
Commit 562fa6b

committed
5 more apts
1 parent fe2b32d commit 562fa6b


5 files changed

+316
-0
lines changed


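--- a/app/Modules/Apts/Magic_Hound.py
+++ b/app/Modules/Apts/Magic_Hound.py
@@ -0,0 +1,74 @@
+def get_content():
+return {
+"id": "G0059",
+"url_id": "Magic_Hound",
+"title": "Magic Hound",
+"tags": ["Iranian-sponsored", "cyber espionage", "long-term operations"],
+"description": "Magic Hound is an Iranian-sponsored threat group likely aligned with the Islamic Revolutionary Guard Corps. It has conducted sophisticated cyber espionage operations since at least 2014, targeting government, military, academic, and health organizations, including the WHO. The group is known for complex social engineering and spearphishing campaigns.",
+"associated_groups": [
+"TA453", "COBALT ILLUSION", "Charming Kitten", "ITG18",
+"Phosphorus", "Newscaster", "APT35", "Mint Sandstorm"
+],
+"campaigns": [],
+"techniques": [
+"T1087.003", "T1098.002", "T1098.007", "T1583.001", "T1583.006", "T1595.002",
+"T1071", "T1071.001", "T1560.001", "T1547.001", "T1059.001", "T1059.003",
+"T1059.005", "T1586.002", "T1584.001", "T1136.001", "T1486", "T1005", "T1482",
+"T1189", "T1114", "T1114.001", "T1114.002", "T1573", "T1585.001", "T1585.002",
+"T1567", "T1190", "T1083", "T1592.002", "T1589", "T1589.001", "T1589.002",
+"T1590.005", "T1591.001", "T1564.003", "T1562", "T1562.001", "T1562.002",
+"T1562.004", "T1070.003", "T1070.004", "T1105", "T1056.001", "T1570", "T1036.004",
+"T1036.005", "T1036.010", "T1112", "T1046", "T1571", "T1027.010", "T1027.013",
+"T1588.002", "T1003.001", "T1566.002", "T1566.003", "T1598.003", "T1057", "T1572",
+"T1090", "T1021.001", "T1018", "T1053.005", "T1113", "T1505.003", "T1218.011",
+"T1082", "T1016", "T1016.001", "T1016.002", "T1049", "T1033", "T1204.001",
+"T1204.002", "T1078.001", "T1078.002", "T1102.002", "T1047"
+],
+"contributors": ["Anastasios Pingios", "Bryan Lee", "Daniyal Naeem, BT Security"],
+"version": "6.1",
+"created": "16 January 2018",
+"last_modified": "17 November 2024",
+"navigator": "", # Can be filled with a URL if a navigator layer is available
+"references": [
+{"source": "MITRE ATT&CK", "url": "https://attack.mitre.org/groups/G0059/"},
+{"source": "Check Point", "url": "https://research.checkpoint.com"},
+{"source": "MSTIC", "url": "https://www.microsoft.com/security/blog"}
+],
+"resources": [
+"https://attack.mitre.org/groups/G0059/",
+"https://www.clearskysec.com/charming-kitten/",
+"https://www.secureworks.com/research/threat-profiles/cobalt-illusion"
+],
+"remediation": "Implement application whitelisting, monitor and restrict use of PowerShell, deploy endpoint detection and response (EDR) tools, and segment networks to minimize lateral movement.",
+"improvements": "Enhance phishing detection, improve mail filtering, educate users on social engineering risks, and implement behavioral monitoring on endpoints.",
+"hunt_steps": [
+"Look for PowerShell scripts with base64-encoded commands",
+"Monitor for usage of rundll32 with comsvcs.dll",
+"Identify anomalous mailbox export requests in Exchange logs",
+"Inspect creation of local accounts like 'DefaultAccount' or 'help'"
+],
+"expected_outcomes": [
+"Detection of unauthorized mailbox access",
+"Identification of suspicious PowerShell activity",
+"Discovery of adversary-created user accounts",
+"Alerts on potential C2 traffic over non-standard ports"
+],
+"false_positive": "Legitimate admin tools (e.g., PowerShell, RDP) may resemble adversary use. Validate against expected behavior and timing patterns.",
+"clearing_steps": [
+"Disable and remove unauthorized user accounts",
+"Restore firewall rules to default",
+"Re-enable and configure LSA protection",
+"Audit and clean Exchange mailbox export history"
+],
+"ioc": {
+"sha256": [],
+"md5": [],
+"ip": [],
+"domain": [],
+"resources": [
+"https://www.mandiant.com/resources/m-trends-2018",
+"https://www.clearskysec.com/the-kittens-are-back-in-town/",
+"https://www.microsoft.com/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity"
+]
+}
+}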
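Review bot: Two of the three `references` entries (Check Point at `https://research.checkpoint.com`, MSTIC at `https://www.microsoft.com/security/blog`) point at site landing pages rather than the specific reports that support the description, so a reader cannot verify the attribution or the technique list from this record; replace them with the actual report URLs or move them to `resources`. `get_content` also has no docstring, and the same gap exists in Malteiro.py, Metador.py, Moafee.py and menuPass.py; I would add `"""Return the Magic Hound (G0059) threat-group profile as a dict."""` (adjusted per file) so the module's contract with whatever loads these `Apts` modules is stated in the code. The `created`/`last_modified` values are free-form strings ("16 January 2018"); if any consumer sorts or compares these, ISO 8601 would be safer, though I cannot see the loader from here.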

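--- a/app/Modules/Apts/Malteiro.py
+++ b/app/Modules/Apts/Malteiro.py
@@ -0,0 +1,59 @@
+def get_content():
+return {
+"id": "G1026",
+"url_id": "Malteiro",
+"title": "Malteiro",
+"tags": ["financially motivated", "Latin America", "MaaS", "banking trojan"],
+"description": "Malteiro is a financially motivated criminal group, believed to be based in Brazil, and has been active since at least November 2019. The group operates the Mispadu banking trojan under a Malware-as-a-Service model, primarily targeting victims in Latin America—especially Mexico—and Europe, notably Spain and Portugal.",
+"associated_groups": [],
+"campaigns": [],
+"techniques": [
+"T1059.005", "T1555", "T1555.003", "T1140", "T1657", "T1027.013",
+"T1566.001", "T1055.001", "T1518.001", "T1082", "T1614.001", "T1204.002"
+],
+"contributors": ["Daniel Fernando Soriano Espinosa", "SCILabs"],
+"version": "1.0",
+"created": "13 March 2024",
+"last_modified": "29 March 2024",
+"navigator": "", # You may link to MITRE Navigator layer if available
+"references": [
+{"source": "SCILabs", "url": "https://scilabs.io/threat-profile-malteiro"},
+{"source": "SCILabs", "url": "https://scilabs.io/ursa-mispadu-overlap"}
+],
+"resources": [
+"https://attack.mitre.org/groups/G1026/",
+"https://scilabs.io/threat-profile-malteiro",
+"https://scilabs.io/ursa-mispadu-overlap"
+],
+"remediation": "Educate users about phishing risks, block execution of VBS scripts from email sources, monitor and restrict DLL injection, and implement mail and web content filtering to reduce malicious delivery vectors.",
+"improvements": "Deploy behavioral monitoring to detect process injection patterns, enhance email gateway inspection for encoded content, and implement endpoint protection to detect Mispadu’s known indicators.",
+"hunt_steps": [
+"Search for DLL injection behavior from unknown parent processes",
+"Monitor for encoded VBS execution patterns via Base64",
+"Review registry run key modifications linked to new persistence mechanisms",
+"Look for NirSoft utility executions (MailPassView, WebBrowserPassView)"
+],
+"expected_outcomes": [
+"Detection of credential harvesting via known NirSoft tools",
+"Identification of Mispadu-related persistence mechanisms",
+"Alerts on spearphishing attachments containing obfuscated content",
+"Recognition of language-based evasion behavior"
+],
+"false_positive": "Use of NirSoft tools in legitimate forensic settings may trigger alerts. Validate intent and user context before responding.",
+"clearing_steps": [
+"Remove any malicious registry entries created for persistence",
+"Clear temporary directories for potential dropper files",
+"Reset credentials stored in web browsers and mail clients",
+"Conduct full scan for injected DLLs and remove Mispadu binaries"
+],
+"ioc": {
+"sha256": [],
+"md5": [],
+"ip": [],
+"domain": [],
+"resources": [
+"https://scilabs.io/threat-profile-malteiro",
+"https://scilabs.io/ursa-mispadu-overlap"
+]
+}
+}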
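Review bot: The `hunt_steps` entry "Review registry run key modifications linked to new persistence mechanisms" and the `clearing_steps` entry about registry persistence have no counterpart in `techniques`, which lists no persistence technique (T1547.001 or similar is absent), so the record is internally inconsistent about whether Run-key persistence is attributed to this group. Either add the supporting technique ID from the cited SCILabs reports, or drop the registry steps; I would not guess the ID here. The trailing comment on the `navigator` line reads differently from the equivalent line in Magic_Hound.py and menuPass.py ("You may link to MITRE Navigator layer if available" vs "Can be filled with a URL …"); pick one wording for all `Apts` modules, e.g. `"navigator": "",  # optional: URL of an ATT&CK Navigator layer for this group`.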

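--- a/app/Modules/Apts/Metador.py
+++ b/app/Modules/Apts/Metador.py
@@ -0,0 +1,59 @@
+def get_content():
+return {
+"id": "G1013",
+"url_id": "Metador",
+"title": "Metador",
+"tags": ["espionage", "Middle East", "Africa", "telco", "stealth", "living-off-the-land"],
+"description": "Metador is a suspected cyber espionage group first reported in September 2022. It has primarily targeted telecommunications providers, ISPs, and universities in the Middle East and Africa. The name 'Metador' comes from the 'I am meta' string found in malware and anticipated Spanish-language responses from C2 servers. The group is known for advanced evasion tactics and long-term stealthy operations using custom malware like metaMain and Mafalda.",
+"associated_groups": [],
+"campaigns": [],
+"techniques": [
+"T1071.001", "T1059.003", "T1546.003", "T1070.004", "T1105", "T1095",
+"T1027.013", "T1588.001", "T1588.002"
+],
+"contributors": ["Massimiliano Romano, BT Security", "Sittikorn Sangrattanapitak"],
+"version": "1.1",
+"created": "25 January 2023",
+"last_modified": "11 April 2024",
+"navigator": "",
+"references": [
+{"source": "SentinelLabs", "url": "https://www.sentinelone.com/labs/the-mystery-of-metador/"},
+{"source": "SentinelLabs Technical Appendix", "url": "https://www.sentinelone.com/labs/metador-technical-appendix/"}
+],
+"resources": [
+"https://attack.mitre.org/groups/G1013/",
+"https://www.sentinelone.com/labs/the-mystery-of-metador/",
+"https://www.sentinelone.com/labs/metador-technical-appendix/"
+],
+"remediation": "Disable unnecessary WMI event subscriptions, monitor for Living-off-the-Land Binaries (LOLBins) like cdb.exe, and implement behavioral analysis to detect stealthy tool deployment. Enforce strict application allowlisting and deploy EDR solutions capable of detecting memory-based threats.",
+"improvements": "Enhance host logging to capture WMI subscription changes and event tracing. Correlate ingress tool transfer events with uncommon LOLBin execution. Improve detection of encrypted payloads being loaded into memory.",
+"hunt_steps": [
+"Look for execution of cdb.exe in non-debugging contexts",
+"Monitor for WMI event subscriptions linked to persistence",
+"Search for encrypted files or dropped binaries followed by deletion",
+"Correlate HTTP/TCP traffic with unknown malware samples named metaMain or Mafalda"
+],
+"expected_outcomes": [
+"Identification of stealthy C2 over TCP/HTTP",
+"Detection of metaMain and Mafalda execution artifacts",
+"Discovery of post-exploitation persistence via WMI subscriptions",
+"Visibility into data staging and exfiltration activity"
+],
+"false_positive": "Use of cdb.exe or WMI may occur in legitimate administrative or troubleshooting scenarios. Validation should consider context and behavioral chaining.",
+"clearing_steps": [
+"Delete WMI event subscriptions established by attacker malware",
+"Remove encrypted payloads and clean dropped tools (e.g., cdb.exe)",
+"Revoke any credentials or accounts accessed by Metador tools",
+"Conduct memory forensics to ensure no reflective code or hidden implants persist"
+],
+"ioc": {
+"sha256": [],
+"md5": [],
+"ip": [],
+"domain": [],
+"resources": [
+"https://www.sentinelone.com/labs/the-mystery-of-metador/",
+"https://www.sentinelone.com/labs/metador-technical-appendix/"
+]
+}
+}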
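Review bot: The `clearing_steps` entry "Remove encrypted payloads and clean dropped tools (e.g., cdb.exe)" contradicts the record's own `false_positive` and `remediation` text, which describe cdb.exe as a legitimate LOLBin that may be in use for administration or troubleshooting; an operator following the step literally would delete a signed Microsoft debugger rather than the attacker-staged copy. I would narrow it to `"Remove encrypted payloads and attacker-staged copies of LOLBins such as cdb.exe; leave OS-provided binaries in place"`. The `hunt_steps` entry "Correlate HTTP/TCP traffic with unknown malware samples named metaMain or Mafalda" is also hard to act on, since those names are family labels rather than something visible in traffic; anchoring the step on the process that originated the connection would make it testable.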

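--- a/app/Modules/Apts/Moafee.py
+++ b/app/Modules/Apts/Moafee.py
@@ -0,0 +1,55 @@
+def get_content():
+return {
+"id": "G0002",
+"url_id": "Moafee",
+"title": "Moafee",
+"tags": ["Chinese APT", "Guangdong", "DragonOK affiliation", "espionage"],
+"description": "Moafee is a suspected China-based cyber espionage group believed to operate from Guangdong Province. It has shown overlaps in tactics, techniques, and procedures with DragonOK, including the use of similar custom tools. Moafee’s known capabilities are limited but notable for their use of binary padding in malware obfuscation.",
+"associated_groups": ["DragonOK"],
+"campaigns": [],
+"techniques": [
+"T1027.001"
+],
+"contributors": [],
+"version": "1.1",
+"created": "31 May 2017",
+"last_modified": "16 April 2025",
+"navigator": "",
+"references": [
+{
+"source": "FireEye Blog",
+"url": "https://www.fireeye.com/blog/threat-research/2014/09/the-path-to-mass-producing-cyber-attacks.html"
+}
+],
+"resources": [
+"https://attack.mitre.org/groups/G0002/"
+],
+"remediation": "Identify and block executables exhibiting excessive binary padding. Employ antivirus and EDR tools capable of detecting obfuscation techniques. Review inbound malware for padding anomalies.",
+"improvements": "Enhance file scanning capabilities with entropy-based detection of padded binaries. Update YARA rules to catch binary obfuscation patterns common in Moafee campaigns.",
+"hunt_steps": [
+"Search for binary files with large blocks of null bytes or repeating patterns near the end of the file",
+"Check for known PoisonIvy indicators",
+"Monitor for execution of heavily padded binaries with low entropy",
+"Validate use of registry keys commonly modified by PoisonIvy"
+],
+"expected_outcomes": [
+"Detection of obfuscated malware samples using binary padding",
+"Correlation of activity with DragonOK-linked tools such as PoisonIvy",
+"Visibility into persistence mechanisms involving Registry Run keys"
+],
+"false_positive": "Some legitimate installers or applications may include padding for alignment or packaging purposes. Use contextual indicators to distinguish malicious binaries.",
+"clearing_steps": [
+"Remove PoisonIvy implants and registry persistence keys",
+"Clean up any suspicious executables using padding-based obfuscation",
+"Audit systems for rootkit artifacts and dynamic link library injections"
+],
+"ioc": {
+"sha256": [],
+"md5": [],
+"ip": [],
+"domain": [],
+"resources": [
+"https://www.fireeye.com/blog/threat-research/2014/09/the-path-to-mass-producing-cyber-attacks.html"
+]
+}
+}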
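Review bot: `techniques` holds a single entry, "T1027.001", yet `hunt_steps`, `expected_outcomes` and `clearing_steps` all describe PoisonIvy registry Run-key persistence, rootkit artifacts and DLL injection, none of which is represented by that ID; the record claims more behaviour than it attributes. Either the technique list should be extended from the cited FireEye report, or the PoisonIvy-specific steps belong with the DragonOK entry that `associated_groups` already points to — I cannot tell from this file which is intended, so the fix needs the source checked rather than an ID guessed. The hunt step "Check for known PoisonIvy indicators" is also not actionable as written while every `ioc` list is empty; if the indicators are not going to be populated, say where they come from, e.g. `"Check for known PoisonIvy indicators (see referenced FireEye report)"`.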

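--- a/app/Modules/Apts/menuPass.py
+++ b/app/Modules/Apts/menuPass.py
@@ -0,0 +1,69 @@
+def get_content():
+return {
+"id": "G0045",
+"url_id": "menuPass",
+"title": "menuPass",
+"tags": ["Chinese-state sponsored", "global espionage", "APT10", "MSS"],
+"description": "menuPass is a Chinese threat group active since at least 2006, known for its association with the Ministry of State Security (MSS) Tianjin State Security Bureau. The group has conducted cyber espionage against global targets across industries such as defense, healthcare, aerospace, energy, and education. It is particularly noted for extensive operations against Japanese organizations and global managed service providers (MSPs).",
+"associated_groups": [
+"Cicada", "POTASSIUM", "Stone Panda", "APT10",
+"Red Apollo", "CVNX", "HOGFISH", "BRONZE RIVERSIDE"
+],
+"campaigns": [],
+"techniques": [
+"T1087.002", "T1583.001", "T1560", "T1560.001", "T1119", "T1059.001", "T1059.003",
+"T1005", "T1039", "T1074.001", "T1074.002", "T1140", "T1568.001", "T1190", "T1210",
+"T1083", "T1574.001", "T1070.003", "T1070.004", "T1105", "T1056.001", "T1036",
+"T1036.003", "T1036.005", "T1106", "T1046", "T1027.013", "T1588.002", "T1003.002",
+"T1003.003", "T1003.004", "T1566.001", "T1055.012", "T1090.002", "T1021.001",
+"T1021.004", "T1018", "T1053.005", "T1553.002", "T1218.004", "T1016", "T1049",
+"T1199", "T1204.002", "T1078", "T1047"
+],
+"contributors": ["Edward Millington", "Michael Cox"],
+"version": "3.0",
+"created": "31 May 2017",
+"last_modified": "17 November 2024",
+"navigator": "", # Can be filled with a valid MITRE Navigator layer URL
+"references": [
+{"source": "MITRE ATT&CK", "url": "https://attack.mitre.org/groups/G0045/"},
+{"source": "USDC SDNY", "url": "https://www.justice.gov/opa/press-release/file/1116411/download"},
+{"source": "Operation Cloud Hopper", "url": "https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html"}
+],
+"resources": [
+"https://attack.mitre.org/groups/G0045/",
+"https://www.justice.gov/opa/pr/two-chinese-hackers-associated-ministry-state-security-charged-global-computer-intrusion",
+"https://www.pwc.co.uk/operation-cloud-hopper"
+],
+"remediation": "Enforce strong segmentation between MSP and client networks, monitor for suspicious use of PowerShell and certutil, restrict outbound DNS and HTTP traffic where not required, and deploy behavioral endpoint detection tools.",
+"improvements": "Enhance SOC visibility into scheduled task execution, process injection, and DLL sideloading behaviors. Enable script block logging and deep PowerShell logging. Detect abuse of signed tools (Living off the Land Binaries).",
+"hunt_steps": [
+"Search for certutil execution with base64 or decode arguments",
+"Identify suspicious scheduled tasks or use of atexec.py",
+"Review for DLL sideloading activity and renamed tools like InstallUtil",
+"Detect command execution from Office macros or .lnk files"
+],
+"expected_outcomes": [
+"Discovery of masqueraded and encoded dropper scripts",
+"Detection of credential dumping and NTDS staging",
+"Identification of lateral movement via RDP, PSCP, or WMI",
+"Alerting on PlugX, PoisonIvy, or RedLeaves malware artifacts"
+],
+"false_positive": "Legitimate administrative tools such as net use, csvde, or certutil may be used in valid workflows. Verify user intent and baseline behavior before taking action.",
+"clearing_steps": [
+"Remove scheduled tasks created by attackers",
+"Delete DLLs used in sideloading (e.g., renamed versions of certutil)",
+"Purge encoded scripts or macros from startup folders",
+"Revoke any compromised credentials and reset passwords"
+],
+"ioc": {
+"sha256": [],
+"md5": [],
+"ip": [],
+"domain": [],
+"resources": [
+"https://attack.mitre.org/groups/G0045/",
+"https://www.justice.gov/opa/press-release/file/1116411/download",
+"https://www.baesystems.com/en-media-centre/operation-cloud-hopper"
+]
+}
+}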
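Review bot: The Operation Cloud Hopper report is cited under two different PwC URLs — `https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html` in `references` and `https://www.pwc.co.uk/operation-cloud-hopper` in `resources` — so at least one of them is presumably not the real path and should be verified and deduplicated. The `clearing_steps` entry "Delete DLLs used in sideloading (e.g., renamed versions of certutil)" also mixes two behaviours: certutil is an executable the record elsewhere describes for decoding (`hunt_steps`) and masquerading, not a sideloaded DLL; I would change it to `"Delete DLLs used in sideloading and renamed copies of LOLBins such as certutil"`. The `hunt_steps` reference to "atexec.py" is a third-party tooling name rather than an observable, so naming the host artifact it produces (the scheduled task or service it creates) would make the step verifiable against logs.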
