191 lines
8.7 KiB
JSON
191 lines
8.7 KiB
JSON
|
{
|
||
|
"type": "bundle",
|
||
|
"id": "bundle--5718d5d3-25d4-415c-a97b-4920950d210f",
|
||
|
"objects": [
|
||
|
{
|
||
|
"type": "identity",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-05-02T07:59:26.000Z",
|
||
|
"modified": "2016-05-02T07:59:26.000Z",
|
||
|
"name": "CIRCL",
|
||
|
"identity_class": "organization"
|
||
|
},
|
||
|
{
|
||
|
"type": "report",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "report--5718d5d3-25d4-415c-a97b-4920950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-05-02T07:59:26.000Z",
|
||
|
"modified": "2016-05-02T07:59:26.000Z",
|
||
|
"name": "OSINT - MULTIGRAIN \u00e2\u20ac\u201c Point of Sale Attackers Make an Unhealthy Addition to the Pantry",
|
||
|
"published": "2016-05-02T08:00:02Z",
|
||
|
"object_refs": [
|
||
|
"observed-data--5718d5df-218c-47c5-a8a6-4e8e950d210f",
|
||
|
"url--5718d5df-218c-47c5-a8a6-4e8e950d210f",
|
||
|
"x-misp-attribute--5718d5ec-8fe0-408b-9538-4e90950d210f",
|
||
|
"indicator--5718d6b0-bee4-4e88-a620-490a950d210f",
|
||
|
"indicator--572708a0-8dd4-4b6f-a812-4f7902de0b81",
|
||
|
"indicator--572708a0-8198-489c-863f-44d202de0b81",
|
||
|
"observed-data--572708a0-6018-4118-810b-409c02de0b81",
|
||
|
"url--572708a0-6018-4118-810b-409c02de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"Threat-Report",
|
||
|
"misp:tool=\"MISP-STIX-Converter\"",
|
||
|
"type:OSINT",
|
||
|
"circl:topic=\"services\"",
|
||
|
"veris:action:malware:variety=\"Ram scraper\""
|
||
|
],
|
||
|
"object_marking_refs": [
|
||
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--5718d5df-218c-47c5-a8a6-4e8e950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-04-21T13:30:07.000Z",
|
||
|
"modified": "2016-04-21T13:30:07.000Z",
|
||
|
"first_observed": "2016-04-21T13:30:07Z",
|
||
|
"last_observed": "2016-04-21T13:30:07Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--5718d5df-218c-47c5-a8a6-4e8e950d210f"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--5718d5df-218c-47c5-a8a6-4e8e950d210f",
|
||
|
"value": "https://www.fireeye.com/blog/threat-research/2016/04/multigrain_pointo.html"
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--5718d5ec-8fe0-408b-9538-4e90950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-04-21T13:30:20.000Z",
|
||
|
"modified": "2016-04-21T13:30:20.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"comment\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
],
|
||
|
"x_misp_category": "External analysis",
|
||
|
"x_misp_type": "comment",
|
||
|
"x_misp_value": "FireEye recently discovered a new variant of a point of sale (POS) malware family known as NewPosThings. This variant, which we call \u00e2\u20ac\u0153MULTIGRAIN\u00e2\u20ac\u009d, consists largely of a subset of slightly modified code from NewPosThings. The variant is highly targeted, digitally signed, and exfiltrates stolen payment card data over DNS. The addition of DNS-based exfiltration is new for this malware family; however, other POS malware families such as BernhardPOS and FrameworkPOS have used this technique in the past.\r\n\r\nUsing DNS for data exfiltration provides several advantages to the attacker. Sensitive environments that process card data will often monitor, restrict, or entirely block the HTTP or FTP traffic often used for exfiltration in other environments. While these common internet protocols may be disabled within a restrictive card processing environment, DNS is still necessary to resolve hostnames within the corporate environment and is unlikely to be blocked."
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5718d6b0-bee4-4e88-a620-490a950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-04-21T13:33:36.000Z",
|
||
|
"modified": "2016-04-21T13:33:36.000Z",
|
||
|
"description": "Imported via the freetext import.",
|
||
|
"pattern": "[file:hashes.MD5 = 'f924cec68be776e41726ee765f469d50']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-04-21T13:33:36Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--572708a0-8dd4-4b6f-a812-4f7902de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-05-02T07:58:24.000Z",
|
||
|
"modified": "2016-05-02T07:58:24.000Z",
|
||
|
"description": "Imported via the freetext import. - Xchecked via VT: f924cec68be776e41726ee765f469d50",
|
||
|
"pattern": "[file:hashes.SHA256 = '6abf4544f60ac6117706727c241b97924e0c474f505838d0eb0491fc62b673cd']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-05-02T07:58:24Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--572708a0-8198-489c-863f-44d202de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-05-02T07:58:24.000Z",
|
||
|
"modified": "2016-05-02T07:58:24.000Z",
|
||
|
"description": "Imported via the freetext import. - Xchecked via VT: f924cec68be776e41726ee765f469d50",
|
||
|
"pattern": "[file:hashes.SHA1 = 'f7125695a1c59970b7557362c67f81d93d871373']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-05-02T07:58:24Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--572708a0-6018-4118-810b-409c02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-05-02T07:58:24.000Z",
|
||
|
"modified": "2016-05-02T07:58:24.000Z",
|
||
|
"first_observed": "2016-05-02T07:58:24Z",
|
||
|
"last_observed": "2016-05-02T07:58:24Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--572708a0-6018-4118-810b-409c02de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--572708a0-6018-4118-810b-409c02de0b81",
|
||
|
"value": "https://www.virustotal.com/file/6abf4544f60ac6117706727c241b97924e0c474f505838d0eb0491fc62b673cd/analysis/1461918348/"
|
||
|
},
|
||
|
{
|
||
|
"type": "marking-definition",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
||
|
"created": "2017-01-20T00:00:00.000Z",
|
||
|
"definition_type": "tlp",
|
||
|
"name": "TLP:WHITE",
|
||
|
"definition": {
|
||
|
"tlp": "white"
|
||
|
}
|
||
|
}
|
||
|
]
|
||
|
}
|