misp-circl-feed/feeds/circl/misp/3594b211-1c7c-4e20-8c85-62564c2e7267.json

{
"Event": {
"analysis": "2",
"date": "2024-08-23",
"extends_uuid": "",
"info": "OSINT - NGate Android malware relays NFC traffic to steal cash",
"publish_timestamp": "1724415888",
"published": true,
"threat_level_id": "3",
"timestamp": "1724415650",
"uuid": "3594b211-1c7c-4e20-8c85-62564c2e7267",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:sector=\"Finance\"",
"relationship_type": "targets"
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:sector=\"Retail\"",
"relationship_type": "targets"
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:mitre-attack-pattern=\"Phishing - T1660\"",
"relationship_type": "uses"
},
{
"colour": "#004646",
"local": false,
"name": "type:OSINT",
"relationship_type": ""
},
{
"colour": "#0071c3",
"local": false,
"name": "osint:lifetime=\"perpetual\"",
"relationship_type": ""
},
{
"colour": "#0087e8",
"local": false,
"name": "osint:certainty=\"50\"",
"relationship_type": ""
},
{
"colour": "#ffffff",
"local": false,
"name": "tlp:white",
"relationship_type": ""
},
{
"colour": "#ffffff",
"local": false,
"name": "tlp:clear",
"relationship_type": ""
}
],
"Attribute": [
{
"category": "Network activity",
"comment": "NGate C&C server.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1724414986",
"to_ids": true,
"type": "ip-dst",
"uuid": "c778b40f-401f-477c-acc0-1ac6326f4828",
"value": "172.187.98.211"
}
],
"Object": [
{
"comment": "",
"deleted": false,
"description": "Report object to describe a report along with its metadata.",
"meta-category": "misc",
"name": "report",
"template_uuid": "70a68471-df22-4e3f-aa1a-5a3be19f82df",
"template_version": "8",
"timestamp": "1724414846",
"uuid": "b664e0c0-e94c-4811-813b-591ab0fa6230",
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "link",
"timestamp": "1724414846",
"to_ids": false,
"type": "link",
"uuid": "404f429d-75fe-45c5-a62f-d025e478fe8b",
"value": "https://www.welivesecurity.com/en/eset-research/ngate-android-malware-relays-nfc-traffic-to-steal-cash/"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "summary",
"timestamp": "1724414846",
"to_ids": false,
"type": "text",
"uuid": "390e6769-ecd7-4a0e-9dfa-5e095f8f1735",
"value": "Android malware discovered by ESET Research relays NFC data from victims\u2019 payment cards, via victims\u2019 mobile phones, to the device of a perpetrator waiting at an ATM"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "title",
"timestamp": "1724414846",
"to_ids": false,
"type": "text",
"uuid": "cc82d712-5537-4376-a7b1-9391a174d286",
"value": "NGate Android malware relays NFC traffic to steal cash"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "type",
"timestamp": "1724414846",
"to_ids": false,
"type": "text",
"uuid": "e434a86a-c69b-4506-bc04-c1e04c66e284",
"value": "Blog"
}
]
},
{
"comment": "NGate distribution website.",
"deleted": false,
"description": "An IP address (or domain or hostname) and a port seen as a tuple (or as a triple) in a specific time frame.",
"meta-category": "network",
"name": "ip-port",
"template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6",
"template_version": "9",
"timestamp": "1724414934",
"uuid": "670685e7-856e-457a-ab8b-5d50b99c951d",
"Attribute": [
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "ip",
"timestamp": "1724414934",
"to_ids": true,
"type": "ip-dst",
"uuid": "67064af6-5c07-45a4-b8e1-baa8b40fcb4e",
"value": "91.222.136.153"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "domain",
"timestamp": "1724414934",
"to_ids": true,
"type": "domain",
"uuid": "9439ed21-eb5f-4f98-a5de-e330c46fd8ec",
"value": "raiffeisen-cz.eu"
}
]
},
{
"comment": "Phishing website.",
"deleted": false,
"description": "An IP address (or domain or hostname) and a port seen as a tuple (or as a triple) in a specific time frame.",
"meta-category": "network",
"name": "ip-port",
"template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6",
"template_version": "9",
"timestamp": "1724414957",
"uuid": "8a1c1eaf-fb1f-4192-bfb3-e39ccdcb15b3",
"Attribute": [
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "ip",
"timestamp": "1724414957",
"to_ids": true,
"type": "ip-dst",
"uuid": "3c88f7a9-0be0-4ac0-8867-fdec41a04901",
"value": "104.21.7.213"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "hostname",
"timestamp": "1724414957",
"to_ids": true,
"type": "hostname",
"uuid": "891a583a-d494-4cce-b2d4-db2acc88093c",
"value": "client.nfcpay.workers.dev"
}
]
},
{
"comment": "NGate distribution website.",
"deleted": false,
"description": "An IP address (or domain or hostname) and a port seen as a tuple (or as a triple) in a specific time frame.",
"meta-category": "network",
"name": "ip-port",
"template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6",
"template_version": "9",
"timestamp": "1724415006",
"uuid": "2a96d936-8d8e-4833-a84c-995747fcea47",
"Attribute": [
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "ip",
"timestamp": "1724415006",
"to_ids": true,
"type": "ip-dst",
"uuid": "9846f6cb-d2c0-49e2-9447-631031dc3f4a",
"value": "185.104.45.51"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "hostname",
"timestamp": "1724415006",
"to_ids": true,
"type": "hostname",
"uuid": "1fe9e1b1-6099-4bfb-90b9-6a53620cdfec",
"value": "app.mobil-csob-cz.eu"
}
]
},
{
"comment": "NGate C&C server.",
"deleted": false,
"description": "An IP address (or domain or hostname) and a port seen as a tuple (or as a triple) in a specific time frame.",
"meta-category": "network",
"name": "ip-port",
"template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6",
"template_version": "9",
"timestamp": "1724415045",
"uuid": "f7ef3692-2d4f-4e0f-80c0-cc96e626c3a9",
"Attribute": [
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "ip",
"timestamp": "1724415045",
"to_ids": true,
"type": "ip-dst",
"uuid": "32acdd39-eee2-45a0-b41f-5e98ab0d1244",
"value": "185.181.165.124"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "hostname",
"timestamp": "1724415045",
"to_ids": true,
"type": "hostname",
"uuid": "68095d80-8f97-4858-b0b2-3b3d20f85c2f",
"value": "nfc.cryptomaker.info"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object defining a singular attack-step. Especially useful for red/purple teaming, but can also be used for actual attacks.",
"meta-category": "misc",
"name": "attack-step",
"template_uuid": "F86CD6C4-B89D-454A-95C1-165D456D8A74",
"template_version": "1",
"timestamp": "1724415189",
"uuid": "6b219eb5-41e8-469a-8cc5-3ecb54a84332",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "description",
"timestamp": "1724415189",
"to_ids": false,
"type": "text",
"uuid": "a0e43ef8-1ed3-46d7-9742-a751e6f1d736",
"value": "NGate has been distributed using dedicated websites impersonating legitimate services.",
"Tag": [
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:mitre-attack-pattern=\"Phishing - T1660\"",
"relationship_type": ""
}
]
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "key-step",
"timestamp": "1724415169",
"to_ids": false,
"type": "boolean",
"uuid": "2a5ae6e7-da1b-4f94-8e4e-3ff43cb675e0",
"value": "1"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "succesful",
"timestamp": "1724415169",
"to_ids": false,
"type": "boolean",
"uuid": "74a75b4d-d19d-42d2-b230-61e85138eb58",
"value": "1"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object defining a singular attack-step. Especially useful for red/purple teaming, but can also be used for actual attacks.",
"meta-category": "misc",
"name": "attack-step",
"template_uuid": "F86CD6C4-B89D-454A-95C1-165D456D8A74",
"template_version": "1",
"timestamp": "1724415284",
"uuid": "56c8a4e9-c52a-4377-8def-71524d6b8715",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "description",
"timestamp": "1724415284",
"to_ids": false,
"type": "text",
"uuid": "4f6963ef-3bb5-4bdb-b40d-6178126bcc06",
"value": "NGate tries to obtain victims\u2019 sensitive information via a phishing WebView pretending to be a banking service.",
"Tag": [
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:mitre-attack-pattern=\"GUI Input Capture - T1417.002\"",
"relationship_type": ""
}
]
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "key-step",
"timestamp": "1724415235",
"to_ids": false,
"type": "boolean",
"uuid": "7c4f878d-1b89-47bb-a7f0-b1c868133688",
"value": "1"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "succesful",
"timestamp": "1724415235",
"to_ids": false,
"type": "boolean",
"uuid": "fed9ae65-503d-45c2-80df-d43e39285885",
"value": "1"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object defining a singular attack-step. Especially useful for red/purple teaming, but can also be used for actual attacks.",
"meta-category": "misc",
"name": "attack-step",
"template_uuid": "F86CD6C4-B89D-454A-95C1-165D456D8A74",
"template_version": "1",
"timestamp": "1724415353",
"uuid": "77a91913-41d6-40e8-9cbc-0e989dc54ee6",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "description",
"timestamp": "1724415353",
"to_ids": false,
"type": "text",
"uuid": "da979af4-c499-4610-b1af-7820f3dc628f",
"value": "NGate can extract information about the device including device model, Android version, and information about NFC.",
"Tag": [
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1426\"",
"relationship_type": ""
}
]
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "key-step",
"timestamp": "1724415322",
"to_ids": false,
"type": "boolean",
"uuid": "888930cd-782c-4bd9-99c4-2239c6cab3a6",
"value": "1"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "succesful",
"timestamp": "1724415322",
"to_ids": false,
"type": "boolean",
"uuid": "e871cb13-a5d9-4fd5-9f00-288297b6e8f2",
"value": "1"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object defining a singular attack-step. Especially useful for red/purple teaming, but can also be used for actual attacks.",
"meta-category": "misc",
"name": "attack-step",
"template_uuid": "F86CD6C4-B89D-454A-95C1-165D456D8A74",
"template_version": "1",
"timestamp": "1724415428",
"uuid": "6db83e7d-e8b9-4af7-b066-9eeeda3c916c",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "description",
"timestamp": "1724415428",
"to_ids": false,
"type": "text",
"uuid": "ca52e318-d16a-49be-b6e2-b7613b6d2a5a",
"value": "NGate uses a JavaScript interface to send and execute commands to compromised devices.",
"Tag": [
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1437.001\"",
"relationship_type": ""
}
]
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "key-step",
"timestamp": "1724415399",
"to_ids": false,
"type": "boolean",
"uuid": "b0889480-3b42-4c97-85c3-67f8856d8025",
"value": "1"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "succesful",
"timestamp": "1724415399",
"to_ids": false,
"type": "boolean",
"uuid": "efe0764c-6c26-4c54-af83-8da6d778e745",
"value": "1"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object defining a singular attack-step. Especially useful for red/purple teaming, but can also be used for actual attacks.",
"meta-category": "misc",
"name": "attack-step",
"template_uuid": "F86CD6C4-B89D-454A-95C1-165D456D8A74",
"template_version": "1",
"timestamp": "1724415516",
"uuid": "a7e7a430-0053-4575-b02a-887781f3d366",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "description",
"timestamp": "1724415516",
"to_ids": false,
"type": "text",
"uuid": "7e3569d4-82a3-43c3-a442-49ac998f5f98",
"value": "NGate uses port 5566 to communicate with its server to exfiltrate NFC traffic.",
"Tag": [
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:mitre-attack-pattern=\"Non-Standard Port - T1509\"",
"relationship_type": ""
}
]
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "key-step",
"timestamp": "1724415482",
"to_ids": false,
"type": "boolean",
"uuid": "40a6d4dd-fd27-44a0-9b0f-852e35675301",
"value": "1"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "succesful",
"timestamp": "1724415482",
"to_ids": false,
"type": "boolean",
"uuid": "0b72b277-4b84-49bb-81f4-c2e10bf29447",
"value": "1"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object defining a singular attack-step. Especially useful for red/purple teaming, but can also be used for actual attacks.",
"meta-category": "misc",
"name": "attack-step",
"template_uuid": "F86CD6C4-B89D-454A-95C1-165D456D8A74",
"template_version": "1",
"timestamp": "1724415600",
"uuid": "27848d85-df48-41a8-9b49-487e5dead30e",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "description",
"timestamp": "1724415600",
"to_ids": false,
"type": "text",
"uuid": "ea267d0d-3ec9-48a2-ae63-1fd63f2ee08e",
"value": "NGate can exfiltrate NFC traffic.",
"Tag": [
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:mitre-attack-pattern=\"Out of Band Data - T1644\"",
"relationship_type": ""
}
]
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "key-step",
"timestamp": "1724415565",
"to_ids": false,
"type": "boolean",
"uuid": "f82b6eaa-3c80-4c8c-a6dd-beb307454d60",
"value": "1"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "succesful",
"timestamp": "1724415565",
"to_ids": false,
"type": "boolean",
"uuid": "53c9d6b4-1417-4d01-bb55-fec10c3009c4",
"value": "1"
}
]
}
]
}
}