SYMBOLCOMMON_NAMEaka. SYNONYMS

CHRYSENE  (Back to overview)

aka: OilRig, Greenbug

Adversaries abusing ICS (based on Dragos Inc adversary list). This threat actor targets organizations involved in oil, gas, and electricity production, primarily in the Gulf region, for espionage purposes. According to one cybersecurity company, the threat actor “compromises a target machine and passes it off to another threat actor for further exploitation.”


Associated Families
apk.spynote ps1.bondupdater ps1.oilrig win.google_drive_rat win.jason win.saitama win.sidetwist win.pupy asp.twoface win.oopsie win.alma_communicator win.ismagent win.ismdoor win.rdat win.zerocleare

References
2022-07-18Palo Alto Networks Unit 42Unit 42
@online{42:20220718:evasive:ccfb062, author = {Unit 42}, title = {{Evasive Serpens}}, date = {2022-07-18}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/atoms/evasive-serpens/}, language = {English}, urldate = {2022-07-29} } Evasive Serpens
TwoFace ISMAgent ISMDoor OopsIE RDAT OilRig
2022-06-24XJuniorMohamed Ashraf
@online{ashraf:20220624:apt34:92c90d5, author = {Mohamed Ashraf}, title = {{APT34 - Saitama Agent}}, date = {2022-06-24}, organization = {XJunior}, url = {https://x-junior.github.io/malware%20analysis/2022/06/24/Apt34.html}, language = {English}, urldate = {2022-07-01} } APT34 - Saitama Agent
Saitama Backdoor
2022-06-20Infinitum ITinfinitum IT
@online{it:20220620:charming:b356ff2, author = {infinitum IT}, title = {{Charming Kitten (APT35)}}, date = {2022-06-20}, organization = {Infinitum IT}, url = {https://www.infinitumit.com.tr/apt-35/}, language = {Turkish}, urldate = {2022-06-22} } Charming Kitten (APT35)
LaZagne DownPaper MimiKatz pupy
2022-06-15VolexitySteven Adair, Thomas Lancaster, Volexity Threat Research
@online{adair:20220615:driftingcloud:58322a8, author = {Steven Adair and Thomas Lancaster and Volexity Threat Research}, title = {{DriftingCloud: Zero-Day Sophos Firewall Exploitation and an Insidious Breach}}, date = {2022-06-15}, organization = {Volexity}, url = {https://www.volexity.com/blog/2022/06/15/driftingcloud-zero-day-sophos-firewall-exploitation-and-an-insidious-breach/}, language = {English}, urldate = {2022-06-17} } DriftingCloud: Zero-Day Sophos Firewall Exploitation and an Insidious Breach
pupy Sliver
2022-06-13SANS ISCRenato Marinho
@online{marinho:20220613:translating:633e46a, author = {Renato Marinho}, title = {{Translating Saitama's DNS tunneling messages}}, date = {2022-06-13}, organization = {SANS ISC}, url = {https://isc.sans.edu/diary/Translating+Saitama%27s+DNS+tunneling+messages/28738}, language = {English}, urldate = {2022-06-16} } Translating Saitama's DNS tunneling messages
Saitama Backdoor
2022-05-23Trend MicroDaniel Lunghi, Jaromír Hořejší
@techreport{lunghi:20220523:operation:e3c402b, author = {Daniel Lunghi and Jaromír Hořejší}, title = {{Operation Earth Berberoka}}, date = {2022-05-23}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-berberoka.pdf}, language = {English}, urldate = {2022-07-25} } Operation Earth Berberoka
reptile oRAT Ghost RAT PlugX pupy Earth Berberoka
2022-05-11FortinetFred Gutierrez
@online{gutierrez:20220511:please:f67f45c, author = {Fred Gutierrez}, title = {{Please Confirm You Received Our APT}}, date = {2022-05-11}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/please-confirm-you-received-our-apt}, language = {English}, urldate = {2022-05-17} } Please Confirm You Received Our APT
Saitama Backdoor
2022-05-10Malwarebytes LabsThreat Intelligence Team
@online{team:20220510:apt34:b733b84, author = {Threat Intelligence Team}, title = {{APT34 targets Jordan Government using new Saitama backdoor}}, date = {2022-05-10}, organization = {Malwarebytes Labs}, url = {https://blog.malwarebytes.com/threat-intelligence/2022/05/apt34-targets-jordan-government-using-new-saitama-backdoor/}, language = {English}, urldate = {2022-05-13} } APT34 targets Jordan Government using new Saitama backdoor
Saitama Backdoor
2022-04-28FortinetGergely Revay
@online{revay:20220428:overview:0ac963f, author = {Gergely Revay}, title = {{An Overview of the Increasing Wiper Malware Threat}}, date = {2022-04-28}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat}, language = {English}, urldate = {2022-04-29} } An Overview of the Increasing Wiper Malware Threat
AcidRain CaddyWiper DistTrack DoubleZero EternalPetya HermeticWiper IsaacWiper Olympic Destroyer Ordinypt WhisperGate ZeroCleare
2022-04-27TrendmicroTrendmicro
@online{trendmicro:20220427:iocs:b6d7ab5, author = {Trendmicro}, title = {{IOCs for Earth Berberoka - Linux}}, date = {2022-04-27}, organization = {Trendmicro}, url = {https://documents.trendmicro.com/assets/txt/earth-berberoka-linux-iocs-2.txt}, language = {English}, urldate = {2022-07-25} } IOCs for Earth Berberoka - Linux
Rekoobe pupy Earth Berberoka
2022-03-30Recorded FutureInsikt Group
@techreport{group:20220330:social:e36c4e5, author = {Insikt Group}, title = {{Social Engineering Remains Key Tradecraft for Iranian APTs}}, date = {2022-03-30}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2022-0330.pdf}, language = {English}, urldate = {2022-04-05} } Social Engineering Remains Key Tradecraft for Iranian APTs
Liderc pupy
2021-12-14Recorded FutureInsikt Group®
@online{group:20211214:full:5bf0cac, author = {Insikt Group®}, title = {{Full Spectrum Detections for 5 Popular Web Shells: Alfa, SharPyShell, Krypton, ASPXSpy, and TWOFACE}}, date = {2021-12-14}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/full-spectrum-detections-five-popular-web-shells/}, language = {English}, urldate = {2022-01-24} } Full Spectrum Detections for 5 Popular Web Shells: Alfa, SharPyShell, Krypton, ASPXSpy, and TWOFACE
TwoFace
2021-09-21civilsphereprojectcivilsphereproject
@online{civilsphereproject:20210921:capturing:60e5728, author = {civilsphereproject}, title = {{Capturing and Detecting AndroidTester Remote Access Trojan with the Emergency VPN}}, date = {2021-09-21}, organization = {civilsphereproject}, url = {https://www.civilsphereproject.org/blog/2021/9/21/capturing-and-detecting-androidtester-remote-access-trojan-with-the-emergency-vpn}, language = {English}, urldate = {2021-09-22} } Capturing and Detecting AndroidTester Remote Access Trojan with the Emergency VPN
SpyNote
2021-04-21FacebookMike Dvilyanski, David Agranovich
@online{dvilyanski:20210421:taking:23e0fb2, author = {Mike Dvilyanski and David Agranovich}, title = {{Taking Action Against Hackers in Palestine}}, date = {2021-04-21}, organization = {Facebook}, url = {https://about.fb.com/news/2021/04/taking-action-against-hackers-in-palestine/}, language = {English}, urldate = {2021-04-28} } Taking Action Against Hackers in Palestine
SpyNote Houdini NjRAT
2021-04-08CheckpointCheck Point Research
@online{research:20210408:irans:127f349, author = {Check Point Research}, title = {{Iran’s APT34 Returns with an Updated Arsenal}}, date = {2021-04-08}, organization = {Checkpoint}, url = {https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/}, language = {English}, urldate = {2021-04-09} } Iran’s APT34 Returns with an Updated Arsenal
DNSpionage SideTwist TONEDEAF
2021-02-28PWC UKPWC UK
@techreport{uk:20210228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2021-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-04} } Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare BRONZE EDGEWOOD
2021-02-18PTSecurityPTSecurity
@online{ptsecurity:20210218:httpswwwptsecuritycomwwenanalyticsantisandboxtechniques:d616c1f, author = {PTSecurity}, title = {{https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/}}, date = {2021-02-18}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/}, language = {English}, urldate = {2021-02-25} } https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/
Poet RAT Gravity RAT Ketrican Okrum OopsIE Remcos RogueRobinNET RokRAT SmokeLoader
2020-12-10Intel 471Intel 471
@online{471:20201210:no:9fd2ae1, author = {Intel 471}, title = {{No pandas, just people: The current state of China’s cybercrime underground}}, date = {2020-12-10}, organization = {Intel 471}, url = {https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/}, language = {English}, urldate = {2020-12-10} } No pandas, just people: The current state of China’s cybercrime underground
Anubis SpyNote AsyncRAT Cobalt Strike Ghost RAT NjRAT
2020-12-01QianxinQi Anxin Threat Intelligence Center
@online{center:20201201:blade:1b3519c, author = {Qi Anxin Threat Intelligence Center}, title = {{Blade Eagle Group - Targeted attack group activities circling the Middle East and West Asia's cyberspace revealed}}, date = {2020-12-01}, organization = {Qianxin}, url = {https://ti.qianxin.com/blog/articles/Blade-hawk-The-activities-of-targeted-the-Middle-East-and-West-Asia-are-exposed/}, language = {English}, urldate = {2022-04-15} } Blade Eagle Group - Targeted attack group activities circling the Middle East and West Asia's cyberspace revealed
SpyNote BladeHawk
2020-11-27PTSecurityDenis Goydenko, Alexey Vishnyakov
@online{goydenko:20201127:investigation:7d12cee, author = {Denis Goydenko and Alexey Vishnyakov}, title = {{Investigation with a twist: an accidental APT attack and averted data destruction}}, date = {2020-11-27}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/}, language = {English}, urldate = {2020-12-01} } Investigation with a twist: an accidental APT attack and averted data destruction
TwoFace CHINACHOPPER HyperBro MegaCortex MimiKatz
2020-09-25Emanuele De Lucia
@online{lucia:20200925:vs:5b8c949, author = {Emanuele De Lucia}, title = {{APT vs Internet Service Providers}}, date = {2020-09-25}, url = {https://drive.google.com/file/d/1oA4YSwXLxEF-EXJcrM76Bc4_7ZfBGYE4/view}, language = {English}, urldate = {2020-10-02} } APT vs Internet Service Providers
TwoFace RGDoor
2020-09-15CrowdStrikeCrowdStrike Overwatch Team
@techreport{team:20200915:nowhere:284220e, author = {CrowdStrike Overwatch Team}, title = {{Nowhere to Hide - 2020 Threat Hunting Report}}, date = {2020-09-15}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020OverWatchNowheretoHide.pdf}, language = {English}, urldate = {2020-09-21} } Nowhere to Hide - 2020 Threat Hunting Report
NedDnLoader RDAT TRACER KITTEN
2020-07-22ThreatpostTara Seals
@online{seals:20200722:oilrig:a81ae8d, author = {Tara Seals}, title = {{OilRig APT Drills into Malware Innovation with Unique Backdoor}}, date = {2020-07-22}, organization = {Threatpost}, url = {https://threatpost.com/oilrig-apt-unique-backdoor/157646/}, language = {English}, urldate = {2020-07-23} } OilRig APT Drills into Malware Innovation with Unique Backdoor
OilRig
2020-07-22Palo Alto Networks Unit 42Robert Falcone
@online{falcone:20200722:oilrig:4c26a7f, author = {Robert Falcone}, title = {{OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory}}, date = {2020-07-22}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/}, language = {English}, urldate = {2020-07-23} } OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory
RDAT OilRig
2020-07-15RelativityBartlomiej Czyż
@online{czy:20200715:indepth:9a7c4dd, author = {Bartlomiej Czyż}, title = {{An in-depth analysis of SpyNote remote access trojan}}, date = {2020-07-15}, organization = {Relativity}, url = {https://bulldogjob.pl/articles/1200-an-in-depth-analysis-of-spynote-remote-access-trojan}, language = {English}, urldate = {2020-11-06} } An in-depth analysis of SpyNote remote access trojan
SpyNote
2020-06-18Australian Cyber Security CentreAustralian Cyber Security Centre (ACSC)
@techreport{acsc:20200618:advisory:ed0f53c, author = {Australian Cyber Security Centre (ACSC)}, title = {{Advisory 2020-008: Copy-Paste Compromises –tactics, techniques and procedures used to target multiple Australian networks}}, date = {2020-06-18}, institution = {Australian Cyber Security Centre}, url = {https://www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises.pdf}, language = {English}, urldate = {2020-06-19} } Advisory 2020-008: Copy-Paste Compromises –tactics, techniques and procedures used to target multiple Australian networks
TwoFace Cobalt Strike Empire Downloader
2020-05-19SymantecCritical Attack Discovery and Intelligence Team
@online{team:20200519:sophisticated:023b1bd, author = {Critical Attack Discovery and Intelligence Team}, title = {{Sophisticated Espionage Group Turns Attention to Telecom Providers in South Asia}}, date = {2020-05-19}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia}, language = {English}, urldate = {2020-05-20} } Sophisticated Espionage Group Turns Attention to Telecom Providers in South Asia
ISMAgent ISMDoor
2020-03-31VolexityVolexity Threat Research
@online{research:20200331:storm:b491e72, author = {Volexity Threat Research}, title = {{Storm Cloud Unleashed: Tibetan Focus of Highly Targeted Fake Flash Campaign}}, date = {2020-03-31}, organization = {Volexity}, url = {https://www.volexity.com/blog/2020/03/31/storm-cloud-unleashed-tibetan-community-focus-of-highly-targeted-fake-flash-campaign/}, language = {English}, urldate = {2020-04-07} } Storm Cloud Unleashed: Tibetan Focus of Highly Targeted Fake Flash Campaign
SpyNote Stitch Godlike12
2020-03-03PWC UKPWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019:A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare Axiom
2020-02-13QianxinQi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls VPNFilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2020-01-23Recorded FutureInsikt Group
@techreport{group:20200123:european:c3ca9e3, author = {Insikt Group}, title = {{European Energy Sector Organization Targeted by PupyRAT Malware in Late 2019}}, date = {2020-01-23}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2020-0123.pdf}, language = {English}, urldate = {2020-01-27} } European Energy Sector Organization Targeted by PupyRAT Malware in Late 2019
pupy pupy pupy
2020-01FireEyeTom Hall, Mitchell Clarke, Mandiant
@techreport{hall:202001:mandiant:25e38ef, author = {Tom Hall and Mitchell Clarke and Mandiant}, title = {{Mandiant IR Grab Bag of Attacker Activity}}, date = {2020-01}, institution = {FireEye}, url = {https://web.archive.org/web/20200307113010/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947864.pdf}, language = {English}, urldate = {2021-04-16} } Mandiant IR Grab Bag of Attacker Activity
TwoFace CHINACHOPPER HyperBro HyperSSL
2020SecureworksSecureWorks
@online{secureworks:2020:cobalt:ce31320, author = {SecureWorks}, title = {{COBALT GYPSY}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/cobalt-gypsy}, language = {English}, urldate = {2020-05-23} } COBALT GYPSY
TwoFace MacDownloader BONDUPDATER pupy Helminth jason RGDoor TinyZbot OilRig
2019-12-09IBM SecurityIBM IRIS
@online{iris:20191209:new:cc73a24, author = {IBM IRIS}, title = {{New Destructive Wiper “ZeroCleare” Targets Energy Sector in the Middle East}}, date = {2019-12-09}, organization = {IBM Security}, url = {https://www.ibm.com/downloads/cas/OAJ4VZNJ}, language = {English}, urldate = {2020-01-09} } New Destructive Wiper “ZeroCleare” Targets Energy Sector in the Middle East
ZeroCleare
2019-11-19FireEyeKelli Vanderlee, Nalani Fraser
@techreport{vanderlee:20191119:achievement:6be19eb, author = {Kelli Vanderlee and Nalani Fraser}, title = {{Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions}}, date = {2019-11-19}, institution = {FireEye}, url = {https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf}, language = {English}, urldate = {2021-03-02} } Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions
MESSAGETAP TSCookie ACEHASH CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT HIGHNOON HTran MimiKatz NetWire RC poisonplug Poison Ivy pupy Quasar RAT ZXShell
2019-11-09NSFOCUSMina Hao
@online{hao:20191109:apt34:550c673, author = {Mina Hao}, title = {{APT34 Event Analysis Report}}, date = {2019-11-09}, organization = {NSFOCUS}, url = {https://nsfocusglobal.com/apt34-event-analysis-report/}, language = {English}, urldate = {2020-03-09} } APT34 Event Analysis Report
BONDUPDATER DNSpionage
2019-09-18IronNetJonathan Lepore
@online{lepore:20190918:chirp:44c11e9, author = {Jonathan Lepore}, title = {{Chirp of the PoisonFrog}}, date = {2019-09-18}, organization = {IronNet}, url = {https://ironnet.com/blog/chirp-of-the-poisonfrog/}, language = {English}, urldate = {2020-01-09} } Chirp of the PoisonFrog
BONDUPDATER
2019-08-22CywareCyware
@online{cyware:20190822:apt34:3439fde, author = {Cyware}, title = {{APT34: The Helix Kitten Cybercriminal Group Loves to Meow Middle Eastern and International Organizations}}, date = {2019-08-22}, organization = {Cyware}, url = {https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae}, language = {English}, urldate = {2021-06-29} } APT34: The Helix Kitten Cybercriminal Group Loves to Meow Middle Eastern and International Organizations
TwoFace BONDUPDATER POWRUNER QUADAGENT Helminth ISMAgent Karkoff LONGWATCH OopsIE PICKPOCKET RGDoor VALUEVAULT
2019-08-22Github (n1nj4sec)n1nj4sec
@online{n1nj4sec:20190822:pupy:a822ccd, author = {n1nj4sec}, title = {{Pupy RAT}}, date = {2019-08-22}, organization = {Github (n1nj4sec)}, url = {https://github.com/n1nj4sec/pupy}, language = {English}, urldate = {2020-01-07} } Pupy RAT
pupy pupy pupy
2019-07-08SANSJosh M. Bryant, Robert Falcone
@techreport{bryant:20190708:hunting:7ce53d5, author = {Josh M. Bryant and Robert Falcone}, title = {{Hunting Webshells: Tracking TwoFace}}, date = {2019-07-08}, institution = {SANS}, url = {https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1536345486.pdf}, language = {English}, urldate = {2020-01-09} } Hunting Webshells: Tracking TwoFace
TwoFace
2019-06-06Marco Ramilli
@online{ramilli:20190606:apt34:e2dbe80, author = {Marco Ramilli}, title = {{APT34: Jason project}}, date = {2019-06-06}, url = {https://marcoramilli.com/2019/06/06/apt34-jason-project/}, language = {English}, urldate = {2020-01-07} } APT34: Jason project
jason
2019-06-03Twitter (@P3pperP0tts)Pepper Potts
@online{potts:20190603:apt34:d5442c2, author = {Pepper Potts}, title = {{Tweet on APT34}}, date = {2019-06-03}, organization = {Twitter (@P3pperP0tts)}, url = {https://twitter.com/P3pperP0tts/status/1135503765287657472}, language = {English}, urldate = {2020-01-13} } Tweet on APT34
jason
2019-05-02Marco Ramilli's BlogMarco Ramilli
@online{ramilli:20190502:apt34:06f5d53, author = {Marco Ramilli}, title = {{APT34: Glimpse project}}, date = {2019-05-02}, organization = {Marco Ramilli's Blog}, url = {https://marcoramilli.com/2019/05/02/apt34-glimpse-project/}, language = {English}, urldate = {2020-01-13} } APT34: Glimpse project
BONDUPDATER
2019-04-30ClearSkyClearSky Cyber Security
@online{security:20190430:raw:327940f, author = {ClearSky Cyber Security}, title = {{Raw Threat Intelligence 2019-04-30: Oilrig data dump link analysis}}, date = {2019-04-30}, organization = {ClearSky}, url = {https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.hcd1wvpsrgfr}, language = {English}, urldate = {2019-10-23} } Raw Threat Intelligence 2019-04-30: Oilrig data dump link analysis
SpyNote OopsIE
2019-04-30Palo Alto Networks Unit 42Bryan Lee, Robert Falcone
@online{lee:20190430:behind:01b3010, author = {Bryan Lee and Robert Falcone}, title = {{Behind the Scenes with OilRig}}, date = {2019-04-30}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/behind-the-scenes-with-oilrig/}, language = {English}, urldate = {2020-01-06} } Behind the Scenes with OilRig
BONDUPDATER
2019-04-19Mediumx0rz
@online{x0rz:20190419:hacking:682f038, author = {x0rz}, title = {{Hacking (Back) and Influence Operations}}, date = {2019-04-19}, organization = {Medium}, url = {https://blog.0day.rocks/hacking-back-and-influence-operations-85cd52c1e933}, language = {English}, urldate = {2020-01-13} } Hacking (Back) and Influence Operations
BONDUPDATER
2019-04-16Robert Falcone
@online{falcone:20190416:dns:fed953e, author = {Robert Falcone}, title = {{DNS Tunneling in the Wild: Overview of OilRig’s DNS Tunneling}}, date = {2019-04-16}, url = {https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/}, language = {English}, urldate = {2019-12-03} } DNS Tunneling in the Wild: Overview of OilRig’s DNS Tunneling
BONDUPDATER QUADAGENT Alma Communicator Helminth ISMAgent
2019-03-27SymantecSecurity Response Attack Investigation Team
@online{team:20190327:elfin:836cc39, author = {Security Response Attack Investigation Team}, title = {{Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.}}, date = {2019-03-27}, organization = {Symantec}, url = {https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage}, language = {English}, urldate = {2020-01-06} } Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.
DarkComet Nanocore RAT pupy Quasar RAT Remcos TURNEDUP APT33
2019-03-27SymantecCritical Attack Discovery and Intelligence Team
@online{team:20190327:elfin:d90a330, author = {Critical Attack Discovery and Intelligence Team}, title = {{Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.}}, date = {2019-03-27}, organization = {Symantec}, url = {https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage}, language = {English}, urldate = {2020-04-21} } Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.
DarkComet MimiKatz Nanocore RAT NetWire RC pupy Quasar RAT Remcos StoneDrill TURNEDUP APT33
2019-02-13Youtube (SANS Digital Forensics & Incident Response)Josh Bryant, Robert Falcone
@online{bryant:20190213:hunting:8c671bf, author = {Josh Bryant and Robert Falcone}, title = {{Hunting Webshells: Tracking TwoFace - SANS Threat Hunting Summit 2018}}, date = {2019-02-13}, organization = {Youtube (SANS Digital Forensics & Incident Response)}, url = {https://www.youtube.com/watch?v=GjquFKa4afU}, language = {English}, urldate = {2020-01-13} } Hunting Webshells: Tracking TwoFace - SANS Threat Hunting Summit 2018
TwoFace
2019Council on Foreign RelationsCyber Operations Tracker
@online{tracker:2019:chrysene:73db459, author = {Cyber Operations Tracker}, title = {{Chrysene}}, date = {2019}, organization = {Council on Foreign Relations}, url = {https://www.cfr.org/interactive/cyber-operations/chrysene}, language = {English}, urldate = {2019-12-20} } Chrysene
CHRYSENE
2019DragosDragos
@online{dragos:2019:adversary:0237a20, author = {Dragos}, title = {{Adversary Reports}}, date = {2019}, organization = {Dragos}, url = {https://dragos.com/adversaries.html}, language = {English}, urldate = {2020-01-10} } Adversary Reports
ALLANITE CHRYSENE DYMALLOY ELECTRUM Lazarus Group MAGNALLIUM XENOTIME
2018-12-21FireEyeGeoff Ackerman, Rick Cole, Andrew Thompson, Alex Orleans, Nick Carr
@online{ackerman:20181221:overruled:74ac7b4, author = {Geoff Ackerman and Rick Cole and Andrew Thompson and Alex Orleans and Nick Carr}, title = {{OVERRULED: Containing a Potentially Destructive Adversary}}, date = {2018-12-21}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html}, language = {English}, urldate = {2019-12-20} } OVERRULED: Containing a Potentially Destructive Adversary
POWERTON PoshC2 pupy
2018-12-17Twitter (@MJDutch)Justin
@online{justin:20181217:apt39:6e13cad, author = {Justin}, title = {{Tweet on APT39}}, date = {2018-12-17}, organization = {Twitter (@MJDutch)}, url = {https://twitter.com/MJDutch/status/1074820959784321026?s=19}, language = {English}, urldate = {2020-01-08} } Tweet on APT39
OilRig
2018-09-14NetScoutASERT Team
@online{team:20180914:tunneling:c41e0f2, author = {ASERT Team}, title = {{Tunneling Under the Sands}}, date = {2018-09-14}, organization = {NetScout}, url = {https://www.netscout.com/blog/asert/tunneling-under-sands}, language = {English}, urldate = {2020-01-13} } Tunneling Under the Sands
BONDUPDATER
2018-09-12Palo Alto Networks Unit 42Kyle Wilhoit, Robert Falcone
@online{wilhoit:20180912:oilrig:5c64e44, author = {Kyle Wilhoit and Robert Falcone}, title = {{OilRig Uses Updated BONDUPDATER to Target Middle Eastern Government}}, date = {2018-09-12}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-uses-updated-bondupdater-target-middle-eastern-government/}, language = {English}, urldate = {2019-12-20} } OilRig Uses Updated BONDUPDATER to Target Middle Eastern Government
BONDUPDATER
2018-07-07Youtube (SteelCon)Dan Caban, Muks Hirani
@online{caban:20180707:youve:b02f5ff, author = {Dan Caban and Muks Hirani}, title = {{You’ve Got Mail!}}, date = {2018-07-07}, organization = {Youtube (SteelCon)}, url = {https://www.youtube.com/watch?time_continue=1333&v=1CGAmjAV8nI}, language = {English}, urldate = {2020-01-08} } You’ve Got Mail!
TwoFace
2018-04-20Booz Allen HamiltonJay Novak, Matthew Pennington
@online{novak:20180420:researchers:6764b0e, author = {Jay Novak and Matthew Pennington}, title = {{Researchers Discover New variants of APT34 Malware}}, date = {2018-04-20}, organization = {Booz Allen Hamilton}, url = {https://www.boozallen.com/s/insight/blog/dark-labs-discovers-apt34-malware-variants.html?cid=spo-csatb-2}, language = {English}, urldate = {2020-01-06} } Researchers Discover New variants of APT34 Malware
BONDUPDATER POWRUNER
2018-03-25Vitali Kremez BlogVitali Kremez
@online{kremez:20180325:lets:070366d, author = {Vitali Kremez}, title = {{Let's Learn: Internals of Iranian-Based Threat Group "Chafer" Malware: Autoit and PowerShell Persistence}}, date = {2018-03-25}, organization = {Vitali Kremez Blog}, url = {https://www.vkremez.com/2018/03/investigating-iranian-threat-group.html}, language = {English}, urldate = {2019-10-13} } Let's Learn: Internals of Iranian-Based Threat Group "Chafer" Malware: Autoit and PowerShell Persistence
OilRig
2018-03NyotronNYOTRON ATTACK RESPONSE CENTER
@techreport{center:201803:oilrig:b3c95ff, author = {NYOTRON ATTACK RESPONSE CENTER}, title = {{OilRig is Back with Next-Generation Tools and Techniques}}, date = {2018-03}, institution = {Nyotron}, url = {https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018b.pdf}, language = {English}, urldate = {2019-10-13} } OilRig is Back with Next-Generation Tools and Techniques
GoogleDrive RAT
2018-03-01DragosDragos
@techreport{dragos:20180301:industrial:6e4e898, author = {Dragos}, title = {{INDUSTRIAL CONTROL SYSTEM THREATS}}, date = {2018-03-01}, institution = {Dragos}, url = {https://dragos.com/media/2017-Review-Industrial-Control-System-Threats.pdf}, language = {English}, urldate = {2020-01-08} } INDUSTRIAL CONTROL SYSTEM THREATS
CHRYSENE DYMALLOY ELECTRUM Lazarus Group MAGNALLIUM
2018-02-23Palo Alto Networks Unit 42Bryan Lee, Robert Falcone
@online{lee:20180223:oopsie:f09d30f, author = {Bryan Lee and Robert Falcone}, title = {{OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan}}, date = {2018-02-23}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/02/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/}, language = {English}, urldate = {2019-12-20} } OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan
OopsIE
2017-12-11Palo Alto Networks Unit 42Robert Falcone
@online{falcone:20171211:oilrig:8d7f26f, author = {Robert Falcone}, title = {{OilRig Performs Tests on the TwoFace Webshell}}, date = {2017-12-11}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-oilrig-performs-tests-twoface-webshell/}, language = {English}, urldate = {2020-01-10} } OilRig Performs Tests on the TwoFace Webshell
TwoFace
2017-11-08Palo Alto Networks Unit 42Robert Falcone
@online{falcone:20171108:oilrig:a8a3089, author = {Robert Falcone}, title = {{OilRig Deploys “ALMA Communicator” – DNS Tunneling Trojan}}, date = {2017-11-08}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/11/unit42-oilrig-deploys-alma-communicator-dns-tunneling-trojan/}, language = {English}, urldate = {2019-12-20} } OilRig Deploys “ALMA Communicator” – DNS Tunneling Trojan
Alma Communicator
2017-10-24ClearSkyClearSky Research Team
@online{team:20171024:iranian:f9fddd8, author = {ClearSky Research Team}, title = {{Iranian Threat Agent Greenbug Impersonates Israeli High-Tech and Cyber Security Companies}}, date = {2017-10-24}, organization = {ClearSky}, url = {http://www.clearskysec.com/greenbug/}, language = {English}, urldate = {2020-01-13} } Iranian Threat Agent Greenbug Impersonates Israeli High-Tech and Cyber Security Companies
ISMDoor
2017-08-28ClearSkyClearSky Research Team
@online{team:20170828:recent:fab1e53, author = {ClearSky Research Team}, title = {{Recent ISMAgent Samples and Infrastructure by Iranian Threat Group GreenBug}}, date = {2017-08-28}, organization = {ClearSky}, url = {http://www.clearskysec.com/ismagent/}, language = {English}, urldate = {2019-12-19} } Recent ISMAgent Samples and Infrastructure by Iranian Threat Group GreenBug
ISMAgent
2017-07-31Palo Alto Networks Unit 42Robert Falcone, Bryan Lee
@online{falcone:20170731:twoface:8fe5f2d, author = {Robert Falcone and Bryan Lee}, title = {{TwoFace Webshell: Persistent Access Point for Lateral Movement}}, date = {2017-07-31}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-twoface-webshell-persistent-access-point-lateral-movement/}, language = {English}, urldate = {2020-01-07} } TwoFace Webshell: Persistent Access Point for Lateral Movement
TwoFace OilRig
2017-02-16SecurityAffairsPierluigi Paganini
@online{paganini:20170216:iranian:917f46c, author = {Pierluigi Paganini}, title = {{Iranian hackers behind the Magic Hound campaign linked to Shamoon}}, date = {2017-02-16}, organization = {SecurityAffairs}, url = {https://securityaffairs.co/wordpress/56348/intelligence/magic-hound-campaign.html}, language = {English}, urldate = {2022-07-29} } Iranian hackers behind the Magic Hound campaign linked to Shamoon
pupy APT35
2017-02-15Palo Alto Networks Unit 42Bryan Lee, Robert Falcone
@online{lee:20170215:magic:e0b1b72, author = {Bryan Lee and Robert Falcone}, title = {{Magic Hound Campaign Attacks Saudi Targets}}, date = {2017-02-15}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/}, language = {English}, urldate = {2019-09-22} } Magic Hound Campaign Attacks Saudi Targets
Leash MPKBot pupy Rocket Kitten
2017-02-15SecureworksSecureWorks' Counter Threat Unit Research Team
@online{team:20170215:iranian:004ec5a, author = {SecureWorks' Counter Threat Unit Research Team}, title = {{Iranian PupyRAT Bites Middle Eastern Organizations}}, date = {2017-02-15}, organization = {Secureworks}, url = {https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations}, language = {English}, urldate = {2019-10-23} } Iranian PupyRAT Bites Middle Eastern Organizations
pupy Cleaver
2017-02-10JPCERT/CCShusei Tomonaga
@online{tomonaga:20170210:malware:4f2c9aa, author = {Shusei Tomonaga}, title = {{Malware that infects using PowerSploit}}, date = {2017-02-10}, organization = {JPCERT/CC}, url = {https://blog.cyber4sight.com/2017/02/malicious-powershell-script-analysis-indicates-shamoon-actors-used-pupy-rat/}, language = {Japanese}, urldate = {2020-01-08} } Malware that infects using PowerSploit
pupy
2017-01-23SymantecSymantec Security Response
@online{response:20170123:greenbug:a118a76, author = {Symantec Security Response}, title = {{Greenbug cyberespionage group targeting Middle East, possible links to Shamoon}}, date = {2017-01-23}, organization = {Symantec}, url = {https://web.archive.org/web/20190331181353/https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon}, language = {English}, urldate = {2020-04-21} } Greenbug cyberespionage group targeting Middle East, possible links to Shamoon
DistTrack ISMDoor Greenbug
2017-01-23SymantecSymantec Security Response
@online{response:20170123:greenbug:96eab4c, author = {Symantec Security Response}, title = {{Greenbug cyberespionage group targeting Middle East, possible links to Shamoon}}, date = {2017-01-23}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon}, language = {English}, urldate = {2020-01-13} } Greenbug cyberespionage group targeting Middle East, possible links to Shamoon
DistTrack ISMDoor Greenbug
2015-09-17F-SecureF-Secure Global
@online{global:20150917:dukes:5dc47f5, author = {F-Secure Global}, title = {{The Dukes: 7 Years Of Russian Cyber-Espionage}}, date = {2015-09-17}, organization = {F-Secure}, url = {https://www.zdnet.com/article/source-code-of-iranian-cyber-espionage-tools-leaked-on-telegram/}, language = {English}, urldate = {2020-01-09} } The Dukes: 7 Years Of Russian Cyber-Espionage
TwoFace BONDUPDATER DNSpionage

Credits: MISP Project