

{
"type": "bundle",
"id": "bundle--5981a635-1198-404e-99e3-4fad02de0b81",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-02T10:18:52.000Z",
"modified": "2017-08-02T10:18:52.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--5981a635-1198-404e-99e3-4fad02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-02T10:18:52.000Z",
"modified": "2017-08-02T10:18:52.000Z",
"name": "OSINT - FIN7/Carbanak threat actor unleashes Bateleur JScript backdoor",
"published": "2017-08-02T10:19:11Z",
"object_refs": [
"x-misp-attribute--5981a64b-3b44-4cb4-92ce-47c502de0b81",
"observed-data--5981a65c-463c-48f2-a8e8-92c902de0b81",
"url--5981a65c-463c-48f2-a8e8-92c902de0b81",
"indicator--5981a6ab-0b6c-4729-945c-310e02de0b81",
"indicator--5981a6ab-e098-4d81-827f-310e02de0b81",
"indicator--5981a6ab-b188-4fb5-9dc6-310e02de0b81",
"indicator--5981a6cb-89b8-4bb2-afd6-487002de0b81",
"indicator--5981a6cb-afe0-4d12-b9cc-472102de0b81",
"indicator--5981a6cb-18f0-4cd5-ac56-4d3d02de0b81",
"indicator--5981a6cb-4020-4ccf-a18f-48c502de0b81",
"indicator--5981a6cb-2cb8-409e-b3f3-419402de0b81",
"indicator--5981a6cb-1504-45ba-be21-4cae02de0b81",
"indicator--5981a6d9-b2b0-4845-8e31-2ef302de0b81",
"indicator--5981a6ed-02c8-41bb-9762-92f802de0b81",
"indicator--5981a6ed-bb14-47ae-9a1f-92f802de0b81",
"indicator--5981a6fc-2ccc-460d-89ff-92bf02de0b81",
"indicator--5981a6fc-1bd8-4ed5-b8b1-92bf02de0b81",
"observed-data--5981a6fc-d200-4960-acff-92bf02de0b81",
"url--5981a6fc-d200-4960-acff-92bf02de0b81",
"indicator--5981a6fc-cdb4-4d58-be72-92bf02de0b81",
"indicator--5981a6fc-0df0-4fa0-ad87-92bf02de0b81",
"observed-data--5981a6fc-a6fc-473b-8d4e-92bf02de0b81",
"url--5981a6fc-a6fc-473b-8d4e-92bf02de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"osint:source-type=\"blog-post\"",
"misp-galaxy:threat-actor=\"Anunak\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5981a64b-3b44-4cb4-92ce-47c502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-02T10:18:52.000Z",
"modified": "2017-08-02T10:18:52.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "Proofpoint researchers have uncovered that the threat actor commonly referred to as FIN7 has added a new JScript backdoor called Bateleur and updated macros to its toolkit. We have observed these new tools being used to target U.S.-based chain restaurants, although FIN7 has previously targeted hospitality organizations, retailers, merchant services, suppliers and others. The new macros and Bateleur backdoor use sophisticated anti-analysis and sandbox evasion techniques as they attempt to cloak their activities and expand their victim pool.\r\n\r\nSpecifically, the first FIN7 change we observed was in the obfuscation technique found in their usual document attachments delivering the GGLDR script [1], initially described by researchers at FireEye [2]. In addition, starting in early June, we observed this threat actor using macro documents to drop a previously undocumented JScript backdoor, which we have named \u201cBateleur\u201d, instead of dropping their customary GGLDR payload. Since its initial sighting, there have been multiple updates to Bateleur and the attachment macros."
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5981a65c-463c-48f2-a8e8-92c902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-02T10:18:52.000Z",
"modified": "2017-08-02T10:18:52.000Z",
"first_observed": "2017-08-02T10:18:52Z",
"last_observed": "2017-08-02T10:18:52Z",
"number_observed": 1,
"object_refs": [
"url--5981a65c-463c-48f2-a8e8-92c902de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5981a65c-463c-48f2-a8e8-92c902de0b81",
"value": "https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5981a6ab-0b6c-4729-945c-310e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-02T10:18:36.000Z",
"modified": "2017-08-02T10:18:36.000Z",
"description": "On port 53 - Tinymet C&C",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.25.48.186' AND network-traffic:dst_port = '53']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-02T10:18:36Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"ip-dst|port\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5981a6ab-e098-4d81-827f-310e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-02T10:18:36.000Z",
"modified": "2017-08-02T10:18:36.000Z",
"description": "On port 443 - Tinymet C&C",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '46.166.168.213' AND network-traffic:dst_port = '443']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-02T10:18:36Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"ip-dst|port\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5981a6ab-b188-4fb5-9dc6-310e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-02T10:18:36.000Z",
"modified": "2017-08-02T10:18:36.000Z",
"description": "On port 53 - Tinymet C&C",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '188.165.44.190' AND network-traffic:dst_port = '53']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-02T10:18:36Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"ip-dst|port\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5981a6cb-89b8-4bb2-afd6-487002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-02T10:18:36.000Z",
"modified": "2017-08-02T10:18:36.000Z",
"description": "On port 443 - Bateleur C&C",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '195.133.48.65' AND network-traffic:dst_port = '443']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-02T10:18:36Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"ip-dst|port\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5981a6cb-afe0-4d12-b9cc-472102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-02T10:18:36.000Z",
"modified": "2017-08-02T10:18:36.000Z",
"description": "On port 443 - Bateleur C&C",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '195.133.49.73' AND network-traffic:dst_port = '443']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-02T10:18:36Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"ip-dst|port\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5981a6cb-18f0-4cd5-ac56-4d3d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-02T10:18:36.000Z",
"modified": "2017-08-02T10:18:36.000Z",
"description": "On port 443 - Bateleur C&C",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.154.53.65' AND network-traffic:dst_port = '443']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-02T10:18:36Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"ip-dst|port\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5981a6cb-4020-4ccf-a18f-48c502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-02T10:18:36.000Z",
"modified": "2017-08-02T10:18:36.000Z",
"description": "On port 443 - Bateleur C&C",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '188.120.241.27' AND network-traffic:dst_port = '443']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-02T10:18:36Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"ip-dst|port\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5981a6cb-2cb8-409e-b3f3-419402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-02T10:18:36.000Z",
"modified": "2017-08-02T10:18:36.000Z",
"description": "On port 443 - Bateleur C&C",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '176.53.25.12' AND network-traffic:dst_port = '443']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-02T10:18:36Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"ip-dst|port\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5981a6cb-1504-45ba-be21-4cae02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-02T10:18:36.000Z",
"modified": "2017-08-02T10:18:36.000Z",
"description": "On port 443 - Bateleur C&C",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '5.200.53.61' AND network-traffic:dst_port = '443']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-02T10:18:36Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"ip-dst|port\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5981a6d9-b2b0-4845-8e31-2ef302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-02T10:18:36.000Z",
"modified": "2017-08-02T10:18:36.000Z",
"description": "FIN7 Password Stealer Module",
"pattern": "[file:hashes.SHA256 = '8c00afd815355a00c55036e5d18482f730d5e71a9f83fe23c7a1c0d9007ced5a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-02T10:18:36Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5981a6ed-02c8-41bb-9762-92f802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-02T10:18:36.000Z",
"modified": "2017-08-02T10:18:36.000Z",
"description": "Bateleur Document Droppers",
"pattern": "[file:hashes.SHA256 = 'cf86c7a92451dca1ebb76ebd3e469f3fa0d9b376487ee6d07ae57ab1b65a86f8']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-02T10:18:36Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5981a6ed-bb14-47ae-9a1f-92f802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-02T10:18:36.000Z",
"modified": "2017-08-02T10:18:36.000Z",
"description": "Bateleur Document Droppers",
"pattern": "[file:hashes.SHA256 = 'c91642c0a5a8781fff9fd400bff85b6715c96d8e17e2d2390c1771c683c7ead9']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-02T10:18:36Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5981a6fc-2ccc-460d-89ff-92bf02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-02T10:18:36.000Z",
"modified": "2017-08-02T10:18:36.000Z",
"description": "Bateleur Document Droppers - Xchecked via VT: c91642c0a5a8781fff9fd400bff85b6715c96d8e17e2d2390c1771c683c7ead9",
"pattern": "[file:hashes.SHA1 = 'e852f21b36a6700ba21a61b87f0e225040241309']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-02T10:18:36Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5981a6fc-1bd8-4ed5-b8b1-92bf02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-02T10:18:36.000Z",
"modified": "2017-08-02T10:18:36.000Z",
"description": "Bateleur Document Droppers - Xchecked via VT: c91642c0a5a8781fff9fd400bff85b6715c96d8e17e2d2390c1771c683c7ead9",
"pattern": "[file:hashes.MD5 = '467062d2a5a341716c42c6d7f36ba0ed']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-02T10:18:36Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5981a6fc-d200-4960-acff-92bf02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-02T10:18:36.000Z",
"modified": "2017-08-02T10:18:36.000Z",
"first_observed": "2017-08-02T10:18:36Z",
"last_observed": "2017-08-02T10:18:36Z",
"number_observed": 1,
"object_refs": [
"url--5981a6fc-d200-4960-acff-92bf02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5981a6fc-d200-4960-acff-92bf02de0b81",
"value": "https://www.virustotal.com/file/c91642c0a5a8781fff9fd400bff85b6715c96d8e17e2d2390c1771c683c7ead9/analysis/1501612940/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5981a6fc-cdb4-4d58-be72-92bf02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-02T10:18:36.000Z",
"modified": "2017-08-02T10:18:36.000Z",
"description": "Bateleur Document Droppers - Xchecked via VT: cf86c7a92451dca1ebb76ebd3e469f3fa0d9b376487ee6d07ae57ab1b65a86f8",
"pattern": "[file:hashes.SHA1 = '54fcccb8e4b62f7035f183831cd991851f88e4fc']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-02T10:18:36Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5981a6fc-0df0-4fa0-ad87-92bf02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-02T10:18:36.000Z",
"modified": "2017-08-02T10:18:36.000Z",
"description": "Bateleur Document Droppers - Xchecked via VT: cf86c7a92451dca1ebb76ebd3e469f3fa0d9b376487ee6d07ae57ab1b65a86f8",
"pattern": "[file:hashes.MD5 = '9b1af2d9c0c0687c70466385800b6847']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-02T10:18:36Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5981a6fc-a6fc-473b-8d4e-92bf02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-02T10:18:36.000Z",
"modified": "2017-08-02T10:18:36.000Z",
"first_observed": "2017-08-02T10:18:36Z",
"last_observed": "2017-08-02T10:18:36Z",
"number_observed": 1,
"object_refs": [
"url--5981a6fc-a6fc-473b-8d4e-92bf02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5981a6fc-a6fc-473b-8d4e-92bf02de0b81",
"value": "https://www.virustotal.com/file/cf86c7a92451dca1ebb76ebd3e469f3fa0d9b376487ee6d07ae57ab1b65a86f8/analysis/1501620271/"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}