{
"Event": {
"analysis": "2",
"date": "2024-10-07",
"extends_uuid": "",
"info": "OSINT - Mamba 2FA: A new contender in the AiTM phishing ecosystem",
"publish_timestamp": "1734383517",
"published": true,
"threat_level_id": "3",
"timestamp": "1734383501",
"uuid": "308d9f5c-4650-4548-9e2a-38a33a0a4c9a",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#004646",
"local": false,
"name": "type:OSINT",
"relationship_type": ""
},
{
"colour": "#0071c3",
"local": false,
"name": "osint:lifetime=\"perpetual\"",
"relationship_type": ""
},
{
"colour": "#0087e8",
"local": false,
"name": "osint:certainty=\"50\"",
"relationship_type": ""
},
{
"colour": "#ffffff",
"local": false,
"name": "tlp:white",
"relationship_type": ""
},
{
"colour": "#ffffff",
"local": false,
"name": "tlp:clear",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:producer=\"Sekoia\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\"",
"relationship_type": ""
}
],
"Attribute": [
{
"category": "Network activity",
"comment": "Outgoing connection to domains of Mamba 2FA relay servers:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1734383195",
"to_ids": true,
"type": "domain",
"uuid": "97c331d1-0da3-483c-8a5d-25ee5fdcbe70",
"value": "drensyoons1sedt.com"
},
{
"category": "Network activity",
"comment": "Outgoing connection to domains of Mamba 2FA relay servers:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1734383195",
"to_ids": true,
"type": "domain",
"uuid": "fe25a304-2fcd-4e71-b6a3-61e1e23e7996",
"value": "sandoom2notnt.com"
},
{
"category": "Network activity",
"comment": "Outgoing connection to domains of Mamba 2FA relay servers:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1734383195",
"to_ids": true,
"type": "domain",
"uuid": "167538b6-49cd-4cec-a806-67dd5c4a5bd3",
"value": "grastoonm3vides.com"
},
{
"category": "Network activity",
"comment": "Outgoing connection to domains of Mamba 2FA relay servers:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1734383195",
"to_ids": true,
"type": "domain",
"uuid": "338672a9-e9ce-4e3e-8c7d-04f52a6c7230",
"value": "ccokies1cakes.com"
},
{
"category": "Network activity",
"comment": "Outgoing connection to domains of Mamba 2FA relay servers:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1734383195",
"to_ids": true,
"type": "domain",
"uuid": "4185210b-9f9a-4e24-a1cf-2e6419bed7a2",
"value": "ccokies2mangoes.com"
},
{
"category": "Network activity",
"comment": "Outgoing connection to domains of Mamba 2FA relay servers:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1734383195",
"to_ids": true,
"type": "domain",
"uuid": "54d04d47-815d-47cf-9cca-dc60308dd278",
"value": "ccokies3tomatoes.com"
},
{
"category": "Network activity",
"comment": "Outgoing connection to domains of Mamba 2FA relay servers:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1734383195",
"to_ids": true,
"type": "domain",
"uuid": "fdc91301-3b71-42b4-9902-c7ddb7484509",
"value": "m1tis-apicookies.com"
},
{
"category": "Network activity",
"comment": "Outgoing connection to domains of Mamba 2FA relay servers:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1734383195",
"to_ids": true,
"type": "domain",
"uuid": "817dfcdd-e77f-4cb1-ab83-38a90c8aca38",
"value": "m2fes-apicookies.com"
},
{
"category": "Network activity",
"comment": "Outgoing connection to domains of Mamba 2FA relay servers:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1734383195",
"to_ids": true,
"type": "domain",
"uuid": "d4a86133-7d37-416f-9328-36c133a77f26",
"value": "m3mas-apicookies.com"
},
{
"category": "Network activity",
"comment": "Outgoing connection to domains of Mamba 2FA relay servers:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1734383195",
"to_ids": true,
"type": "domain",
"uuid": "dec75fcf-3a0c-4f85-8f83-bc2ab4bf2f85",
"value": "winss0conect.click"
},
{
"category": "Network activity",
"comment": "Outgoing connection to domains of Mamba 2FA relay servers:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1734383195",
"to_ids": true,
"type": "domain",
"uuid": "805d2050-a0fd-4446-8943-60ea43b3d416",
"value": "winstnet80nss.cfd"
},
{
"category": "Network activity",
"comment": "Outgoing connection to domains of Mamba 2FA relay servers:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1734383195",
"to_ids": true,
"type": "domain",
"uuid": "a02c0051-9432-4bb1-8900-0e0c8ebdfdc7",
"value": "tenetur.top"
},
{
"category": "Network activity",
"comment": "Outgoing connection to domains of Mamba 2FA relay servers:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1734383195",
"to_ids": true,
"type": "domain",
"uuid": "a4ff214c-b3aa-4fc1-a4e2-407e6cae209e",
"value": "tenetur.xyz"
},
{
"category": "Network activity",
"comment": "The following domains were used previously, between November 2023 and July 2024:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1734383240",
"to_ids": true,
"type": "domain",
"uuid": "2b48920a-e4fd-4df3-b45a-61d576b3321b",
"value": "hypexfinancial.com"
},
{
"category": "Network activity",
"comment": "The following domains were used previously, between November 2023 and July 2024:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1734383240",
"to_ids": true,
"type": "domain",
"uuid": "5e1c2fad-29fc-4ab2-a8b8-7029a52e0a1f",
"value": "voltampereactive.com"
},
{
"category": "Network activity",
"comment": "The following domains were used previously, between November 2023 and July 2024:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1734383240",
"to_ids": true,
"type": "domain",
"uuid": "f7d4212c-f545-4e65-96d6-bb95f7550e4a",
"value": "planchereserver.com"
},
{
"category": "Network activity",
"comment": "The following domains were used previously, between November 2023 and July 2024:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1734383240",
"to_ids": true,
"type": "domain",
"uuid": "4dc4ee14-eec6-472b-af72-b262c368cdb5",
"value": "thirdmandomavis.com"
},
{
"category": "Network activity",
"comment": "The following domains were used previously, between November 2023 and July 2024:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1734383240",
"to_ids": true,
"type": "domain",
"uuid": "642074d7-9e7a-4a98-a213-903aabca65a5",
"value": "fourthmanservice.com"
},
{
"category": "Network activity",
"comment": "The following domains were used previously, between November 2023 and July 2024:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1734383240",
"to_ids": true,
"type": "domain",
"uuid": "6ff2c282-4661-4efb-8a7a-417525f9c20b",
"value": "sithchibb.com"
},
{
"category": "Network activity",
"comment": "The following domains were used previously, between November 2023 and July 2024:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1734383240",
"to_ids": true,
"type": "domain",
"uuid": "93091fa6-c784-4bf3-b59d-921c6de5d84a",
"value": "copelustration.xyz"
},
{
"category": "Network activity",
"comment": "The following domains were used previously, between November 2023 and July 2024:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1734383240",
"to_ids": true,
"type": "domain",
"uuid": "261f2bf7-9c25-4df7-88f6-a251481fd030",
"value": "copefood.xyz"
},
{
"category": "Network activity",
"comment": "The following domains were used previously, between November 2023 and July 2024:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1734383240",
"to_ids": true,
"type": "domain",
"uuid": "1715b55e-3b8d-4519-8953-8234e7d1f95b",
"value": "seven-oranges.com"
},
{
"category": "Network activity",
"comment": "The following domains were used previously, between November 2023 and July 2024:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1734383241",
"to_ids": true,
"type": "domain",
"uuid": "270b05cc-2184-48cc-8a94-5603fd918d35",
"value": "onemanforest.com"
},
{
"category": "Network activity",
"comment": "The following domains were used previously, between November 2023 and July 2024:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1734383241",
"to_ids": true,
"type": "domain",
"uuid": "0014caeb-3f1b-4be8-ac8f-97d88fa974d7",
"value": "twomancake.com"
},
{
"category": "Network activity",
"comment": "The following domains were used previously, between November 2023 and July 2024:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1734383241",
"to_ids": true,
"type": "domain",
"uuid": "2d4e765f-8f6b-4aea-bdca-c9ffe2ccf77c",
"value": "threemanshop.com"
},
{
"category": "Network activity",
"comment": "The following domains were used previously, between November 2023 and July 2024:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1734383241",
"to_ids": true,
"type": "domain",
"uuid": "444201f0-245d-4768-88f0-c31b3b873af5",
"value": "fourmanchurch.com"
},
{
"category": "Network activity",
"comment": "The following domains were used previously, between November 2023 and July 2024:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1734383241",
"to_ids": true,
"type": "domain",
"uuid": "2f2af954-9889-4662-929c-50d24c056135",
"value": "fivemanchool.com"
},
{
"category": "Network activity",
"comment": "The following domains were used previously, between November 2023 and July 2024:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1734383241",
"to_ids": true,
"type": "domain",
"uuid": "095195f3-392c-4553-a4fd-74849ca872f5",
"value": "sixmanteams.com"
},
{
"category": "Network activity",
"comment": "The following domains were used previously, between November 2023 and July 2024:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1734383241",
"to_ids": true,
"type": "domain",
"uuid": "fe591a81-8eea-4995-903b-fee6ad4258d4",
"value": "sevenmanjungle.com"
},
{
"category": "Network activity",
"comment": "The following domains were used previously, between November 2023 and July 2024:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1734383241",
"to_ids": true,
"type": "domain",
"uuid": "d4e9d30e-e3ac-450f-80b9-e4b9e8a96166",
"value": "88mansession.com"
},
{
"category": "Network activity",
"comment": "The following domains were used previously, between November 2023 and July 2024:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1734383241",
"to_ids": true,
"type": "domain",
"uuid": "7a5066b4-2573-434e-b787-479eed6b17d9",
"value": "fiveradio-newbam.com"
},
{
"category": "Network activity",
"comment": "The following domains were used previously, between November 2023 and July 2024:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1734383241",
"to_ids": true,
"type": "domain",
"uuid": "a1c76780-f30d-4b38-a2f0-6b5f88ab3bd7",
"value": "nine9manforest.com"
},
{
"category": "Network activity",
"comment": "The following domains were used previously, between November 2023 and July 2024:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1734383241",
"to_ids": true,
"type": "domain",
"uuid": "247db4c8-8e91-41a3-b599-3c698ac754f2",
"value": "10decadesmen.com"
},
{
"category": "Network activity",
"comment": "The following domains were used previously, between November 2023 and July 2024:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1734383241",
"to_ids": true,
"type": "domain",
"uuid": "3c693026-5a9c-416f-b5bc-dda35e9e4f28",
"value": "11cyclesforest.com"
},
{
"category": "Network activity",
"comment": "The following domains were used previously, between November 2023 and July 2024:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1734383241",
"to_ids": true,
"type": "domain",
"uuid": "e0b7a45e-cbe6-4526-b036-0f3b40dda687",
"value": "1messisnfarm.com"
},
{
"category": "Network activity",
"comment": "The following domains were used previously, between November 2023 and July 2024:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1734383241",
"to_ids": true,
"type": "domain",
"uuid": "af8700b4-1403-468d-ae11-d167f9e56568",
"value": "2moniunesson.com"
},
{
"category": "Network activity",
"comment": "The following domains were used previously, between November 2023 and July 2024:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1734383241",
"to_ids": true,
"type": "domain",
"uuid": "8bc22a04-df0b-44b9-b099-c24088830a0e",
"value": "3alphabetjay.com"
},
{
"category": "Network activity",
"comment": "The following domains were used previously, between November 2023 and July 2024:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1734383241",
"to_ids": true,
"type": "domain",
"uuid": "07658f76-1fc8-4e2d-9124-174fc64341ca",
"value": "4sessionmoon.com"
},
{
"category": "Network activity",
"comment": "The following domains were used previously, between November 2023 and July 2024:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1734383241",
"to_ids": true,
"type": "domain",
"uuid": "a60fa77f-35bb-4ebd-9589-61f9953e35ba",
"value": "5poleanalhy.com"
},
{
"category": "Network activity",
"comment": "The following domains were used previously, between November 2023 and July 2024:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1734383241",
"to_ids": true,
"type": "domain",
"uuid": "5eb6cda8-f98e-4577-a281-41200d52111b",
"value": "6treesmangle.com"
},
{
"category": "Network activity",
"comment": "The following domains were used previously, between November 2023 and July 2024:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1734383241",
"to_ids": true,
"type": "domain",
"uuid": "9b45a67c-cc3a-4f9d-a709-09714af63d5e",
"value": "7motionmansa.com"
},
{
"category": "Network activity",
"comment": "The following domains were used previously, between November 2023 and July 2024:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1734383241",
"to_ids": true,
"type": "domain",
"uuid": "158e0e90-b25a-4c70-95fc-b985be4c29bc",
"value": "8boomandool.com"
},
{
"category": "Network activity",
"comment": "The following domains were used previously, between November 2023 and July 2024:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1734383241",
"to_ids": true,
"type": "domain",
"uuid": "586da09a-26ac-46b1-83ed-79dd3d47564f",
"value": "9cantronnfit.com"
},
{
"category": "Network activity",
"comment": "The following domains were used previously, between November 2023 and July 2024:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1734383241",
"to_ids": true,
"type": "domain",
"uuid": "5a5817a3-3ee8-4a67-9d4a-c88878321059",
"value": "10trioneyue8ss.com"
},
{
"category": "Network activity",
"comment": "The following domains were used previously, between November 2023 and July 2024:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1734383241",
"to_ids": true,
"type": "domain",
"uuid": "3a853f3e-2f01-4a57-91a2-a743faa9a05c",
"value": "11beamgools.com"
},
{
"category": "Network activity",
"comment": "The following IP addresses were used previously, between November 2023 and July 2024 (non-exhaustive list):",
"deleted": false,
"disable_correlation": false,
"timestamp": "1734383286",
"to_ids": true,
"type": "ip-dst",
"uuid": "7eb3f653-8c22-4540-a9af-d86a8d658dcd",
"value": "45.61.130.11"
},
{
"category": "Network activity",
"comment": "The following IP addresses were used previously, between November 2023 and July 2024 (non-exhaustive list):",
"deleted": false,
"disable_correlation": false,
"timestamp": "1734383286",
"to_ids": true,
"type": "ip-dst",
"uuid": "bcf3526c-5813-4955-81bb-117bdffae7ae",
"value": "45.61.169.4"
},
{
"category": "Network activity",
"comment": "The following IP addresses were used previously, between November 2023 and July 2024 (non-exhaustive list):",
"deleted": false,
"disable_correlation": false,
"timestamp": "1734383286",
"to_ids": true,
"type": "ip-dst",
"uuid": "4ecce6b2-21d1-4230-9a12-786b9a5068ea",
"value": "172.86.64.212"
},
{
"category": "Network activity",
"comment": "The following IP addresses were used previously, between November 2023 and July 2024 (non-exhaustive list):",
"deleted": false,
"disable_correlation": false,
"timestamp": "1734383286",
"to_ids": true,
"type": "ip-dst",
"uuid": "ec08cc07-de33-4a7a-a149-59685e68ef2a",
"value": "172.86.96.84"
},
{
"category": "Network activity",
"comment": "The following IP addresses were used previously, between November 2023 and July 2024 (non-exhaustive list):",
"deleted": false,
"disable_correlation": false,
"timestamp": "1734383286",
"to_ids": true,
"type": "ip-dst",
"uuid": "27f7f457-220e-45c6-bac6-13e91f26eace",
"value": "172.86.96.128"
},
{
"category": "Network activity",
"comment": "The following IP addresses were used previously, between November 2023 and July 2024 (non-exhaustive list):",
"deleted": false,
"disable_correlation": false,
"timestamp": "1734383286",
"to_ids": true,
"type": "ip-dst",
"uuid": "d3cbe9a1-31c2-4b6a-ae00-45fd54a32589",
"value": "172.86.97.78"
},
{
"category": "Network activity",
"comment": "The following IP addresses were used previously, between November 2023 and July 2024 (non-exhaustive list):",
"deleted": false,
"disable_correlation": false,
"timestamp": "1734383286",
"to_ids": true,
"type": "ip-dst",
"uuid": "8a203781-2b72-495f-bee9-259a28d74f5f",
"value": "172.86.97.165"
},
{
"category": "Network activity",
"comment": "The following IP addresses were used previously, between November 2023 and July 2024 (non-exhaustive list):",
"deleted": false,
"disable_correlation": false,
"timestamp": "1734383286",
"to_ids": true,
"type": "ip-dst",
"uuid": "22d7893a-cb78-45dc-94bc-31468544187d",
"value": "172.86.104.33"
},
{
"category": "Network activity",
"comment": "The following IP addresses were used previously, between November 2023 and July 2024 (non-exhaustive list):",
"deleted": false,
"disable_correlation": false,
"timestamp": "1734383286",
"to_ids": true,
"type": "ip-dst",
"uuid": "d8c96e3e-182f-4d63-9995-bd83f9bf0291",
"value": "172.86.104.64"
},
{
"category": "Network activity",
"comment": "The following IP addresses were used previously, between November 2023 and July 2024 (non-exhaustive list):",
"deleted": false,
"disable_correlation": false,
"timestamp": "1734383286",
"to_ids": true,
"type": "ip-dst",
"uuid": "9254c241-4664-4225-9538-5018fce49403",
"value": "172.86.104.178"
},
{
"category": "Network activity",
"comment": "The following IP addresses were used previously, between November 2023 and July 2024 (non-exhaustive list):",
"deleted": false,
"disable_correlation": false,
"timestamp": "1734383286",
"to_ids": true,
"type": "ip-dst",
"uuid": "04d515eb-eb0c-4e58-9a5c-5ab145263407",
"value": "172.86.105.59"
},
{
"category": "Network activity",
"comment": "The following IP addresses were used previously, between November 2023 and July 2024 (non-exhaustive list):",
"deleted": false,
"disable_correlation": false,
"timestamp": "1734383286",
"to_ids": true,
"type": "ip-dst",
"uuid": "2ca61f39-185f-4e21-8506-a71bd8b544c8",
"value": "172.86.105.72"
},
{
"category": "Network activity",
"comment": "The following IP addresses were used previously, between November 2023 and July 2024 (non-exhaustive list):",
"deleted": false,
"disable_correlation": false,
"timestamp": "1734383286",
"to_ids": true,
"type": "ip-dst",
"uuid": "dca6d111-c4b6-4909-9bb2-2f75553e218b",
"value": "172.86.106.94"
},
{
"category": "Network activity",
"comment": "Between August and October 2024, Entra/M365 sign-ins from IP addresses of Mamba 2FA relay servers:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1734383316",
"to_ids": true,
"type": "ip-dst",
"uuid": "0aa0a70e-e8c0-40a0-bf79-814c8cb2dfaa",
"value": "2607:5500:3000:1cab::2"
},
{
"category": "Network activity",
"comment": "Between August and October 2024, Entra/M365 sign-ins from IP addresses of Mamba 2FA relay servers:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1734383316",
"to_ids": true,
"type": "ip-dst",
"uuid": "580104f7-a738-4975-b081-a6a5e78f1682",
"value": "2607:5500:3000:7bc::2"
},
{
"category": "Network activity",
"comment": "Between August and October 2024, Entra/M365 sign-ins from IP addresses of Mamba 2FA relay servers:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1734383316",
"to_ids": true,
"type": "ip-dst",
"uuid": "732b3d05-f49b-4ff9-8d6c-b6bd9b11e74f",
"value": "2607:5500:3000:312::2"
},
{
"category": "Network activity",
"comment": "Between August and October 2024, Entra/M365 sign-ins from IP addresses of Mamba 2FA relay servers:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1734383316",
"to_ids": true,
"type": "ip-dst",
"uuid": "dafda331-b4ef-46a1-9aff-1789cd0f1fcc",
"value": "2607:5500:3000:7a5::2"
},
{
"category": "Network activity",
"comment": "Between August and October 2024, Entra/M365 sign-ins from IP addresses of Mamba 2FA relay servers:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1734383316",
"to_ids": true,
"type": "ip-dst",
"uuid": "131616be-296d-4330-b712-79f431d51155",
"value": "2607:5500:3000:a8c::2"
},
{
"category": "Network activity",
"comment": "Between August and October 2024, Entra/M365 sign-ins from IP addresses of Mamba 2FA relay servers:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1734383316",
"to_ids": true,
"type": "ip-dst",
"uuid": "088f6e55-1ae5-4bcf-90e6-0e28564941dc",
"value": "2607:5500:3000:fea::2"
},
{
"category": "Network activity",
"comment": "Between August and October 2024, Entra/M365 sign-ins from IP addresses of Mamba 2FA relay servers:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1734383316",
"to_ids": true,
"type": "ip-dst",
"uuid": "e253f2ae-86ad-4210-8068-1766fa2014ff",
"value": "2607:5500:3000:b16::2"
},
{
"category": "Network activity",
"comment": "Since October 2024, Entra/M365 sign-ins from IP addresses of IPRoyal proxies used by Mamba 2FA (non-exhaustive list):",
"deleted": false,
"disable_correlation": false,
"timestamp": "1734383340",
"to_ids": true,
"type": "ip-dst",
"uuid": "de1cf268-194a-4a8d-a12e-16ab29a3dd09",
"value": "23.26.35.67"
},
{
"category": "Network activity",
"comment": "Since October 2024, Entra/M365 sign-ins from IP addresses of IPRoyal proxies used by Mamba 2FA (non-exhaustive list):",
"deleted": false,
"disable_correlation": false,
"timestamp": "1734383340",
"to_ids": true,
"type": "ip-dst",
"uuid": "2c206ae6-e1ac-4f01-b0bd-5655627613c8",
"value": "23.26.206.99"
},
{
"category": "Network activity",
"comment": "Since October 2024, Entra/M365 sign-ins from IP addresses of IPRoyal proxies used by Mamba 2FA (non-exhaustive list):",
"deleted": false,
"disable_correlation": false,
"timestamp": "1734383340",
"to_ids": true,
"type": "ip-dst",
"uuid": "b85d4316-796e-4e83-879e-d328a926a592",
"value": "45.86.54.206"
},
{
"category": "Network activity",
"comment": "Since October 2024, Entra/M365 sign-ins from IP addresses of IPRoyal proxies used by Mamba 2FA (non-exhaustive list):",
"deleted": false,
"disable_correlation": false,
"timestamp": "1734383340",
"to_ids": true,
"type": "ip-dst",
"uuid": "ec5ed5d2-782c-4809-9e94-dfc45d2ccdd6",
"value": "45.9.153.102"
}
],
"Object": [
{
"comment": "",
"deleted": false,
"description": "Report object to describe a report along with its metadata.",
"meta-category": "misc",
"name": "report",
"template_uuid": "70a68471-df22-4e3f-aa1a-5a3be19f82df",
"template_version": "8",
"timestamp": "1734383124",
"uuid": "71e1c48a-6844-4e1a-8bdb-d50c457a3b67",
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "link",
"timestamp": "1734383124",
"to_ids": false,
"type": "link",
"uuid": "f59e905e-25d7-49a7-9540-d3999839627b",
"value": "https://blog.sekoia.io/mamba-2fa-a-new-contender-in-the-aitm-phishing-ecosystem/"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "summary",
"timestamp": "1734383124",
"to_ids": false,
"type": "text",
"uuid": "20ffb8fa-cf64-4a5c-a96d-4d48c9c29d26",
"value": "In late May 2024, Sekoia\u2019s Threat Detection & Research (TDR) team received an insight from a partner about an ongoing phishing campaign leveraging HTML attachments that mimicked Microsoft 365 login pages. The phishing pages were able to relay some methods of multi-factor authentication (MFA), and made use of the Socket.IO JavaScript library to communicate via websockets with a backend server. At first, these characteristics look like the Tycoon 2FA phishing-as-a-service platform, but further inspection found that the campaign leveraged a previously unknown adversary-in-the-middle (AiTM) phishing kit, that Sekoia track as Mamba 2FA.\r\n\r\nTDR illuminated the infrastructure hosting the phishing pages and developed detection rules to identify Entra ID accounts compromised via this kit. Retro-hunting uncovered that several Sekoia XDR customers have been targeted by campaigns leveraging Mamba 2FA in the previous months, suggesting a widespread threat. Finally, during this investigation we identified that the kit was sold as phishing-as-a-service (PhaaS).\r\n\r\nOn 26 June 2024, ANY.RUN published an analysis of a phishing campaign that matched the characteristics and infrastructure of Mamba 2FA. Since then, and likely in reaction to this publication, the phishing kit and associated infrastructure have undergone several significant changes."
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "type",
"timestamp": "1734383124",
"to_ids": false,
"type": "text",
"uuid": "679665af-07d4-4b2f-92ab-fdd62874878b",
"value": "Blog"
}
]
}
]
}
}