Merge pull request #902 from Mathieu4141/threat-actors/97bd510f-7f92-…
…4d35-b389-3c269c47094b

[threat actors] Add 3 actors
adulau authored Dec 2, 2023
2 parents dbbb075 + 0391d3f commit 723c062
Showing 1 changed file with 37 additions and 0 deletions.
37 changes: 37 additions & 0 deletions clusters/threat-actor.json
Expand Up @@ -13602,6 +13602,43 @@
},
"uuid": "89f5a5cb-514f-46db-8959-6bb9aa991e9f",
"value": "WildPressure"
},
{
"description": "The TunnelSnake campaign demonstrates the activity of a sophisticated actor that invests significant resources in designing an evasive toolset and infiltrating networks of high-profile organizations. By leveraging Windows drivers, covert communications channels and proprietary malware, the group behind it maintains a considerable level of stealth. That said, some of its TTPs, like the usage of a commodity webshell and open-source legacy code for loading unsigned drivers, may get detected and in fact were flagged by Kaspersky's product, giving them visibility into the group’s operation.",
"meta": {
"country": "CN",
"refs": [
"https://www.redpacketsecurity.com/operation-tunnelsnake/",
"https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831/"
]
},
"uuid": "f0bb3d3a-c012-4d12-b621-51192977f190",
"value": "TunnelSnake"
},
{
"description": "ScamClub is a threat actor involved in malvertising activities since 2018. They target the Mobile Web market segment, particularly on iOS devices, where security software is often lacking. ScamClub utilizes obfuscation techniques and real-time bidding integration with ad exchanges to push malicious JavaScript payloads, leading to forced redirects and various scams such as phishing and gift card scams.",
"meta": {
"refs": [
"https://blog.confiant.com/exploring-scamclub-payloads-via-deobfuscation-using-abstract-syntax-trees-65ef7f412537",
"https://www.malwarebytes.com/blog/threat-intelligence/2023/11/associated-press-espn-cbs-among-top-sites-serving-fake-virus-alerts"
]
},
"uuid": "dae45b1c-f957-4242-aa5b-f36b08994bad",
"value": "ScamClub"
},
{
"description": "Daixin is a threat actor group that has been active since at least June 2022. They primarily target the healthcare and public health sector with ransomware attacks, stealing sensitive data and threatening to release it if a ransom is not paid. They have successfully targeted various industries, including healthcare, aerospace, automotive, and packaged foods. Daixin gains initial access through VPN servers and exploits vulnerabilities or uses phishing attacks to obtain credentials. They have been responsible for cyberattacks on organizations such as the North Texas Municipal Water District and TransForm Shared Service Org, impacting their networks and stealing customer and patient information.",
"meta": {
"refs": [
"https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-294a",
"https://www.mycert.org.my/portal/details?menu=431fab9c-d24c-4a27-ba93-e92edafdefa5&id=467c2374-9c18-4fb0-b5a7-155dfca4d611",
"https://www.databreaches.net/b-files-leaked/",
"https://titaniam.io/ransomware-prevention-daixin-team-ransomware-group/",
"https://www.databreaches.net/update-daixin-leaks-more-data-from-bluewater-health-and-other-hospitals-databases-yet-to-be-leaked/"
]
},
"uuid": "5e32baed-f4b5-4149-8540-7515ad8c4dc0",
"value": "Daixin Team"
}
],
"version": 295
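Review bot: the new Daixin entry's `value` is "Daixin Team" while its description calls the group "Daixin" throughout; threat-actor clusters in this galaxy carry alternate names in `meta.synonyms`, so adding `"synonyms": ["Daixin"]` would let lookups on either name resolve to the same UUID. Two smaller points in the same hunk: the TunnelSnake description keeps the source's vendor voice ("were flagged by Kaspersky's product, giving them visibility into the group's operation"), which reads oddly in a neutral cluster entry and could be restated as a plain detection observation; and its first ref (redpacketsecurity.com) looks like a repost of the securelist.com article listed directly after it, so the primary source alone would do. Finally, TunnelSnake is the only one of the three entries with a `"country": "CN"` field, and nothing in its description states that attribution; worth confirming it comes from the securelist report rather than the repost before merging.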
