aka: G0089
Cylance has determined that Operation Shaheen was an espionage campaign executed over the course of the last year. It was a targeted campaign which appeared to focus on individuals and organizations in Pakistan, specifically the government and the military. Cylance’s window into this campaign, though significant, is not all-encompassing. Indeed, our research revealed evidence that The White Company conducted extensive prior reconnaissance of its targets, and continues to operate largely unnoticed by the security community.
In collaboration with QGroup GmbH, SentinelLabs is monitoring a threat activity we track as WIP26. The threat actor behind WIP26 has been targeting telecommunication providers in the Middle East. WIP26 is characterized by the abuse of public Cloud infrastructure – Microsoft 365 Mail, Microsoft Azure, Google Firebase, and Dropbox – for malware delivery, data exfiltration, and C2 purposes. The WIP26 activity is initiated by precision targeting of employees through WhatsApp messages that contain Dropbox links to a malware loader. Tricking employees into downloading and executing the loader ultimately leads to the deployment of backdoors that leverage Microsoft 365 Mail and Google Firebase instances as C2 servers. We refer to these backdoors as CMD365 and CMDEmber, respectively. The main functionality of CMD365 and CMDEmber is to execute attacker-provided system commands using the Windows command interpreter.
aka: White Dev 21, G0090
The DFIR (Digital Forensics and Incident Response) team of S2 Grupo first identified this actor in August 2018, and since then the follow-up has been carried out during the last few months. This group attacks the Middle East and does not use very sophisticated mechanisms, at least in the campaign started in August 2018 which was monitored. It is considered unsophisticated because the scripts are unobfuscated, communications go unencrypted over HTTP, they use PowerShell (increasingly monitored), and so on. Despite this apparently unsophisticated modus operandi compared to other actors, they manage to infect their victims and carry out their objectives. In addition, as will be seen during the report, the detection rate of some of the scripts in December 2018 by the main antivirus manufacturers is low, an aspect that must be highlighted. We must be aware that once these scripts are executed, the behavior analysis of many solutions will detect them, but this fact has not been studied by LAB52. In all the artifacts analyzed, this actor shows its victims a decoy document in Arabic with different themes.
These are reported APT activities attributed to a country, but not to an individual threat group.
This actor may be related to Iridium. (AdvIntel) “Achilles” is an English-speaking threat actor primarily operating on various English-language underground hacking forums as well as through secure messengers. Achilles specializes in obtaining access to high-value corporate internal networks. On May 4, 2019, Achilles claimed to have access to the UNICEF network as well as the networks of several high-profile corporate entities. They were able to provide evidence of their presence within the UNICEF network and two private sector companies. It is noteworthy that they provided access to networks at a relatively low price range of $5,000 USD to $2,000 USD. The majority of Achilles' offers are related to breaches into multinational corporate networks via external VPN and compromised RDP. Targets include private companies and government organizations, primarily in the British Commonwealth. Achilles has been particularly active on forums through the last seven months, with rising spikes in activity in Fall 2018 and Spring 2019.
Cyber criminals utilized Avalanche botnet infrastructure to host and distribute a variety of malware variants to victims, including the targeting of over 40 major financial institutions. Victims may have had their sensitive personal information stolen (e.g., user account credentials). Victims’ compromised systems may also have been used to conduct other malicious activity, such as launching denial-of-service (DoS) attacks or distributing malware variants to other victims’ computers. In addition, Avalanche infrastructure was used to run money mule schemes where criminals recruited people to commit fraud involving transporting and laundering stolen money or merchandise. Avalanche used fast-flux DNS, a technique to hide the criminal servers behind a constantly changing network of compromised systems acting as proxies. Avalanche has been observed to distribute GozNym (operated by Bamboo Spider, TA544) and much of the malware from TA505, Graceful Spider, Gold Evergreen.
Circles is a surveillance firm that reportedly exploits weaknesses in the global mobile phone system to snoop on calls, texts, and the location of phones around the globe. Circles is affiliated with NSO Group, which develops the oft-abused Pegasus spyware. Circles, whose products work without hacking the phone itself, says they sell only to nation-states. According to leaked documents, Circles customers can purchase a system that they connect to their local telecommunications companies’ infrastructure, or can use a separate system called the “Circles Cloud,” which interconnects with telecommunications companies around the world. According to the U.S. Department of Homeland Security, all U.S. wireless networks are vulnerable to the types of weaknesses reportedly exploited by Circles. A majority of networks around the globe are similarly vulnerable. Using Internet scanning, we found a unique signature associated with the hostnames of Check Point firewalls used in Circles deployments. This scanning enabled us to identify Circles deployments in at least 25 countries. While companies selling exploitation of the global cellular system tend to operate in secrecy, one company has emerged as a known player: Circles. The company was reportedly founded in 2008, acquired in 2014 by Francisco Partners, and then merged with NSO Group. Circles is known for selling systems to exploit SS7 vulnerabilities, and claims to sell this technology exclusively to nation-states.
Group-IB first learned of the Cron malware gang in March 2015, when the criminal gang was distributing the Cron Bot malware disguised as Viber and Google Play apps. The Cron malware gang abused the popularity of SMS-banking services and distributed the malware onto victims' Android devices by setting up apps designed to mimic banks' official apps. The gang even inserted the malware into fake mobile apps for popular pornography websites, such as PornHub. After targeting customers of the Bank in Russia, where they were living, the Cron gang planned to expand its operation by targeting customers of banks in various countries, including the US, the UK, Germany, France, Turkey, Singapore, and Australia. In June 2016, the gang rented a piece of malware called 'Tiny.z' for $2,000 per month, designed to attack customers of Russian banks as well as international banks in Britain, Germany, France, the United States and Turkey, among other countries.
aka: Handala, Handala Group
A group calling itself “Handala Hack Team” has claimed responsibility for recent cyber attacks. They present themselves as a newly formed pro-Palestinian activist group, yet their identity behind the social media profiles remains uncertain. Handala Hack has set up various social media accounts, including on Telegram, Tox, Twitter, and BreachForums, and has also launched their own website, which is currently incomplete. As they reported the attacks in real-time, they also mocked the Israel National Cyber Directorate (INCD). Their website’s purpose is still unclear, but it may be intended for publicizing information about hacked targets.
The Infraud Organization ran an online forum dedicated to criminal activity that federal prosecutors claim had more than 10,000 members in March 2017. The site used the slogan 'In Fraud We Trust,' according to the Justice Department. The gang that operated Infraud engaged in a variety of identity theft and financial fraud from October 2010 to February 2018, prosecutors say. It's believed to be responsible for the sale or purchase of over 4 million compromised payment card numbers during that time, according to the court filing. The aim of the organization was to develop the 'premier online destination for the purchase and sale of stolen property and other contraband' that also serves as the source of other contraband vendors, according to the Justice Department. The gang used advertising to direct web traffic from its website to other automated sites that were owned or operated by its members, helping other cybercriminals traffic in point-of-sale malware, banking Trojans, stolen payment card details and counterfeit identification, prosecutors say.
aka: G0124
This document details a large and sophisticated operation, code named “Windigo”, in which a malicious group has compromised thousands of Linux and Unix servers. The compromised servers are used to steal SSH credentials, redirect web visitors to malicious content and send spam. This operation has been ongoing since at least 2011 and has affected high profile servers and companies, including cPanel – the company behind the famous web hosting control panel – and the Linux Foundation’s kernel.org – the main repository of source code for the Linux kernel. However, this operation is not about stealing company resources or altering Linux’s source code, as we will unveil throughout the report. The complexity of the backdoors deployed by the malicious actors shows out-of-the-ordinary knowledge of operating systems and programming. Additionally, extra care was given to ensure portability, meaning the various pieces of malware will run on a wide range of server operating systems, and to do so in an extremely stealthy fashion. The Windigo operation does not leverage any new vulnerability against Linux or Unix systems. Known systemic weaknesses were exploited by the malicious actors in order to build and maintain their botnet.
PhishLabs is monitoring a threat actor group that has set up fraudulent hosting companies with leased IP space from a legitimate reseller. They are using this infrastructure for bulletproof hosting services as well as to carry out their own phishing attacks. The group, which is based in Indonesia, has been dubbed Planetary Reef. Planetary Reef is most notable in how they host phishing sites. While traditional methods of distributing phishing attacks rely on compromised websites or, increasingly, free domains, Planetary Reef is leasing their IP space from a large reseller. Using this space, the group has created an array of seemingly legitimate hosting companies that they promote through social media.
Check Point Mobile Threat Prevention has detected a new, unknown mobile malware that targeted two customer Android devices belonging to employees at a large financial services institution. Mobile Threat Prevention identified the threat automatically by detecting exploitation attempts while examining the malware in the MTP emulators. The infection was remediated after the system notified the devices' owners and the system administrators. The infection vector was a drive-by download attack, and Check Point's ThreatCloud indicates some adult content sites served the malicious payload. Called HummingBad, this malware establishes a persistent rootkit with the objective of generating fraudulent ad revenue for its perpetrator, similar to the Brain Test app discovered by Check Point earlier this year. In addition, HummingBad installs fraudulent apps to increase the revenue stream for the fraudster.
aka: Flyfox
A threat actor mentioned in a summary report only, so we don't know who they are yet.
aka: Kumsong121
A threat actor mentioned in a summary report only, so we don't know who they are yet.
aka: HolyWater
Not much is known about this actor yet.
aka: Poisonous Panda
A threat actor mentioned in a summary report only, so we don't know who they are yet.