293 lines
13 KiB
JSON
293 lines
13 KiB
JSON
|
{
|
||
|
"type": "bundle",
|
||
|
"id": "bundle--59b63beb-1a3c-4144-83e6-167c950d210f",
|
||
|
"objects": [
|
||
|
{
|
||
|
"type": "identity",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-09-11T12:02:22.000Z",
|
||
|
"modified": "2017-09-11T12:02:22.000Z",
|
||
|
"name": "CIRCL",
|
||
|
"identity_class": "organization"
|
||
|
},
|
||
|
{
|
||
|
"type": "report",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "report--59b63beb-1a3c-4144-83e6-167c950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-09-11T12:02:22.000Z",
|
||
|
"modified": "2017-09-11T12:02:22.000Z",
|
||
|
"name": "OSINT - Malware Group Uses Facebook CDN to Bypass Security Solutions",
|
||
|
"published": "2017-09-11T12:02:30Z",
|
||
|
"object_refs": [
|
||
|
"observed-data--59b63c17-c4a8-4c4a-83a5-1296950d210f",
|
||
|
"url--59b63c17-c4a8-4c4a-83a5-1296950d210f",
|
||
|
"x-misp-attribute--59b63c2c-7a44-43a1-8797-1296950d210f",
|
||
|
"indicator--59b63c59-a770-4b90-864e-0a3c950d210f",
|
||
|
"indicator--59b63c5a-8618-4ae7-9c82-0a3c950d210f",
|
||
|
"indicator--59b67b31-5df0-417a-9938-488102de0b81",
|
||
|
"indicator--59b67b31-3d54-44dc-ae09-449e02de0b81",
|
||
|
"observed-data--59b67b31-b4d0-4cc5-8dbc-4c5d02de0b81",
|
||
|
"url--59b67b31-b4d0-4cc5-8dbc-4c5d02de0b81",
|
||
|
"indicator--59b67b31-f150-4f96-8768-478b02de0b81",
|
||
|
"indicator--59b67b31-6ac0-4ccf-9e6a-4a9c02de0b81",
|
||
|
"observed-data--59b67b31-8b04-4d3d-870b-434202de0b81",
|
||
|
"url--59b67b31-8b04-4d3d-870b-434202de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"Threat-Report",
|
||
|
"misp:tool=\"MISP-STIX-Converter\"",
|
||
|
"type:OSINT",
|
||
|
"osint:source-type=\"blog-post\""
|
||
|
],
|
||
|
"object_marking_refs": [
|
||
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--59b63c17-c4a8-4c4a-83a5-1296950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-09-11T12:01:53.000Z",
|
||
|
"modified": "2017-09-11T12:01:53.000Z",
|
||
|
"first_observed": "2017-09-11T12:01:53Z",
|
||
|
"last_observed": "2017-09-11T12:01:53Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--59b63c17-c4a8-4c4a-83a5-1296950d210f"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\"",
|
||
|
"osint:source-type=\"blog-post\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--59b63c17-c4a8-4c4a-83a5-1296950d210f",
|
||
|
"value": "https://www.bleepingcomputer.com/news/security/malware-group-uses-facebook-cdn-to-bypass-security-solutions/"
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--59b63c2c-7a44-43a1-8797-1296950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-09-11T12:01:53.000Z",
|
||
|
"modified": "2017-09-11T12:01:53.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"comment\"",
|
||
|
"misp:category=\"External analysis\"",
|
||
|
"osint:source-type=\"blog-post\""
|
||
|
],
|
||
|
"x_misp_category": "External analysis",
|
||
|
"x_misp_type": "comment",
|
||
|
"x_misp_value": "A malware group is using Facebook's CDN servers to store malicious files that it later uses to infect users with banking trojans.\r\n\r\nResearchers spotted several campaigns using Facebook's CDN servers in the last two weeks, and previously, the same group also used Dropbox and Google's cloud storage services to store the same malicious payloads.\r\n\r\nThe previous attacks that used Google and Dropbox URLs were documented by Palo Alto's Brad Duncan in a July write-up, and are almost identical to the ones detected last week by security researcher MalwareHunter.\r\n\r\nThe group uses Facebook's CDN because the domain is trusted by most security solutions and there are low chances of having it blocked, compared to hosting malware on domains rarely active inside a business network."
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--59b63c59-a770-4b90-864e-0a3c950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-09-11T12:01:53.000Z",
|
||
|
"modified": "2017-09-11T12:01:53.000Z",
|
||
|
"description": "RAR file",
|
||
|
"pattern": "[file:hashes.SHA256 = '1faa46ba708e3405e7053cde872c65cc7a7d7fbf6411374eb6e977f20c160e16']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-09-11T12:01:53Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--59b63c5a-8618-4ae7-9c82-0a3c950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-09-11T12:01:53.000Z",
|
||
|
"modified": "2017-09-11T12:01:53.000Z",
|
||
|
"description": "DLL file",
|
||
|
"pattern": "[file:hashes.SHA256 = '41e463cd5d4cf20d02bb7cd23b70465480d1cd5cd3c9f8653e9f93b3a85124d8']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-09-11T12:01:53Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--59b67b31-5df0-417a-9938-488102de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-09-11T12:01:53.000Z",
|
||
|
"modified": "2017-09-11T12:01:53.000Z",
|
||
|
"description": "DLL file - Xchecked via VT: 41e463cd5d4cf20d02bb7cd23b70465480d1cd5cd3c9f8653e9f93b3a85124d8",
|
||
|
"pattern": "[file:hashes.SHA1 = '707efd3835860caea7352e004db553dbbc90525e']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-09-11T12:01:53Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--59b67b31-3d54-44dc-ae09-449e02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-09-11T12:01:53.000Z",
|
||
|
"modified": "2017-09-11T12:01:53.000Z",
|
||
|
"description": "DLL file - Xchecked via VT: 41e463cd5d4cf20d02bb7cd23b70465480d1cd5cd3c9f8653e9f93b3a85124d8",
|
||
|
"pattern": "[file:hashes.MD5 = '4225931e8ed5c37141695601ea99ecbd']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-09-11T12:01:53Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--59b67b31-b4d0-4cc5-8dbc-4c5d02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-09-11T12:01:53.000Z",
|
||
|
"modified": "2017-09-11T12:01:53.000Z",
|
||
|
"first_observed": "2017-09-11T12:01:53Z",
|
||
|
"last_observed": "2017-09-11T12:01:53Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--59b67b31-b4d0-4cc5-8dbc-4c5d02de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--59b67b31-b4d0-4cc5-8dbc-4c5d02de0b81",
|
||
|
"value": "https://www.virustotal.com/file/41e463cd5d4cf20d02bb7cd23b70465480d1cd5cd3c9f8653e9f93b3a85124d8/analysis/1505098449/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--59b67b31-f150-4f96-8768-478b02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-09-11T12:01:53.000Z",
|
||
|
"modified": "2017-09-11T12:01:53.000Z",
|
||
|
"description": "RAR file - Xchecked via VT: 1faa46ba708e3405e7053cde872c65cc7a7d7fbf6411374eb6e977f20c160e16",
|
||
|
"pattern": "[file:hashes.SHA1 = '36167a3b63ee240ca7d9f303ec4ce6dc88ff9b4f']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-09-11T12:01:53Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--59b67b31-6ac0-4ccf-9e6a-4a9c02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-09-11T12:01:53.000Z",
|
||
|
"modified": "2017-09-11T12:01:53.000Z",
|
||
|
"description": "RAR file - Xchecked via VT: 1faa46ba708e3405e7053cde872c65cc7a7d7fbf6411374eb6e977f20c160e16",
|
||
|
"pattern": "[file:hashes.MD5 = 'abb6eccc1b435497d04ed17b6ab6863e']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-09-11T12:01:53Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--59b67b31-8b04-4d3d-870b-434202de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-09-11T12:01:53.000Z",
|
||
|
"modified": "2017-09-11T12:01:53.000Z",
|
||
|
"first_observed": "2017-09-11T12:01:53Z",
|
||
|
"last_observed": "2017-09-11T12:01:53Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--59b67b31-8b04-4d3d-870b-434202de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--59b67b31-8b04-4d3d-870b-434202de0b81",
|
||
|
"value": "https://www.virustotal.com/file/1faa46ba708e3405e7053cde872c65cc7a7d7fbf6411374eb6e977f20c160e16/analysis/1505098357/"
|
||
|
},
|
||
|
{
|
||
|
"type": "marking-definition",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
||
|
"created": "2017-01-20T00:00:00.000Z",
|
||
|
"definition_type": "tlp",
|
||
|
"name": "TLP:WHITE",
|
||
|
"definition": {
|
||
|
"tlp": "white"
|
||
|
}
|
||
|
}
|
||
|
]
|
||
|
}
|