misp-circl-feed/feeds/circl/stix-2.1/5981907c-ee6c-4ed5-bc87-40af02de0b81.json

389 lines
18 KiB
JSON
Raw Permalink Normal View History

2023-04-21 14:44:17 +00:00
{
"type": "bundle",
"id": "bundle--5981907c-ee6c-4ed5-bc87-40af02de0b81",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-02T08:48:16.000Z",
"modified": "2017-08-02T08:48:16.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--5981907c-ee6c-4ed5-bc87-40af02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-02T08:48:16.000Z",
"modified": "2017-08-02T08:48:16.000Z",
"name": "OSINT - Real News, Fake Flash: Mac OS X Users Targeted",
"published": "2017-08-02T08:48:28Z",
"object_refs": [
"observed-data--598190a8-00ec-4767-b912-418602de0b81",
"url--598190a8-00ec-4767-b912-418602de0b81",
"x-misp-attribute--598190b8-24d0-4da9-84d0-48ac02de0b81",
"indicator--59819106-c5cc-4df8-ab93-4ac502de0b81",
"indicator--59819106-f024-4177-9670-400902de0b81",
"indicator--59819106-ac44-4f4d-b1c5-425602de0b81",
"indicator--59819106-7e30-446e-bcae-44e902de0b81",
"indicator--5981912b-da70-4840-bfe2-483402de0b81",
"indicator--5981912b-e808-49bf-8f5a-4bac02de0b81",
"indicator--5981912b-7ea8-4a36-b091-445102de0b81",
"indicator--5981912b-cb3c-4848-b644-4fd802de0b81",
"indicator--59819159-0430-4878-bc81-4ed502de0b81",
"indicator--5981918a-06a8-4acb-ab14-402102de0b81",
"indicator--598191d0-f6b8-44ba-b774-448f02de0b81",
"observed-data--598191d0-1f28-4cd2-96d9-479402de0b81",
"url--598191d0-1f28-4cd2-96d9-479402de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"ms-caro-malware:malware-platform=\"MacOS_X\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--598190a8-00ec-4767-b912-418602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-02T08:48:16.000Z",
"modified": "2017-08-02T08:48:16.000Z",
"first_observed": "2017-08-02T08:48:16Z",
"last_observed": "2017-08-02T08:48:16Z",
"number_observed": 1,
"object_refs": [
"url--598190a8-00ec-4767-b912-418602de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--598190a8-00ec-4767-b912-418602de0b81",
"value": "https://www.volexity.com/blog/2017/07/24/real-news-fake-flash-mac-os-x-users-targeted/"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--598190b8-24d0-4da9-84d0-48ac02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-02T08:48:16.000Z",
"modified": "2017-08-02T08:48:16.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "Volexity recently identified a breach to the website of a well regarded media outlet in the country of Georgia. As part of this breach, the media organization\u00e2\u20ac\u2122s website was being leveraged as a component of a malware campaign targeting select visitors. The news organization provides reporting on its website in English, Georgian, and Russian. However, only the Georgian language portion of the website was impacted and used in an effort to distribute malware. The targets were then further narrowed to those that were running the Mac OS X operating system, had not previously visited the website, and had specific browser versions. The attackers accomplished much of this with JavaScript they placed on the media organization\u00e2\u20ac\u2122s website."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59819106-c5cc-4df8-ab93-4ac502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-02T08:48:16.000Z",
"modified": "2017-08-02T08:48:16.000Z",
"description": "GetFlashPlayer.zip - ZIP file containing the OSX/Leverage.A GetFlashPlayer.app application/directory.",
"pattern": "[file:hashes.MD5 = '6597ffd7d1d241b1bf776bc7e1e3f840']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-02T08:48:16Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59819106-f024-4177-9670-400902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-02T08:48:16.000Z",
"modified": "2017-08-02T08:48:16.000Z",
"description": "GetFlashPlayer.zip - ZIP file containing the OSX/Leverage.A GetFlashPlayer.app application/directory.",
"pattern": "[file:hashes.SHA1 = '2810d554b2e9e14551cef7293e5240b058fb78c3']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-02T08:48:16Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59819106-ac44-4f4d-b1c5-425602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-02T08:48:16.000Z",
"modified": "2017-08-02T08:48:16.000Z",
"description": "GetFlashPlayer - Signed OSX/Leverage.A binary masquerading as a legitimate file from Adobe",
"pattern": "[file:hashes.MD5 = '28064805242b3aa9c138061d6c18e7f5']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-02T08:48:16Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59819106-7e30-446e-bcae-44e902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-02T08:48:16.000Z",
"modified": "2017-08-02T08:48:16.000Z",
"description": "GetFlashPlayer - Signed OSX/Leverage.A binary masquerading as a legitimate file from Adobe",
"pattern": "[file:hashes.SHA1 = '2441e2e9f68b4110218e1fcdc2cfce864b96e2da']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-02T08:48:16Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5981912b-da70-4840-bfe2-483402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-02T08:48:16.000Z",
"modified": "2017-08-02T08:48:16.000Z",
"pattern": "[domain-name:value = 'updatesec.webredirect.org']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-02T08:48:16Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5981912b-e808-49bf-8f5a-4bac02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-02T08:48:16.000Z",
"modified": "2017-08-02T08:48:16.000Z",
"description": "updatesec.webredirect[.]org",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '45.77.53.146']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-02T08:48:16Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5981912b-7ea8-4a36-b091-445102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-02T08:48:16.000Z",
"modified": "2017-08-02T08:48:16.000Z",
"pattern": "[domain-name:value = 'downloadarchives.servehttp.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-02T08:48:16Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5981912b-cb3c-4848-b644-4fd802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-02T08:48:16.000Z",
"modified": "2017-08-02T08:48:16.000Z",
"description": "downloadarchives.servehttp[.]com",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '213.200.14.138']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-02T08:48:16Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59819159-0430-4878-bc81-4ed502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-02T08:48:16.000Z",
"modified": "2017-08-02T08:48:16.000Z",
"description": "Volexity was also able to find ties between the updatesec.webredirect[.]org exploitation and malware delivery server and the IP address 176.9.192.223. Volexity believes this IP is likely used for similar purposes and is directly related with the threat activity described in this blog.",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '176.9.192.223']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-02T08:48:16Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5981918a-06a8-4acb-ab14-402102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-02T08:48:16.000Z",
"modified": "2017-08-02T08:48:16.000Z",
"description": "In a final interesting twist, while writing this blog, Volexity noted that the IP address for the hostname updatesec.webredirect[.]org was updated to resolve to the Lithuanian IP address 185.28.22.22. This IP address does not appear to be responding on port 80, so no content would be served to visitors. However, it should be noted that this IP address is listed as a command and control server in the Stantinko report that was just released by ESET last week. Volexity is not aware of any ties between this threat activity and those behind Stantinko.",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.28.22.22']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-02T08:48:16Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--598191d0-f6b8-44ba-b774-448f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-02T08:48:16.000Z",
"modified": "2017-08-02T08:48:16.000Z",
"description": "GetFlashPlayer - Signed OSX/Leverage.A binary masquerading as a legitimate file from Adobe - Xchecked via VT: 2441e2e9f68b4110218e1fcdc2cfce864b96e2da",
"pattern": "[file:hashes.SHA256 = '58509ec67ce9a271bf4a1ec3cad3a37bb666c1df4cc90f16db7038982b57dcf1']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-02T08:48:16Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--598191d0-1f28-4cd2-96d9-479402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-02T08:48:16.000Z",
"modified": "2017-08-02T08:48:16.000Z",
"first_observed": "2017-08-02T08:48:16Z",
"last_observed": "2017-08-02T08:48:16Z",
"number_observed": 1,
"object_refs": [
"url--598191d0-1f28-4cd2-96d9-479402de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--598191d0-1f28-4cd2-96d9-479402de0b81",
"value": "https://www.virustotal.com/file/58509ec67ce9a271bf4a1ec3cad3a37bb666c1df4cc90f16db7038982b57dcf1/analysis/1501618896/"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}