cyber-research / aptmalware Goto Github PK

Two samples were incorrectly assigned to FancyBear (APT28), although they were attributed to CozyBear (APT29) according to the CrowdStrike article (see table below) that served as ground truth for the blog post referenced in the cyber-research dataset.

• 6c1bce76f4d2358656132b6b1d471571820688ccdbaca0d86d0ca082b9390536
• b101cd29e18a515753409ae86ce68a4cedbe0d640d385eb24b9bbb69cf8186ae

In fact, the blog post incorrectly lists CozyBear (APT29) as creator of all file hashes mentioned in the CrowdStrike article including the hash of the threat intelligence report itself (see image below), even though only two samples belong to CozyBear (APT29) and three to FancyBear (APT28).

The file hash of the threat intelligence report was erroneously included in the cyber-research dataset, presumably because the report was also uploaded to VirusTotal as a PDF, so it was probably assumed that it is a real malware sample (despite no AV labels it as malicious).

• 2d815b11f3b916bdc27b049402f5f1c024cffe2318a4f27ebfa3b8a9fffe2880

In the same blog post, nine more threat intelligence reports could be found, eight of which are included in the dataset although they have no or only one detection (false positive) on VirusTotal.

• 1b6c3e6ef673f14536ff8d7c2bf18f9358a9a7f8962a24e2255f54ac451af86c
• 9b8495ff1d023e3ae7aed799f02d9cf24422a38dfb9ed37c0bdc65da55b4ee42
• a76b1ec9d196b5c071992486d096ad475226e92b6db06c351e3a4ad4e4949248
• b31b27aa0808aea5b0e8823ecb07402c0c2bbf6818a22457e146c97f685162b4
• f9ed13d5aa43c74287a936bf52772080fc26b5c62a805e19abceb20ef08ea5ff
• 2c7a60963b94b6fc924abdcb19da4d32f35c86cdfe2277b0081cd02c72435b48
• fb0cb4527efc48c90a2cd3e9e46ce59eaa280c85c50d7b680c98bb159c27881d
• b0f1f553a847f3244f434541edbf26904e2de18cca8db8f861ea33bb70942b61
• e83e2185f9e1a5dbc550914dcbc7a4d0f8b30a577ddb4cd8a0f36ac024a68aa0 (currently not on VT and in dataset)

Furthermore, cyber-research assigned the DarkHotel APT to North Korea, although the campaign has been attributed to South Korea by various security researchers (see references on Malpedia).

I created a pull request #2 proposing the following changes:

• move the two samples from the APT28 to the APT29 folder
• remove the threat intelligence reports from the dataset
• change the attributed country of DarkHotel APT from North Korea to South Korea
• update the expired URLs in the overview.csv
• update numbers in the README.md