11.SUNSPOT/crowdstrike.com-SUNSPOT%20An%20Implant%20in%20the%20Build%20Process.pdf,CrowdStrike,,"T1480:Execution Guardrails, T1140:Deobfuscate/Decode Files or Information, T1592:N/A, T1565:N/A, T1587:N/A, T1027:Obfuscated Files or Information, T1057:Process Discovery, T1053:Scheduled Task, T1036:Masquerading","rule CrowdStrike_SUNSPOT_01 : artifact stellarparticle sunspot {\n meta:\n \n copyright = ""(c) 2021 CrowdStrike Inc.""\n \n description = ""Detects RC4 and AES key encryption material in SUNSPOT""\n version = ""202101081448""\n last_modified = ""2021-01-08""\n \n actor = ""StellarParticle""\n \n malware_family = ""SUNSPOT""\n strings:\n $key = {fc f3 2a 83 e5 f6 d0 24 a6 bf ce 88 30 c2 48 e7}\n \n $iv = {81 8c 85 49 b9 00 06 78 0b e9 63 60 26 64 b2 da}\n condition:\n \n all of them and filesize < 32MB\n}, rule CrowdStrike_SUNSPOT_02 : artifact stellarparticle sunspot\n \n{\n meta:\n \n copyright = ""(c) 2021 CrowdStrike Inc.""\n \n description = ""Detects mutex names in SUNSPOT""\n \n version = ""202101081448""\n last_modified = ""2021-01-08""\n \n actor = ""StellarParticle""\n \n malware_family = ""SUNSPOT""\n strings:\n \n $mutex_01 = ""{12d61a41-4b74-7610-a4d8-3028d2f56395}"" wide ascii\n \n $mutex_02 = ""{56331e4d-76a3-0390-a7ee-567adf5836b7}"" wide ascii\n condition:\n \n any of them and filesize < 10MB\n}, rule CrowdStrike_SUNSPOT_03 : artifact logging stellarparticle sunspot \n{\n meta:\n \n copyright = ""(c) 2021 CrowdStrike Inc.""\n \n description = ""Detects log format lines in SUNSPOT""\n \n version = ""202101081443""\n6/7\n last_modified = ""2021-01-08""\n actor = ""StellarParticle""\n malware_family = ""SUNSPOT""\n strings:\n $s01 = ""ERROR ***Step1(\%ls\,\%ls\) fails with error %#x***\\x0A"" ascii\n $s02 = ""ERROR Step2 fails\\x0A"" ascii\n $s03 = ""ERROR Step3 fails\\x0A"" ascii\n 
$s04 = ""ERROR Step4(\%ls\) fails\\x0A"" ascii\n $s05 = ""ERROR Step5(\%ls\) fails\\x0A"" ascii\n $s06 = ""ERROR Step6(\%ls\) fails\\x0A"" ascii\n $s07 = ""ERROR Step7 fails\\x0A"" ascii\n $s08 = ""ERROR Step8 fails\\x0A"" ascii\n $s09 = ""ERROR Step9(\%ls\) fails\\x0A"" ascii\n $s10 = ""ERROR Step10(\%ls\,\%ls\) fails with error %#x\\x0A"" ascii\n $s11 = ""ERROR Step11(\%ls\) fails\\x0A"" ascii\n $s12 = ""ERROR Step12(\%ls\,\%ls\) fails with error %#x\\x0A"" ascii\n $s13 = ""ERROR Step30 fails\\x0A"" ascii\n $s14 = ""ERROR Step14 fails with error %#x\\x0A"" ascii\n $s15 = ""ERROR Step15 fails\\x0A"" ascii\n $s16 = ""ERROR Step16 fails\\x0A"" ascii\n $s17 = ""%d Step17 fails with error %#x\\x0A"" ascii\n $s18 = ""%d Step18 fails with error %#x\\x0A"" ascii\n $s19 = ""ERROR Step19 fails with error %#x\\x0A"" ascii\n $s20 = ""ERROR Step20 fails\\x0A"" ascii\n $s21 = ""ERROR Step21(%d,%s,%d) fails\\x0A"" ascii\n $s22 = ""ERROR Step22 fails with error %#x\\x0A"" ascii\n $s23 = ""ERROR Step23 fails with error %#x\\x0A"" ascii\n $s24 = ""%d Solution directory: %ls\\x0A"" ascii\n $s25 = ""%d %04d-%02d-%02d %02d:%02d:%02d:%03d %ls\\x0A"" ascii\n $s26 = ""%d + \%s\ "" ascii\n condition:\n 2 of them and filesize < 10MB\n}",apt29,RU,"Espionage, Information theft and espionage",2008,,,,"SUNSPOT, SUNBURST, SolarWinds Orion",Corporations and Businesses,2020-02-20,2020-12-15,299.0 2021-01-12,Confucius APT deploys Warzone RAT,,https://www.uptycs.com/blog/confucius-apt-deploys-warzone-rat,Uptycs,CVE-2018-0802,,"rule upt_Confucius_apt_dll {\n meta:\n description=""DLL used by Confucius""\n author = ""abhijit mohanta""\n date = ""January 2021""\n strings:\n $upt_APT_10 = { 61 00 00 ?? 61 00 00 ?? 67 00 00 ?? 
66 00 00}\n $upt_APT_11= { 62 00 00 ED 61 00 00 99 66 00 00 77 66 00 00}\n $upt_APT_21 = "".gfids"" ascii wide \n condition:\n (any of ($upt_APT_1*)) and $upt_APT_21\n}",confucius,,,,,FALSE,Malicious Documents,"Warzone RAT, bing.dll, osquery, Uptycs EDR",Government and Defense Agencies,2020-10-15,2021-01-12,89.0 2021-01-12,yoroi.company-Opening STEELCORGI A Sophisticated APT Swiss Army Knife,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.01.12.STEELCORGI/yoroi.company-Opening%20STEELCORGI%20A%20Sophisticated%20APT%20Swiss%20Army%20Knife.pdf,Yoroi,CVE-2014-0160,,,th-239,,,,IT,,,", STEELCORGI, SShock, bleach, clean, md5, sha1, mac2vendor, xxd, cmd, netbackup, ip2country, ipgen, ipsort, ipcalc, range2class, crunch, words.pl, passgen, passcheck, getpass, wmon, pmon, pty, exec, nsexec, nsexec2, setns, dumpkcore, dumpmem, pcregrep, strings, sstrip, shred, md5sum, sha1sum, sha256sum",Corporations and Businesses,,, 2021-01-12,welivesecurity.com-Operation Spalax Targeted malware attacks in Colombia,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.01.12.Operation_Spalax/welivesecurity.com-Operation%20Spalax%20Targeted%20malware%20attacks%20in%20Colombia.pdf,ESET,,"T1056:Input Capture, T1095:Standard Non-Application Layer Protocol, T1547:N/A, T1132:Data Encoding, T1033:System Owner/User Discovery, T1204:User Execution, T1082:System Information Discovery, T1113:Screen Capture, T1059:Command-Line Interface, T1027:Obfuscated Files or Information, T1125:Video Capture, T1021:Remote Services, T1573:N/A, T1018:Remote System Discovery, T1016:System Network Configuration Discovery, T1012:Query Registry, T1106:Execution through API, T1123:Audio Capture, T1497:Virtualization/Sandbox Evasion, T1555:N/A, T1518:N/A, T1112:Modify Registry, T1070:Indicator Removal on Host, T1120:Peripheral Device Discovery, T1115:Clipboard Data, T1055:Process Injection, T1566:N/A, T1083:File and Directory Discovery, 
T1053:Scheduled Task, T1005:Data from Local System, T1140:Deobfuscate/Decode Files or Information, T1562:N/A, T1091:Replication Through Removable Media, T1548:N/A, T1049:System Network Connections Discovery, T1041:Exfiltration Over Command and Control Channel, T1007:System Service Discovery, T1571:N/A, T1057:Process Discovery, T1010:Application Window Discovery",,,,,,CO,,Spear Phishing,"Remcos, njRAT, AsyncRAT, CyaX packer","Government and Defense Agencies, Corporations and Businesses",,, 2021-01-13,A Global Perspective of the SideWinder APT,,https://cdn-cybersecurity.att.com/docs/global-perspective-of-the-sidewinder-apt.pdf,AlienVault,"CVE-2017-0199, CVE-2017-11882, CVE-2019-2215, CVE-2020-0674","TA0043:N/A, T1078:Valid Accounts, T1589:N/A, T1204:User Execution, T1082:System Information Discovery, T1025:Data from Removable Media, T1203:Exploitation for Client Execution, TA0001:Initial Access, T1059:Command-Line Interface, TA0005:Defense Evasion, TA0007:Discovery, T1591:N/A, T1583:N/A, T1124:System Time Discovery, T1020:Automated Exfiltration, T1518:N/A, T1087:Account Discovery, T1071:Standard Application Layer Protocol, T1119:Automated Collection, T1069:Permission Groups Discovery, T1120:Peripheral Device Discovery, T1566:N/A, T1574:N/A, TA0009:Collection, T1602:N/A, TA0010:Exfiltration, T1083:File and Directory Discovery, T1005:Data from Local System, T1074:Data Staged, TA0003:Persistence, T1041:Exfiltration Over Command and Control Channel, TA0011:Command and Control, T1039:Data from Network Shared Drive, TA0042:N/A, T1057:Process Discovery, T1007:System Service Discovery, TA0004:Privilege Escalation, TA0002:Execution","rule SideWinder_loader_dll \n{ \n meta: \n author = ""AT&T Alien Labs"" \n description = ""Detects SideWinder first dll loader"" \n hash = ""113c1c5e176cebe42e452e7ec6ded434c8f620372cef7ae7bfdc6b9469c1b3a4"" \n reference = ""https://otx.alienvault.com/pulse/5f21d5b84d529ed134127a66"" \n strings: \n $code = {06 0A 06 8E 69 1F 20 59 8D (0E | 10) 00 
00 01 0B 12 00 1F 20 12 01 \n07 8E 69 28 04 00 00 06 16 0C 2B 16 07 08 8F (0E | 10) 00 00 01 25 47 06 08 1F 20 \n5D 91 61 D2 52 08 17 58 0C 08 07 8E 69 32 E4 07 28 03 00 00 06 80 01 00 00 04 2A} \n //$tmp = {2E 00 74 00 6D 00 70 00 20 00 20 00 20 00 20 00 20 00} \n $tmp = "".tmp "" wide \n condition: \n uint16(0) == 0x5A4D and all of them \n}, rule SideWinder_implant \n{ \n meta: \n author = ""AT&T Alien Labs"" \n description = ""Detects SideWinder final payload"" \n hash = ""c568238dcf1e30d55a398579a4704ddb8196b685"" \n reference = ""https://otx.alienvault.com/pulse/5f21d5b84d529ed134127a66"" \n strings: \n $code = {1B 30 05 00 C7 00 00 00 00 00 00 00 02 28 03 00 00 06 7D 12 00 00 \n04 02 02 FE 06 23 00 00 06 73 5B 00 00 0A 14 20 88 13 00 00 15 73 5C 00 00 0A 7D 13 \n00 00 04 02 02 FE 06 24 00 00 06 73 5B 00 00 0A 14 20 88 13 00 00 15 73 5C 00 00 0A \n7D 15 00 00 04 02 7B 12 00 00 04 6F 0E 00 00 06 2C 1D 02 28 1F 00 00 06 02 7B 12 00 \n00 04 16 6F 0F 00 00 06 02 7B 12 00 00 04 6F 06 00 00 06 02 7B 12 \n 00 00 04 6F 10 00 00 06 2C 23 02 28 20 00 00 06 02 28 21 00 00 06 \n02 7B 12 00 00 04 16} \n $strings = {2E 00 73 00 69 00 66 00 00 09 2E 00 66 00 6C 00 63 00 00 1B 73 \n00 65 00 6C 00 65 00 63 00 74 00 65 00 64 00 46 00 69 00 6C 00 65 00 73} \n condition: \n uint16(0) == 0x5A4D and all of them \n}, rule SideWinderRTF { \n meta: \n author = ""AT&T Alien Labs"" \n description = ""Detects SideWinder RTF Files"" \n reference = ""https://otx.alienvault.com/pulse/5f21d5b84d529ed134127a66"" \n strings: \n $s1 = \n{4231304346313330354139373337464545333630353636383742443139424436333144393535453639\n44463146453045314235373143434143463342373741433630434538314341463630303332354234443\n131384336363441313543344637454637} \n $s2 = \n{303036313030303130353030303030303030303030307D7B5C726573756C7420207D7D7B5C6F626A65\n63745C6F626A} \n $s3 = 
\n{4433433043373132394239423235374642394243414238363836463646394338454139424436453835\n45333338463235313331433734344334423039414133464430434131444633433038413043463738393\n0364537304531334543353846303933} \n condition: \n uint16(0) == 0x5c7b and all of them \n}",sidewinder,,Information theft and espionage,2012,"AF, BD, CN, LK, MM, NP, PK, QA",FALSE,"Spear Phishing, Malicious Documents, Exploit Vulnerability","Royal Road Weaponizer, CVE-2019-2215, CVE-2020-0674","Government and Defense Agencies, Corporations and Businesses, Energy and Utilities, Education and Research Institutions",,, 2021-01-20,A Deep Dive Into Patchwork APT Group _ Cyble,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.01.20.Deep_Dive_Patchwork/A%20Deep%20Dive%20Into%20Patchwork%20APT%20Group%20_%20Cyble.pdf,Cyble,CVE-2019-0808,"T1560:N/A, T1547:N/A, T1548:N/A, T1119:Automated Collection, T1203:Exploitation for Client Execution, T1566:N/A",,patchwork,IN,"Espionage, Information theft and espionage",2013,"AU, BD, CN, LK, PK, TW, US, UY",FALSE,"Spear Phishing, Exploit Vulnerability, Malicious Documents","MSBuild.exe, RAT (Remote Access Trojan)","Government and Defense Agencies, Education and Research Institutions",,, 2021-01-20,Commonly Known Tools Used by Lazarus - JPCERT_CC Eyes _ JPCERT Coordination Center official Blog,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.01.20.Commonly_Known_Tools_Lazarus/Commonly%20Known%20Tools%20Used%20by%20Lazarus%20-%20JPCERT_CC%20Eyes%20_%20JPCERT%20Coordination%20Center%20official%20Blog.pdf,JPCERT,,,,lazarus group,KP,"Information theft and espionage, Espionage, Sabotage and destruction, Sabotage, Financial crime",2014,,,,"AdFind, SMBMap, Responder-Windows, XenArmor Email Password Recovery Pro, XenArmor Browser Password Recovery Pro, WinRAR, TightVNC Viewer, ProcDump, tcpdump, wget",,,, 2021-01-25,A detailed analysis of ELMER Backdoor used by APT16 - CYBER 
GEEKS,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.01.25.APT16_Elmer_backdoor/A%20detailed%20analysis%20of%20ELMER%20Backdoor%20used%20by%20APT16%20%E2%80%93%20CYBER%20GEEKS.pdf,Cyber Geeks,,,,apt16,CN,"Espionage, Information theft and espionage",2015,"JP, TW",,,ELMER Backdoor,"Government and Defense Agencies, Corporations and Businesses, Financial Institutions, Media and Entertainment Companies",,, 2021-01-28,Lebanese-Cedar-APT,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.01.28.Lebanese_Cedar_APT/Lebanese-Cedar-APT.pdf,ClearSky,"CVE-2012-3152, CVE-2019-11581, CVE-2019-3396","T1247:N/A, T1213:Data from Information Repositories, T1505:N/A, T1260:N/A, TA0008:Lateral Movement, T1008:Fallback Channels, TA0024:N/A, T1351:N/A, TA0007:Discovery, TA0001:Initial Access, TA0015:N/A, T1190:Exploit Public-Facing Application, TA0009:Collection, T1083:File and Directory Discovery, T1005:Data from Local System, TA0004:Privilege Escalation, TA0003:Persistence",,lebanese cedar,LB,Information theft and espionage,2012,"AE, EG, IL, JO, PS, SA, US",FALSE,Exploit Vulnerability,"Caterpillar 2.0, Explosive, GoBuster, DirBuster, ASPXspy","Corporations and Businesses, Government and Defense Agencies, Education and Research Institutions",,, 2021-01-31,JSAC2021_202_niwa-yanagishita_en,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.01.31.A41APT/JSAC2021_202_niwa-yanagishita_en.pdf,Kaspersky,,"T1560:N/A, T1140:Deobfuscate/Decode Files or Information, T1518:N/A, T1482:Domain Trust Discovery, T1132:Data Encoding, T1087:Account Discovery, T1071:Standard Application Layer Protocol, T1070:Indicator Removal on Host, T1047:Windows Management Instrumentation, T1059:Command-Line Interface, T1053:Scheduled Task, T1574:N/A, T1021:Remote Services, T1133:External Remote Services, T1003:Credential Dumping",,a41apt,CN,,,JP,,Exploit Vulnerability,"SSL-VPN, RDP, 
SigLoader, Pulse Connect Secure, SodaMaster, xRAT, QuasarRAT, CPPHostDLR loader",Manufacturing,2019-03-15,2021-01-15,672.0 2021-02-01,VinCSS Blog_ [RE020] ElephantRAT (Kunming version)_ our latest discovered RAT of Panda and the similarities with recently Smanager RAT,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.02.01.ElephantRAT/VinCSS%20Blog_%20%5BRE020%5D%20ElephantRAT%20%28Kunming%20version%29_%20our%20latest%20discovered%20RAT%20of%20Panda%20and%20the%20similarities%20with%20recently%20Smanager%20RAT.pdf,VinCSS,,,,panda,CN,Information theft and espionage,2013,VN,,Exploit Vulnerability,"ElephantRat, UpdatePackageSilence.exe, VVSup.exe, extrac32.exe, CCabinet class, LBTServ.dll, Delphi, Embarcadero RAD Studio 10.4 Sydney","Corporations and Businesses, Government and Defense Agencies",2020-08-26,2021-01-23,150.0 2021-02-01,operation-nightscout-supply-chain-attack-online-gaming-asia,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.02.01.Operation_NightScout/operation-nightscout-supply-chain-attack-online-gaming-asia.pdf,ESET,,"T1056:Input Capture, T1095:Standard Non-Application Layer Protocol, T1140:Deobfuscate/Decode Files or Information, T1090:Connection Proxy, T1573:N/A, T1041:Exfiltration Over Command and Control Channel, T1569:N/A, T1195:Supply Chain Compromise, T1574:N/A, T1053:Scheduled Task",,apt41,CN,"Financial crime, Information theft and espionage",2010,"HK, LK, TW",,Meta Data Monitoring,"PoisonIvy RAT, Gh0st RAT, SandboxieBITS.exe, SbieDll.dll, SbieIni.dat, delself.bat, wmkawe_3636071.data","Media and Entertainment Companies, Education and Research Institutions",2020-09-15,2021-01-25,132.0 2021-02-02,ESET_Kobalos,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.02.02.Kobalos/ESET_Kobalos.pdf,ESET,,"T1090:Connection Proxy, T1205:Port Knocking, T1070:Indicator Removal on Host, T1027:Obfuscated Files or Information, 
T1554:N/A, T1573:N/A","rule kobalos\n{\n\t\nmeta:\n\t\n\t\ndescription = “Kobalos malware”\n\t\n\t\nauthor = “Marc-Etienne M.Léveillé”\n\t\n\t\ndate = “2020-11-02”\n\t\n\t\nreference = “http://www.welivesecurity.com”\n\t\n\t\nsource = “https://github.com/eset/malware-ioc/”\n\t\n\t\nlicense = “BSD 2-Clause”\n\t\n\t\nversion = “1”\n\t\nstrings:\n\t\n\t\n$encrypted_strings_sizes = {\n\t\n\t\n\t\n05 00 00 00 09 00 00 00 04 00 00 00 06 00 00 00\n\t\n\t\n\t\n08 00 00 00 08 00 00 00 02 00 00 00 02 00 00 00\n\t\n\t\n\t\n01 00 00 00 01 00 00 00 05 00 00 00 07 00 00 00\n\t\n\t\n\t\n05 00 00 00 05 00 00 00 05 00 00 00 0A 00 00 00\n\t\n\t\n}\n\t\n\t\n$password_md5_digest = { 3ADD48192654BD558A4A4CED9C255C4C }\n\t\n\t\n$rsa_512_mod_header = { 10 11 02 00 09 02 00 }\n\t\n\t\n$strings_RC4_key = { AE0E05090F3AC2B50B1BC6E91D2FE3CE }\n\t\ncondition:\n\t\n\t\nany of them\n}, rule kobalos_ssh_credential_stealer {\n\t\nmeta:\n\t\n\t\ndescription = “Kobalos SSH credential stealer seen in OpenSSH client”\n\t\n\t\nauthor = “Marc-Etienne M.Léveillé”\n\t\n\t\ndate = “2020-11-02”\n\t\n\t\nreference = “http://www.welivesecurity.com”\n\t\n\t\nsource = “https://github.com/eset/malware-ioc/”\n\t\n\t\nlicense = “BSD 2-Clause”\n\t\n\t\nversion = “1”\n\t\nstrings:\n\t\n\t\n$ = “user: %.128s host: %.128s port %05d user: %.128s password: %.128s”\n\t\ncondition:\n\t\n\t\nany of them\n}",,,,,,FALSE,Exploit Vulnerability,"Kobalos, OpenSSH (compromised by Kobalos)","Education and Research Institutions, Corporations and Businesses, Government and Defense Agencies, Individuals",,, 2021-02-03,Hildegard_ New TeamTNT Malware Targeting Kubernetes,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.02.03.Hildegard/Hildegard_%20New%20TeamTNT%20Malware%20Targeting%20Kubernetes.pdf,Palo Alto,CVE-2019-5736,,,teamtnt,,,,,,Exploit Vulnerability,"xmrig, MoneroOcean, xmr.sh, tmate, pei.sh, pei64/32, xmr3.assi, aws2.sh, t.sh, x86_64.so, xmrig.so, Hildegard, bioset, LD_PRELOAD, 
IRC (Internet Relay Chat)",,,, 2021-02-04,Connecting the dots inside the Italian APT Landscape,,https://yoroi.company/research/connecting-the-dots-inside-the-italian-apt-landscape/,Yoroi,,"T1056:Input Capture, T1547:N/A, T1071:Standard Application Layer Protocol, T1105:Remote File Copy, T1059:Command-Line Interface, T1001:Data Obfuscation, TA0010:Exfiltration, T1113:Screen Capture, T1036:Masquerading",,,,,,,FALSE,Malicious Documents,"cftmon.exe, Igfxtray","Government and Defense Agencies, Critical Infrastructure",,, 2021-02-08,research.checkpoint.com-Domestic Kitten An Inside Look at the Iranian Surveillance Operations,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.02.08.Domestic_Kitten/research.checkpoint.com-Domestic%20Kitten%20%20An%20Inside%20Look%20at%20the%20Iranian%20Surveillance%20Operations.pdf,Check Point,,,,apt-c-50,,Information theft and espionage,2016,"AF, GB, IR, PK, TR, US",,"Phishing, Watering Hole, Covert Channels",FurBall,Individuals,,, 2021-02-09,unit42.paloaltonetworks.com-BendyBear Novel Chinese Shellcode Linked With Cyber Espionage Group BlackTech,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.02.09.BendyBear/unit42.paloaltonetworks.com-BendyBear%20Novel%20Chinese%20Shellcode%20Linked%20With%20Cyber%20Espionage%20Group%20BlackTech.pdf,Palo Alto,,"T1497:Virtualization/Sandbox Evasion, T1012:Query Registry, T1082:System Information Discovery, T1106:Execution through API, T1105:Remote File Copy, T1027:Obfuscated Files or Information, T1573:N/A",,blacktech,CN,Information theft and espionage,2010,,,Phishing,"WaterBear malware, DbgPrint malware, ELF_PLEAD Linux malware, Cortex XDR, App-ID",Government and Defense Agencies,,, 2021-02-10,blog.lookout.com-Lookout Discovers Novel Confucius APT Android Spyware Linked to India-Pakistan 
Conflict,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2021.02.10.Confucius_India-Pakistan/blog.lookout.com-Lookout%20Discovers%20Novel%20Confucius%20APT%20Android%20Spyware%20Linked%20to%20India-Pakistan%20Conflict.pdf,Lookout,,,,confucius,,,,"IN, KZ, PK",,"Phishing, Malicious Documents","SunBird, Hornbill, MobileSpy","Government and Defense Agencies, Individuals",,, 2021-02-10,Lookout Discovers Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict,,https://blog.lookout.com/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict,Lookout,,,,confucius,,,,"AE, IN, KZ, PK, US",FALSE,"Phishing, Social Engineering","SunBird, Hornbill, MobileSpy","Government and Defense Agencies, Individuals",,, 2021-02-17,Confucius APT Android Spyware Targets Pakistani and Other South Asian Regions - Cyble,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.02.17.Confucius_Pakistani_South_Asian/Confucius%20APT%20Android%20Spyware%20Targets%20Pakistani%20and%20Other%20South%20Asian%20Regions%20%E2%80%94%20Cyble.pdf,Cyble,,,,confucius,,,,PK,,,,,,, 2021-02-17,cybleinc.com-Confucius APT Android Spyware Targets Pakistani and Other South Asian Regions,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2020/2021.02.17.Confucius_Pakistani_South_Asian/cybleinc.com-Confucius%20APT%20Android%20Spyware%20Targets%20Pakistani%20and%20Other%20South%20Asian%20Regions.pdf,Cyble,,,,confucius,,,,"IN, PK",,Malicious Documents,"Confucius malware, RTF exploit, bing.dll, linknew.dll, update.lnk, update.exe",Government and Defense Agencies,,, 2021-02-22,research.checkpoint.com-The Story of Jian How APT31 Stole and Used an Unknown Equation Group 
0-Day,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.02.22.APT31_Equation_Group/research.checkpoint.com-The%20Story%20of%20Jian%20%20How%20APT31%20Stole%20and%20Used%20an%20Unknown%20Equation%20Group%200-Day.pdf,Lockheed Martin,"CVE-2011-3402, CVE-2013-3128, CVE-2013-3894, CVE-2017-0005, CVE-2019-0803",,,apt31,CN,Information theft and espionage,2016,,TRUE,,"DanderSpritz, Jian, tools.dll, 2008.dll, Houston Disk, PrivLib",,,, 2021-02-24,amnesty.org-Click and Bait Vietnamese Human Rights Defenders Targeted with Spyware Attacks,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.02.24.Click_and_Bait/amnesty.org-Click%20and%20Bait%20Vietnamese%20Human%20Rights%20Defenders%20Targeted%20with%20Spyware%20Attacks.pdf,Amnesty International,,,,ocean lotus,VN,"Espionage, Financial gain, Information theft and espionage",2012,VN,,Watering Hole,"Kerrdown, Cobalt Strike","Non-Governmental Organizations (NGOs) and Nonprofits, Individuals",,, 2021-02-24,LazyScripter,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.02.24.LazyScripter/LazyScripter.pdf,Malwarebytes,,"T1547:N/A, T1132:Data Encoding, T1033:System Owner/User Discovery, T1204:User Execution, T1082:System Information Discovery, T1059:Command-Line Interface, T1027:Obfuscated Files or Information, T1016:System Network Configuration Discovery, T1106:Execution through API, T1546:N/A, T1543:N/A, T1124:System Time Discovery, T1112:Modify Registry, T1218:Signed Binary Proxy Execution, T1071:Standard Application Layer Protocol, T1222:File Permissions Modification, T1566:N/A, T1001:Data Obfuscation, T1053:Scheduled Task, T1562:N/A, T1140:Deobfuscate/Decode Files or Information, T1104:Multi-Stage Channels, T1548:N/A, T1041:Exfiltration Over Command and Control Channel, T1047:Windows Management Instrumentation, T1057:Process Discovery",,lazyscripter,,,,CA,FALSE,Spear Phishing,"Nishang, Quasar, Remcos, 
njRAT, RMS, LuminosityLink, Adwind, PowerShell Empire, Koadic RAT, Octopus RAT, Invoke-Ngrok.","Corporations and Businesses, Individuals",,, 2021-02-25,proofpoint.com-TA413 Leverages New FriarFox Browser Extension to Target the Gmail Accounts of Global Tibetan Organiz,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.02.25.TA413_FriarFox/proofpoint.com-TA413%20Leverages%20New%20FriarFox%20Browser%20Extension%20to%20Target%20the%20Gmail%20Accounts%20of%20Global%20Tibetan%20Organiz.pdf,Microsoft,,,,ta413,,Information theft and espionage,2019,"CN, IN, PK",FALSE,"Watering Hole, Phishing","Royal Road, winor.wll, FriarFox browser extension, Scanbox malware, Sepulcher malware, Lucky Cat malware, Exile Rat malware","Non-Governmental Organizations (NGOs) and Nonprofits, Individuals",,, 2021-02-25,kaspersky-ics-cert-lazarus-targets-defense-industry-with-threatneedle-en-20210225,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.02.25.Lazarus_ThreatNeedle/kaspersky-ics-cert-lazarus-targets-defense-industry-with-threatneedle-en-20210225.pdf,Kaspersky,,"T1560:N/A, T1547:N/A, T1572:N/A, T1132:Data Encoding, T1033:System Owner/User Discovery, T1204:User Execution, T1082:System Information Discovery, T1090:Connection Proxy, T1059:Command-Line Interface, T1021:Remote Services, T1016:System Network Configuration Discovery, T1569:N/A, T1543:N/A, T1112:Modify Registry, T1071:Standard Application Layer Protocol, T1070:Indicator Removal on Host, T1566:N/A, T1083:File and Directory Discovery, T1036:Masquerading, T1140:Deobfuscate/Decode Files or Information, T1104:Multi-Stage Channels, T1049:System Network Connections Discovery, T1041:Exfiltration Over Command and Control Channel, T1135:Network Share Discovery, T1557:N/A, T1057:Process Discovery, T1007:System Service Discovery",,lazarus group,KP,"Information theft and espionage, Espionage, Sabotage and destruction, Sabotage, Financial crime",2014,,,Spear 
Phishing,"Responder, ThreatNeedle","Government and Defense Agencies, Financial Institutions, Education and Research Institutions",2020-05-19,2020-09-27,131.0 2021-03-02,Microsoft_New nation-state cyberattacks(03-02-2021),New nation-state cyberattacks,https://app.box.com/s/5mz8kyhvzxks9walmcq2ofsdtk1ics3h,Microsoft,,,,hafnium,CN,Information theft and espionage,2021,US,TRUE,Exploit Vulnerability,,"Healthcare, Education and Research Institutions, Non-Governmental Organizations (NGOs) and Nonprofits",,, 2021-03-02,HAFNIUM targeting Exchange Servers with 0-day exploits - Microsoft Security,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.03.02.HAFNIUM_APT/HAFNIUM%20targeting%20Exchange%20Servers%20with%200-day%20exploits%20-%20Microsoft%20Security.pdf,Microsoft,"CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065",,,hafnium,CN,Information theft and espionage,2021,US,TRUE,Exploit Vulnerability,"Exploit:Script/Exmann.A!dha, Behavior:Win32/Exmann.A, Backdoor:ASP/SecChecker.A, Backdoor:JS/Webshell, Trojan:JS/Chopper!dha, Behavior:Win32/DumpLsass.A!attk, Backdoor:HTML/TwoFaceVar.B, Procdump, Nishang, PowerCat, 7-Zip","Education and Research Institutions, Non-Governmental Organizations (NGOs) and Nonprofits",,, 2021-03-02,Operation Exchange Marauder_ Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities _ Volexity,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.03.02.Operation_Exchange_Marauder/Operation%20Exchange%20Marauder_%20Active%20Exploitation%20of%20Multiple%20Zero-Day%20Microsoft%20Exchange%20Vulnerabilities%20_%20Volexity.pdf,Volexity,"CVE-2021-26855, CVE-2021-27065",,"rule\xa0webshell_aspx_reGeorgTunnel\xa0:\xa0Webshell\xa0Commodity\n{\nmeta:\nauthor= “threatintel@volexity.com”\ndate= “2021-03-01”\ndescription= “variation on reGeorgtunnel”\nhash= “406b680edc9a1bb0e2c7c451c56904857848b5f15570401450b73b232ff38928”\nreference= 
“https://github.com/sensepost/reGeorg/blob/master/tunnel.aspx”\nstrings:\n$s1= “System.Net.Sockets”\n$s2=\n“System.Text.Encoding.Default.GetString(Convert.FromBase64String(StrTr(Request.Headers.Get”\n$t1 = “.Split(‘|’)”\n$t2= “Request.Headers.Get”\n$t3= “.Substring(“\n$t4= “new Socket(“\n$t5= “IPAddress ip;”\ncondition:\nall of ($s*) or\nall of ($t*)\n}, rule webshell_aspx_sportsball : Webshell\n{\nmeta:\nauthor= “threatintel@volexity.com”\ndate= “2021-03-01”\ndescription= “The SPORTSBALL webshell allows attackers to upload files or execute\ncommands on the system.”\nhash= “2fa06333188795110bba14a482020699a96f76fb1ceb80cbfa2df9d3008b5b0a”\nstrings:\n$uniq1= “HttpCookie newcook = new HttpCookie(\\”fqrspt\\”,\nHttpContext.Current.Request.Form”\n$uniq2= “ZN2aDAB4rXsszEvCLrzgcvQ4oi5J1TuiRULlQbYwldE=”\n$var1= “Result.InnerText = string.Empty;”\n$var2= “newcook.Expires = DateTime.Now.AddDays(”\n$var3= “System.Diagnostics.Process process = new System.Diagnostics.Process()”\n$var4= “process.StandardInput.WriteLine(HttpContext.Current.Request.Form\\””\n$var5= “else if (!string.IsNullOrEmpty(HttpContext.Current.Request.Form\\””\n$var6= “”\ncondition:\nany of ($uniq*) or\nall of ($var*)\n}, rule webshell_aspx_simpleseesharp : Webshell Unclassified\n{\nmeta:\nauthor= “threatintel@volexity.com”\ndate= “2021-03-01”\ndescription= “A simple ASPX Webshell that allows an attacker to write further files to\ndisk.”\nhash= “893cd3583b49cb706b3e55ecb2ed0757b977a21f5c72e041392d1256f31166e2”\nstrings:\n$header= “<%@ Page Language=\\”C#\\” %>”\n$body= “<% HttpPostedFile thisFile = Request.Files0;thisFile.SaveAs(Path.Combine”\ncondition:\n$header at 0 and\n$body and\nfilesize < 1KB\n}",,,,,,TRUE,Exploit Vulnerability,"rundll32, PsExec, ProcDump, WinRar Command Line Utility, Webshells (ASPX and PHP), SIMPLESEESHARP, SPORTSBALL, China Chopper, ASPXSPY, antSword/v2.1",,,, 2021-03-10,Linux Backdoor RedXOR Likely Operated by Chinese 
Nation-State,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.03.10.RedXOR/Linux%20Backdoor%20RedXOR%20Likely%20Operated%20by%20Chinese%20Nation-State.pdf,Intezer,,,,apt41,CN,"Financial crime, Information theft and espionage",2010,"ID, TW",,,"Rinetd, RedXOR, Adore-ng, PWNLNX backdoor, XOR.DDOS, Groundhog",,,, 2021-03-18,SilverFish_TLPWHITE,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.03.18.SilverFish_Group/SilverFish_TLPWHITE.pdf,FireEye,,"T1547:N/A, T1559:N/A, T1078:Valid Accounts, T1132:Data Encoding, T1572:N/A, T1068:Exploitation for Privilege Escalation, T1090:Connection Proxy, T1204:User Execution, T1530:N/A, T1059:Command-Line Interface, T1027:Obfuscated Files or Information, T1072:Third-party Software, T1021:Remote Services, T1570:N/A, T1018:Remote System Discovery, T1212:Exploitation for Credential Access, T1129:Execution through Module Load, T1012:Query Registry, T1586:N/A, T1199:Trusted Relationship, T1219:Remote Access Tools, T1484:Group Policy Modification, T1568:N/A, T1106:Execution through API, T1098:Account Manipulation, T1210:Exploitation of Remote Services, T1546:N/A, T1569:N/A, T1583:N/A, T1124:System Time Discovery, T1190:Exploit Public-Facing Application, T1195:Supply Chain Compromise, T1552:N/A, T1127:Trusted Developer Utilities, T1518:N/A, T1555:N/A, T1598:N/A, T1112:Modify Registry, T1087:Account Discovery, T1071:Standard Application Layer Protocol, T1218:Signed Binary Proxy Execution, T1211:Exploitation for Defense Evasion, T1069:Permission Groups Discovery, T1587:N/A, T1595:N/A, T1001:Data Obfuscation, T1202:Indirect Command Execution, T1566:N/A, T1053:Scheduled Task, T1005:Data from Local System, T1083:File and Directory Discovery, T1036:Masquerading, T1133:External Remote Services, T1585:N/A, T1564:N/A, T1140:Deobfuscate/Decode Files or Information, T1538:N/A, T1104:Multi-Stage Channels, T1134:Access Token Manipulation, T1049:System Network 
Connections Discovery, T1482:Domain Trust Discovery, T1041:Exfiltration Over Command and Control Channel, T1114:Email Collection, T1548:N/A, T1135:Network Share Discovery, T1588:N/A, T1039:Data from Network Shared Drive, T1047:Windows Management Instrumentation, T1571:N/A, T1102:Web Service, T1003:Credential Dumping, T1007:System Service Discovery",,silver fish,,,,"AT, AU, CA, DE, DK, ES, FR, GB, IT, MX, NL, PT, US",,,"TrickBot, Dridex, WastedLocker, Cobalt Strike, Empire Beacons, NetSupport Remote Control","Government and Defense Agencies, Corporations and Businesses, Healthcare, Education and Research Institutions, Critical Infrastructure, Energy and Utilities",,, 2021-03-23,"Websites Hosting Cracks Spread Malware, Adware",,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.03.23.CopperStealer/Websites%20Hosting%20Cracks%20Spread%20Malware%2C%20Adware.pdf,Trend Micro,,,,,,,,,,"Drive-by Download, Website Equipping","CopperStealer, LNKR, NSIS (Nullsoft Scriptable Install System)",Individuals,,, 2021-03-24,APT Encounters of the Third Kind,,https://igor-blue.github.io/2021/03/24/apt1.html,Igor's Blog,,,,,,,,,TRUE,,"GOlang app, libfsalvfs.so, NFS-ganesha",Corporations and Businesses,,, 2021-03-30,BadBlood_ TA453 Targets US and Israeli Medical Research Personnel in Credential Phishing Campaigns _ Proofpoint US,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.03.30.BadBlood_TA453/BadBlood_%20TA453%20Targets%20US%20and%20Israeli%20Medical%20Research%20Personnel%20in%20Credential%20Phishing%20Campaigns%20_%20Proofpoint%20US.pdf,Proofpoint,,,,ta453,IR,,,"IL, US",FALSE,"Phishing, Malicious Documents",,"Healthcare, Education and Research Institutions",,, 2021-04-02,Joint CSA AA21-092A APT Actors Exploit Vulnerabilitiesto Gain Initial Access for Future Attacks,,https://www.ic3.gov/Media/News/2021/210402.pdf,CISA,"CVE-2018-13379, CVE-2019-5591, CVE-2020-12812",,,,,,,,FALSE,"Exploit 
Vulnerability, Spear Phishing",,"Government and Defense Agencies, Corporations and Businesses, Critical Infrastructure",,, 2021-04-06,Threat Group Uses Voice Changing Software in Espionage Attempt - Cado Security _ Cloud Native Digital Forensics,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.04.06.APT-C-23_Voice_Changing/Threat%20Group%20Uses%20Voice%20Changing%20Software%20in%20Espionage%20Attempt%20-%20Cado%20Security%20_%20Cloud%20Native%20Digital%20Forensics.pdf,Cado Security,,,,molerats,PS,Information theft and espionage,2012,"IL, PS",,"Spear Phishing, Social Engineering","H-Worm backdoor, SipVicious, ZoomEye internet scanning service, MSHTA/VBScript Downloaders",Government and Defense Agencies,,, 2021-04-07,Cisco Talos Intelligence Group - Comprehensive Threat Intelligence_ Sowing Discord_ Reaping the benefits of collaboration app abuse,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.04.07.Sowing_Discord/Cisco%20Talos%20Intelligence%20Group%20-%20Comprehensive%20Threat%20Intelligence_%20Sowing%20Discord_%20Reaping%20the%20benefits%20of%20collaboration%20app%20abuse.pdf,Cisco,,,,,,,,,FALSE,"Social Engineering, Malicious Documents","Remcos, AsyncRAT",Corporations and Businesses,,, 2021-04-08,Iran's APT34 Returns with an Updated Arsenal - Check Point Research,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.04.08.APT34_Returns/Iran%E2%80%99s%20APT34%20Returns%20with%20an%20Updated%20Arsenal%20-%20Check%20Point%20Research.pdf,Check Point,,,,apt34,IR,Espionage,,LB,FALSE,"Malicious Documents, Social Engineering","SideTwist backdoor, Karkoff backdoor",Individuals,,, 2021-04-08,"(Are you) afreight of the dark_ Watch out for Vyveva, new Lazarus backdoor _ 
WeLiveSecurity",,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.04.08.Vyveva_Lazarus/%28Are%20you%29%20afreight%20of%20the%20dark_%20Watch%20out%20for%20Vyveva%2C%20new%20Lazarus%20backdoor%20_%20WeLiveSecurity.pdf,ESET,,"T1560:N/A, T1033:System Owner/User Discovery, T1025:Data from Removable Media, T1082:System Information Discovery, T1027:Obfuscated Files or Information, T1573:N/A, T1016:System Network Configuration Discovery, T1106:Execution through API, T1569:N/A, T1543:N/A, T1124:System Time Discovery, T1112:Modify Registry, T1070:Indicator Removal on Host, T1083:File and Directory Discovery, T1005:Data from Local System, T1036:Masquerading, T1140:Deobfuscate/Decode Files or Information, T1041:Exfiltration Over Command and Control Channel, T1057:Process Discovery",,lazarus group,KP,"Information theft and espionage, Espionage, Sabotage and destruction, Sabotage, Financial crime",2014,ZA,,,"Vyveva, Tor network, TorSocket.dll, Win32/NukeSped.HX, Win64/NukeSped.EQ, MITRE ATT&CK",Corporations and Businesses,2018-12-15,2020-06-15,548.0 2021-04-09,Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.04.09.Iron_Tiger_SysUpdate/Iron%20Tiger%20APT%20Updates%20Toolkit%20With%20Evolved%20SysUpdate%20Malware.pdf,SecureWorks,"CVE-2017-15303, CVE-2018-0798, CVE-2019-0604, CVE-2020-0688, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858",,,iron tiger,CN,"Espionage, Information theft and espionage",2010,,FALSE,"Exploit Vulnerability, Malicious Documents, Watering Hole","thumb.dat, FRP tool, RCSession, SysUpdate, dlpumgr32.exe, DLPPREM32.DLL, DLPPREM32.bin, data.res, config.res","Government and Defense Agencies, Financial Institutions, Energy and Utilities, Non-Governmental Organizations (NGOs) and Nonprofits",2019-07-15,2021-01-15,550.0 2021-04-13,"eSentire _ Hackers Flood the Web with 100,000 Malicious 
Pages",,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.04.13.Hackers_Flood/eSentire%20_%20Hackers%20Flood%20the%20Web%20with%20100%2C000%20Malicious%20Pages%2C%E2%80%A6.pdf,eSentire,,,,solar marker,,,,,FALSE,"Drive-by Download, Watering Hole, Malicious Documents","Jupyter, Yellow Cockatoo, SolarMarker, Polazert, .NET software framework, docx2rtf.exe, photodesigner7_x86-64.exe, Expert_PDF.exe, Slim PDF Reader",Financial Institutions,2020-10-15,2021-04-13,180.0 2021-04-13,Zero-day vulnerability in Desktop Window Manager (CVE-2021-28310) used in the wild _ Securelist,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.04.13.CVE-2021-28310_APT/Zero-day%20vulnerability%20in%20Desktop%20Window%20Manager%20%28CVE-2021-28310%29%20used%20in%20the%20wild%20_%20Securelist.pdf,Kaspersky,"CVE-2021-1732, CVE-2021-28310",,,bitter,IN,Information theft and espionage,2013,,TRUE,Exploit Vulnerability,,,,, 2021-04-16,Transparent Tribe APT Infrastructure Mapping Part 1 A High-Level Study of CrimsonRAT Infrastructure October 2020 - March 2021,,https://team-cymru.com/blog/2021/04/16/transparent-tribe-apt-infrastructure-mapping/,Team Cymru,,,,,,,,,,,,,,, 2021-04-16,XCSSET Quickly Adapts to macOS 11 and M1-based Macs,,https://www.trendmicro.com/en_us/research/21/d/xcsset-quickly-adapts-to-macos-11-and-m1-based-macs.html,Trend Micro,,,,,,,,,,Exploit Vulnerability,"agent.php, Rosetta 2, Pods, cat",Financial Institutions,,, 2021-04-19,2021.04.19.Lazarus_APT_conceals_malicious_code_within_BMP_image_to_drop_its_RAT,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.04.19.Lazarus_APT_conceals_malicious_code_within_BMP_image_to_drop_its_RAT/2021.04.19.Lazarus_APT_conceals_malicious_code_within_BMP_image_to_drop_its_RAT.pdf,Microsoft,,,,lazarus group,KP,"Information theft and espionage, Espionage, Sabotage and destruction, Sabotage, Financial crime",2014,"JP, KR, 
US",FALSE,"Spear Phishing, Malicious Documents","HTA file, BMP files, Loader, BISTROMATH RAT, Base64, RC4, Destover, Mshta.exe",,2021-03-31,2021-04-13,13.0 2021-04-19,2021.04.19.A_Deep_Dive_into_Zebrocys_Dropper_Docs,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.04.19.A_Deep_Dive_into_Zebrocys_Dropper_Docs/2021.04.19.A_Deep_Dive_into_Zebrocys_Dropper_Docs.pdf,SentinelOne,,,"rule apt_RU_delphocy_encStrings { \n meta: \n desc = ""Hex strings in Delphocy drops"" \n author = ""JAG-S @ SentinelLabs"" \n version = ""1.0"" \n TLP = ""White"" \n last_modified = ""04.09.2021"" \n hash0 = ""ee7cfc55a49b2e9825a393a94b0baad18ef5bfced67531382e572ef8a9ecda4b"" \n hash1 = ""07b2d21f4ef077ccf16935e44864b96fa039f2e88c73b518930b6048f6baad74"" \n strings: \n $enc_keylogger2 = ""5B4241434B53504143455D"" ascii wide \n $enc_keylogger3 = ""5B5441425D"" ascii wide \n $enc_keylogger4 = ""5B53484946545D"" ascii wide \n $enc_keylogger5 = ""5B434F4E54524F4C5D"" ascii wide \n $enc_keylogger6 = ""5B4553434150455D"" ascii wide \n $enc_keylogger7 = ""5B454E445D"" ascii wide \n $enc_keylogger8 = ""5B484F4D455D"" ascii wide \n $enc_keylogger9 = ""5B4C4546545D"" ascii wide \n $enc_keylogger10 = ""5B55505D"" ascii wide \n $enc_keylogger11 = ""5B52494748545D"" ascii wide \n $enc_keylogger12 = ""5B444F574E5D"" ascii wide \n $enc_keylogger13 = ""5B434150534C4F434B5D"" ascii wide \n $cnc1 = \n""68747470733A2F2F7777772E786268702E636F6D2F646F6D696E61726772656174617369616E6F6479\nascii wide \n $cnc2 = \n""68747470733A2F2F7777772E63346373612E6F72672F696E636C756465732F736F75726365732F6665\nascii wide \n condition: \n uint16(0) == 0x5a4d and (any of ($cnc*) or all of ($enc_keylogger*)) \n}, rule apt_RU_Delphocy_Maldocs { \n meta: \n desc = ""Delphocy dropper docs"" \n author = ""JAG-S @ SentinelLabs"" \n version = ""1.0"" \n TLP = ""White"" \n last_modified = ""04.09.2021"" \n hash1 = ""3b548a851fb889d3cc84243eb8ce9cbf8a857c7d725a24408934c0d8342d5811"" \n hash2 = 
""c213b60a63da80f960e7a7344f478eb1b72cee89fd0145361a088478c51b2c0e"" \n hash3 = ""d9e7325f266eda94bfa8b8938de7b7957734041a055b49b94af0627bd119c51c"" \n hash4 = ""1e8261104cbe4e09c19af7910f83e9545fd435483f24f60ec70c3186b98603cc"" \n strings: \n $required1 = ""_VBA_PROJECT"" ascii wide \n $required2 = ""Normal.dotm"" ascii wide \n $required3 = ""bin.base64"" ascii wide \n $required4 = ""ADODB.Stream$"" ascii wide \n $author1 = ""Dinara Tanmurzina"" ascii wide \n $author2 = ""Hewlett-Packard Company"" ascii wide \n $specific = ""Caption = \\""\\\\wininition.exe\\"""" ascii wide \n $builder1 = ""Begin {C62A69F0-16DC-11CE-9E98-00AA00574A4F} UserForm1"" ascii \nwide \n $builder2 = ""{02330CFE-305D-431C-93AC-29735EB37575}{33D6B9D9-9757-485A-89F4-\n4F27E5959B10}"" ascii wide \n $builder3 = ""VersionCompatible32=\\""393222000\\"""" ascii wide \n $builder4 = ""CMG=\\""1517B95BC9F7CDF7CDF3D1F3D1\\"""" ascii wide \n $builder5 = \n""DPB=\\""ADAF01C301461E461EB9E2471E616F01D06093C59A7C4D30F64A51BDEDDA98EC1590C9B191FF\nascii wide \n $builder6 = ""GC=\\""4547E96B19021A021A02\\"""" ascii wide \n condition: \n uint32(0) == 0xE011CFD0 and all of ($required*) and (all of ($author*) or \n$specific or 5 of ($builder*)) \n}",apt28,RU,"Espionage, Information theft and espionage",2004,RU,,Malicious Documents,"Delphocy, IDR (Interactive Delphi Reconstructor), Ghidra, dhrake’s plugin","Government and Defense Agencies, Corporations and Businesses, Manufacturing",,, 2021-04-20,Check Your Pulse Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day,,https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html,FireEye,"CVE-2021-20021, CVE-2021-22893","T1592:N/A, T1082:System Information Discovery, T1059:Command-Line Interface, T1027:Obfuscated Files or Information, T1048:Exfiltration Over Alternative Protocol, T1021:Remote Services, T1016:System Network Configuration Discovery, T1505:N/A, 
T1556:N/A, T1569:N/A, T1190:Exploit Public-Facing Application, T1554:N/A, T1518:N/A, T1071:Standard Application Layer Protocol, T1070:Indicator Removal on Host, T1111:Two-Factor Authentication Interception, T1574:N/A, T1133:External Remote Services, T1053:Scheduled Task, T1036:Masquerading, T1140:Deobfuscate/Decode Files or Information, T1562:N/A, T1136:Create Account, T1134:Access Token Manipulation, T1049:System Network Connections Discovery, T1105:Remote File Copy, T1600:N/A, T1057:Process Discovery, T1003:Credential Dumping, T1098:Account Manipulation",,apt5,,Information theft and espionage,2007,US,TRUE,Exploit Vulnerability,"SLIGHTPULSE, SLOWPULSE, LOCKPICK","Government and Defense Agencies, Corporations and Businesses",,, 2021-04-23,APT35 'Charming Kitten' discovered in a pre-infected environment _ Blog _ Darktrace,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.04.23.Charming_Kitten/APT35%20%E2%80%98Charming%20Kitten%27%20discovered%20in%20a%20pre-infected%20environment%20_%20Blog%20_%20Darktrace.pdf,Darktrace,,,,apt35,IR,Information theft and espionage,2012,,,Spear Phishing,,Corporations and Businesses,,, 2021-04-23,Bitdefender-PR-Whitepaper-NAIKON-creat5397-en-EN,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.04.23.NAIKON/Bitdefender-PR-Whitepaper-NAIKON-creat5397-en-EN.pdf,Bitdefender,,"T1095:Standard Non-Application Layer Protocol, T1547:N/A, T1572:N/A, T1078:Valid Accounts, T1033:System Owner/User Discovery, T1025:Data from Removable Media, T1082:System Information Discovery, T1113:Screen Capture, T1059:Command-Line Interface, T1567:N/A, T1027:Obfuscated Files or Information, T1570:N/A, T1021:Remote Services, T1018:Remote System Discovery, T1016:System Network Configuration Discovery, T1569:N/A, T1543:N/A, T1020:Automated Exfiltration, T1112:Modify Registry, T1071:Standard Application Layer Protocol, T1070:Indicator Removal on Host, T1222:File Permissions 
Modification, T1055:Process Injection, T1574:N/A, T1001:Data Obfuscation, T1083:File and Directory Discovery, T1053:Scheduled Task, T1074:Data Staged, T1036:Masquerading, T1046:Network Service Scanning, T1005:Data from Local System, T1564:N/A, T1049:System Network Connections Discovery, T1041:Exfiltration Over Command and Control Channel, T1047:Windows Management Instrumentation, T1057:Process Discovery, T1003:Credential Dumping, T1007:System Service Discovery",,naikon,CN,"Espionage, Information theft and espionage",2005,,,,"RainyDay backdoor, SandboxieBITS.exe, sbiedll.dll, FoundCore",Government and Defense Agencies,,, 2021-04-27,Lazarus Group Recruitment_ Threat Hunters vs Head Hunters,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.04.27.Lazarus_Group_Recruitment/Lazarus%20Group%20Recruitment_%20Threat%20Hunters%20vs%20Head%20Hunters.pdf,PT ESC,CVE-2017-0199,"T1547:N/A, T1132:Data Encoding, T1033:System Owner/User Discovery, T1082:System Information Discovery, T1059:Command-Line Interface, T1027:Obfuscated Files or Information, T1021:Remote Services, T1016:System Network Configuration Discovery, T1012:Query Registry, T1106:Execution through API, T1543:N/A, T1218:Signed Binary Proxy Execution, T1087:Account Discovery, T1071:Standard Application Layer Protocol, T1070:Indicator Removal on Host, T1069:Permission Groups Discovery, T1566:N/A, T1564:N/A, T1136:Create Account, T1135:Network Share Discovery, T1047:Windows Management Instrumentation, T1057:Process Discovery",,lazarus group,KP,"Information theft and espionage, Espionage, Sabotage and destruction, Sabotage, Financial crime",2014,"BR, FR, JP, KR, NL, US",FALSE,Spear Phishing,"MemoryCompressor64.exe, CommsCacher, ApplicationCacher-f0182c1a4.rb, VEST algorithm, MSSqlite3Svc.lnk",Corporations and Businesses,2020-09-14,2020-09-29,15.0 
2021-04-28,unc1151-ghostwriter-update-report,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.04.28.Ghostwriter_UNC1151/unc1151-ghostwriter-update-report.pdf,FireEye,,"T1056:Input Capture, T1547:N/A, T1140:Deobfuscate/Decode Files or Information, T1559:N/A, T1218:Signed Binary Proxy Execution, T1071:Standard Application Layer Protocol, T1105:Remote File Copy, T1059:Command-Line Interface",,unc1151,BY,,,"CH, CO, DE, EE, FR, HU, IE, KW, LT, PL, UA",FALSE,"Spear Phishing, Phishing","RADIOSTAR, VIDEOKILLER, HALFSHELL, SMTP2GO, Gophish","Government and Defense Agencies, Corporations and Businesses, Education and Research Institutions, Media and Entertainment Companies, Individuals",,, 2021-04-28,Water Pamola Attacked Online Shops Via Malicious Orders,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.04.28.Water_Pamola/Water%20Pamola%20Attacked%20Online%20Shops%20Via%20Malicious%20Orders.pdf,Trend Micro,,,,water pamola,,,,JP,,"Phishing, Exploit Vulnerability","EC-CUBE, Gh0stRat, XSS.ME",Corporations and Businesses,,, 2021-04-29,Chimera APT updates on its OwlProxy malware,,https://lab52.io/blog/chimera-apt-updates-on-its-owlproxy-malware/,Lab52,,,,chimera,CN,,,,,,"OwlProxy, VMProtect",,,, 2021-04-30,Cybereason_PortDoor -ChineseAPT-Targets-Russian-Defense-Sector(04-30-2021),PortDoor: New Chinese APT Backdoor Attack Targets Russian Defense Sector,https://app.box.com/s/ktld8f7rvgtwn8g6zgx2stx26xypr7ck,Cybereason,"CVE-2018-0798, CVE-2018-0802",,,tonto team,CN,Information theft and espionage,2009,RU,FALSE,Spear Phishing,"RoyalRoad, PortDoor","Government and Defense Agencies, Education and Research Institutions",,, 2021-05-01,CryptoCore-Lazarus-Clearsky,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.05.01.CryptoCore-Lazarus/CryptoCore-Lazarus-Clearsky.pdf,Kaspersky,,,,lazarus group,KP,"Information theft and espionage, Espionage, Sabotage and 
destruction, Sabotage, Financial crime",2014,"IL, JP, US",,Social Engineering,"RATs (Remote Access Trojans), STEALERs, msomain.sdb, Base64 decryption algorithm, Malware Command Parser",Financial Institutions,,, 2021-05-01,MuddyWater Binder Project Part 1,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.05.01.MuddyWater_Binder_1/MuddyWater%20Binder%20Project%20Part%201.pdf,ClearSky,,,,muddywater,IR,"Espionage, Information theft and espionage",2017,,,,"MuddyWater, Binder, RA T (Remote Access Trojan)",,,, 2021-05-06,Operation TunnelSnake _ Securelist,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.05.06.Operation_TunnelSnake/Operation%20TunnelSnake%20_%20Securelist.pdf,FireEye,CVE-2017-7269,,,,,,,,,,"China Chopper, BOUNCER, Termite, Earthworm, Moriya",Government and Defense Agencies,,, 2021-05-07,Advisory Further TTPs associated with SVR cyber actors,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.05.07.SVR_TTPs/Advisory%20Further%20TTPs%20associated%20with%20SVR%20cyber%20actors.pdf,NCSC,"CVE-2018-13379, CVE-2019-11510, CVE-2019-1653, CVE-2019-19781, CVE-2019-2725, CVE-2019-7609, CVE-2019-9670, CVE-2020-14882, CVE-2020-4006, CVE-2020-5902, CVE-2021-21972, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065","T1505:N/A, T1078:Valid Accounts, T1199:Trusted Relationship, T1114:Email Collection, T1071:Standard Application Layer Protocol, T1190:Exploit Public-Facing Application, T1595:N/A, T1059:Command-Line Interface, T1195:Supply Chain Compromise, T1573:N/A, T1552:N/A","rule sliver_github_file_paths_function_names { \n meta: \n author = ""NCSC UK"" \n description = ""Detects Sliver Windows and Linux implants based on paths \nand function names within the binary"" \n strings: \n $p1 = ""/sliver/"" \n $p2 = ""sliverpb."" \n $fn1 = ""RevToSelfReq"" \n $fn2 = ""ScreenshotReq"" \n $fn3 = ""IfconfigReq"" \n $fn4 = ""SideloadReq"" \n 
$fn5 = ""InvokeMigrateReq"" \n $fn6 = ""KillSessionReq"" \n $fn7 = ""ImpersonateReq"" \n $fn8 = ""NamedPipesReq"" \n condition: \n (uint32(0) == 0x464C457F or (uint16(0) == 0x5A4D and \nuint16(uint32(0x3c)) == 0x4550)) and (all of ($p*) or 3 of ($fn*)) \n}, rule sliver_proxy_isNotFound_retn_cmp_uniq { \n meta: \n author = ""NCSC UK"" \n description = ""Detects Sliver implant framework based on some unique \nCMPs within the Proxy isNotFound function. False positives may occur"" \n strings: \n $ = {C644241800C381F9B3B5E9B2} \n $ = {8B481081F90CAED682} \n condition: \n (uint32(0) == 0x464C457F or (uint16(0) == 0x5A4D and \nuint16(uint32(0x3c)) == 0x4550)) and all of them \n}, rule sliver_nextCCServer_calcs { \n meta: \n author = ""NCSC UK"" \n description = ""Detects Sliver implant framework based on instructions \nfrom the nextCCServer function. False positives may occur"" \n strings: \n $ = {4889D3489948F7F94839CA????48C1E204488B0413488B4C1308} \n condition: \n (uint32(0) == 0x464C457F or (uint16(0) == 0x5A4D and \nuint16(uint32(0x3c)) == 0x4550)) and all of them \n}",apt29,RU,"Espionage, Information theft and espionage",2008,"GB, US",FALSE,Exploit Vulnerability,"Sliver, WellMess, WellMail","Government and Defense Agencies, Healthcare, Energy and Utilities, Education and Research Institutions",,, 2021-05-13,blog.talosintelligence.com-Transparent Tribe APT expands its Windows malware arsenal,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.05.13.Transparent_Tribe_APT/blog.talosintelligence.com-Transparent%20Tribe%20APT%20expands%20its%20Windows%20malware%20arsenal.pdf,Cisco,,,,transparent tribe,PK,Information theft and espionage,2013,"AF, IN, IR, PK",FALSE,"Phishing, Malicious Documents","CrimsonRAT, ObliqueRAT",Government and Defense Agencies,,, 
2021-05-25,evol-agrius,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.05.25.AGRIUSAuthor/evol-agrius.pdf,SentinelOne,CVE-2018-13379,S0073:N/A,"rule Agrius_Function_Names\n{\n meta:\n description = ""Detects malware used by Agrius threat actor based on unique function names""\n author = ""Amitai B @ SentinelOne""\n version = ""1.0""\n TLP = ""White""\n last_modified = ""2021-05-11""\n strings:\n\t\n$s1 = ""GetWindowsTempPath"" ascii\n\t\n$s2 = ""GetCurrentProcess"" ascii\n \t\n$s3 = ""GetOwnPath"" ascii\n\t\n$s4 = ""PublicFunction"" ascii\n\t\n$s5 = ""SelfDelete"" ascii\n $s6 = ""IsFirstInstance"" ascii\n condition:\n ( filesize > 1KB and filesize < 300KB and 3 of ($s*))\n}, rule Agrius_Webshells \n{\n meta:\n description = ""Detects variations of webshells used by Agrius""\n author = ""Amitai B @ SentinelOne""\n version = ""1.0""\n TLP = ""White""\n last_modified = ""2021-05-11""\n strings:\n $s1 = ""public string base64ToStr(string instr)"" ascii\n $s2 = ""Process prcsss=new Process()"" ascii\n $s3 = ""
"" ascii\n condition:\n ( filesize > 1KB and filesize < 150KB and any of them )\n}",agrius,IR,,,"AE, IL",FALSE,Exploit Vulnerability,"ASPXSpy, FortiOS CVE-2018-13379, SQL injection, RDP (Remote Desktop Protocol)",Critical Infrastructure,2020-11-29,2021-05-15,167.0 2021-05-27,New sophisticated email-based attack from NOBELIUM - Microsoft Security,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.05.27.NOBELIUM_New/New%20sophisticated%20email-based%20attack%20from%20NOBELIUM%20-%20Microsoft%20Security.pdf,Microsoft,CVE-2021-1879,"T1610:N/A, T1204:User Execution, T1071:Standard Application Layer Protocol, T1566:N/A",,apt29,RU,"Espionage, Information theft and espionage",2008,,TRUE,Spear Phishing,"EnvyScout, BoomBox, NativeZone, VaporRage, Cobalt Strike Beacon, Firebase, api.ipify.org","Government and Defense Agencies, Healthcare, Non-Governmental Organizations (NGOs) and Nonprofits, Education and Research Institutions",,, 2021-05-27,Suspected APT29 Operation Launches Election Fraud Themed Phishing Campaigns,,https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/,Volexity,CVE-2024-3400,,"rule trojan_win_cobaltstrike : Commodity\n{\nmeta:\nauthor = ""threatintel@volexity.com""\ndate = ""2021-05-25""\ndescription = ""The CobaltStrike malware family.""\nhash = ""b041efb8ba2a88a3d172f480efa098d72eef13e42af6aa5fb838e6ccab500a7c""\n \nstrings:\n$s1 = ""%s (admin)"" fullword\n$s2 = {48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0D 0A 43 6F 6E 74 65 6E 74 2D 54 79 70 65 3A 20 61 70 70 6C 69 63 61 74 69 6F 6E 2F 6F 63 74 65 74\n2D 73 74 72 65 61 6D 0D 0A 43 6F 6E 74 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 25 64 0D 0A 0D 0A 00}\n$s3 = ""%02d/%02d/%02d %02d:%02d:%02d"" fullword\n$s4 = ""%s as %s\\\\%s: %d"" fullword\n$s5 = ""%s&%s=%s"" fullword\n$s6 = ""rijndael"" fullword\n$s7 = ""(null)""\n \ncondition:\nall of them\n}, rule apt_win_freshfire : APT29\n{\nmeta:\nauthor = 
""threatintel@volexity.com""\ndate = ""2021-05-27""\ndescription = ""The FRESHFIRE malware family. The malware acts as a downloader, pulling down an encrypted snippet of code from a remote source, executing\nit, and deleting it from the remote server.""\nhash = ""ad67aaa50fd60d02f1378b4155f69cffa9591eaeb80523489a2355512cc30e8c""\n \nstrings:\n$uniq1 = ""UlswcXJJWhtHIHrVqWJJ""\n$uniq2 = ""gyibvmt\\x00""\n$path1 = ""root/time/%d/%s.json""\n$path2 = ""C:\\\\dell.sdr""\n$path3 = ""root/data/%d/%s.json""\n \ncondition:\n(\npe.number_of_exports == 1 and\npe.exports(""WaitPrompt"")\n) or\nany of ($uniq*) or\n2 of ($path*)\n}, rule apt_win_flipflop_ldr : APT29\n{\nmeta:\nauthor = ""threatintel@volexity.com""\ndate = ""2021-05-25""\ndescription = ""A loader for the CobaltStrike malware family, which ultimately takes the first and second bytes of an embedded file, and flips them prior to\nexecuting the resulting payload.""\nhash = ""ee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330""\n \nstrings:\n$s1 = ""irnjadle""\n$s2 = ""BADCFEHGJILKNMPORQTSVUXWZY""\n$s3 = ""iMrcsofo taBesC yrtpgoarhpciP orived r1v0.""\n \ncondition:\nall of ($s*)\n}",apt29,RU,"Espionage, Information theft and espionage",2008,US,TRUE,Spear Phishing,"CobaltStrike, Firebase, Constant Contact","Non-Governmental Organizations (NGOs) and Nonprofits, Education and Research Institutions, Government and Defense Agencies",,, 2021-06-04,APT Attacks on Domestic Companies Using Library Files,,https://asec.ahnlab.com/en/23717/,AhnLab,,,,lazarus group,KP,"Information theft and espionage, Espionage, Sabotage and destruction, Sabotage, Financial crime",2014,"BE, KR, NL",,,,Corporations and Businesses,,, 2021-06-08,PuzzleMaker attacks with Chrome zero-day exploit chain _ 
Securelist,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.06.08.PuzzleMaker_APT/PuzzleMaker%20attacks%20with%20Chrome%20zero-day%20exploit%20chain%20_%20Securelist.pdf,Kaspersky,"CVE-2021-21220, CVE-2021-21224, CVE-2021-31955, CVE-2021-31956",,,puzzlemaker,,,,,TRUE,Exploit Vulnerability,"CHAINSHOT, PuzzleMaker",,2021-04-14,2021-06-08,55.0 2021-06-10,Big airline heist_ APT41 likely behind massive supply chain attack,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.06.10.Big_airline_heist/Big%20airline%20heist_%20APT41%20likely%20behind%20massive%20supply%20chain%20attack.pdf,Group-IB,,,,apt41,CN,"Financial crime, Information theft and espionage",2010,IN,,,"Cobalt Strike, install.bat, SecurityHealthSystray.dll, SecurityHealthSystray.ocx, BadPotatoNet4.exe, COMSysUpdate.dll",Corporations and Businesses,2021-02-23,2021-05-21,87.0 2021-06-11,Story of the 'Phisherman' -Dissecting Phishing Techniques of CloudDragon APT (slides),,https://conference.hitb.org/hitbsecconf2021ams/materials/D2T1%20-%20The%20Phishermen%20-%20Dissecting%20Phishing%20Techniques%20of%20CloudDragon%20APT%20-%20Linda%20Kuo%20&Zih-Cing%20Liao%20.pdf,Team T5,,,,clouddragon,,,,"KR, US",,Phishing,,"Government and Defense Agencies, Non-Governmental Organizations (NGOs) and Nonprofits",,, 2021-06-16,Ferocious Kitten_ 6 years of covert surveillance in Iran _ Securelist,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.06.16.Ferocious_Kitten/Ferocious%20Kitten_%206%20years%20of%20covert%20surveillance%20in%20Iran%20_%20Securelist.pdf,Kaspersky,,,,ferocious kitten,,,,IR,,"Malicious Documents, Website Equipping","Chrome, Telegram, Psiphon, MarkiRat, Visual Studio 2013, Visual Studio 2015, Visual Studio 2017",Individuals,,, 2021-06-19,"Alert (AA21-200A) Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China's MSS Hainan State Security 
Department",,https://us-cert.cisa.gov/ncas/alerts/aa21-200a,CISA,,"T1560:N/A, T1572:N/A, S0183:N/A, TA0043:N/A, T1078:Valid Accounts, T1532:N/A, T1589:N/A, T1204:User Execution, T1090:Connection Proxy, T1203:Exploitation for Client Execution, TA0001:Initial Access, T1059:Command-Line Interface, T1027:Obfuscated Files or Information, TA0005:Defense Evasion, T1534:N/A, TA1505:N/A, T1586:N/A, S0020:N/A, S0228:N/A, TA0007:Discovery, S0229:N/A, T1583:N/A, T1190:Exploit Public-Facing Application, S0363:N/A, S0154:N/A, TA0008:Lateral Movement, S0021:N/A, T1189:Drive-by Compromise, T1001:Data Obfuscation, T1566:N/A, TA0009:Collection, TA0010:Exfiltration, T1133:External Remote Services, T1074:Data Staged, TA0003:Persistence, T1041:Exfiltration Over Command and Control Channel, TA0011:Command and Control, TA0042:N/A, S0032:N/A, S0233:N/A, S0194:N/A, TA0006:Credential Access, T1585:N/A, TA0004:Privilege Escalation, TA0002:Execution",,apt40,CN,"Espionage, Information theft and espionage",2013,"CA, HK, ID, MY, PH, TW, US",FALSE,"Spear Phishing, Watering Hole, Credential Reuse, Exploit Vulnerability, Drive-by Download","BADFLICK/Greencrash, China Chopper, Cobalt Strike, Derusbi/PHOTO, Gh0stRAT, GreenRAT, jjdoor/Transporter, jumpkick, Murkytop (mt.exe), NanHaiShu, Orz/AirBreak, PowerShell Empire, PowerSploit, Web Shell","Government and Defense Agencies, Corporations and Businesses, Healthcare, Manufacturing, Education and Research Institutions, Critical Infrastructure",,, 2021-06-24,Operation Eagle Eye - Securifera,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.06.24.Operation_Eagle_Eye/Operation%20Eagle%20Eye%20%E2%80%93%20Securifera.pdf,Securifera,"CVE-2017-12542, CVE-2021-35047, CVE-2021-35048, CVE-2021-35049, CVE-2021-35050",,,,,,,,TRUE,Exploit Vulnerability,,"Corporations and Businesses, Financial Institutions",,, 2021-07-01,Russian GRU (APT28) Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud 
Environments,,https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF,CISA,"CVE-2020-0688, CVE-2020-17144","T1036:Masquerading, T1505:N/A, T1560:N/A, T1213:Data from Information Repositories, T1078:Valid Accounts, T1030:Data Transfer Size Limits, T1114:Email Collection, T1048:Exfiltration Over Alternative Protocol, T1110:Brute Force, T1039:Data from Network Shared Drive, T1115:Clipboard Data, T1190:Exploit Public-Facing Application, T1021:Remote Services, T1005:Data from Local System, T1003:Credential Dumping, T1098:Account Manipulation, T1074:Data Staged",,"85th gtsss, apt28",RU,"Espionage, Information theft and espionage",2004,US,FALSE,Exploit Vulnerability,"WinRAR, certutil.exe, outlookconfiguration.aspx (web shell)","Government and Defense Agencies, Corporations and Businesses, Education and Research Institutions, Media and Entertainment Companies",,, 2021-07-05,Tracking Cobalt Strike_ A Trend Micro Vision One Investigation,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.07.05.cobalt_strike_tracking/Tracking%20Cobalt%20Strike_%20A%20Trend%20Micro%20Vision%20One%20Investigation.pdf,Trend Micro,,,,,,,,,,"Spear Phishing, Social Engineering, Malicious Documents","Cobalt Strike, IcedID, Bloodhound, ADfind.exe, Pass-the-Hash (PtH), MS Office Application Command Execution Via DDE",,,, 2021-07-06,Lazarus campaign TTPs and evolution _ AT&T Alien Labs,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.07.06.Lazarus_TTPs_evolution/Lazarus%20campaign%20TTPs%20and%20evolution%20_%20AT%26T%20Alien%20Labs.pdf,AT&T Alien Labs,,"T1140:Deobfuscate/Decode Files or Information, T1132:Data Encoding, T1204:User Execution, TA0011:Command and Control, TA0001:Initial Access, T1059:Command-Line Interface, T1566:N/A, TA0005:Defense Evasion, T1036:Masquerading, TA0002:Execution","rule LazarusCampaign_MacroDoc_Jun2021 : WindowsMalware 
{\n\n meta:\n\n author = ""AlienLabs""\n\n description = ""Detects Lazarus campaign macro document Jun2021.""\n\n reference = \n""https://otx.alienvault.com/pulse/294acafed42c6a4f546486636b4859c074e53d74be049df99932804be048f42c""\n\n SHA256 = ""294acafed42c6a4f546486636b4859c074e53d74be049df99932804be048f42c""\n\n\n strings:\n\n\n $a1 = ""ZSBydW4gaW4gRE9TIG1vZGUuDQ0KJA"" ascii //run in DOS mode. - base64 encoded\n\n $a2 = ""c:\\\\Drivers""\n\n $a3 = ""AAAAAAAAAA="" ascii // base64 content\n\n $a4 = ""CreateObject(\\""Scripting.FileSystemObject\\"").CreateTextFile""\n\n $a5 = ""cmd /c copy""\n\n $a6 = {73 79 73 74 65 6d 33 32 5c 2a 65 72 74 75 74 2a 2e 65 78 65} // system32\\*ertut*.exe\n\n $a7 = {25 73 79 73 74 65 6d 72 6f 6f 74 25 5c 65 78 70 2a 2e 65 78 65} // %systemroot%\\exp*.exe\n\n $a8 = ""sleep 1000""\n\n $a9 = ""cmd /c explorer.exe /root""\n\n $a10 = ""-decode ""\n\n $b = ""tAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5v"" ascii //This program cannot - base64 encoded\n\n\n condition:\n\n uint16(0) == 0xCFD0 and\n\n filesize < 2000KB and\n\n $b and\n\n 5 of ($a*)\n\n}, rule LazarusCampaign_Payload_Jun2021 : WindowsMalware {\n\n meta:\n\n author = ""AlienLabs""\n\n description = ""Detects Lazarus campaign downloader Jun2021.""\n\n reference = \n""https://otx.alienvault.com/pulse/294acafed42c6a4f546486636b4859c074e53d74be049df99932804be048f42c""\n\n SHA256 = ""f5563f0e63d9deed90b683a15ebd2a1fda6b72987742afb40a1202ddb9e867d0""\n\n\n strings:\n\n\n $a1 = ""Office ClickToRun"" wide ascii\n\n $a2 = ""C:\\\\Drivers\\\\""\n\n\n condition:\n\n\n uint16(0) == 0x5A4D and all of them\n\n}",lazarus group,KP,"Information theft and espionage, Espionage, Sabotage and destruction, Sabotage, Financial crime",2014,US,FALSE,"Spear Phishing, Malicious Documents",,"Corporations and Businesses, Manufacturing",,, 
2021-07-07,Talos_InSideCopy(07-07-2021),InSideCopy: How this APT continues to evolve its arsenal,https://app.box.com/s/6cqbzi2d8nerurekjgw9e7e0pgi828ni,Cisco,,,,sidecopy,PK,Information theft and espionage,2019,IN,,"Spear Phishing, Social Engineering, Malicious Documents","Nodachi, CetaRAT, ReverseRAT, MargulasRAT, Allakore, ActionRAT, Lilith","Government and Defense Agencies, Education and Research Institutions",,, 2021-07-09,BIOPASS RAT New Malware Sniffs Victims via Live Streaming,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.07.09.BIOPASS_RAT/BIOPASS%20RAT%20New%20Malware%20Sniffs%20Victims%20via%20Live%20Streaming.pdf,Trend Micro,,,,apt41,CN,"Financial crime, Information theft and espionage",2010,CN,,Watering Hole,"BIOPASS RAT, Cobalt Strike, Python","Corporations and Businesses, Education and Research Institutions, Individuals",2021-07-09,2021-10-05,88.0 2021-07-12,#NoFilter_ Exposing the Tactics of Instagram Account Hackers,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.07.12.NoFilter/%23NoFilter_%20Exposing%20the%20Tactics%20of%20Instagram%20Account%20Hackers.pdf,Trend Micro,,,,,,,,,FALSE,"Phishing, Social Engineering",,"Individuals, Media and Entertainment Companies",,, 2021-07-13,ASEC_REPORT_vol.103_ENG,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/Report/AhnLab/ASEC_REPORT_vol.103_ENG.pdf,AhnLab,,,,ta505,RU,,,,,"Phishing, Malicious Documents","Cobalt Strike, FickerStealer, svchost.exe, python36.exe, msvcp140_3.dll, HTTPS beacon, System.Executetime.Local.dll, System.PrintServices.tlb, Ryuk ransomware, BazarLoader, BazarBackdoor","Government and Defense Agencies, Healthcare, Energy and Utilities, Education and Research Institutions, Corporations and Businesses",,, 2021-07-14,How we protect users from 0-day 
attacks,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.07.14.Candiru_0Day/How%20we%20protect%20users%20from%200-day%20attacks.pdf,Google,"CVE-2021-1844, CVE-2021-1879, CVE-2021-21166, CVE-2021-26411, CVE-2021-30551, CVE-2021-33742",,,,,,,AM,TRUE,"Spear Phishing, Social Engineering, Malicious Documents, Exploit Vulnerability",Cobalt Strike,Government and Defense Agencies,,, 2021-07-14,Kaspersky-LuminousMothAPT-Sweeping-attackspdf(07-14-2021),LuminousMoth APT: Sweeping attacks for the chosen few,https://app.box.com/s/v7po0a45ua8rz0vhbb7pnc6gocrs3lfq,Kaspersky,,,,luminousmoth,CN,,,"MM, PH",,"Spear Phishing, Removable Media","Cobalt Strike, Zoom (fake version), version.dll, wwlib.dll, igfxem.exe (sllauncher.exe), winword.exe",Government and Defense Agencies,2019-10-29,2021-03-02,490.0 2021-07-19,"U.S., allies accuse China of hacking Microsoft and condoning other cyberattacks (APT40)",,https://www.washingtonpost.com/national-security/microsoft-hack-china-biden-nato/2021/07/19/a90ac7b4-e827-11eb-84a2-d93bc0b50294_story.html,Washington Post,,,,,,,,"CA, GB, US",TRUE,Exploit Vulnerability,webshells,Corporations and Businesses,,, 2021-07-21,StrongPity APT Group Deploys Android Malware for the First Time,,https://www.trendmicro.com/en_us/research/21/g/strongpity-apt-group-deploys-android-malware-for-the-first-time.html,Trend Micro,,,,strongpity,TR,Information theft and espionage,2012,,,Watering Hole,,Government and Defense Agencies,,, 2021-07-22,DoNot APT Group Delivers A Spyware Variant Of Chat App,,https://blog.cyble.com/2021/07/22/donot-apt-group-delivers-a-spyware-variant-of-chat-app/,cyble,,"T1426:N/A, T1433:N/A, T1532:N/A, T1507:N/A, T1409:N/A, T1412:N/A, T1424:N/A, T1432:N/A, T1418:N/A, T1571:N/A, T1430:N/A, T1429:N/A, T1406:N/A, T1573:N/A, T1421:N/A",,donot team,IN,Information theft and espionage,2016,"AR, IN, PK",,"Spear Phishing, Malicious Documents","Mecaller.apk, MSBuild",Government and Defense Agencies,,, 
2021-07-26,FM 3-12 Cyberspace Operations and Electromagnetic Warfare 20,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/Report/FM%203-12%20Cyberspace%20Operations%20and%20Electromagnetic%20Warfare%2020.pdf,RSA,,,,,,,,,,,,"Government and Defense Agencies, Corporations and Businesses, Critical Infrastructure",,, 2021-07-27,THOR_ Previously Unseen PlugX Variant Deployed During Microsoft Exchange Server Attacks by PKPLUG Group,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.07.27.THOR_PKPLUG_Group/THOR_%20Previously%20Unseen%20PlugX%20Variant%20Deployed%20During%20Microsoft%20Exchange%20Server%20Attacks%20by%20PKPLUG%20Group.pdf,Palo Alto,CVE-2021-26855,,,pkplug,CN,,,,TRUE,Exploit Vulnerability,"PlugX, ARO 2012, Cortex XDR, Next-Generation Firewall, WildFire, Threat Prevention, AutoFocus, Unit 42 ATOM Viewer",,,, 2021-07-28,I Knew You Were Trouble_ TA456 Targets Defense Contractor with Alluring Social Media Persona _ Proofpoint US,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.07.28.TA456/I%20Knew%20You%20Were%20Trouble_%20TA456%20Targets%20Defense%20Contractor%20with%20Alluring%20Social%20Media%20Persona%20_%20Proofpoint%20US.pdf,Proofpoint,,,,ta456,IR,Information theft and espionage,2018,US,FALSE,"Social Engineering, Malicious Documents","LEMPO, Liderc","Corporations and Businesses, Government and Defense Agencies",,, 2021-07-29,GhostEmperor Chinese-speaking APT targets high-profile victims using unknown rootkit,,https://www.kaspersky.com/about/press-releases/2021_ghostemperor-chinese-speaking-apt-targets-high-profile-victims-using-unknown-rootkit,Kaspersky,,,,ghostemperor,CN,,,,TRUE,Exploit Vulnerability,"Moses, PuzzleMaker, Pulse Secure, WildPressure, GhostEmperor","Government and Defense Agencies, Corporations and Businesses, Critical Infrastructure",,, 2021-08-02,TG1021 - Praying Mantis Threat 
Actor,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.08.02.TG1021_Praying_Mantis/TG1021%20-%20Praying%20Mantis%20Threat%20Actor.pdf,Sygnia,"CVE-2017-11317, CVE-2019-18935, CVE-2021-27852","T1056:Input Capture, T1572:N/A, T1078:Valid Accounts, T1592:N/A, T1132:Data Encoding, T1068:Exploitation for Privilege Escalation, T1090:Connection Proxy, T1059:Command-Line Interface, T1027:Obfuscated Files or Information, T1021:Remote Services, T1570:N/A, T1573:N/A, T1505:N/A, T1210:Exploitation of Remote Services, T1190:Exploit Public-Facing Application, T1550:N/A, T1071:Standard Application Layer Protocol, T1070:Indicator Removal on Host, T1587:N/A, T1595:N/A, T1055:Process Injection, T1001:Data Obfuscation, T1083:File and Directory Discovery, T1005:Data from Local System, T1036:Masquerading, T1140:Deobfuscate/Decode Files or Information, T1562:N/A, T1134:Access Token Manipulation, T1135:Network Share Discovery, T1590:N/A",,praying mantis,,,,AU,TRUE,Exploit Vulnerability,"NodeIISWeb malware, Telerik UI for ASP.NET AJAX",,,, 2021-08-03,The Art of Cyberwarfare,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.08.03.Chinese_APTs_attackRussia/The%20Art%20of%20Cyberwarfare.pdf,Solar JSOC,,,"rule webdavo_rat\n{\n meta:\n author = ""Dmitry Kupin""\n company = ""Group-IB""\n family = ""webdavo.rat""\n description = ""Suspected Webdav-O RAT (YaDisk)""\n sample = ""7874c9ab2828bc3bf920e8cdee027e745ff059237c61b7276bbba5311147ebb6"" // x86\n sample = ""849e6ed87188de6dc9f2ef37e7c446806057677c6e05a367abbd649784abdf77"" // x64\n severity = 9\n date = ""2021-06-10""\n\n strings:\n $rc4_key_0 = { 8A 4F 01 47 34 C9 75 F8 2B C8 C1 E9 D2 F3 A5 8B }\n $rc4_key_1 = { C3 02 03 04 05 DD EE 08 09 10 11 12 1F D2 15 16 }\n $s0 = ""y_dll.dll"" fullword ascii\n $s1 = ""test3.txt"" fullword ascii\n $s2 = ""DELETE"" fullword wide\n $s3 = ""PROPFIND"" fullword wide\n\n condition:\n (any of ($rc4_key*) or 3 of ($s*)) 
or\n (\n pe.imphash() == ""43021febc8494d66a8bc60d0fa953473"" or\n pe.imphash() == ""68320a454321f215a3b6fcd7d585626b""\n )\n}, rule albaniiutas_rat_dll\n{\n meta:\n author = ""Dmitry Kupin""\n company = ""Group-IB""\n family = ""albaniiutas.rat""\n description = ""Suspected Albaniiutas RAT (fileless)""\n sample = ""fd43fa2e70bcc3b602363667560494229287bf4716638477889ae3f816efc705"" // dumped\n severity = 9\n date = ""2021-07-06""\n\n strings:\n $rc4_key = { 00 4C 21 51 40 57 23 45 24 52 25 54 5E 59 26 55 2A 41 7C 7D 74 7E 6B 00 } // L!Q@W#E$R%T^Y&U*A|}t~k\n $aes256_str_seed = { 00 30 33 30 34 32 37 36 63 66 34 66 33 31 33 34 35 00 } // 0304276cf4f31345\n $s0 = ""http://%s/%s/%s/"" fullword ascii\n $s1 = ""%s%04d/%s"" fullword ascii\n $s2 = ""GetRemoteFileData error!"" fullword ascii\n $s3 = ""ReadInjectFile error!"" fullword ascii\n $s4 = ""%02d%02d"" fullword ascii\n $s5 = ""ReadInject succeed!"" fullword ascii\n $s6 = ""/index.htm"" fullword ascii\n $s7 = ""commandstr"" fullword ascii\n $s8 = ""ClientX.dll"" fullword ascii\n $s9 = ""GetPluginObject"" fullword ascii\n $s10 = ""D4444 0k!"" fullword ascii\n $s11 = ""D5555 E00r!"" fullword ascii\n $s12 = ""U4444 0k!"" fullword ascii\n $s13 = ""U5555 E00r!"" fullword ascii\n\n condition:\n 5 of them\n}, rule albaniiutas_dropper_exe\n{\n meta:\n author = ""Dmitry Kupin""\n company = ""Group-IB""\n family = ""albaniiutas.dropper""\n description = ""Suspected Albaniiutas dropper""\n sample = ""2a3c8dabdee7393094d72ce26ccbce34bff924a1be801f745d184a33119eeda4"" // csrss.exe dropped from 83b619f65...\n sample = ""71750c58eee35107db1a8e4d583f3b1a918dbffbd42a6c870b100a98fd0342e0"" // csrss.exe dropped from 690bf6b83...\n sample = ""83b619f65d49afbb76c849c3f5315dbcb4d2c7f4ddf89ac93c26977e85105f32"" // dropper_stage_0 with decoy\n sample = ""690bf6b83cecbf0ac5c5f4939a9283f194b1a8815a62531a000f3020fee2ec42"" // dropper_stage_0 with decoy\n severity = 9\n date = ""2021-07-06""\n\n strings:\n $eventname = 
/[0-9A-F]{8}-[0-9A-F]{4}-4551-8F84-08E738AEC[0-9A-F]{3}/ fullword ascii wide\n $rc4_key = { 00 4C 21 51 40 57 23 45 24 52 25 54 5E 59 26 55 2A 41 7C 7D 74 7E 6B 00 } // L!Q@W#E$R%T^Y&U*A|}t~k\n $aes256_str_seed = { 00 65 34 65 35 32 37 36 63 30 30 30 30 31 66 66 35 00 } // e4e5276c00001ff5\n $s0 = ""Release Entery Error"" fullword ascii\n $s1 = ""FileVJCr error"" fullword ascii\n $s2 = ""wchWSMhostr error"" fullword ascii\n $s3 = ""zlib err0r"" fullword ascii\n $s4 = ""De err0r"" fullword ascii\n $s5 = ""CreateFileW_CH error!"" fullword ascii\n $s6 = ""GetConfigOffset error!"" fullword ascii\n\n condition:\n 5 of them or\n (\n pe.imphash() == ""222e118fa8c0eafeef102e49953507b9"" or\n pe.imphash() == ""7210d5941678578c0a31adb5c361254d"" or\n pe.imphash() == ""41e9907a6c468b4118e968a01461a45b""\n )\n}",ta428,CN,Information theft and espionage,2013,RU,,,"Webdav-O, Mail-O, Smanager, Tmanger","Government and Defense Agencies, Education and Research Institutions",,, 2021-08-04,Cloudy with a Chance of APT: Novel Microsoft 365 Attacks in the Wild,,https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Cloudy-With-A-Chance-Of-APT-Novel-Microsoft-365-Attacks-In-The-Wild.pdf,FireEye,,,,,,,,,,,,,,, 2021-08-05,Detecting Cobalt Strike Government-Sponsored Threat Groups (APT32),,https://www.secureworks.com/blog/detecting-cobalt-strike-government-sponsored-threat-groups,SecureWorks,,,,tin woodlawn,VN,"Espionage, Financial gain, Information theft and espionage",2012,,FALSE,Spear Phishing,"Cobalt Strike, PowerShell, Windows mshta utility",Corporations and Businesses,,, 2021-08-09,APT Cobalt Strike Campaign targeting Slovakia (DEF CON talk),,https://www.istrosec.com/blog/apt-sk-cobalt/,IstroSec,,,,apt29,RU,"Espionage, Information theft and espionage",2008,"CZ, SK",,Phishing,"Cobalt Strike Beacon, Metasploit","Government and Defense Agencies, Education and Research Institutions",2021-02-15,2021-06-15,120.0 
2021-08-09,Cinobi Banking Trojan Targets Users of Cryptocurrency Exchanges with New Malvertising Campaign,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.08.09.Cinobi_Banking_Trojan/Cinobi%20Banking%20Trojan%20Targets%20Users%20of%20Cryptocurrency%20Exchanges%20with%20New%20Malvertising%20Campaign.pdf,Trend Micro,"CVE-2020-1380, CVE-2021-26411",,,water kappa,,,,JP,FALSE,"Social Engineering, Exploit Vulnerability","Trojan.Win32.SHELLOAD, Cinobi banking trojan, Bottle exploit kit","Financial Institutions, Individuals",,, 2021-08-12,Uncovering Tetris - a Full Surveillance Kit Running in your Browser - imp0rtp3,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.08.12.Full-Surveillance-Kit-China/Uncovering%20Tetris%20%E2%80%93%20a%20Full%20Surveillance%20Kit%20Running%20in%20your%20Browser%20%E2%80%93%20imp0rtp3.pdf,EFF,,"T1564:N/A, T1518:N/A, T1005:Data from Local System, T1046:Network Service Scanning, T1016:System Network Configuration Discovery",,,,,,CN,FALSE,Watering Hole,Jetriz and Swid,"Non-Governmental Organizations (NGOs) and Nonprofits, Individuals",,, 2021-08-14,Indra - Hackers Behind Recent Attacks on Iran - Check Point Research,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.08.14.Indra_Iran/Indra%20%E2%80%94%20Hackers%20Behind%20Recent%20Attacks%20on%20Iran%20-%20Check%20Point%20Research.pdf,Check Point,,,"rule ZZ_breakwin_config {\nmeta:\ndescription = ""Detects the header of the encrypted config files, assuming known encryption key.""\nauthor = ""Check Point Research""\ndate = ""22-07-2021""\nhash = ""948febaab71727217303e0aabb9126f242aa51f89caa7f070a3da76c4f5699ed""\nhash = ""2d35bb7c02062ff2fba4424a267c5c83351405281a1870f52d02f3712a547a22""\nhash = ""68e95a3ccde3ea22b8eb8adcf0ad53c7993b2ea5316948e31d9eadd11b5151d7""\nstrings:\n$conf_header = {1A 69 45 47 5E 46 4A 06 03 E4 34 0B 06 1D ED 2F 02 15 02 E5 57 4D 59 59 D1 40 20 
22}\ncondition:\n$conf_header at 0\n}, rule ZZ_breakwin_meteor_batch_files {\nmeta:\ndescription = ""Detect the batch files used in the attacks""\nauthor = ""Check Point Research""\ndate = ""22-07-2021""\nstrings:\n$filename_0 = ""mscap.bmp""\n$filename_1 = ""mscap.jpg""\n$filename_2 = ""msconf.conf""\n$filename_3 = ""msmachine.reg""\n$filename_4 = ""mssetup.exe""\n$filename_5 = ""msuser.reg""\n$filename_6 = ""msapp.exe""\n$filename_7 = ""bcd.rar""\n$filename_8 = ""bcd.bat""\n$filename_9 = ""msrun.bat""\n$command_line_0 = ""powershell -Command \\""%exclude_command% \%defender_exclusion_folder%""\n$command_line_1 = ""start /b \\""\\"" update.bat hackemall""\ncondition:\n4 of ($filename_*) or\nany of ($command_line_*)\n}, rule ZZ_breakwin_stardust_vbs {\nmeta:\ndescription = ""Detect the VBS files that were found in the attacks on targets in Syria""\nauthor = ""Check Point Research""\ndate = ""22-07-2021""\nhash = ""38a419cd9456e40961c781e16ceee99d970be4e9235ccce0b316efe68aba3933""\nhash = ""62a984981d14b562939294df9e479ac0d65dfc412d0449114ccb2a0bc93769b0""\nhash = ""4d994b864d785abccef829d84f91d949562d0af934114b65056315bf59c1ef58""\nhash = ""eb5237d56c0467b5def9a92e445e34eeed9af2fee28f3a2d2600363724d6f8b0""\nhash = ""5553ba3dc141cd63878a7f9f0a0e67fb7e887010c0614efd97bbc6c0be9ec2ad""\nstrings:\n$url_template = ""progress.php?hn=\\"" & CN & \\""&dt=\\"" & DT & \\""&st=""\n$compression_password_1 = ""YWhZMFU1VlZGdGNFNWlhMVlVMnhTMWtOVlJVWWNGTk9iVTQxVW10V0ZFeFJUMD0r""\n$compression_password_2 = ""YWlvcyBqQCNAciNxIGpmc2FkKnIoOUZURjlVSjBSRjJRSlJGODlKSDIzRmloIG8""\n$uninstall_kaspersky = ""Shell.Run \\""msiexec.exe /x \\"" & productcode 
& \\"" KLLOGIN=""\n$is_avp_running = ""isProcessRunning(\\"".\\"", \\""avp.exe\\"") Then""\ncondition:\nany of them\n}, rule ZZ_breakwin_wiper {\nmeta:\ndescription = ""Detects the BreakWin wiper that was used in attacks in Syria""\nauthor = ""Check Point Research""\ndate = ""22-07-2021""\nhash = ""2aa6e42cb33ec3c132ffce425a92dfdb5e29d8ac112631aec068c8a78314d49b""\nhash = ""6709d332fbd5cde1d8e5b0373b6ff70c85fee73bd911ab3f1232bb5db9242dd4""\nhash = ""d71cc6337efb5cbbb400d57c8fdeb48d7af12a292fa87a55e8705d18b09f516e""\nstrings:\n$debug_str_meteor_1 = ""the program received an invalid number of arguments"" wide\n$debug_str_meteor_2 = ""End interval logger. Resuming writing every log"" wide\n$debug_str_meteor_0 = ""failed to initialize configuration from file"" wide\n$debug_str_meteor_3 = ""Meteor is still alive."" wide\n$debug_str_meteor_4 = ""Exiting main function because of some error"" wide\n$debug_str_meteor_5 = ""Meteor has finished. This shouldn\t be possible because of the is-alive loop."" wide\n$debug_str_meteor_6 = ""Meteor has started."" wide\n$debug_str_meteor_7 = ""Could not hide current console."" wide\n$debug_str_meteor_8 = ""Could not get the window handle used by the console."" wide\n$debug_str_meteor_9 = ""Failed to find base-64 data size"" wide\n$debug_str_meteor_10 = ""Running locker thread"" wide\n$debug_str_meteor_11 = ""Failed to encode wide-character string as Base64"" wide\n$debug_str_meteor_12 = ""Wiper operation failed."" wide\n$debug_str_meteor_13 = ""Screen saver disable failed."" wide\n$debug_str_meteor_14 = ""Failed to generate password of length %s. 
Generating a default one."" wide\n$debug_str_meteor_15 = ""Failed to delete boot configuration"" wide\n$debug_str_meteor_16 = ""Could not delete all BCD entries."" wide\n$debug_str_meteor_17 = ""Finished deleting BCD entries."" wide\n$debug_str_meteor_18 = ""Failed to change lock screen"" wide\n$debug_str_meteor_19 = ""Boot configuration deleted successfully"" wide\n$debug_str_meteor_20 = ""Failed to kill all winlogon processes"" wide\n$debug_str_meteor_21 = ""Changing passwords of all users to"" wide\n$debug_str_meteor_22 = ""Failed to change the passwords of all users"" wide\n$debug_str_meteor_23 = ""Failed to run the locker thread"" wide\n$debug_str_meteor_24 = ""Screen saver disabled successfully."" wide\n$debug_str_meteor_25 = ""Generating random password failed"" wide\n$debug_str_meteor_26 = ""Locker installation failed"" wide\n$debug_str_meteor_27 = ""Failed to set auto logon."" wide\n$debug_str_meteor_28 = ""Failed to initialize interval logger. 
Using a dummy logger instead."" wide\n$debug_str_meteor_29 = ""Succeeded setting auto logon for"" wide\n$debug_str_meteor_30 = ""Failed disabling the first logon privacy settings user approval."" wide\n$debug_str_meteor_31 = ""Failed disabling the first logon animation."" wide\n$debug_str_meteor_32 = ""Waiting for new winlogon process"" wide\n$debug_str_meteor_33 = ""Failed to isolate from domain"" wide\n$debug_str_meteor_34 = ""Failed creating scheduled task for system with name %s."" wide\n$debug_str_meteor_35 = ""Failed to get the new token of winlogon."" wide\n$debug_str_meteor_36 = ""Failed adding new admin user."" wide\n$debug_str_meteor_37 = ""Failed changing settings for the created new user."" wide\n$debug_str_meteor_38 = ""Failed disabling recovery mode."" wide\n$debug_str_meteor_39 = ""Logging off users on Windows version 8 or above"" wide\n$debug_str_meteor_40 = ""Succeeded setting boot policy to ignore all errors."" wide\n$debug_str_meteor_41 = ""Succeeded creating scheduled task for system with name"" wide\n$debug_str_meteor_42 = ""Succeeded disabling recovery mode"" wide\n$debug_str_meteor_43 = ""Failed to log off all sessions"" wide\n$debug_str_meteor_44 = ""Failed to delete shadowcopies."" wide\n$debug_str_meteor_45 = ""Failed logging off session: "" wide\n$debug_str_meteor_46 = ""Failed setting boot policy to ignore all errors."" wide\n$debug_str_meteor_47 = ""Successfully logged off all local sessions, except winlogon."" wide\n$debug_str_meteor_48 = ""Succeeded creating scheduled task with name %s for user %s."" wide\n$debug_str_meteor_49 = ""Killing all winlogon processes"" wide\n$debug_str_meteor_50 = ""Logging off users in Windows 7"" wide\n$debug_str_meteor_51 = ""Failed logging off all local sessions, except winlogon."" wide\n$debug_str_meteor_52 = ""Failed creating 
scheduled task with name %s for user %s."" wide\n$debug_str_meteor_53 = ""Succeeded deleting shadowcopies."" wide\n$debug_str_meteor_54 = ""Logging off users in Windows XP"" wide\n$debug_str_meteor_55 = ""Failed changing settings for the created new user."" wide\n$debug_str_meteor_56 = ""Could not open file %s. error message: %s"" wide\n$debug_str_meteor_57 = ""Could not write to file %s. error message: %s"" wide\n$debug_str_meteor_58 = ""tCould not tell file pointer location on file %s."" wide\n$debug_str_meteor_59 = ""Could not set file pointer location on file %s to offset %s."" wide\n$debug_str_meteor_60 = ""Could not read from file %s. error message: %s"" wide\n$debug_str_meteor_61 = ""Failed to wipe file %s"" wide\n$debug_str_meteor_62 = ""attempted to access encrypted file in offset %s, but it only supports offset 0"" wide\n$debug_str_meteor_63 = ""Failed to create thread. Error message: %s"" wide\n$debug_str_meteor_64 = ""Failed to wipe file %s"" wide\n$debug_str_meteor_65 = ""failed to get configuration value with key %s"" wide\n$debug_str_meteor_66 = ""failed to parse the configuration from file %s"" wide\n$debug_str_meteor_67 = ""Failed posting to server, received unknown exception"" wide\n$debug_str_meteor_68 = ""Failed posting to server, received std::exception"" wide\n$debug_str_meteor_69 = ""Skipping %s logs. Writing log number %s:"" wide\n$debug_str_meteor_70 = ""Start interval logger. 
Writing logs with an interval of %s logs."" wide\n$debug_str_meteor_71 = ""failed to write message to log file %s"" wide\n$debug_str_meteor_72 = ""The log message is too big: %s/%s characters."" wide\n$debug_str_stardust_0 = ""Stardust has started."" wide\n$debug_str_stardust_1 = ""0Vy0qMGO"" ascii wide\n$debug_str_comet_0 = ""Comet has started."" wide\n$debug_str_comet_1 = ""Comet has finished."" wide\n$str_lock_my_pc = ""Lock My PC 4"" ascii wide\n$config_entry_0 = ""state_path"" ascii\n$config_entry_1 = ""state_encryption_key"" ascii\n$config_entry_2 = ""log_server_port"" ascii\n$config_entry_3 = ""log_file_path"" ascii\n$config_entry_4 = ""log_encryption_key"" ascii\n$config_entry_5 = ""log_server_ip"" ascii\n$config_entry_6 = ""processes_to_kill"" ascii\n$config_entry_7 = ""process_termination_timeout"" ascii\n$config_entry_8 = ""paths_to_wipe"" ascii\n$config_entry_9 = ""wiping_stage_logger_interval"" ascii\n$config_entry_10 = ""locker_exe_path"" ascii\n$config_entry_11 = ""locker_background_image_jpg_path"" ascii\n$config_entry_12 = ""auto_logon_path"" ascii\n$config_entry_13 = ""locker_installer_path"" ascii\n$config_entry_14 = ""locker_password_hash"" ascii\n$config_entry_15 = ""users_password"" ascii\n$config_entry_16 = ""locker_background_image_bmp_path"" ascii\n$config_entry_17 = ""locker_registry_settings_files"" ascii\n$config_entry_18 = ""cleanup_script_path"" ascii\n$config_entry_19 = ""is_alive_loop_interval"" ascii\n$config_entry_20 = ""cleanup_scheduled_task_name"" ascii\n$config_entry_21 = ""self_scheduled_task_name"" ascii\n$encryption_asm = {33 D2 8B C3 F7 75 E8 8B 41 04 8B 4E 04 8A 04 02 02 C3 32 04 1F 88 45 F3 39 4E 08}\n$random_string_generation = {33 D2 59 F7 F1 83 ?? ?? 08 66 0F BE 82 ?? ?? ?? 
00 0F B7 C8 8B C7}\ncondition:\nuint16(0) == 0x5A4D and\n(\n6 of them or\n$encryption_asm or\n$random_string_generation\n)\n}",indra,,"Sabotage and destruction, Sabotage",2019,"IR, SY",,,"Trojan.Win32.BreakWin, Helper script to decrypt the log file","Government and Defense Agencies, Critical Infrastructure",,, 2021-08-17,volexity.com-North Korean APT InkySquid Infects Victims Using Browser Exploits,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.08.17.NK_APT_InkySquid/volexity.com-North%20Korean%20APT%20InkySquid%20Infects%20Victims%20Using%20Browser%20Exploits.pdf,Volexity,"CVE-2020-1380, CVE-2021-26411",,,apt37,KP,Information theft and espionage,2012,,FALSE,"Watering Hole, Exploit Vulnerability","Cobalt Strike, BLUELIGHT",,2021-03-15,2021-06-15,92.0 2021-08-17,Confucius Uses Pegasus Spyware-related Lures to Target Pakistani Military,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.08.17.Confucius_Pegasus/Confucius%20Uses%20Pegasus%20Spyware-related%20Lures%20to%20Target%20Pakistani%20Military.pdf,Trend Micro,,,,confucius,,,,,FALSE,"Spear Phishing, Social Engineering, Malicious Documents","Trojan.W97M.CONFUCIUS.A, Trojan.W97M.CONFUCIUS.B, Trojan.W97M.CONFUCIUS.C, Trojan.Win32.DLOADR.TIOIBELQ, Trend Micro™ Deep Discovery™ Email Inspector, Pegasus spyware",Government and Defense Agencies,,, 2021-08-19,Shadowpad,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.08.19.ShadowPad/Shadowpad.pdf,SentinelOne,"CVE-2019-9489, CVE-2020-8468",,,apt41,CN,"Financial crime, Information theft and espionage",2010,"HK, IN, TW, US",TRUE,,"ShadowPad, Mimikatz, VBScript command execution tool, VMProtect","Education and Research Institutions, Government and Defense Agencies, Media and Entertainment Companies, Corporations and Businesses, Non-Governmental Organizations (NGOs) and Nonprofits, Healthcare",,, 
2021-08-23,Inquest_Kimsuky-Espionage-Campaign(08-23-2021),Kimsuky Espionage Campaign,https://app.box.com/s/t7evyuuhbdiqo9q3mtowy9exwn9flner,Inquest,,,,kimsuky,KP,"Espionage, Information theft and espionage",2012,,FALSE,Malicious Documents,,Government and Defense Agencies,,, 2021-08-24,wp-earth-baku-an-apt-group-targeting-indo-pacific-countries,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.08.24.Earth_Baku_Returns/wp-earth-baku-an-apt-group-targeting-indo-pacific-countries.pdf,Trend Micro,CVE-2021-26855,"T1562:N/A, T1574:N/A, T1218:Signed Binary Proxy Execution, T1573:N/A, T1071:Standard Application Layer Protocol, T1090:Connection Proxy, T1569:N/A, T1105:Remote File Copy, T1059:Command-Line Interface, T1055:Process Injection, T1566:N/A, T1190:Exploit Public-Facing Application, T1027:Obfuscated Files or Information, T1053:Scheduled Task, T1036:Masquerading",,apt41,CN,"Financial crime, Information theft and espionage",2010,"ID, IN, MY, PH, TW, VN",TRUE,"Exploit Vulnerability, Malicious Documents","StealthVector, StealthMutant, ScrambleCross, sqlmap","Corporations and Businesses, Media and Entertainment Companies, Critical Infrastructure",,, 2021-08-24,volexity.com-North Korean BLUELIGHT Special InkySquid Deploys RokRAT,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.08.24.NK_APT_InkySquid_RokRAT/volexity.com-North%20Korean%20BLUELIGHT%20Special%20InkySquid%20Deploys%20RokRAT.pdf,Volexity,,,,inkysquid,KP,Information theft and espionage,2012,,,"Watering Hole, Exploit Vulnerability","RokRAT, BLUELIGHT, Python 2.7, Ruby",Individuals,,, 2021-09-02,Anomali_FIN7-Windows11-Themed-Drop-Javascript-Backdoor(09-02-2021),FIN7 Using Windows 11 Alpha-Themed Docs to Drop Javascript Backdoor,https://app.box.com/s/33zj46v2nv1cxiging8hc1w4j4zy05ip,Anomali,,"T1497:Virtualization/Sandbox Evasion, T1140:Deobfuscate/Decode Files or Information, T1204:User Execution, T1087:Account Discovery, 
T1047:Windows Management Instrumentation, T1059:Command-Line Interface, T1027:Obfuscated Files or Information",,fin7,RU,"Financial gain, Financial crime",2013,,FALSE,"Phishing, Spear Phishing, Malicious Documents",,"Corporations and Businesses, Financial Institutions",,, 2021-09-02,North Korean Cyberattacks A Dangerous and Evolving Threat 2,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/Report/North%20Korean%20Cyberattacks%20%20A%20Dangerous%20and%20Evolving%20Threat%202.pdf,Heritage.org,,"S/2020:N/A, S/2019:N/A",,lazarus group,KP,"Information theft and espionage, Espionage, Sabotage and destruction, Sabotage, Financial crime",2014,"AU, FR, GB, IL, IN, KR, RU, SK, TR, ZA",,"Spear Phishing, Watering Hole, Malicious Documents",,"Government and Defense Agencies, Financial Institutions, Healthcare, Energy and Utilities, Education and Research Institutions, Media and Entertainment Companies, Critical Infrastructure",,, 2021-09-02,Juniper Breach Mystery Starts to Clear With New Details on Hackers and U.S. 
Role (APT5),,https://www.bloomberg.com/news/features/2021-09-02/juniper-mystery-attacks-traced-to-pentagon-role-and-chinese-hackers,Bloomberg,,,,,,,,,,,,,,, 2021-09-08,Pro-PRC Influence Campaign Expands to Dozens of Social Media Platforms Attempted to Mobilize Protesters in the U.S,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.09.08.Pro-PRC_Campaign/Pro-PRC%20Influence%20Campaign%20Expands%20to%20Dozens%20of%20Social%20Media%20Platforms%2C%20Websites%2C%20and%20Forums%20in%20at%20Least%20Seven%20Languages%2C%20Attempted%20to%20Physically%20Mobilize%20Protesters%20in%20the%20U.S.%20_%20FireEye%20Inc.pdf,FireEye,,,,,,,,,FALSE,,,,2019-06-15,2021-04-24,679.0 2021-09-13,FORCEDENTRY NSO Group iMessage Zero-Click Exploit Captured in the Wild (CVE-2021-30860),,https://citizenlab.ca/2021/09/forcedentry-nso-group-imessage-zero-click-exploit-captured-in-the-wild/,Citizen Lab,CVE-2021-30860,,,nso group,IL,,,,TRUE,"Exploit Vulnerability, Malicious Documents",Pegasus spyware,"Individuals, Media and Entertainment Companies, Non-Governmental Organizations (NGOs) and Nonprofits",2021-02-15,2021-09-13,210.0 2021-09-13,APT-C-36 Updates Its Spam Campaign Against South American Entities With Commodity RATs (IOCs),,https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-american-entities-with-commodity-rats/BlindEagleIOCList.txt,Trend Micro,,,,,,,,,,,,,,, 2021-09-14,Cyble_APT-Targets-Indian-Defense-Enhanced-TTPs(09-14-2021),APT Group Targets Indian Defense Officials Through Enhanced TTPs,https://app.box.com/s/x6otivaxer0pf3hmkfzgwchig41xr7ac,Cyble,,"T1095:Standard Non-Application Layer Protocol, T1547:N/A, T1033:System Owner/User Discovery, T1204:User Execution, T1082:System Information Discovery, T1571:N/A, T1124:System Time Discovery, T1057:Process Discovery","rule win32_csdmalware\n{ \nmeta: \n author= ""Cyble Research"" \n date= ""2021-09-14"" \n description= 
""Coverage for CSD_Application.exe & IntelWifi.exe"" \n csd_application_hash= ""84841490ea2b637494257e9fe23922e5f827190ae3e4c32134cadb81319ebc34""\n intelwifi_hash= ""124023c0cf0524a73dabd6e5bb3f7d61d42dfd3867d699c59770846aae1231ce""\nstrings: \n $header= ""MZ"" \n $sig1 = ""CreateNonStop"" wide ascii \n $sig2 = ""LocIp"" wide ascii \n $sig3 = ""MacType"" wide ascii \n $sig4 = ""45.147.228.195"" wide ascii \n $sig5 = ""qmquqsqiqcq.qmqpq3q"" wide ascii \n $sig6 = ""secure256.net"" wide ascii \n $sig7 = ""ver4.mp3"" wide ascii \n $sig8 = ""x33117"" wide ascii \ncondition: \n $header at 0 and (3 of ($sig*)) \n}",transparent tribe,PK,Information theft and espionage,2013,IN,,Phishing,,Government and Defense Agencies,,, 2021-09-21,Capturing and Detecting AndroidTester Remote Access Trojan with the Emergency VPN,,https://www.civilsphereproject.org/blog/2021/9/21/capturing-and-detecting-androidtester-remote-access-trojan-with-the-emergency-vpn,civilsphereproject,,,,,,,,,,,"AndroidTester RAT, Emergency VPN, Stratosphere Linux IPS",Education and Research Institutions,,, 2021-09-23,FamousSparrow_ A suspicious hotel guest _ WeLiveSecurity,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.09.23.FamousSparrow/FamousSparrow_%20A%C2%A0suspicious%20hotel%20guest%20_%20WeLiveSecurity.pdf,ESET,,"T1547:N/A, T1005:Data from Local System, T1134:Access Token Manipulation, T1574:N/A, T1082:System Information Discovery, T1573:N/A, T1071:Standard Application Layer Protocol, T1041:Exfiltration Over Command and Control Channel, T1588:N/A, T1583:N/A, T1203:Exploitation for Client Execution, T1059:Command-Line Interface, T1543:N/A, T1055:Process Injection, T1190:Exploit Public-Facing Application, T1027:Obfuscated Files or Information, T1083:File and Directory Discovery, T1003:Credential Dumping",,famoussparrow,CN,,,"BF, BR, CA, FR, GB, GT, IL, LT, SA, TH, TW, ZA",FALSE,Exploit Vulnerability,"Mimikatz, ProcDump, Nbtscan, SparrowDoor, Microsoft 
Exchange, Microsoft SharePoint, Oracle Opera, cmd.exe","Corporations and Businesses, Government and Defense Agencies, Non-Governmental Organizations (NGOs) and Nonprofits",,, 2021-09-23,Talos-OperationArmorPiercer(09-23-2021),Operation Armor Piercer: Targeted attacks in the Indian subcontinent using commercial RATs,https://app.box.com/s/5zr8u8h2xy4tbllcxhashoq48cyetlfk,Cisco,,,,apt36,PK,Information theft and espionage,2013,IN,,"Spear Phishing, Watering Hole, Malicious Documents","maldocs, RATs, TeamCC ninjaMailer v1.3.3.7, Leaf PHPMailer 2.7, Leaf PHPMailer 2.8",Government and Defense Agencies,,, 2021-09-27,FoggyWeb_ Targeted NOBELIUM malware leads to persistent backdoor _ Microsoft Security Blog,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.09.27.FoggyWeb/FoggyWeb_%20Targeted%20NOBELIUM%20malware%20leads%20to%20persistent%20backdoor%20_%20Microsoft%20Security%20Blog.pdf,Microsoft,,,,apt29,RU,"Espionage, Information theft and espionage",2008,,,,"FoggyWeb, NOBELIUM, SUNBURST, TEARDROP, GoldMax, GoldFinder, Sibot",,,, 2021-09-28,4 Chinese APT Groups Identified Targeting Mail Server of Afghan Telecommunications Firm Roshan,,https://www.recordedfuture.com/chinese-apt-groups-target-afghan-telecommunications-firm/,Recorded Future,,,,,,,,AF,FALSE,"Spear Phishing, Malicious Documents",,Critical Infrastructure,,, 2021-10-04,Malware Gh0stTimes Used by BlackTech - JPCERT_CC Eyes _ JPCERT Coordination Center official Blog,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.10.04.Gh0stTimes_BlackTech/Malware%20Gh0stTimes%20Used%20by%20BlackTech%20-%20JPCERT_CC%20Eyes%20_%20JPCERT%20Coordination%20Center%20official%20Blog.pdf,JPCERT,"CVE-2018-2628, CVE-2021-1472, CVE-2021-1473, CVE-2021-2135, CVE-2021-21975, CVE-2021-21983, CVE-2021-28149, CVE-2021-28152, CVE-2021-28482, CVE-2021-3019",,,blacktech,CN,Information theft and espionage,2010,,FALSE,,"Gh0stTimes, Gh0st RAT, downloader, backdoor, 
ELF Bifrose, Citrix exploit tool, MikroTik exploit tool, Exploit for CVE-2021-28482, Exploit for CVE-2021-1472/CVE-2021-1473, Exploit for CVE-2021-28149/CVE-2021-28152, Exploit for CVE-2021-21975/CVE-2021-21983, Exploit for CVE-2018-2628, Exploit for CVE-2021-2135",,,, 2021-10-05,UEFI threats moving to the ESP_ Introducing ESPecter bootkit _ WeLiveSecurity,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.10.05.ESPecter_bootkit/UEFI%20threats%20moving%20to%20the%20ESP_%20Introducing%20ESPecter%20bootkit%20_%20WeLiveSecurity.pdf,ESET,,"T1056:Input Capture, T1095:Standard Non-Application Layer Protocol, T1547:N/A, T1601:N/A, T1025:Data from Removable Media, T1082:System Information Discovery, T1113:Screen Capture, T1027:Obfuscated Files or Information, T1573:N/A, T1542:N/A, T1012:Query Registry, T1106:Execution through API, T1124:System Time Discovery, T1553:N/A, T1020:Automated Exfiltration, T1497:Virtualization/Sandbox Evasion, T1112:Modify Registry, T1071:Standard Application Layer Protocol, T1119:Automated Collection, T1120:Peripheral Device Discovery, T1055:Process Injection, T1083:File and Directory Discovery, T1074:Data Staged, T1036:Masquerading, T1564:N/A, T1140:Deobfuscate/Decode Files or Information, T1562:N/A, T1104:Multi-Stage Channels, T1041:Exfiltration Over Command and Control Channel, T1105:Remote File Copy, T1029:Scheduled Transfer, T1057:Process Discovery, T1010:Application Window Discovery",,,,,,,,,"ESPecter, Client.dll, WinSys.dll",,,, 2021-10-13,CetaRAT APT Group - Targeting the Government Agencies,,https://blogs.quickheal.com/cetarat-apt-group-targeting-the-government-agencies/,Quick Heal,,,,cetarat,,,,IN,,Spear Phishing,"HTA file, CetaRAT, JS/Batch Payload, Spear phishing mail, mshta.exe",Government and Defense Agencies,,, 2021-10-14,Analyzing Email Services Abused for Business Email 
Compromise,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.10.14.BEC_groups/Analyzing%20Email%20Services%20Abused%20for%20Business%20Email%20Compromise.pdf,Trend Micro,,,,,,,,"AU, CA, CZ, DE, FR, GB, IT, KR, NO, NZ, PL, PT, RU, UA, US",FALSE,"Spear Phishing, Credential Reuse, Social Engineering","Gammadyne Mailer, Email Extractor Lite, Advanced Spam Protection",Corporations and Businesses,,, 2021-10-14,Countering threats from Iran (APT35),,https://blog.google/threat-analysis-group/countering-threats-iran/,Google,,,,apt35,IR,Information theft and espionage,2012,,FALSE,"Phishing, Watering Hole, Social Engineering","Google Drive, App Scripts, Google Sites, Dropbox, Microsoft services, Telegram API sendMessage function",Education and Research Institutions,,, 2021-10-18,Global Advanced Persistent Threat (APT) Research Report for the First Half of 2021,,https://cert.360.cn/report/detail?id=6c9a1b56e4ceb84a8ab9e96044429adc,360,,,,apt-c-59,,,,CN,TRUE,"Phishing, Social Engineering, Exploit Vulnerability",,"Government and Defense Agencies, Education and Research Institutions, Healthcare, Media and Entertainment Companies, Critical Infrastructure",,, 2021-10-18,Harvester_ Nation-state-backed group uses new toolset to target victims in South Asia _ Symantec Blogs,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.10.18.Harvester_South_Asia/Harvester_%20Nation-state-backed%20group%20uses%20new%20toolset%20to%20target%20victims%20in%20South%20Asia%20_%20Symantec%20Blogs.pdf,Symantec,,,,harvester,,,,AF,,,"Backdoor.Graphon, Custom Downloader, Custom Screenshotter, Cobalt Strike Beacon, Metasploit.","Corporations and Businesses, Government and Defense Agencies",2021-06-15,2021-10-15,122.0 2021-10-19,"Whatta TA_ TA505 Ramps Up Activity, Delivers New FlawedGrace Variant _ Proofpoint 
US",,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.10.19.TA505_New_FlawedGrace/Whatta%20TA_%20TA505%20Ramps%20Up%20Activity%2C%20Delivers%20New%20FlawedGrace%20Variant%20_%20Proofpoint%20US.pdf,Proofpoint,,,,ta505,RU,,,"AT, CA, DE, US",FALSE,"Spear Phishing, Malicious Documents","Excel macros, MSI files, KiXtart scripting language, Rebol interpreter, MirrorBlast, ReflectiveGnome, FlawedGrace RAT, Get2 (mentioned as a comparison)","Corporations and Businesses, Media and Entertainment Companies",,, 2021-10-19,PurpleFox Adds New Backdoor That Uses WebSockets,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.10.19.PurpleFox/PurpleFox%20Adds%20New%20Backdoor%20That%20Uses%20WebSockets.pdf,Trend Micro,"CVE-2019-0808, CVE-2019-1458, CVE-2020-1054, CVE-2021-1732",,,,,,,,FALSE,Exploit Vulnerability,"Backdoor.MSIL.PURPLEFOX.AA, Trend Micro Vision One, Trend Micro Managed XDR, WebSocket, Net.WebClient, PowerShell",,,, 2021-10-19,LightBasin_A-Roaming-Threat-to-Telecommunications-Companies_CrowdStrike,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.10.19.UNC1945_LightBasin/LightBasin_A-Roaming-Threat-to-Telecommunications-Companies_CrowdStrike.pdf,CrowdStrike,,,,unc1945,,,,,FALSE,,"STEELCORGI, SLAPSTICK, Fast Reverse Proxy, Microsocks Proxy, ProxyChains",Critical Infrastructure,,, 2021-10-25,AfricanCyberthreatAssessment_ENGLISH,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/Report/AfricanCyberthreatAssessment_ENGLISH.pdf,INTERPOL,,,,operation falcon,,,,"CF, EG, GA, KE, MA, MU, NG, TN, ZA",,"Phishing, Social Engineering","Agent Tesla, Loki, Azorult, Spartan, Nanocore, Remcos, Emotet, Lokibot, Fareit, Dorkbot","Government and Defense Agencies, Corporations and Businesses, Financial Institutions, Manufacturing, Critical Infrastructure, Healthcare",,, 2021-10-26,APT attacks on industrial organizations in H1 
2021,,https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf,Kaspersky,,,,gelsemium,CN,Information theft and espionage,2014,"AF, CN, IN, JP, KP, KR, KZ, MN, TW",FALSE,"Social Engineering, Exploit Vulnerability","Cobalt Strike, GoldMax (aka Sunshuttle), Sibot, GoldFinder, ShadowPad loader (dubbed “ShadowShredder”), Delphocy, Sunspot, Raindrop",Critical Infrastructure,,, 2021-10-26,Malware WinDealer used by LuoYu Attack Group - JPCERT_CC Eyes _ JPCERT Coordination Center official Blog,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.10.26.WinDealer_LuoYu_Group/Malware%20WinDealer%20used%20by%20LuoYu%20Attack%20Group%20-%20JPCERT_CC%20Eyes%20_%20JPCERT%20Coordination%20Center%20official%20Blog.pdf,JPCERT,,,,luoyu,CN,,,"JP, KR",,,WinDealer,,,, 2021-10-26,Mercenary APTs - An Exploration,,https://www.cyjax.com/2021/10/26/mercenary-apts-an-exploration/,cyjax,"CVE-2021-31979, CVE-2021-33771",,,deathstalker,,Information theft and espionage,2018,"AE, AR, AZ, BD, BH, CH, CN, CY, GB, HU, IL, IN, JO, KZ, LB, MA, MX, QA, RW, SA, SG, TG, TR, TW, US, YE",TRUE,"Spear Phishing, Exploit Vulnerability","DevilsTongue, Pegasus, FORCEDENTRY","Government and Defense Agencies, Corporations and Businesses, Financial Institutions, Media and Entertainment Companies, Non-Governmental Organizations (NGOs) and Nonprofits, Individuals",,, 2021-10-28,Solarmarker_v2,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/Report/Solarmarker_v2.pdf,PRODAFT,,,,,,,,"CA, US",,"Drive-by Download, Malicious Documents",".NET, Powershell","Government and Defense Agencies, Corporations and Businesses",,, 2021-11-04,Technical report Armagedon,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.11.04.Gamaredon_Armageddon_Group/Technical%20report%20Armagedon.pdf,CrowdStrike,"CVE-2017-0199, CVE-2018-20250","T1559:N/A, T1547:N/A, T1033:System 
Owner/User Discovery, T1204:User Execution, T1082:System Information Discovery, T1025:Data from Removable Media, T1059:Command-Line Interface, T1027:Obfuscated Files or Information, T1534:N/A, T1219:Remote Access Tools, T1106:Execution through API, T1137:Office Application Startup, T1497:Virtualization/Sandbox Evasion, T1221:Template Injection, T1112:Modify Registry, T1218:Signed Binary Proxy Execution, T1070:Indicator Removal on Host, T1119:Automated Collection, T1120:Peripheral Device Discovery, T1566:N/A, T1053:Scheduled Task, T1036:Masquerading, T1140:Deobfuscate/Decode Files or Information, T1091:Replication Through Removable Media, T1041:Exfiltration Over Command and Control Channel, T1105:Remote File Copy, T1047:Windows Management Instrumentation, T1003:Credential Dumping, T1113:Screen Capture",,armageddon,RU,Information theft and espionage,2013,UA,FALSE,Spear Phishing,"Pterodo/Pteranodon, RMS (Remote Manipulator System), UltraVNC, EvilGnome",Government and Defense Agencies,,, 2021-11-07,PaloAlto-Godzilla-Webshell(11-07-2021),"Targeted Attack Campaign Against ManageEngine ADSelfService Plus Delivers Godzilla Webshells, NGLite Trojan and KdcSponge Stealer",https://app.box.com/s/73oze0g532ngowz0wocvgw31o20u976u,Palo Alto,CVE-2021-40539,,,apt27,CN,"Espionage, Information theft and espionage",2010,US,FALSE,Exploit Vulnerability,"Godzilla webshell, NGLite backdoor, KdcSponge stealer, WinRar (masquerading as a different application), ME_ADManager.exe, ME_ADAudit.exe","Government and Defense Agencies, Corporations and Businesses, Healthcare, Energy and Utilities, Education and Research Institutions",2021-09-16,2021-10-15,29.0 2021-11-08,TA505 exploits SolarWinds Serv-U vulnerability (CVE-2021-35211) for initial access - NCC Group 
Research,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.11.08.TA505_SolarWinds/TA505%20exploits%20SolarWinds%20Serv-U%20vulnerability%20%28CVE-2021-35211%29%20for%20initial%20access%20%E2%80%93%20NCC%20Group%20Research.pdf,NCC Group,CVE-2021-35211,"T1112:Modify Registry, T1053:Scheduled Task, T1059:Command-Line Interface, T1190:Exploit Public-Facing Application",,ta505,RU,,,"AT, BR, CA, CN, DE, DK, ES, FR, GB, HK, IN, IT, KR, NL, RU, SE, TW, UA, US, VN",FALSE,Exploit Vulnerability,"Cobalt Strike Beacon, FlawedGrace RAT",,2021-07-09,2021-07-15,6.0 2021-11-10,wp-void-balaur-tracking-a-cybermercenarys-activities (1),,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.11.10.Void_Balaur/wp-void-balaur-tracking-a-cybermercenarys-activities%20%281%29.pdf,Trend Micro,,,,rockethack,,Financial gain,2017,"AM, BY, FR, IL, IT, JP, KZ, NO, RU, SK, UA, US",,Phishing,"Z*Stealer, DroidWatcher, Acunetix, NetSparker, WPScan","Corporations and Businesses, Financial Institutions, Healthcare",,, 2021-11-11,Analyzing a watering hole campaign using macOS exploits,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.11.11.watering_hole_macOS_exploits/Analyzing%20a%20watering%20hole%20campaign%20using%20macOS%20exploits.pdf,Google,"CVE-2019-8506, CVE-2020-27932, CVE-2021-1789, CVE-2021-30869, CVE-2021-37976",,,,,,,,TRUE,Watering Hole,"Ironsquirrel, Capstone (capstone.js), Mac.js","Non-Governmental Organizations (NGOs) and Nonprofits, Media and Entertainment Companies",,, 2021-11-15,FINDING BEACONS IN THE DARK 1650728751599,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/Report/FINDING%20BEACONS%20IN%20THE%20DARK%201650728751599.pdf,BlackBerry,CVE-2021-40444,,,zebra2104,,,,,TRUE,Spear Phishing,"Cobalt Strike, StrongPity, MountLocker, Phobos",,,, 
2021-11-16,UNC1151_Assessed-with-High-Confidence-to-have-Links-to-Belarus_Mandiant,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.11.16.UNC1115_Ghostwriter_Campaign/UNC1151_Assessed-with-High-Confidence-to-have-Links-to-Belarus_Mandiant.pdf,Mandiant,,,,unc1151,BY,,,"CH, CO, DE, FR, IE, KW, LT, LV, MT, PL, UA",FALSE,Phishing,"HIDDENVALUE, HALFSHELL","Government and Defense Agencies, Media and Entertainment Companies, Individuals",,, 2021-11-16,Strategic web compromises in the Middle East with a pinch of Candiru _ WeLiveSecurity,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.11.16.Pinch_of_Candiru/Strategic%20web%20compromises%20in%20the%20Middle%20East%20with%20a%20pinch%20of%20Candiru%20_%20WeLiveSecurity.pdf,ESET,"CVE-2021-30551, CVE-2021-33742","T1608:N/A, T1071:Standard Application Layer Protocol, T1189:Drive-by Compromise, T1588:N/A, T1583:N/A, T1059:Command-Line Interface, T1566:N/A, T1584:N/A",,,,,,"AL, AM, RU, UZ",FALSE,"Spear Phishing, Watering Hole, Malicious Documents","Candiru implants, wp-embed.min.js, sliders.js","Government and Defense Agencies, Media and Entertainment Companies, Corporations and Businesses",2020-03-15,2020-08-15,153.0 2021-11-17,Alert (AA21-321A) Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities,,https://us-cert.cisa.gov/sites/default/files/publications/AA21-321A-Iranian%20Government-Sponsored%20APT%20Actors%20Exploiting%20Microsoft%20Exchange%20and%20Fortinet%20Vulnerabilities.pdf,CISA,"CVE-2018-13379, CVE-2019-5591, CVE-2020-12812, CVE-2021-34473","T1560:N/A, T1136:Create Account, TA0010:Exfiltration, TA0040:Impact, T1588:N/A, TA0001:Initial Access, T1486:Data Encrypted for Impact, TA0042:N/A, T1190:Exploit Public-Facing Application, TA0009:Collection, TA0003:Persistence, TA0006:Credential Access, T1053:Scheduled Task, TA0004:Privilege 
Escalation, TA0002:Execution",,,,,,"AU, US",FALSE,Exploit Vulnerability,"Mimikatz, WinPEAS, SharpWMI, WinRAR, FileZilla, MITRE ATT&CK",Critical Infrastructure,2021-03-15,2021-10-15,214.0 2021-11-18,TA406_triple-threat-N-Korea-aligned-TA406-steals-scams-spies_Proofpoint,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.11.18.TA406_North_Korea_aligned/TA406_triple-threat-N-Korea-aligned-TA406-steals-scams-spies_Proofpoint.pdf,Proofpoint,,,,ta406,KP,,,"CN, RU",,Phishing,"UPX, 7z","Government and Defense Agencies, Corporations and Businesses, Financial Institutions, Education and Research Institutions, Media and Entertainment Companies, Non-Governmental Organizations (NGOs) and Nonprofits, Individuals",,, 2021-11-23,"Android APT spyware, targeting Middle East victims, enhances evasiveness",,https://news.sophos.com/en-us/2021/11/23/android-apt-spyware-targeting-middle-east-victims-improves-its-capabilities/,Sophos,,,,c-23,PS,,,PS,,,"Android spyware, Firebase messaging, Laravel, Botim, Sophos Intercept X for Mobile, Andr/Spy-BFI",Individuals,,, 2021-11-25,A Deep Dive Into SoWaT APT31's Multifunctional Router Implant,,https://imp0rtp3.wordpress.com/2021/11/25/sowat/,imp0rtp3 blog,,,,apt31,CN,Information theft and espionage,2016,,,,"SoWaT, Buildroot",Government and Defense Agencies,,, 2021-11-29,Campaign Abusing Legitimate Remote Administrator Tools Uses Fake Cryptocurrency Websites,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.11.29.Safib_Assistant/Campaign%20Abusing%20Legitimate%20Remote%20Administrator%20Tools%20Uses%20Fake%20Cryptocurrency%20Websites.pdf,Trend Micro,,,,,,,,,FALSE,Social Engineering,"SpyAgent malware, Safib Assistant, TeamViewer",Individuals,,, 2021-12-02,"SideCopy APT Connecting lures to victims, payloads to 
infrastructure",,https://blog.malwarebytes.com/threat-intelligence/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure/,Malwarebytes,,"T1012:Query Registry, T1547:N/A, T1140:Deobfuscate/Decode Files or Information, T1518:N/A, T1204:User Execution, T1082:System Information Discovery, T1218:Signed Binary Proxy Execution, T1071:Standard Application Layer Protocol, T1041:Exfiltration Over Command and Control Channel, T1119:Automated Collection, T1047:Windows Management Instrumentation, T1059:Command-Line Interface, T1566:N/A, T1574:N/A, T1005:Data from Local System",,sidecopy,PK,Information theft and espionage,2019,"AF, IN",,Spear Phishing,,"Government and Defense Agencies, Education and Research Institutions",,, 2021-12-03,conti-cyber-attack-on-the-hse-full-report,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.12.03.Conti_Attack_HSE/conti-cyber-attack-on-the-hse-full-report.pdf,PricewaterhouseCoopers,,,,unc2727,,,,"AU, NZ, US",FALSE,Phishing,Cobalt Strike,"Healthcare, Critical Infrastructure",2021-03-18,2021-05-14,57.0 2021-12-06,Complaint filed by Microsoft against NICKELAPT15,,https://noticeofpleadings.com/nickel/#,Notice of Pleadings,,,,,,,,,,,,Corporations and Businesses,,, 2021-12-10,Fortinet_Phishing-Targeting-Korean-Agent-Tesla-Variant(12-10-2021),Phishing Campaign Targeting Korean to Deliver Agent Tesla New Variant,https://app.box.com/s/03bx0kiz8yyy8x2k8qh0ravuucb6sapq,Fortinet,,,,soraj bear,,,,KR,FALSE,"Phishing, Malicious Documents","Agent Tesla, FortiMail, FortiGuard, FortiEDR, VBS (VBScript), PowerShell",Individuals,,, 2021-12-11,eset_jumping_the_air_gap_wp,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.12.11.Jumping_the_air_gap/eset_jumping_the_air_gap_wp.pdf,ESET,"CVE-2006-3439, CVE-2008-4250, CVE-2010-2568, CVE-2010-2729, CVE-2010-2743, CVE-2010-2772, CVE-2010-3338, CVE-2012-0158, CVE-2012-3015, CVE-2015-0096, CVE-2017-0144, CVE-2017-0199, 
CVE-2017-11882, CVE-2017-8464, CVE-2017-8570, CVE-2018-0802, CVE-2018-8345, CVE-2018-8346, CVE-2019-1188, CVE-2019-1280, CVE-2020-0684, CVE-2020-0729, CVE-2020-1299, CVE-2020-1421",T1547:N/A,,unclassified,,,,"BE, CN, IR, IT, RU, RW, SE",TRUE,"Spear Phishing, Exploit Vulnerability, Malicious Documents, Removable Media","Stuxnet, Fanny, miniFlame, Flame, Gauss, ProjectSauron, EZCheese, Emotional Simian, USB Thief, USBFerry, USBCulprit, Brutal Kangaroo, Retro, PlugX, Ramsay, USBStealer","Government and Defense Agencies, Education and Research Institutions, Corporations and Businesses, Financial Institutions, Individuals",,, 2021-12-16,New DarkHotel APT attack chain identified _ Zscaler,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.12.16.New_DarkHotel_APT/New%20DarkHotel%20APT%20attack%20chain%20identified%20_%20Zscaler.pdf,Zscaler,,,,darkhotel,KR,"Espionage, Information theft and espionage",2007,CN,,"Malicious Documents, Spear Phishing","Malicious document, Scriptlet file (googleofficechk.sct), Executables (msrvcd32.exe, qq3104.exe, qq2688.exe)","Education and Research Institutions, Government and Defense Agencies",,, 2021-12-19,EN-BlackTech_2021,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2021/2021.12.19.BlackTech_APT/EN-BlackTech_2021.pdf,NTT,,,,blacktech,CN,Information theft and espionage,2010,"JP, TW",,"Spear Phishing, Exploit Vulnerability","Flagpro, SelfMake Service, TSCookie, ELF_PLEAD, ELF_TSCookie",,,, 2021-12-20,India's Chief of Defence Staff Crashes SideCopy APT takes advantage of the fire,,https://ti.qianxin.com/blog/articles/SideCopy-APT-Group-Takes-Advantage-of-the-Fire/,QiAnXin,CVE-2017-0199,,,sidecopy,PK,Information theft and espionage,2019,,FALSE,"Malicious Documents, Exploit Vulnerability","C#, PowerShell, ab.vbs, bts.ps1",,,, 2021-12-22,APT Tracking Analytics Transparent Tribe Attack Activity,,https://www.4hou.com/posts/vLzM,Know Chuangyu,,,,,,,,,,,,,,, 
2021-12-23,Hacker gains access to Hewlett-Packard 9000 EPYC server hardware to mine the cryptocurrency Raptoreum using Java exploit,,https://www.einnews.com/pr_news/558959060/hacker-gains-access-to-hewlett-packard-9000-epyc-server-hardware-to-mine-the-cryptocurrency-raptoreum-using-java-exploit,newswires,,,,,,,,,FALSE,Exploit Vulnerability,"Java exploit, Log4J",Corporations and Businesses,,, 2021-12-28,APT Attack Cases of Kimsuky Group (PebbleDash),,https://asec.ahnlab.com/en/30022/,AhnLab,,,,kimsuky,KP,"Espionage, Information theft and espionage",2012,,FALSE,"Spear Phishing, Malicious Documents","AppleSeed, Meterpreter, PebbleDash, VBS Downloader, VBS Malware, Win.LightShell, Win.PebbleDash.R458675, Downloader/VBS.Agent",,,, 2022-01-02,MMON (aka KAPTOXA),,http://reversing.fun/posts/2022/01/02/mmon.html,ReversingFun,,,,,,,,,,,MMON (aka KAPTOXA),Financial Institutions,,, 2022-01-03,Konni_targeting_Russian_diplomatic_sector,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2022/2022.01.03.KONNI_Targets_Russian_Diplomatic/Konni_targeting_Russian_diplomatic_sector.pdf,DuskRise Inc.,,"T1560:N/A, T1140:Deobfuscate/Decode Files or Information, T1132:Data Encoding, T1134:Access Token Manipulation, T1204:User Execution, T1082:System Information Discovery, T1033:System Owner/User Discovery, T1071:Standard Application Layer Protocol, T1569:N/A, T1119:Automated Collection, T1543:N/A, T1059:Command-Line Interface, T1566:N/A, T1020:Automated Exfiltration, T1057:Process Discovery, T1113:Screen Capture",,konni,KP,Information theft and espionage,2012,RU,,Phishing,"Konni RAT, CAB files, bat file",Government and Defense Agencies,2021-08-15,2021-12-20,127.0 2022-01-05,SIDECOPY APT From Windows to nix,,https://www.telsy.com/sidecopy-apt-from-windows-to-nix/,Telsy,,,,sidecopy,PK,Information theft and espionage,2019,IN,,Spear Phishing,"WSO version 4.2.5, BackNet, Pyinstaller",Government and Defense Agencies,,, 
2022-01-07,Patchwork_Patchwork-APT-caught-in-its-own-web_MalwarebytesLabs,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2022/2022.01.07.Patchwork_APT_India/Patchwork_Patchwork-APT-caught-in-its-own-web_MalwarebytesLabs.pdf,Malwarebytes,,,,patchwork,IN,"Espionage, Information theft and espionage",2013,PK,TRUE,Malicious Documents,"Ragnatela RAT, jli.dll, MicroScMgmt.exe",Education and Research Institutions,,, 2022-01-11,CISA_AA22-011A_TLP-WHITE_01-10-22_v1(01-11-2022),Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure,https://app.box.com/s/koq21d7ksa28pr3oyq0cbyo1gdbho2u3,CISA,"CVE-2018-13379, CVE-2019-10149, CVE-2019-11510, CVE-2019-1653, CVE-2019-19781, CVE-2019-2725, CVE-2019-7609, CVE-2019-9670, CVE-2020-0688, CVE-2020-1472, CVE-2020-14882, CVE-2020-4006, CVE-2020-5902, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065","TA0043:N/A, T1078:Valid Accounts, T1090:Connection Proxy, TA0001:Initial Access, T1059:Command-Line Interface, T1212:Exploitation for Credential Access, T1558:N/A, T1195:Supply Chain Compromise, T1190:Exploit Public-Facing Application, T1552:N/A, T1555:N/A, T1598:N/A, T1587:N/A, T1595:N/A, TA0003:Persistence, TA0011:Command and Control, T1110:Brute Force, TA0042:N/A, TA0006:Credential Access, T1003:Credential Dumping, TA0002:Execution",,,,,,"UA, US",TRUE,"Exploit Vulnerability, Credential Reuse","ICS-focused destructive malware, KillDisk, CrashOverride, M.E.Doc accounting software, SolarWinds Orion","Government and Defense Agencies, Healthcare, Energy and Utilities, Critical Infrastructure",,, 2022-01-12,2021 Gorgon Group APT Operation,,https://guillaumeorlando.github.io/GorgonInfectionchain,Guillaume Orlando,,,"rule Alosh_Process_Hollowing_Mana_Campaign {\n meta:\n author = ""HomardBoy""\n description = ""Alosh RAT process hollowing program linked to the 2021 Gorgon Group APT""\n strings:\n $str1 = ""alosh"" ascii\n $str2 = ""projFUD"" ascii\n $str3 
= ""ZwUnmapViewOfSec"" ascii\n $str4 = ""ResumeThread"" ascii\n $str5 = ""WriteProcessMem"" ascii\n $str6 = ""VirtualAll"" ascii\n $str7 = ""CreateProc"" ascii\n condition:\n (uint16(0) == 0x5a4d and all of ($str*))\n}",the gorgon group,PK,Information theft and espionage,2017,ID,,"Phishing, Malicious Documents","AgentTesla, PowerShell","Critical Infrastructure, Corporations and Businesses, Individuals",,, 2022-01-20,MoonBounce_ the dark side of UEFI firmware _ Securelist,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2022/2022.01.20.MoonBounce/MoonBounce_%20the%20dark%20side%20of%20UEFI%20firmware%20_%20Securelist.pdf,Kaspersky,,,,apt41,CN,"Financial crime, Information theft and espionage",2010,,,,"ScrambleCross, StealthVector, StealthMutant, CROSSWALK, Install.bat, InstallUtil",Corporations and Businesses,,, 2022-01-20,Zscaler_Molerats-APT-targeting-Middle-East(01-20-2022),New espionage attack by Molerats APT targeting users in the Middle East,https://app.box.com/s/rdyrweucsdh23c55ts8eohtmtw4h7n71,Zscaler,,"T1140:Deobfuscate/Decode Files or Information, T1204:User Execution, T1082:System Information Discovery, T1059:Command-Line Interface, T1567:N/A, T1566:N/A, T1083:File and Directory Discovery, T1005:Data from Local System, T1113:Screen Capture",,molerats,PS,Information theft and espionage,2012,"PS, TR",FALSE,"Spear Phishing, Malicious Documents","ConfuserEx, Themida, Dropbox API, RAR, Google Drive, Spark backdoor","Financial Institutions, Media and Entertainment Companies, Non-Governmental Organizations (NGOs) and Nonprofits",,, 2022-01-24,Investigating APT36 or Earth Karkaddan's Attack Chain and Malware Arsenal (IOCs),,https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/investigating-apt36-or-earth-karkaddan-attack-chain-and-malware-arsenal/IoCs_Investigating%20APT36%20or%20Earth%20Karkaddan%20Attack%20Chain%20and%20Malware%20Arsenal.rtf,Trend Micro,,,,earth karkaddan,PK,Information theft and 
espionage,2013,"IN, PK",,"Spear Phishing, Malicious Documents","ObliqueRAT, Crimson RAT, StealthAgent, AhMyth Android RAT, CapraRAT, AndroRAT","Government and Defense Agencies, Healthcare",,, 2022-01-25,Prime Minister's Office Compromised_ Details of Recent Espionage Campaign,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2022/2022.01.25.Prime_Minister_Compromised/Prime%20Minister%E2%80%99s%20Office%20Compromised_%20Details%20of%20Recent%20Espionage%20Campaign.pdf,Trellix,CVE-2021-40444,"T1136:Create Account, T1104:Multi-Stage Channels, T1546:N/A, T1620:N/A, T1587:N/A, T1583:N/A, T1588:N/A, T1203:Exploitation for Client Execution, T1059:Command-Line Interface, T1566:N/A, T1102:Web Service, T1573:N/A",,apt28,RU,"Espionage, Information theft and espionage",2004,PL,TRUE,"Spear Phishing, Malicious Documents, Exploit Vulnerability","Graphite malware, Empire",Government and Defense Agencies,,, 2022-01-26,[QuickNote] Analysis of malware suspected to be an APT attack targeting Vietnam,,https://kienmanowar.wordpress.com/2022/01/26/quicknote-analysis-of-malware-suspected-to-be-an-apt-attack-targeting-vietnam/,VinCSS,CVE-2017-0199,,,shadow chaser,,,,VN,FALSE,Malicious Documents,"Pandora ransomware, PlugX, Qakbot",,,, 2022-01-26,bfv_cyber-brief-Nr1(01-26-2022),BfV Cyber-Brief Nr. 01/2022,https://app.box.com/s/d4x8p8nu3658yhlwarws1b8tq3h80g6w,BfV,"CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, CVE-2021-40539",S0398:N/A,"rule vftrace_loader {\n meta:\n id = ""4eEDO8F3p27FeY5YLIPjrA""\n fingerprint = ""b14d0c555f2908a31fefdfa23876d48589cd04dec9e7338a96bc85b0bf58b458""\n version = ""1.0""\n first_imported = ""2022-01-14""\n last_modified = ""2022-01-14""\n status = ""RELEASED""\n sharing = ""TLP:WHITE""\n source = ""BUNDESAMT FUER VERFASSUNGSSCHUTZ""\n author = ""Bundesamt fuer Verfassungsschutz""\n description = ""Yara rule to detect first Hyperbro Loader Stage, often called vftrace.dll. 
Detects decoding function.""\n category = ""MALWARE""\n malware = ""HYPERBRO""\n mitre_att = ""S0398""\n reference = ""Warnmeldung des BFV - Aktuelle APT27-Angriffskampagne gegen deutsche Wirtschaftsunternehmen""\n hash = ""333B52C2CFAC56B86EE9D54AEF4F0FF4144528917BC1AA1FE1613EFC2318339A""\nstrings:\n $decoder_routine = { 8A ?? 41 10 00 00 8B ?? 28 ?? ?? 4? 3B ?? 72 ?? }\ncondition:\n $decoder_routine and pe.exports(""D_C_Support_SetD_File"") and (pe.characteristics & pe.DLL) and filesize < 5MB\n}, rule thumb_dat_shellcode_encoded\n{\n meta:\n id = ""4xBEgDqWksKAhAycnr9yEX""\n fingerprint = ""ed9d24bbb9d63a6c015d3d4c273b544b62483beb6f128e45d3d5d0900965d163""\n version = ""1.0""\n first_imported = ""2022-01-07""\n last_modified = ""2022-01-07""\n status = ""RELEASED""\n sharing = ""TLP:WHITE""\n source = ""BUNDESAMT FUER VERFASSUNGSSCHUTZ""\n author = ""Bundesamt fuer Verfassungsschutz""\n description = ""Yara rule to detect Hyperbro Loader Shellcode with all possible ADD/SUB encodings and in its decoded form at the \nstart of *thumb.dat* files. 
Tested against *thumb.dat* from 2019 and 2021.”\n category = “MALWARE”\n malware = “HYPERBRO”\n mitre_att = „S0398“\n reference = „Warnmeldung des BFV - Aktuelle APT27-Angriffskampagne gegen deutsche Wirtschaftsunternehmen“\n hash = “601A02B81E3BD134C2CF681AC03D696B446E10BF267B11B91517DB1B233FEC74”\nstrings:\n $thumb_dat_content1 = { E8 6B 09 00 00 C3 55 8B EC 51 51 83 65 F8 00 8B }\n $thumb_dat_content2 = { E9 6C 0A 01 01 C4 56 8C ED 52 52 84 66 F9 01 8C }\n $thumb_dat_content3 = { EA 6D 0B 02 02 C5 57 8D EE 53 53 85 67 FA 02 8D }\n $thumb_dat_content4 = { EB 6E 0C 03 03 C6 58 8E EF 54 54 86 68 FB 03 8E }\n $thumb_dat_content5 = { EC 6F 0D 04 04 C7 59 8F F0 55 55 87 69 FC 04 8F }\n $thumb_dat_content6 = { ED 70 0E 05 05 C8 5A 90 F1 56 56 88 6A FD 05 90 }\n $thumb_dat_content7 = { EE 71 0F 06 06 C9 5B 91 F2 57 57 89 6B FE 06 91 }\n $thumb_dat_content8 = { EF 72 10 07 07 CA 5C 92 F3 58 58 8A 6C 00 07 92 }\n $thumb_dat_content9 = { F0 73 11 08 08 CB 5D 93 F4 59 59 8B 6D 01 08 93 }\n $thumb_dat_content10 = { F1 74 12 09 09 CC 5E 94 F5 5A 5A 8C 6E 02 09 94 }\n $thumb_dat_content11 = { F2 75 13 0A 0A CD 5F 95 F6 5B 5B 8D 6F 03 0A 95 }\n $thumb_dat_content12 = { F3 76 14 0B 0B CE 60 96 F7 5C 5C 8E 70 04 0B 96 }\n $thumb_dat_content13 = { F4 77 15 0C 0C CF 61 97 F8 5D 5D 8F 71 05 0C 97 }\n $thumb_dat_content14 = { F5 78 16 0D 0D D0 62 98 F9 5E 5E 90 72 06 0D 98 }\n $thumb_dat_content15 = { F6 79 17 0E 0E D1 63 99 FA 5F 5F 91 73 07 0E 99 }\n $thumb_dat_content16 = { F7 7A 18 0F 0F D2 64 9A FB 60 60 92 74 08 0F 9A }\n $thumb_dat_content17 = { F8 7B 19 10 10 D3 65 9B FC 61 61 93 75 09 10 9B }\n $thumb_dat_content18 = { F9 7C 1A 11 11 D4 66 9C FD 62 62 94 76 0A 11 9C }\n $thumb_dat_content19 = { FA 7D 1B 12 12 D5 67 9D FE 63 63 95 77 0B 12 9D }\n $thumb_dat_content20 = { FB 7E 1C 13 13 D6 68 9E 00 64 64 96 78 0C 13 9E }\n $thumb_dat_content21 = { FC 7F 1D 14 14 D7 69 9F 01 65 65 97 79 0D 14 9F }\n $thumb_dat_content22 = { FD 80 1E 15 15 D8 6A A0 02 66 66 98 7A 0E 15 A0 }\n 
$thumb_dat_content23 = { FE 81 1F 16 16 D9 6B A1 03 67 67 99 7B 0F 16 A1 }\n $thumb_dat_content24 = { 00 82 20 17 17 DA 6C A2 04 68 68 9A 7C 10 17 A2 }\n $thumb_dat_content25 = { 01 83 21 18 18 DB 6D A3 05 69 69 9B 7D 11 18 A3 }\n $thumb_dat_content26 = { 02 84 22 19 19 DC 6E A4 06 6A 6A 9C 7E 12 19 A4 }\n $thumb_dat_content27 = { 03 85 23 1A 1A DD 6F A5 07 6B 6B 9D 7F 13 1A A5 }\n $thumb_dat_content28 = { 04 86 24 1B 1B DE 70 A6 08 6C 6C 9E 80 14 1B A6 }\n $thumb_dat_content29 = { 05 87 25 1C 1C DF 71 A7 09 6D 6D 9F 81 15 1C A7 }\n $thumb_dat_content30 = { 06 88 26 1D 1D E0 72 A8 0A 6E 6E A0 82 16 1D A8 }\n $thumb_dat_content31 = { 07 89 27 1E 1E E1 73 A9 0B 6F 6F A1 83 17 1E A9 }\n $thumb_dat_content32 = { 08 8A 28 1F 1F E2 74 AA 0C 70 70 A2 84 18 1F AA }\n $thumb_dat_content33 = { 09 8B 29 20 20 E3 75 AB 0D 71 71 A3 85 19 20 AB }\n $thumb_dat_content34 = { 0A 8C 2A 21 21 E4 76 AC 0E 72 72 A4 86 1A 21 AC }\n $thumb_dat_content35 = { 0B 8D 2B 22 22 E5 77 AD 0F 73 73 A5 87 1B 22 AD }\n $thumb_dat_content36 = { 0C 8E 2C 23 23 E6 78 AE 10 74 74 A6 88 1C 23 AE }\n $thumb_dat_content37 = { 0D 8F 2D 24 24 E7 79 AF 11 75 75 A7 89 1D 24 AF }\n $thumb_dat_content38 = { 0E 90 2E 25 25 E8 7A B0 12 76 76 A8 8A 1E 25 B0 }\n $thumb_dat_content39 = { 0F 91 2F 26 26 E9 7B B1 13 77 77 A9 8B 1F 26 B1 }\nBfV Cyber-Brief\n12\nBundesamt für Verfassungsschutz - Cyber-Brief Nr. 
01/2022\nTLP:WHITE\nTLP:WHITE\n $thumb_dat_content40 = { 10 92 30 27 27 EA 7C B2 14 78 78 AA 8C 20 27 B2 }\n $thumb_dat_content41 = { 11 93 31 28 28 EB 7D B3 15 79 79 AB 8D 21 28 B3 }\n $thumb_dat_content42 = { 12 94 32 29 29 EC 7E B4 16 7A 7A AC 8E 22 29 B4 }\n $thumb_dat_content43 = { 13 95 33 2A 2A ED 7F B5 17 7B 7B AD 8F 23 2A B5 }\n $thumb_dat_content44 = { 14 96 34 2B 2B EE 80 B6 18 7C 7C AE 90 24 2B B6 }\n $thumb_dat_content45 = { 15 97 35 2C 2C EF 81 B7 19 7D 7D AF 91 25 2C B7 }\n $thumb_dat_content46 = { 16 98 36 2D 2D F0 82 B8 1A 7E 7E B0 92 26 2D B8 }\n $thumb_dat_content47 = { 17 99 37 2E 2E F1 83 B9 1B 7F 7F B1 93 27 2E B9 }\n $thumb_dat_content48 = { 18 9A 38 2F 2F F2 84 BA 1C 80 80 B2 94 28 2F BA }\n $thumb_dat_content49 = { 19 9B 39 30 30 F3 85 BB 1D 81 81 B3 95 29 30 BB }\n $thumb_dat_content50 = { 1A 9C 3A 31 31 F4 86 BC 1E 82 82 B4 96 2A 31 BC }\n $thumb_dat_content51 = { 1B 9D 3B 32 32 F5 87 BD 1F 83 83 B5 97 2B 32 BD }\n $thumb_dat_content52 = { 1C 9E 3C 33 33 F6 88 BE 20 84 84 B6 98 2C 33 BE }\n $thumb_dat_content53 = { 1D 9F 3D 34 34 F7 89 BF 21 85 85 B7 99 2D 34 BF }\n $thumb_dat_content54 = { 1E A0 3E 35 35 F8 8A C0 22 86 86 B8 9A 2E 35 C0 }\n $thumb_dat_content55 = { 1F A1 3F 36 36 F9 8B C1 23 87 87 B9 9B 2F 36 C1 }\n $thumb_dat_content56 = { 20 A2 40 37 37 FA 8C C2 24 88 88 BA 9C 30 37 C2 }\n $thumb_dat_content57 = { 21 A3 41 38 38 FB 8D C3 25 89 89 BB 9D 31 38 C3 }\n $thumb_dat_content58 = { 22 A4 42 39 39 FC 8E C4 26 8A 8A BC 9E 32 39 C4 }\n $thumb_dat_content59 = { 23 A5 43 3A 3A FD 8F C5 27 8B 8B BD 9F 33 3A C5 }\n $thumb_dat_content60 = { 24 A6 44 3B 3B FE 90 C6 28 8C 8C BE A0 34 3B C6 }\n $thumb_dat_content61 = { 25 A7 45 3C 3C 00 91 C7 29 8D 8D BF A1 35 3C C7 }\n $thumb_dat_content62 = { 26 A8 46 3D 3D 01 92 C8 2A 8E 8E C0 A2 36 3D C8 }\n $thumb_dat_content63 = { 27 A9 47 3E 3E 02 93 C9 2B 8F 8F C1 A3 37 3E C9 }\n $thumb_dat_content64 = { 28 AA 48 3F 3F 03 94 CA 2C 90 90 C2 A4 38 3F CA }\n $thumb_dat_content65 = { 29 AB 49 40 40 04 
95 CB 2D 91 91 C3 A5 39 40 CB }\n $thumb_dat_content66 = { 2A AC 4A 41 41 05 96 CC 2E 92 92 C4 A6 3A 41 CC }\n $thumb_dat_content67 = { 2B AD 4B 42 42 06 97 CD 2F 93 93 C5 A7 3B 42 CD }\n $thumb_dat_content68 = { 2C AE 4C 43 43 07 98 CE 30 94 94 C6 A8 3C 43 CE }\n $thumb_dat_content69 = { 2D AF 4D 44 44 08 99 CF 31 95 95 C7 A9 3D 44 CF }\n $thumb_dat_content70 = { 2E B0 4E 45 45 09 9A D0 32 96 96 C8 AA 3E 45 D0 }\n $thumb_dat_content71 = { 2F B1 4F 46 46 0A 9B D1 33 97 97 C9 AB 3F 46 D1 }\n $thumb_dat_content72 = { 30 B2 50 47 47 0B 9C D2 34 98 98 CA AC 40 47 D2 }\n $thumb_dat_content73 = { 31 B3 51 48 48 0C 9D D3 35 99 99 CB AD 41 48 D3 }\n $thumb_dat_content74 = { 32 B4 52 49 49 0D 9E D4 36 9A 9A CC AE 42 49 D4 }\n $thumb_dat_content75 = { 33 B5 53 4A 4A 0E 9F D5 37 9B 9B CD AF 43 4A D5 }\n $thumb_dat_content76 = { 34 B6 54 4B 4B 0F A0 D6 38 9C 9C CE B0 44 4B D6 }\n $thumb_dat_content77 = { 35 B7 55 4C 4C 10 A1 D7 39 9D 9D CF B1 45 4C D7 }\n $thumb_dat_content78 = { 36 B8 56 4D 4D 11 A2 D8 3A 9E 9E D0 B2 46 4D D8 }\n $thumb_dat_content79 = { 37 B9 57 4E 4E 12 A3 D9 3B 9F 9F D1 B3 47 4E D9 }\n $thumb_dat_content80 = { 38 BA 58 4F 4F 13 A4 DA 3C A0 A0 D2 B4 48 4F DA }\n $thumb_dat_content81 = { 39 BB 59 50 50 14 A5 DB 3D A1 A1 D3 B5 49 50 DB }\n $thumb_dat_content82 = { 3A BC 5A 51 51 15 A6 DC 3E A2 A2 D4 B6 4A 51 DC }\n $thumb_dat_content83 = { 3B BD 5B 52 52 16 A7 DD 3F A3 A3 D5 B7 4B 52 DD }\n $thumb_dat_content84 = { 3C BE 5C 53 53 17 A8 DE 40 A4 A4 D6 B8 4C 53 DE }\n $thumb_dat_content85 = { 3D BF 5D 54 54 18 A9 DF 41 A5 A5 D7 B9 4D 54 DF }\n $thumb_dat_content86 = { 3E C0 5E 55 55 19 AA E0 42 A6 A6 D8 BA 4E 55 E0 }\n $thumb_dat_content87 = { 3F C1 5F 56 56 1A AB E1 43 A7 A7 D9 BB 4F 56 E1 }\n $thumb_dat_content88 = { 40 C2 60 57 57 1B AC E2 44 A8 A8 DA BC 50 57 E2 }\n $thumb_dat_content89 = { 41 C3 61 58 58 1C AD E3 45 A9 A9 DB BD 51 58 E3 }\n $thumb_dat_content90 = { 42 C4 62 59 59 1D AE E4 46 AA AA DC BE 52 59 E4 }\n $thumb_dat_content91 = { 43 C5 63 5A 5A 
1E AF E5 47 AB AB DD BF 53 5A E5 }\n $thumb_dat_content92 = { 44 C6 64 5B 5B 1F B0 E6 48 AC AC DE C0 54 5B E6 }\n $thumb_dat_content93 = { 45 C7 65 5C 5C 20 B1 E7 49 AD AD DF C1 55 5C E7 }\n $thumb_dat_content94 = { 46 C8 66 5D 5D 21 B2 E8 4A AE AE E0 C2 56 5D E8 }\n $thumb_dat_content95 = { 47 C9 67 5E 5E 22 B3 E9 4B AF AF E1 C3 57 5E E9 }\n $thumb_dat_content96 = { 48 CA 68 5F 5F 23 B4 EA 4C B0 B0 E2 C4 58 5F EA }\n $thumb_dat_content97 = { 49 CB 69 60 60 24 B5 EB 4D B1 B1 E3 C5 59 60 EB }\n $thumb_dat_content98 = { 4A CC 6A 61 61 25 B6 EC 4E B2 B2 E4 C6 5A 61 EC }\n $thumb_dat_content99 = { 4B CD 6B 62 62 26 B7 ED 4F B3 B3 E5 C7 5B 62 ED }\n $thumb_dat_content100 = { 4C CE 6C 63 63 27 B8 EE 50 B4 B4 E6 C8 5C 63 EE }\n $thumb_dat_content101 = { 4D CF 6D 64 64 28 B9 EF 51 B5 B5 E7 C9 5D 64 EF }\n $thumb_dat_content102 = { 4E D0 6E 65 65 29 BA F0 52 B6 B6 E8 CA 5E 65 F0 }\n $thumb_dat_content103 = { 4F D1 6F 66 66 2A BB F1 53 B7 B7 E9 CB 5F 66 F1 }\n $thumb_dat_content104 = { 50 D2 70 67 67 2B BC F2 54 B8 B8 EA CC 60 67 F2 }\n $thumb_dat_content105 = { 51 D3 71 68 68 2C BD F3 55 B9 B9 EB CD 61 68 F3 }\n $thumb_dat_content106 = { 52 D4 72 69 69 2D BE F4 56 BA BA EC CE 62 69 F4 }\n $thumb_dat_content107 = { 53 D5 73 6A 6A 2E BF F5 57 BB BB ED CF 63 6A F5 }\n $thumb_dat_content108 = { 54 D6 74 6B 6B 2F C0 F6 58 BC BC EE D0 64 6B F6 }\n $thumb_dat_content109 = { 55 D7 75 6C 6C 30 C1 F7 59 BD BD EF D1 65 6C F7 }\nBfV Cyber-Brief\n13\nBundesamt für Verfassungsschutz - Cyber-Brief Nr. 
01/2022\nTLP:WHITE\nTLP:WHITE\n $thumb_dat_content110 = { 56 D8 76 6D 6D 31 C2 F8 5A BE BE F0 D2 66 6D F8 }\n $thumb_dat_content111 = { 57 D9 77 6E 6E 32 C3 F9 5B BF BF F1 D3 67 6E F9 }\n $thumb_dat_content112 = { 58 DA 78 6F 6F 33 C4 FA 5C C0 C0 F2 D4 68 6F FA }\n $thumb_dat_content113 = { 59 DB 79 70 70 34 C5 FB 5D C1 C1 F3 D5 69 70 FB }\n $thumb_dat_content114 = { 5A DC 7A 71 71 35 C6 FC 5E C2 C2 F4 D6 6A 71 FC }\n $thumb_dat_content115 = { 5B DD 7B 72 72 36 C7 FD 5F C3 C3 F5 D7 6B 72 FD }\n $thumb_dat_content116 = { 5C DE 7C 73 73 37 C8 FE 60 C4 C4 F6 D8 6C 73 FE }\n $thumb_dat_content117 = { 5D DF 7D 74 74 38 C9 00 61 C5 C5 F7 D9 6D 74 00 }\n $thumb_dat_content118 = { 5E E0 7E 75 75 39 CA 01 62 C6 C6 F8 DA 6E 75 01 }\n $thumb_dat_content119 = { 5F E1 7F 76 76 3A CB 02 63 C7 C7 F9 DB 6F 76 02 }\n $thumb_dat_content120 = { 60 E2 80 77 77 3B CC 03 64 C8 C8 FA DC 70 77 03 }\n $thumb_dat_content121 = { 61 E3 81 78 78 3C CD 04 65 C9 C9 FB DD 71 78 04 }\n $thumb_dat_content122 = { 62 E4 82 79 79 3D CE 05 66 CA CA FC DE 72 79 05 }\n $thumb_dat_content123 = { 63 E5 83 7A 7A 3E CF 06 67 CB CB FD DF 73 7A 06 }\n $thumb_dat_content124 = { 64 E6 84 7B 7B 3F D0 07 68 CC CC FE E0 74 7B 07 }\n $thumb_dat_content125 = { 65 E7 85 7C 7C 40 D1 08 69 CD CD 00 E1 75 7C 08 }\n $thumb_dat_content126 = { 66 E8 86 7D 7D 41 D2 09 6A CE CE 01 E2 76 7D 09 }\n $thumb_dat_content127 = { 67 E9 87 7E 7E 42 D3 0A 6B CF CF 02 E3 77 7E 0A }\n $thumb_dat_content128 = { 68 EA 88 7F 7F 43 D4 0B 6C D0 D0 03 E4 78 7F 0B }\n $thumb_dat_content129 = { 69 EB 89 80 80 44 D5 0C 6D D1 D1 04 E5 79 80 0C }\n $thumb_dat_content130 = { 6A EC 8A 81 81 45 D6 0D 6E D2 D2 05 E6 7A 81 0D }\n $thumb_dat_content131 = { 6B ED 8B 82 82 46 D7 0E 6F D3 D3 06 E7 7B 82 0E }\n $thumb_dat_content132 = { 6C EE 8C 83 83 47 D8 0F 70 D4 D4 07 E8 7C 83 0F }\n $thumb_dat_content133 = { 6D EF 8D 84 84 48 D9 10 71 D5 D5 08 E9 7D 84 10 }\n $thumb_dat_content134 = { 6E F0 8E 85 85 49 DA 11 72 D6 D6 09 EA 7E 85 11 }\n 
$thumb_dat_content135 = { 6F F1 8F 86 86 4A DB 12 73 D7 D7 0A EB 7F 86 12 }\n $thumb_dat_content136 = { 70 F2 90 87 87 4B DC 13 74 D8 D8 0B EC 80 87 13 }\n $thumb_dat_content137 = { 71 F3 91 88 88 4C DD 14 75 D9 D9 0C ED 81 88 14 }\n $thumb_dat_content138 = { 72 F4 92 89 89 4D DE 15 76 DA DA 0D EE 82 89 15 }\n $thumb_dat_content139 = { 73 F5 93 8A 8A 4E DF 16 77 DB DB 0E EF 83 8A 16 }\n $thumb_dat_content140 = { 74 F6 94 8B 8B 4F E0 17 78 DC DC 0F F0 84 8B 17 }\n $thumb_dat_content141 = { 75 F7 95 8C 8C 50 E1 18 79 DD DD 10 F1 85 8C 18 }\n $thumb_dat_content142 = { 76 F8 96 8D 8D 51 E2 19 7A DE DE 11 F2 86 8D 19 }\n $thumb_dat_content143 = { 77 F9 97 8E 8E 52 E3 1A 7B DF DF 12 F3 87 8E 1A }\n $thumb_dat_content144 = { 78 FA 98 8F 8F 53 E4 1B 7C E0 E0 13 F4 88 8F 1B }\n $thumb_dat_content145 = { 79 FB 99 90 90 54 E5 1C 7D E1 E1 14 F5 89 90 1C }\n $thumb_dat_content146 = { 7A FC 9A 91 91 55 E6 1D 7E E2 E2 15 F6 8A 91 1D }\n $thumb_dat_content147 = { 7B FD 9B 92 92 56 E7 1E 7F E3 E3 16 F7 8B 92 1E }\n $thumb_dat_content148 = { 7C FE 9C 93 93 57 E8 1F 80 E4 E4 17 F8 8C 93 1F }\n $thumb_dat_content149 = { 7D 00 9D 94 94 58 E9 20 81 E5 E5 18 F9 8D 94 20 }\n $thumb_dat_content150 = { 7E 01 9E 95 95 59 EA 21 82 E6 E6 19 FA 8E 95 21 }\n $thumb_dat_content151 = { 7F 02 9F 96 96 5A EB 22 83 E7 E7 1A FB 8F 96 22 }\n $thumb_dat_content152 = { 80 03 A0 97 97 5B EC 23 84 E8 E8 1B FC 90 97 23 }\n $thumb_dat_content153 = { 81 04 A1 98 98 5C ED 24 85 E9 E9 1C FD 91 98 24 }\n $thumb_dat_content154 = { 82 05 A2 99 99 5D EE 25 86 EA EA 1D FE 92 99 25 }\n $thumb_dat_content155 = { 83 06 A3 9A 9A 5E EF 26 87 EB EB 1E 00 93 9A 26 }\n $thumb_dat_content156 = { 84 07 A4 9B 9B 5F F0 27 88 EC EC 1F 01 94 9B 27 }\n $thumb_dat_content157 = { 85 08 A5 9C 9C 60 F1 28 89 ED ED 20 02 95 9C 28 }\n $thumb_dat_content158 = { 86 09 A6 9D 9D 61 F2 29 8A EE EE 21 03 96 9D 29 }\n $thumb_dat_content159 = { 87 0A A7 9E 9E 62 F3 2A 8B EF EF 22 04 97 9E 2A }\n $thumb_dat_content160 = { 88 0B A8 9F 9F 63 F4 2B 
8C F0 F0 23 05 98 9F 2B }\n $thumb_dat_content161 = { 89 0C A9 A0 A0 64 F5 2C 8D F1 F1 24 06 99 A0 2C }\n $thumb_dat_content162 = { 8A 0D AA A1 A1 65 F6 2D 8E F2 F2 25 07 9A A1 2D }\n $thumb_dat_content163 = { 8B 0E AB A2 A2 66 F7 2E 8F F3 F3 26 08 9B A2 2E }\n $thumb_dat_content164 = { 8C 0F AC A3 A3 67 F8 2F 90 F4 F4 27 09 9C A3 2F }\n $thumb_dat_content165 = { 8D 10 AD A4 A4 68 F9 30 91 F5 F5 28 0A 9D A4 30 }\n $thumb_dat_content166 = { 8E 11 AE A5 A5 69 FA 31 92 F6 F6 29 0B 9E A5 31 }\n $thumb_dat_content167 = { 8F 12 AF A6 A6 6A FB 32 93 F7 F7 2A 0C 9F A6 32 }\n $thumb_dat_content168 = { 90 13 B0 A7 A7 6B FC 33 94 F8 F8 2B 0D A0 A7 33 }\n $thumb_dat_content169 = { 91 14 B1 A8 A8 6C FD 34 95 F9 F9 2C 0E A1 A8 34 }\n $thumb_dat_content170 = { 92 15 B2 A9 A9 6D FE 35 96 FA FA 2D 0F A2 A9 35 }\n $thumb_dat_content171 = { 93 16 B3 AA AA 6E 00 36 97 FB FB 2E 10 A3 AA 36 }\n $thumb_dat_content172 = { 94 17 B4 AB AB 6F 01 37 98 FC FC 2F 11 A4 AB 37 }\n $thumb_dat_content173 = { 95 18 B5 AC AC 70 02 38 99 FD FD 30 12 A5 AC 38 }\n $thumb_dat_content174 = { 96 19 B6 AD AD 71 03 39 9A FE FE 31 13 A6 AD 39 }\n $thumb_dat_content175 = { 97 1A B7 AE AE 72 04 3A 9B 00 00 32 14 A7 AE 3A }\n $thumb_dat_content176 = { 98 1B B8 AF AF 73 05 3B 9C 01 01 33 15 A8 AF 3B }\n $thumb_dat_content177 = { 99 1C B9 B0 B0 74 06 3C 9D 02 02 34 16 A9 B0 3C }\n $thumb_dat_content178 = { 9A 1D BA B1 B1 75 07 3D 9E 03 03 35 17 AA B1 3D }\n $thumb_dat_content179 = { 9B 1E BB B2 B2 76 08 3E 9F 04 04 36 18 AB B2 3E }\nBfV Cyber-Brief\n14\nBundesamt für Verfassungsschutz - Cyber-Brief Nr. 
01/2022\nTLP:WHITE\nTLP:WHITE\n $thumb_dat_content180 = { 9C 1F BC B3 B3 77 09 3F A0 05 05 37 19 AC B3 3F }\n $thumb_dat_content181 = { 9D 20 BD B4 B4 78 0A 40 A1 06 06 38 1A AD B4 40 }\n $thumb_dat_content182 = { 9E 21 BE B5 B5 79 0B 41 A2 07 07 39 1B AE B5 41 }\n $thumb_dat_content183 = { 9F 22 BF B6 B6 7A 0C 42 A3 08 08 3A 1C AF B6 42 }\n $thumb_dat_content184 = { A0 23 C0 B7 B7 7B 0D 43 A4 09 09 3B 1D B0 B7 43 }\n $thumb_dat_content185 = { A1 24 C1 B8 B8 7C 0E 44 A5 0A 0A 3C 1E B1 B8 44 }\n $thumb_dat_content186 = { A2 25 C2 B9 B9 7D 0F 45 A6 0B 0B 3D 1F B2 B9 45 }\n $thumb_dat_content187 = { A3 26 C3 BA BA 7E 10 46 A7 0C 0C 3E 20 B3 BA 46 }\n $thumb_dat_content188 = { A4 27 C4 BB BB 7F 11 47 A8 0D 0D 3F 21 B4 BB 47 }\n $thumb_dat_content189 = { A5 28 C5 BC BC 80 12 48 A9 0E 0E 40 22 B5 BC 48 }\n $thumb_dat_content190 = { A6 29 C6 BD BD 81 13 49 AA 0F 0F 41 23 B6 BD 49 }\n $thumb_dat_content191 = { A7 2A C7 BE BE 82 14 4A AB 10 10 42 24 B7 BE 4A }\n $thumb_dat_content192 = { A8 2B C8 BF BF 83 15 4B AC 11 11 43 25 B8 BF 4B }\n $thumb_dat_content193 = { A9 2C C9 C0 C0 84 16 4C AD 12 12 44 26 B9 C0 4C }\n $thumb_dat_content194 = { AA 2D CA C1 C1 85 17 4D AE 13 13 45 27 BA C1 4D }\n $thumb_dat_content195 = { AB 2E CB C2 C2 86 18 4E AF 14 14 46 28 BB C2 4E }\n $thumb_dat_content196 = { AC 2F CC C3 C3 87 19 4F B0 15 15 47 29 BC C3 4F }\n $thumb_dat_content197 = { AD 30 CD C4 C4 88 1A 50 B1 16 16 48 2A BD C4 50 }\n $thumb_dat_content198 = { AE 31 CE C5 C5 89 1B 51 B2 17 17 49 2B BE C5 51 }\n $thumb_dat_content199 = { AF 32 CF C6 C6 8A 1C 52 B3 18 18 4A 2C BF C6 52 }\n $thumb_dat_content200 = { B0 33 D0 C7 C7 8B 1D 53 B4 19 19 4B 2D C0 C7 53 }\n $thumb_dat_content201 = { B1 34 D1 C8 C8 8C 1E 54 B5 1A 1A 4C 2E C1 C8 54 }\n $thumb_dat_content202 = { B2 35 D2 C9 C9 8D 1F 55 B6 1B 1B 4D 2F C2 C9 55 }\n $thumb_dat_content203 = { B3 36 D3 CA CA 8E 20 56 B7 1C 1C 4E 30 C3 CA 56 }\n $thumb_dat_content204 = { B4 37 D4 CB CB 8F 21 57 B8 1D 1D 4F 31 C4 CB 57 }\n 
$thumb_dat_content205 = { B5 38 D5 CC CC 90 22 58 B9 1E 1E 50 32 C5 CC 58 }\n $thumb_dat_content206 = { B6 39 D6 CD CD 91 23 59 BA 1F 1F 51 33 C6 CD 59 }\n $thumb_dat_content207 = { B7 3A D7 CE CE 92 24 5A BB 20 20 52 34 C7 CE 5A }\n $thumb_dat_content208 = { B8 3B D8 CF CF 93 25 5B BC 21 21 53 35 C8 CF 5B }\n $thumb_dat_content209 = { B9 3C D9 D0 D0 94 26 5C BD 22 22 54 36 C9 D0 5C }\n $thumb_dat_content210 = { BA 3D DA D1 D1 95 27 5D BE 23 23 55 37 CA D1 5D }\n $thumb_dat_content211 = { BB 3E DB D2 D2 96 28 5E BF 24 24 56 38 CB D2 5E }\n $thumb_dat_content212 = { BC 3F DC D3 D3 97 29 5F C0 25 25 57 39 CC D3 5F }\n $thumb_dat_content213 = { BD 40 DD D4 D4 98 2A 60 C1 26 26 58 3A CD D4 60 }\n $thumb_dat_content214 = { BE 41 DE D5 D5 99 2B 61 C2 27 27 59 3B CE D5 61 }\n $thumb_dat_content215 = { BF 42 DF D6 D6 9A 2C 62 C3 28 28 5A 3C CF D6 62 }\n $thumb_dat_content216 = { C0 43 E0 D7 D7 9B 2D 63 C4 29 29 5B 3D D0 D7 63 }\n $thumb_dat_content217 = { C1 44 E1 D8 D8 9C 2E 64 C5 2A 2A 5C 3E D1 D8 64 }\n $thumb_dat_content218 = { C2 45 E2 D9 D9 9D 2F 65 C6 2B 2B 5D 3F D2 D9 65 }\n $thumb_dat_content219 = { C3 46 E3 DA DA 9E 30 66 C7 2C 2C 5E 40 D3 DA 66 }\n $thumb_dat_content220 = { C4 47 E4 DB DB 9F 31 67 C8 2D 2D 5F 41 D4 DB 67 }\n $thumb_dat_content221 = { C5 48 E5 DC DC A0 32 68 C9 2E 2E 60 42 D5 DC 68 }\n $thumb_dat_content222 = { C6 49 E6 DD DD A1 33 69 CA 2F 2F 61 43 D6 DD 69 }\n $thumb_dat_content223 = { C7 4A E7 DE DE A2 34 6A CB 30 30 62 44 D7 DE 6A }\n $thumb_dat_content224 = { C8 4B E8 DF DF A3 35 6B CC 31 31 63 45 D8 DF 6B }\n $thumb_dat_content225 = { C9 4C E9 E0 E0 A4 36 6C CD 32 32 64 46 D9 E0 6C }\n $thumb_dat_content226 = { CA 4D EA E1 E1 A5 37 6D CE 33 33 65 47 DA E1 6D }\n $thumb_dat_content227 = { CB 4E EB E2 E2 A6 38 6E CF 34 34 66 48 DB E2 6E }\n $thumb_dat_content228 = { CC 4F EC E3 E3 A7 39 6F D0 35 35 67 49 DC E3 6F }\n $thumb_dat_content229 = { CD 50 ED E4 E4 A8 3A 70 D1 36 36 68 4A DD E4 70 }\n $thumb_dat_content230 = { CE 51 EE E5 E5 A9 3B 71 
D2 37 37 69 4B DE E5 71 }\n $thumb_dat_content231 = { CF 52 EF E6 E6 AA 3C 72 D3 38 38 6A 4C DF E6 72 }\n $thumb_dat_content232 = { D0 53 F0 E7 E7 AB 3D 73 D4 39 39 6B 4D E0 E7 73 }\n $thumb_dat_content233 = { D1 54 F1 E8 E8 AC 3E 74 D5 3A 3A 6C 4E E1 E8 74 }\n $thumb_dat_content234 = { D2 55 F2 E9 E9 AD 3F 75 D6 3B 3B 6D 4F E2 E9 75 }\n $thumb_dat_content235 = { D3 56 F3 EA EA AE 40 76 D7 3C 3C 6E 50 E3 EA 76 }\n $thumb_dat_content236 = { D4 57 F4 EB EB AF 41 77 D8 3D 3D 6F 51 E4 EB 77 }\n $thumb_dat_content237 = { D5 58 F5 EC EC B0 42 78 D9 3E 3E 70 52 E5 EC 78 }\n $thumb_dat_content238 = { D6 59 F6 ED ED B1 43 79 DA 3F 3F 71 53 E6 ED 79 }\n $thumb_dat_content239 = { D7 5A F7 EE EE B2 44 7A DB 40 40 72 54 E7 EE 7A }\n $thumb_dat_content240 = { D8 5B F8 EF EF B3 45 7B DC 41 41 73 55 E8 EF 7B }\n $thumb_dat_content241 = { D9 5C F9 F0 F0 B4 46 7C DD 42 42 74 56 E9 F0 7C }\n $thumb_dat_content242 = { DA 5D FA F1 F1 B5 47 7D DE 43 43 75 57 EA F1 7D }\n $thumb_dat_content243 = { DB 5E FB F2 F2 B6 48 7E DF 44 44 76 58 EB F2 7E }\n $thumb_dat_content244 = { DC 5F FC F3 F3 B7 49 7F E0 45 45 77 59 EC F3 7F }\n $thumb_dat_content245 = { DD 60 FD F4 F4 B8 4A 80 E1 46 46 78 5A ED F4 80 }\n $thumb_dat_content246 = { DE 61 FE F5 F5 B9 4B 81 E2 47 47 79 5B EE F5 81 }\n $thumb_dat_content247 = { DF 62 00 F6 F6 BA 4C 82 E3 48 48 7A 5C EF F6 82 }\n $thumb_dat_content248 = { E0 63 01 F7 F7 BB 4D 83 E4 49 49 7B 5D F0 F7 83 }\n $thumb_dat_content249 = { E1 64 02 F8 F8 BC 4E 84 E5 4A 4A 7C 5E F1 F8 84 }\nBfV Cyber-Brief\n15\nBundesamt für Verfassungsschutz - Cyber-Brief Nr. 
01/2022\nTLP:WHITE\nTLP:WHITE\n $thumb_dat_content250 = { E2 65 03 F9 F9 BD 4F 85 E6 4B 4B 7D 5F F2 F9 85 }\n $thumb_dat_content251 = { E3 66 04 FA FA BE 50 86 E7 4C 4C 7E 60 F3 FA 86 }\n $thumb_dat_content252 = { E4 67 05 FB FB BF 51 87 E8 4D 4D 7F 61 F4 FB 87 }\n $thumb_dat_content253 = { E5 68 06 FC FC C0 52 88 E9 4E 4E 80 62 F5 FC 88 }\n $thumb_dat_content254 = { E6 69 07 FD FD C1 53 89 EA 4F 4F 81 63 F6 FD 89 }\n $thumb_dat_content255 = { E7 6A 08 FE FE C2 54 8A EB 50 50 82 64 F7 FE 8A }\ncondition:\n any of them and filesize < 5MB\n}",apt27,CN,"Espionage, Information theft and espionage",2010,DE,TRUE,Exploit Vulnerability,"HYPERBRO, Zoho Manage Engine ADSelfService Plus, Microsoft Exchange Server",Corporations and Businesses,,, 2022-01-27,"North Korea's Lazarus APT leverages Windows Update client, GitHub in latest campaign _ Malwarebytes Labs",,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2022/2022.01.27.Lazarus_APT/North%20Korea%27s%20Lazarus%20APT%20leverages%20Windows%20Update%20client%2C%20GitHub%20in%20latest%20campaign%20_%20Malwarebytes%20Labs.pdf,Malwarebytes,,,,lazarus group,KP,"Information theft and espionage, Espionage, Sabotage and destruction, Sabotage, Financial crime",2014,,FALSE,Malicious Documents,,Government and Defense Agencies,,, 2022-01-27,APT29_StellarParticle-Campaing_CrowdStrike,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2022/2022.01.27.APT29_StellarParticle/APT29_StellarParticle-Campaing_CrowdStrike.pdf,CrowdStrike,,"T1213:Data from Information Repositories, T1078:Valid Accounts, T1555:N/A, T1482:Domain Trust Discovery, T1550:N/A, T1546:N/A, T1087:Account Discovery, T1069:Permission Groups Discovery, T1595:N/A, T1057:Process Discovery, T1021:Remote Services, T1539:N/A, T1133:External Remote Services, T1003:Credential Dumping, T1098:Account Manipulation, T1036:Masquerading",,apt29,RU,"Espionage, Information theft and espionage",2008,,FALSE,"Credential Reuse, 
Website Equipping","GoldMax, TrailBlazer, Mimikatz, DSInternals, SolarWinds IT management software, MITRE ATT&CK Framework","Corporations and Businesses, Cloud/IoT Services",,, 2022-01-31,Shuckworm_APT,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2022/2022.01.31.Shuckworm_APT/Shuckworm_APT.pdf,Symantec,,,,shuckworm,RU,Information theft and espionage,2013,UA,,"Phishing, Malicious Documents","VBS backdoor, 7-zip SFX self-extracting binaries, MediaConvertor.dat, Remote Manipulator System (RMS), UltraVNC, Pterodo/Pteranodon",Government and Defense Agencies,2021-07-14,2021-08-18,35.0 2022-01-31,"Cisco Talos Intelligence Group - Comprehensive Threat Intelligence_ Iranian APT MuddyWater targets Turkish users via malicious PDFs, executables",,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2022/2022.01.31.MuddyWater_Turkish/Cisco%20Talos%20Intelligence%20Group%20-%20Comprehensive%20Threat%20Intelligence_%20Iranian%20APT%20MuddyWater%20targets%20Turkish%20users%20via%20malicious%20PDFs%2C%20executables.pdf,Cisco,,,,muddywater,IR,"Espionage, Information theft and espionage",2017,"PK, TR, US",,"Spear Phishing, Malicious Documents","PowerShell, Visual Basic, LoLBins (living-off-the-land binaries), Malicious PDFs, XLS files, Windows executables, Canary tokens",Corporations and Businesses,,, 2022-02-02,cert.gov.ua_CERT-UA-3799(02-02-2022),Cyber attack of UAC-0056 group on state organizations of Ukraine using malicious programs SaintBot and OutSteel (CERT-UA #3799),https://app.box.com/s/gti3fn10hlnanb6c7y50g5n16w8t4cqc,CERT-UA,,,,uac-0056,RU,Information theft and espionage,2021,,FALSE,"Spear Phishing, Malicious Documents","OutSteel, SaintBot, AutoIt",Government and Defense Agencies,,, 2022-02-03,Symantec_Antlion-ChineseAPT-Target-Financial-Taiwan(02-03-2022),Antlion Chinese APT Uses Custom Backdoor to Target Financial Institutions in 
Taiwan,https://app.box.com/s/5ig1yhx66416nra8b9bdpgla1cbg0aoe,Symantec,CVE-2019-1458,,"rule checkid_loader\n{\n meta:\nauthor = ""Symantec, a division of Broadcom""\n description = ""BlackHole/BlackSwan / QuasarRAT/xClient loader""\n hash = ""29d7b82f9ae7fa0dbaf2d18c4d38d18028d652ed1ccc0846e8c781b4015b5f78""\n strings:\n $s1 = ""Call %s.%s(\\""%s\\"") => %d"" fullword wide\n $s2 = ""Assembly::CreateInstance failed w/hr 0x%08lx"" fullword wide\n $s3 = ""checkID""\n $s4 = ""NULL == checkID hMutex"" fullword\n $s5 = ""checkID Mutex ERROR_ALREADY_EXISTS"" fullword\n $s6 = ""dllmain mutex ERROR_ALREADY_EXISTS"" fullword\n7/7\n $x1 = ""xClient.Program"" fullword wide\n $x2 = ""LoadPayload"" fullword\n $m1 = ""SFZJ_Wh16gJGFKL"" ascii wide\n $m2 = ""d5129799-e543-4b8b-bb1b-e0cba81bccf8"" ascii wide\n $m3 = ""USA_HardBlack"" ascii wide\n $b1 = ""BlackHole.Slave.Program"" fullword wide\n $b2 = ""NuGet\\\\Config"" wide\n $b3 = ""VisualStudio.cfi"" wide\n $p = {E1 F6 3C AC AF AC AC AC A8 AC AC AC 53 53 AC AC 14}\n $t = ""0s+Nksjd1czZ1drJktPO24aEjISMtsvLy5LJzNjdyNnL1dLY08uS39PRhoSMhIy2jYyPkomNko2IjJKEiIaEjISM""\n condition:\n uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and 2 of ($s*) and (all of ($x*) or any of ($m*) or all of ($b*) or\n$p or $t)\n}, rule EHAGBPSL_loader\n{\n meta:\nauthor = ""Symantec, a division of Broadcom""\n hash = ""e968e0d7e62fbc36ad95bc7b140cf7c32cd0f02fd6f4f914eeb7c7b87528cfe2""\n hash = ""2a541a06929dd7d18ddbae2cb23d5455d0666af7bdcdf45b498d1130a8434632""\n strings:\n $s1 = {45 00 00 00 48 00 00 00 41 00 00 00 47 00 00 00 42 00 00 00 50 00 00 00 53 00 00 00 4C} // EHAGBPSL\n $s2 = {74 00 00 00 61 00 00 00 72 00 00 00 57 00 00 00 6F 00 00 00 6B} // tarWok\n $b1 = ""bnRtZ3M="" fullword // ntmgs\n $b2 = ""TmV0d29yayBNYW5hZ2VtZW50IFNlcnZpY2U="" fullword // Network Management Service\n $b3 = ""UHJvdmlkZXMgYWJpbGl0eSB0byBtYW5hZ2UgbmV0d29yayBvdmVyIHRoZSBuZXQgcHJvdG9jb2wu"" fullword //\nProvides ability to manage network over the net protocol.\n 
$b4 = ""bnRtZ3MuZG"" // ntmgs.dll / ntmgs.dat\n $b5 = ""aW1nMS5qcGc="" fullword // img1.jpg\n $c1 = ""Wscms.nls"" fullword\n $c2 = ""Wscms.dat"" fullword\n $c3 = ""Wscms.dll"" fullword\n $c4 = ""Wscms.ini"" fullword\n $c5 = ""Images01.jpg"" fullword\n $e1 = ""StartWork"" fullword\n $e2 = ""ServiceMain"" fullword\n $h1 = {DD 9C BD 72} // CreateRemoteThread\n $h2 = {C0 97 E2 EF} // OpenProcess\n $h3 = {32 6D C7 D5} // RegisterServiceCtrlHandlerA\n6/7\n $h4 = {A1 6A 3D D8} // WriteProcessMemory\n condition:\n uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and all of ($e*) and (all of ($s*) or any of ($b*) or 3 of ($c*) or\nall of ($h*))\n}, rule keylogger\n{\n meta:\nauthor = ""Symantec, a division of Broadcom""\n hash = ""3db621cac1d026714356501f558b1847212c91169314c1d43bfc3a4798467d0d""\n hash = ""789f0ec8e60fbc8645641a47bc821b11a4486f28892b6ce14f867a40247954ed""\n strings:\n $m1 = ""BKB_Test"" fullword\n $m2 = ""KLG_sd76bxds1N"" fullword\n $k1 = ""%d/%02d/%02d %02d:%02d:%02d K-E-Y-L-O-G"" fullword\n $k2 = ""%d/%02d/%02d %02d:%02d:%02d C-L-I-P-B-D"" fullword\n $k3 = ""< Title--%s-- >"" fullword\n $k4 = ""ImpersonateLoggedOnUser Error(%d)"" fullword\n $f1 = {55 73 65 72 ?? ?? ?? 00 00 00 ?? ?? ?? 6B 65 79 2E} // Userkey.\n $f2 = {55 73 65 72 ?? ?? ?? 00 00 00 ?? ?? ?? 
64 61 74 2E} // Userdat.\n condition:\n uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and (2 of ($k*) or (any of ($m*) and any of ($f*)))\n}, rule xpack_loader\n{\n meta:\nauthor = ""Symantec, a division of Broadcom""\n hash = ""12425edb2c50eac79f06bf228cb2dd77bb1e847c4c4a2049c91e0c5b345df5f2""\n strings:\n $s1 = ""Length or Hash destoryed"" wide fullword\n $s2 = ""tag unmatched"" wide fullword\n $s3 = ""File size mismatch"" wide fullword\n $s4 = ""DESFile"" wide fullword\n $p1 = ""fomsal.Properties.Resources.resources"" wide fullword\n $p2 = ""xPack.Properties.Resources.resources"" wide fullword\n $p3 = ""foslta.Properties.Resources.resources"" wide fullword\n condition:\n uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and (2 of ($s*) or any of ($p*))\n}, rule xpack_service\n{\n5/7\n meta:\nauthor = ""Symantec, a division of Broadcom""\n hash = ""390460900c318a9a5c9026208f9486af58b149d2ba98069007218973a6b0df66""\n strings:\n $s1 = ""C:\\\\Windows\\\\inf\\\\wdnvsc.inf"" wide fullword\n $s2 = ""PackService"" wide fullword\n $s3 = ""xPackSvc"" wide fullword\n $s4 = ""eG#!&5h8V$"" wide fullword\n condition:\n uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and 3 of them\n}",antlion,CN,Information theft and espionage,2011,TW,,"Exploit Vulnerability, Malicious Documents","xPack backdoor, JpgRun loader, CheckID, NetSessionEnum, ENCODE MMC, Mimikatz (Kerberos golden ticket tool), PowerShell, WMIC, ProcDump, LSASS, PsExec, AnyDesk","Financial Institutions, Manufacturing",2020-12-15,2021-08-15,243.0 2022-02-03,PaloAltoNetworks_Russias-Gamaredon-PrimitiveBear-Targeting-Ukraine(02-03-2022),Gamaredon (Primitive Bear) Russian APT Group Actively Targeting Ukraine,https://app.box.com/s/bhitsulabbr6y4d8jz56ljweejy7htqf,Palo Alto,,,,gamaredon group,RU,Information theft and espionage,2013,UA,,"Spear Phishing, Malicious Documents","Cortex XDR, WildFire, Advanced URL Filtering, DNS Security, AutoFocus, Virtual Network Computing (VNC) software, 
schtasks.exe, wscript.exe",Government and Defense Agencies,,, 2022-02-04,Microsoft_ACTINIUM-Ukrainian-organizations(02-04-2022),ACTINIUM targets Ukrainian organizations,https://app.box.com/s/0qxv3fc5yx2j8lbv1ftlvmaakuy0nrsk,Microsoft,,,,actinium,RU,Information theft and espionage,2013,UA,,"Spear Phishing, Malicious Documents","Pterodo, QuietSieve, PowerPunch, DinoTrain, DesertDown, DilongTrash, ObfuBerry, ObfuMerry","Government and Defense Agencies, Non-Governmental Organizations (NGOs) and Nonprofits",,, 2022-02-07,APT27 Group Targets German Organizations with HyperBro,,https://cyware.com/news/apt27-group-targets-german-organizations-with-hyperbro-2c43b7cf/,Cyware,CVE-2021-40539,,,apt27,CN,"Espionage, Information theft and espionage",2010,DE,TRUE,Exploit Vulnerability,"HyperBro RAT, Zoho AdSelf Service Plus software, ManageEngine software, ProxyLogon bugs","Healthcare, Energy and Utilities, Education and Research Institutions, Critical Infrastructure",,, 2022-02-07,Kaspersky_Roaming-Mantis-reaches-Europe(02-07-2022),Roaming Mantis reaches Europe,https://app.box.com/s/49t7lzqqzep1wj8nd6gu4i8bosi8ms8v,Kaspersky,,,,roaming mantis,,Financial crime,2017,"DE, FR, JP, KR, TW",,Phishing,"kuronekoyamato.apk, Java Native Interface (JNI), HEUR:Trojan-Dropper.AndroidOS.Wroba",Individuals,,, 2022-02-08,Proofpoint_UggBoots-Palestinian-Aligned-Espionage(02-08-2022),Ugg Boots 4 Sale: A Tale of Palestinian-Aligned Espionage,https://app.box.com/s/tkiardlg3bj6k1llkdnnr9n9glxj4246,Proofpoint,,,"rule Proofpoint_Molerats_TA402_NimbleMamba { \n meta: \n description = ""Detects .NET written NimbleMamba malware used by TA402/Molereats"" \n author = ""Proofpoint Threat Research"" \n disclaimer = ""Yara signature created for hunting purposes - not quality controlled within\nenterprise environment"" \n hash1 = ""430c12393a1714e3f5087e1338a3e3846ab62b18d816cc4916749a935f8dab44"" \n hash2 = ""c61fcd8bed15414529959e8b5484b2c559ac597143c1775b1cec7d493a40369d"" \n strings: \n $dotnet = 
""#Strings"" ascii \n $dropbox = ""dropboxapi.com"" ascii wide \n $justpaste = ""justpaste.it"" wide \n $ip_1 = ""api.ipstack.com"" wide \neasyuploadservice.com \nDomain \n2e4671c517040cbd66a1be0f04fb8f2af7064fef2b5ee5e33d1f9d347e4c419f \nSHA256 \n15/15\n $ip_2 = ""myexternalip.com"" wide \n $ip_3 = ""ip-api.com"" wide \n $ip_4 = ""api.ipify.com"" wide \n $vm_1 = ""VMware|VIRTUAL|A M I|Xen"" wide \n $vm_2 = ""Microsoft|VMWare|Virtual"" wide \n condition: \n uint16be(0) == 0x4D5A and $dotnet and $dropbox and $justpaste and any of ($ip_*)\nand any of ($vm_*) \n}",ta402,PS,,,"AE, DZ, EG, IL, IR, JO, KW, QA, SA, SY, TN",,Spear Phishing,"NimbleMamba, BrittleBush, LastConn","Government and Defense Agencies, Education and Research Institutions",2021-11-15,2022-01-15,61.0 2022-02-09,SentinalOne_modified-elephant-apt(02-09-2022),Modified Elephant APT and a Decade of Fabricating Evidence,https://app.box.com/s/u4ugjnwl2w9f7pdfz22uh1l7cqc3xpdr,SentinelOne,"CVE-2012-0158, CVE-2014-1761, CVE-2015-1641",,,modifiedelephant,,,,IN,FALSE,"Spear Phishing, Malicious Documents","NetWire, DarkComet, CVE-2012-0158, CVE-2014-1761, CVE-2013-3906, CVE-2015-1641","Education and Research Institutions, Non-Governmental Organizations (NGOs) and Nonprofits, Individuals",,, 2022-02-14,"The APT Fallout of Vulnerabilities such as ProxyLogon, OGNL Injection, and log4shell",,https://www.hvs-consulting.de/public/ThreatReport-EmissaryPanda.pdf,HVS Consulting,"CVE-2021-26084, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, CVE-2021-31195, CVE-2021-31196, CVE-2021-33766, CVE-2021-34473, CVE-2021-34523, CVE-2021-42321, CVE-2021-44228, CVE-2021-44832","T1560:N/A, T1547:N/A, T1078:Valid Accounts, T1082:System Information Discovery, T1021:Remote Services, S0398:N/A, T1543:N/A, T1190:Exploit Public-Facing Application, T1112:Modify Registry, T1087:Account Discovery, T1071:Standard Application Layer Protocol, T1587:N/A, T1069:Permission Groups Discovery, T1119:Automated Collection, T1055:Process 
Injection, T1574:N/A, T1074:Data Staged, T1036:Masquerading, T1047:Windows Management Instrumentation, T1057:Process Discovery, T1003:Credential Dumping","rule HvS_APT27_HyperBro_Stage3_C2 { \n meta: \n description = ""HyperBro Stage 3 C2 path and user agent detection - also tested in memory"" \n license = ""https://creativecommons.org/licenses/by-nc/4.0/"" \n author = ""Marc Stroebel"" \n reference = ""https://www.hvs-consulting.de/en/threat-intelligence-report-emissary-panda-apt27"" \n date = ""2022-02-07"" \n hash1 = ""624e85bd669b97bc55ed5c5ea5f6082a1d4900d235a5d2e2a5683a04e36213e8"" \n strings: \n $s1 = ""api/v2/ajax"" ascii wide nocase \n $s2 = ""Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.116 \nSafari/537.36"" ascii wide nocase \n condition: \n all of them \n}, rule HvS_APT27_HyperBro_Stage3_Persistence { \n meta: \n description = ""HyperBro Stage 3 registry keys for persistence"" \n license = ""https://creativecommons.org/licenses/by-nc/4.0/"" \n author = ""Marko Dorfhuber"" \n reference = ""https://www.hvs-consulting.de/en/threat-intelligence-report-emissary-panda-apt27"" \n date = ""2022-02-07"" \n hash1 = ""624e85bd669b97bc55ed5c5ea5f6082a1d4900d235a5d2e2a5683a04e36213e8"" \n strings: \n $ = ""SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\config_"" ascii \n $ = ""SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\windefenders"" ascii \n condition: \n 1 of them \n}, rule HvS_APT27_HyperBro_Stage3 { \n meta: \n description = ""HyperBro Stage 3 detection - also tested in memory"" \n license = ""https://creativecommons.org/licenses/by-nc/4.0/"" \n author = ""Markus Poelloth"" \n reference = ""https://www.hvs-consulting.de/en/threat-intelligence-report-emissary-panda-apt27"" \n date = ""2022-02-07"" \n hash1 = ""624e85bd669b97bc55ed5c5ea5f6082a1d4900d235a5d2e2a5683a04e36213e8"" \n strings: \n $s1 = ""\\\\cmd.exe /A"" fullword wide \n $s2 = ""vftrace.dll"" fullword wide \n $s3 = ""msmpeng.exe"" fullword wide 
\n $s4 = ""\\\\\\\\.\\\\pipe\\\\testpipe"" fullword wide \n $s5 = ""thumb.dat"" fullword wide \n \n $g1 = ""%s\\\\%d.exe"" fullword wide \n $g2 = ""https://%s:%d/api/v2/ajax"" fullword wide \n $g3 = "" -k networkservice"" fullword wide \n $g4 = "" -k localservice"" fullword wide \n \n condition: \n uint16(0) == 0x5a4d and filesize < 300KB and \n (( 4 of ($s*) ) or (4 of ($g*))) \n}, rule HvS_APT27_HyperBro_Decrypted_Stage2 { \n meta: \n description = ""HyperBro Stage 2 and compressed Stage 3 detection"" \n license = ""https://creativecommons.org/licenses/by-nc/4.0/"" \n author = ""Moritz Oettle"" \n reference = ""https://www.hvs-consulting.de/en/threat-intelligence-report-emissary-panda-apt27"" \n date = ""2022-02-07"" \n hash1 = ""fc5a58bf0fce9cb96f35ee76842ff17816fe302e3164bc7c6a5ef46f6eff67ed"" \n strings: \n $lznt1_compressed_pe_header_small = { FC B9 00 4D 5A 90 } // This is the lznt1 compressed PE header \n \n $lznt1_compressed_pe_header_large_1 = { FC B9 00 4D 5A 90 00 03 00 00 00 82 04 00 30 FF FF 00 } \n $lznt1_compressed_pe_header_large_2 = { 00 b8 00 38 0d 01 00 40 04 38 19 00 10 01 00 00 } \n $lznt1_compressed_pe_header_large_3 = { 00 0e 1f ba 0e 00 b4 09 cd 00 21 b8 01 4c cd 21 } \n $lznt1_compressed_pe_header_large_4 = { 54 68 00 69 73 20 70 72 6f 67 72 00 61 6d 20 63 } \n $lznt1_compressed_pe_header_large_5 = { 61 6e 6e 6f 00 74 20 62 65 20 72 75 6e 00 20 69 } \n $lznt1_compressed_pe_header_large_6 = { 6e 20 44 4f 53 20 00 6d 6f 64 65 2e 0d 0d 0a 02 } \n \n condition: \n filesize < 200KB and \n ($lznt1_compressed_pe_header_small at 0x9ce) or (all of ($lznt1_compressed_pe_header_large_*)) \n}",emissary panda,CN,"Espionage, Information theft and espionage",2010,,,Exploit Vulnerability,"HyperBro Remote Access Tool (RAT), DLL Search Order Hijacking, DLL Side-loading",,2021-03-04,2021-11-09,250.0 2022-02-15,Fortinet_DriveGuard-Moses-Staff-Campaigns(02-15-2022),Guard Your Drive from DriveGuard: Moses Staff Campaigns Against Israeli Organizations Span 
Several Months,https://app.box.com/s/7p28si8yrjdrag1cvr43843itdscx8ur,Fortinet,,"T1033:System Owner/User Discovery, T1082:System Information Discovery, T1059:Command-Line Interface, T1573:N/A, T1505:N/A, T1569:N/A, T1190:Exploit Public-Facing Application, T1480:Execution Guardrails, T1071:Standard Application Layer Protocol, T1055:Process Injection, T1083:File and Directory Discovery, T1053:Scheduled Task, T1005:Data from Local System, T1140:Deobfuscate/Decode Files or Information, T1134:Access Token Manipulation, T1114:Email Collection, T1041:Exfiltration Over Command and Control Channel, T1008:Fallback Channels, T1003:Credential Dumping, T1113:Screen Capture",,moses staff,IR,Sabotage and destruction,2021,IL,TRUE,Exploit Vulnerability,"map.aspx, agent4.exe, calc.exe, iispool.aspx, ASP/Webshell.DW!tr, W64/Agent.AVV!tr, W32/Agent.UWN!tr, W32/Agent.UYS!tr, W64/Agent.AVS!tr, W64/Agent.AVU!tr",Corporations and Businesses,2020-12-15,2022-01-15,396.0 2022-02-15,ShadowPad Malware Analysis _ Secureworks,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2022/2022.02.15_ShadowPad/ShadowPad%20Malware%20Analysis%20_%20Secureworks.pdf,SecureWorks,,,,apt41,CN,"Financial crime, Information theft and espionage",2010,"AF, IN, VN",,,"ShadowPad, PlugX",,,, 2022-02-15,Proofpoint_Charting-TA2541s-Flight(02-15-2022),Charting TA2541's Flight,https://app.box.com/s/7vgs0ycvhmheyxski6g4766n9i49gq6i,Proofpoint,,TA2541:N/A,,ta2541,,Information theft and espionage,2017,,,"Spear Phishing, Malicious Documents","AsyncRAT, AgentTesla, Imminent Monitor, NetWire, WSH RAT, Parallax","Corporations and Businesses, Manufacturing, Government and Defense Agencies",,, 2022-02-16,Telsy_BabaDeda-LorecCPL-Outsteel-Ukraine(02-16-2022),BabaDeda and LorecCPL downloaders used to run Outsteel against Ukraine,https://app.box.com/s/uobrphf3bkfzyy4wt9tqh41v4m09bggk,Telsy,,,,lorec53,RU,Information theft and espionage,2021,UA,FALSE,"Spear Phishing, Malicious Documents","BabaDeda 
crypter, LorecCPL downloaders, Outsteel, SaintBot tool, AutoIt","Government and Defense Agencies, Non-Governmental Organizations (NGOs) and Nonprofits",,, 2022-02-16,nsfocus_Lorec53-LoriBear-Ukraine(02-16-2022),APT Group LOREC53 (Lori Bear) Recently Launched A Large-Scale Cyber Attack On Ukraine,https://app.box.com/s/japcw7r6uxnvyenklx06h21veadvdxvy,NSFOCUS,,,,lorec53,RU,Information theft and espionage,2021,"GE, IR, UA",FALSE,"Phishing, Malicious Documents, Exploit Vulnerability","LorecDocStealer (also known as OutSteel), LorecCPL, SaintBot","Government and Defense Agencies, Financial Institutions, Healthcare",,, 2022-02-16,alyac_NKorea-digital-asset-wallet-customer-center(02-16-2022),North Korea-linked APT attack found disguised as a digital asset wallet service customer center,https://app.box.com/s/sn6863bx5gk1i1o2kw7t5m2fk5s1f6iq,ESTSecurity,,,,kimsuky,KP,"Espionage, Information theft and espionage",2012,,,"Malicious Documents, Spear Phishing",Trojan.Downloader.DOC.Gen,"Corporations and Businesses, Financial Institutions",,, 2022-02-17,Sentinelone_Log4j2-TunnelVision-Exploiting-VMware-Horizon(02-17-2022),Iranian-Aligned Threat Actor,https://app.box.com/s/q1943pvy0ps4oftxo5iad7ngt4py5y51,SentinelOne,CVE-2018-13379,,,tunnelvision,IR,Information theft and espionage,2012,US,FALSE,Exploit Vulnerability,"Procdump, Plink, Ngrok, VMware Horizon NodeJS, Fast Reverse Proxy Client (FRPC)",,,, 2022-02-23,(Ex)Change of Pace_ UNC2596 Observed Leveraging Vulnerabilities to Deploy Cuba Ransomware _ Mandiant,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2022/2022.02.23.UNC2596/%28Ex%29Change%20of%20Pace_%20UNC2596%20Observed%20Leveraging%20Vulnerabilities%20to%20Deploy%20Cuba%20Ransomware%20_%20Mandiant.pdf,Mandiant,,"T1056:Input Capture, T1095:Standard Non-Application Layer Protocol, T1033:System Owner/User Discovery, T1082:System Information Discovery, T1059:Command-Line Interface, T1027:Obfuscated Files or Information, T1021:Remote 
Services, T1573:N/A, T1018:Remote System Discovery, T1016:System Network Configuration Discovery, T1129:Execution through Module Load, T1012:Query Registry, T1098:Account Manipulation, T1569:N/A, T1543:N/A, T1583:N/A, T1486:Data Encrypted for Impact, T1190:Exploit Public-Facing Application, T1553:N/A, T1497:Virtualization/Sandbox Evasion, T1518:N/A, T1555:N/A, T1112:Modify Registry, T1087:Account Discovery, T1071:Standard Application Layer Protocol, T1489:Service Stop, T1070:Indicator Removal on Host, T1587:N/A, T1055:Process Injection, T1574:N/A, T1083:File and Directory Discovery, T1074:Data Staged, T1053:Scheduled Task, T1564:N/A, T1140:Deobfuscate/Decode Files or Information, T1608:N/A, T1136:Create Account, T1134:Access Token Manipulation, T1105:Remote File Copy, T1620:N/A, T1588:N/A, T1057:Process Discovery, T1010:Application Window Discovery","rule TERMITE\n{\n\xa0\xa0\xa0 meta:\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0 author = ""Mandiant""\n\xa0\xa0\xa0 strings:\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0 $sb1 = { E8 4 3D 5? E3 B6 00 7? }\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0 $sb2 = { 6B ?? 
0A 3 83 E9 30 }\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0 $si1 = ""VirtualAlloc"" fullword\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0 $ss1 = ""AUTO"" fullword\n\xa0\xa0\xa0 condition:\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0 (uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and (uint16(uint32(0x3C)+0x18) == 0x010B) and all of them\n}, rule FDFWJTORFQVNXQHFAH\n{\n\xa0\xa0\xa0 meta:\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0 author = ""Mandiant""\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0 description = ""Detecting packer or cert.""\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0 md5 = ""939ab3c9a4f8eab524053e5c98d39ec9""\n\xa0\xa0\xa0 strings:\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0 $cert = ""FDFWJTORFQVNXQHFAH""\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0 $s1 = ""VLstuTmAlanc""\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0 $s2 = { 54 68 F5 73 20 70 00 00 00 00 00 00 00 BE 66 67 72 BD 68 20 63 BD 69 6E 6F C0 1F 62 65 EC 72 75 6E FC 6D 6E 20 50 46 53 20 B9 66\n64 65 }\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0 $s3 = ""ViGuua!Gre""\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0 $s4 = ""6seaIdFiYdA""\n\xa0\xa0\xa0 condition:\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0 (uint16(0) == 0x5A4D) and filesize < 2MB and ( $cert or 2 of ($s*) )\n}",unc2596,,,,,TRUE,Exploit Vulnerability,"COLDDRAW, NetSupport, Cobalt Strike BEACON, PsExec, RDP, PowerShell, WICKER, BUGHATCH, BURNTCIGAR, WEDGECUT, NetSupport RAT, TERMITE","Government and Defense Agencies, Energy and Utilities, Non-Governmental Organizations (NGOs) and Nonprofits, Healthcare, Critical Infrastructure",,, 2022-02-23,The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2022/2022.02.23.Bvp47/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf,RSA,,,,equation group,US,"Espionage, Sabotage and destruction, Information theft and espionage",2001,"AR, AT, BD, BE, CL, CN, DE, DK, DZ, EG, ES, GA, GB, IN, IT, JO, JP, KE, KR, LK, MX, NI, NL, NO, PK, RO, RU, US, ZA",,Covert Channels,"Bvp47, dewdrops, solutionchar_agents, tipoffs, StoicSurgeon, insision",Corporations and 
Businesses,,, 2022-02-24,Fortinet_Nobelium-Returns(02-24-2022),Nobelium Returns to the Political World Stage,https://app.box.com/s/grtbac6jg31vc1dkogzj6ahzd886luay,Fortinet,,"T1612:N/A, T1140:Deobfuscate/Decode Files or Information, T1204:User Execution, T1071:Standard Application Layer Protocol, T1059:Command-Line Interface, T1566:N/A, T1027:Obfuscated Files or Information, T1496:Resource Hijacking",,apt29,RU,"Espionage, Information theft and espionage",2008,PT,FALSE,"Spear Phishing, Malicious Documents","Cobalt Strike, HTML Smuggling",Government and Defense Agencies,,, 2022-02-24,Mandiant_Telegram-Malware-Iranian-Activity(02-24-2022),Telegram Malware Spotted in Latest Iranian Cyber Espionage Activity,https://app.box.com/s/faiqlsm5s7q931y1j2kgi1mlmxjfwd70,Mandiant,,"T1560:N/A, T1547:N/A, T1572:N/A, T1033:System Owner/User Discovery, T1204:User Execution, T1059:Command-Line Interface, T1021:Remote Services, T1018:Remote System Discovery, T1219:Remote Access Tools, T1569:N/A, T1543:N/A, T1071:Standard Application Layer Protocol, T1587:N/A, T1566:N/A, T1053:Scheduled Task, T1046:Network Service Scanning, T1105:Remote File Copy, T1588:N/A, T1110:Brute Force, T1047:Windows Management Instrumentation, T1102:Web Service, T1003:Credential Dumping","rule M_Hunting_Backdoor_STARWHALE_GO_1 {\n meta:\n author = ""Mandiant""\n description = ""Detects strings for STARWHALE.GO""\nstrings:\n \n $main1 = ""main.findExecutable"" ascii\n \n $main2 = ""main.showMatrixElements"" ascii\n \n $delim = ""|&&%&&|"" ascii\n \n $matrix = ""MATRIX1*MATRIX2"" ascii\n \n $sample = ""1522526f4260f4653664276774"" ascii\ncondition:\n \n uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and filesize < 15MB and 4 of them\n}, rule M_Hunting_Backdoor_STARWHALE_1\n{\n meta:\n author = ""Mandiant""\n description = ""Detects strings for STARWHALE samples""\n md5 = "" cb84c6b5816504c993c33360aeec4705""\n rev = 1\n strings:\n $s1 = ""JSCript"" ascii nocase wide\n $s2 = ""VBSCript"" ascii nocase 
wide\n $s3 = ""WScript.Shell"" ascii nocase wide\n $s4 = ""ok"" ascii nocase wide\n $s5 = ""no"" ascii nocase wide\n $s6 = ""stari.txt"" ascii nocase wide\n $s7 = ""SoRRy"" ascii wide\n $s8 = ""EMIP"" ascii wide\n $s9 = ""NIp"" ascii wide\n $s10 = ""401"" ascii wide\n $s11 = ""_!#"" ascii wide\n $s12 = ""/!&^^&!/"" ascii wide\n $s13 = ""|!)!)!|"" ascii wide\n $s14 = ""|#@*@#|"" ascii wide\n $s15 = ""/!*##*!/"" ascii wide\n $s16 = ""sory"" ascii nocase wide\n condition:\n filesize > 5KB and filesize < 5MB and 10 of ($s*)\n}",muddywater,IR,"Espionage, Information theft and espionage",2017,,FALSE,Spear Phishing,", CRACKMAPEXEC, GRAMDOOR, STARWHALE, STARWHALE.GO, ScreenConnect","Government and Defense Agencies, Energy and Utilities, Financial Institutions",,, 2022-02-24,PaloAltoNetworks_SockDetour-Fileless-Socketless-Backdoor(02-24-2022),SockDetour Backdoor Targets U.S. Defense Contractors,https://app.box.com/s/sp477maf6mq20whuv6gk4pr3us0xas7c,Palo Alto,"CVE-2021-28799, CVE-2021-40539, CVE-2021-44077",,"rule apt_win_sockdetour\n{\nmeta:\nauthor = ""Unit 42 - PaloAltoNetworks""\ndate = ""2022-01-23""\ndescription = ""Detects SockDetour in memory or in PE format""\nhash01 = ""0b2b9a2ac4bff81847b332af18a8e0705075166a137ab248e4d9b5cbd8b960df""\n \nstrings:\n$public_key =\n""MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDWD9BUhQQZkagIIHsCdn/wtRNXcYoEi3Z4PhZkH3mar20EONVyXWP/YUxyUmxD\n$json_name_sequence = {61 70 70 00 61 72 67 73 00 00 00 00 73 6F 63 6B 00 00 00 00 6B 65 79 00 61 72 67 73 00 00}\n$verification_bytes = {88 4 A0 4 90 4 82 4 FD 4 F5 4 FB 4 EF}\n$data_block = {08 4 1C 4 C1 4 78 4 D4 4 13 4 3A 4 D7 4 0F 4 AB 4 B3 4 A2 4 B8 4 AE 4 63 4 BB 4 03 4 E8 4 FF 4 3\n$initial_vector = {62 4 76 4 79 4 69 4 61 4 66 4 73 4 7A 4 6D 4 6B 4 6A 4 73 4 6D 4 71 4 67 4 6C}\n \ncondition:\nany of them\n}",,,,,,FALSE,Exploit Vulnerability,"SockDetour, QLocker, Cortex XDR, WildFire","Corporations and Businesses, Healthcare, Energy and Utilities, Education and Research Institutions, Financial 
Institutions, Government and Defense Agencies",2021-07-27,2022-02-15,203.0 2022-02-24,Symantec_Ukraine-Disk-wiping-Russian-Invasion(02-24-2022),Ukraine: Disk-wiping Attacks Precede Russian Invasion,https://app.box.com/s/0rgnnq0iav3fb7nrpfutf3pynwbpqsv2,Symantec,,,,,,,,"LT, UA",,Exploit Vulnerability,"SMB, Microsoft Exchange Server, Web shell, Tomcat, PowerShell, PostgreSQL, Trojan.KillDisk, Ransomware (client.exe, cdir.exe, cname.exe, connh.exe, intpub.exe), EaseUS Partition Master","Financial Institutions, Government and Defense Agencies, Corporations and Businesses",2021-11-12,2022-02-24,104.0 2022-02-24,CISA_AA22-055A_Iranian_Government-Sponsored_Actors_Conduct_Cyber_Operations(02-24-2022),Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks,https://app.box.com/s/653jbuah6rtf91u8v6sz330fka14gy8z,CISA,"CVE-2020-0688, CVE-2020-1472","T1560:N/A, T1547:N/A, T1572:N/A, T1559:N/A, T1132:Data Encoding, T1589:N/A, T1204:User Execution, T1033:System Owner/User Discovery, T1082:System Information Discovery, T1090:Connection Proxy, T1203:Exploitation for Client Execution, T1059:Command-Line Interface, T1027:Obfuscated Files or Information, TA0005:Defense Evasion, T1016:System Network Configuration Discovery, T1219:Remote Access Tools, T1583:N/A, T1137:Office Application Startup, T1552:N/A, T1480:Execution Guardrails, T1555:N/A, T1518:N/A, T1218:Signed Binary Proxy Execution, T1087:Account Discovery, T1071:Standard Application Layer Protocol, T1001:Data Obfuscation, T1566:N/A, T1574:N/A, TA0010:Exfiltration, T1053:Scheduled Task, T1005:Data from Local System, T1083:File and Directory Discovery, T1036:Masquerading, TA0003:Persistence, T1140:Deobfuscate/Decode Files or Information, T1562:N/A, T1104:Multi-Stage Channels, T1548:N/A, T1049:System Network Connections Discovery, T1041:Exfiltration Over Command and Control Channel, T1105:Remote File Copy, T1588:N/A, T1047:Windows Management Instrumentation, T1102:Web 
Service, T1057:Process Discovery, T1003:Credential Dumping, T1113:Screen Capture, TA0035:N/A",,muddywater,IR,"Espionage, Information theft and espionage",2017,,FALSE,"Spear Phishing, Exploit Vulnerability, Malicious Documents","PowGoop, Small Sieve, Canopy/Starwhale, Mori, POWERSTATS","Government and Defense Agencies, Corporations and Businesses",,, 2022-02-25,Breaking news! Warning about 'HermeticWiper Malware' by Russian APT Groups,,https://dgc.org/en/hermeticwiper-malware/,Deutsche Gesellschaft für Cybersicherheit,,,,,,,,UA,,"Spear Phishing, Malicious Documents","MSI script, NSIS installer, UltraVNC",,,, 2022-02-26,Infographic APTs in South America,,https://www.atomicmatryoshka.com/post/infographic-apts-in-south-america,Atomic Matryoshka,,,,,,,,,FALSE,,,,,, 2022-03-01,Proofpoint_Asylum-Ambuscade-Ukrainian-Military-Emails-Target-European(03-01-2022),Asylum Ambuscade: State Actor Uses Compromised Private Ukrainian Military Emails to Target European Governments and Refugee Movement,https://app.box.com/s/u534ihlwhaxv8k1wke1aos1d4cqwui2f,Proofpoint,,,"rule WindowsInstaller_Silent_InstallProduct_MacroMethod\n{\n meta:\n author = ""Proofpoint Threat Research""\n date = ""20210728""\n hash = ""1561ece482c78a2d587b66c8eaf211e806ff438e506fcef8f14ae367db82d9b3;\na8fd0a5de66fa39056c0ddf2ec74ccd38b2ede147afa602aba00a3f0b55a88e0""\n reference = ""This signature has not been quality controlled in a production\nenvironment. 
Analysts believe that this method is utilized by multiple threat actors in the\nwild""\n \n strings:\n $doc_header = {D0 CF 11 E0 A1 B1 1A E1}\n $s1 = "".UILevel = 2""\n $s2 = ""CreateObject(\\""WindowsInstaller.Installer\\"")""\n $s3 = "".InstallProduct \\""http""\n \ncondition:\n $doc_header at 0 and all of ($s*)\n}",ghostwriter,BY,,,,,"Spear Phishing, Malicious Documents, Social Engineering","Macro Enabled Documents, GoPhish, MSI Packages, Lua Based Malware, WiX 3.11.0.1528, SunSeed",Government and Defense Agencies,,, 2022-03-01,Targeted APT Activity BABYSHARK Is Out for Blood,,https://www.huntress.com/blog/targeted-apt-activity-babyshark-is-out-for-blood,Huntress Labs,,T1035:Service Execution,,,,,,,FALSE,"Spear Phishing, Malicious Documents",BABYSHARK,Education and Research Institutions,2021-03-09,2022-02-16,344.0 2022-03-01,ESET_IsaacWiper-HermeticWizard-targeting-Ukraine(03-01-2022),IsaacWiper and HermeticWizard: New wiper and worm targeting Ukraine,https://app.box.com/s/5ieu30a7o5c6pxdqxiok5jl7mg1yeiea,ESET,,"T1485:Data Destruction, T1078:Valid Accounts, T1106:Execution through API, T1569:N/A, T1588:N/A, T1047:Windows Management Instrumentation, T1059:Command-Line Interface, T1561:N/A, T1021:Remote Services, T1499:Endpoint Denial of Service, T1018:Remote System Discovery",,,,,,UA,FALSE,Credential Reuse,"HermeticWiper, IsaacWiper, HermeticWizard, Win32/KillDisk.NCV, Win32/GenCBL.BSP, WinGo/Filecoder.BK, Win32/KillMBR.NHP, Win32/KillMBR.NHQ, Win32/RiskWare.RemoteAdmin.RemoteExec.AC, Impacket, RemCom",,2022-02-23,2022-02-26,3.0 2022-03-02,RecordedFuture_mtp-2022-0302(03-02-2022),HermeticWiper and PartyTicket Targeting Computers in Ukraine,https://app.box.com/s/t5hdmw12wxi1vi0nwnvz4tv8zeh1quc8,RecordedFuture,,,,sandworm,RU,"Espionage, Sabotage and destruction",2015,UA,,Exploit Vulnerability,"HermeticWiper, PartyTicket, WhisperGate, NotPetya",,2021-12-23,2022-02-24,63.0 
2022-03-03,Ahnlab_Malicious-Hangul-disguised-pressreleases-presidential-election(03-03-2022),Distribution of malicious Hangul documents disguised as press releases for the 20th presidential election,https://app.box.com/s/6xy2tbwriztdpy8frdkjknwvfta61n2z,AhnLab,,,,,,,,,,"Spear Phishing, Malicious Documents",MDP.Powershell.M4208,"Government and Defense Agencies, Media and Entertainment Companies",,, 2022-03-07,"The Good, the Bad, and the Web Bug_ TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates _ Proofpoint US",,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2022/2022.03.07.TA416/The%20Good%2C%20the%20Bad%2C%20and%20the%20Web%20Bug_%20TA416%20Increases%20Operational%20Tempo%20Against%20European%20Governments%20as%20Conflict%20in%20Ukraine%20Escalates%20_%20Proofpoint%20US.pdf,Proofpoint,,,,ta416,,Information theft and espionage,2020,,,Spear Phishing,"Trident Loader PlugX, PotPlayer (used in DLL Search Order Hijacking), SMTP2Go (used for impersonation)",Government and Defense Agencies,,, 2022-03-09,Lab52_Lazyscripters-double-compromise-single-obfuscation(03-09-2022),Very very lazy Lazyscripter's scripts: double compromise in a single obfuscation,https://app.box.com/s/3rr58tcaqth9rn1ege689pq4f94zjsgx,Lab52,,,,lazyscripter,,,,,,"Spear Phishing, Malicious Documents, Watering Hole","njRAT, H-Worm, Houdini",Non-Governmental Organizations (NGOs) and Nonprofits,,, 2022-03-12,"Iranian APT New Methods to Target Turkey, Arabian Peninsula",,https://www.govinfosecurity.com/iranian-apt-new-methods-to-target-turkey-arabian-peninsula-a-18706,GovInfo Security,,,,muddywater,IR,"Espionage, Information theft and espionage",2017,"AE, AM, IQ, PK, SA, TR",FALSE,Malicious Documents,"SloughRAT, Canopy, Connectwise Remote Access client","Manufacturing, Healthcare, Government and Defense Agencies",,, 2022-03-15,Sentinelone_UAC-0056-Targeting-Ukraine-Fake-Translation-Software(03-15-2022),Threat Actor UAC-0056 
Targeting Ukraine with Fake Translation Software,https://app.box.com/s/howogtsvvmqdljp5y4iupj6udhr970mv,SentinelOne,,,,uac-0056,RU,Information theft and espionage,2021,UA,,,"Cobalt Strike, GrimPlant, GraphSteel",Government and Defense Agencies,2021-12-15,2022-02-11,58.0 2022-03-17,Appendix_Cyclops Blink Sets Sights on ASUS Routers,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2022/2022.03.17.Cyclops_Blink_Voodoo_Bear/Appendix_Cyclops%20Blink%20Sets%20Sights%20on%20ASUS%20Routers.pdf,Trend Micro,,,,,,,,"CA, CY, DE, FR, GR, IT, MA, SA, SV, US",,,,,,, 2022-03-17,Cyclops Blink Sets Sights on Asus Routers,,https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2022/2022.03.17.Cyclops_Blink_Voodoo_Bear/Cyclops%20Blink%20Sets%20Sights%20on%20Asus%20Routers.pdf,Trend Micro,,,,sandworm,RU,"Espionage, Sabotage and destruction",2015,"CA, IN, IT, RU, US",,Credential Reuse,"Cyclops Blink, VPNFilter","Corporations and Businesses, Manufacturing, Individuals",,, 2022-03-17,Suspected DarkHotel APT activity update,,https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/suspected-darkhotel-apt-activity-update.html,Trellix,,"T1012:Query Registry, T1064:Scripting, T1204:User Execution, T1106:Execution through API, T1071:Standard Application Layer Protocol, T1070:Indicator Removal on Host, T1059:Command-Line Interface, T1566:N/A, T1053:Scheduled Task",,darkhotel,KR,"Espionage, Information theft and espionage",2007,,,"Spear Phishing, Malicious Documents","PowerShell, Mailman, RDN/Generic Downloader.x, BehavesLike.OLE2.Downloader.cg",Corporations and Businesses,,, 2022-03-21,TheDFIRReport_APT35-Automates-Initial-Access-Using-ProxyShell(03-21-2022),APT35 Automates Initial Access Using ProxyShell,https://app.box.com/s/effdjg8nuddhq3e9ooywuesizw5b0e3w,TheDFIRreport,"CVE-2021-31207, CVE-2021-34473, CVE-2021-34523","T1505:N/A, T1078:Valid Accounts, T1033:System Owner/User Discovery, T1082:System Information Discovery, 
T1105:Remote File Copy, T1543:N/A, T1059:Command-Line Interface, T1190:Exploit Public-Facing Application, T1003:Credential Dumping, T1098:Account Manipulation, T1036:Masquerading, T1016:System Network Configuration Discovery","rule files_dhvqx { \n meta: \n description = ""9893_files - file dhvqx.aspx"" \n author = ""TheDFIRReport"" \n reference = ""https://thedfirreport.com/2022/03/21/apt35-automates-initial-\naccess-using-proxyshell/"" \n date = ""2022-03-21"" \n hash1 = ""c5aae30675cc1fd83fd25330cec245af744b878a8f86626d98b8e7fcd3e970f8""\n strings: \n $s1 = ""eval(Request\exec_code\,\unsafe\);Response.End;"" fullword ascii \n $s2 = ""6