{
"Event": {
"analysis": "2",
"date": "2017-08-17",
"extends_uuid": "",
"info": "OSINT - Turla APT actor refreshes KopiLuwak JavaScript backdoor for use in G20-themed attack",
"publish_timestamp": "1503394300",
"published": true,
"threat_level_id": "2",
"timestamp": "1503394295",
"uuid": "599aa9ab-dd20-4ae1-a3fa-41b5950d210f",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-intrusion-set=\"Turla\""
},
{
"colour": "#12e200",
"name": "misp-galaxy:threat-actor=\"Turla Group\""
},
{
"colour": "#065000",
"name": "misp-galaxy:tool=\"Wipbot\""
},
{
"colour": "#ffffff",
"name": "tlp:white"
},
{
"colour": "#00223b",
"name": "osint:source-type=\"blog-post\""
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1503394208",
"to_ids": false,
"type": "link",
"uuid": "599aa9c0-4c78-432c-ac89-4f21950d210f",
"value": "https://www.proofpoint.com/us/threat-insight/post/turla-apt-actor-refreshes-kopiluwak-javascript-backdoor-use-g20-themed-attack",
"Tag": [
{
"colour": "#00223b",
"name": "osint:source-type=\"blog-post\""
}
]
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1503394208",
"to_ids": false,
"type": "comment",
"uuid": "599aa9df-3868-455a-9eee-4a7b950d210f",
"value": "Proofpoint researchers have observed a well-known Russian-speaking APT actor usually referred to as Turla using a new .NET/MSIL dropper for an existing backdoor called JS/KopiLuwak. The backdoor has been analyzed previously and is a robust tool associated with this group, likely being used as an early stage reconnaissance tool.",
"Tag": [
{
"colour": "#00223b",
"name": "osint:source-type=\"blog-post\""
}
]
},
{
"category": "Payload delivery",
"comment": "KopiLuwak MSIL Dropper",
"deleted": false,
"disable_correlation": false,
"timestamp": "1503394208",
"to_ids": true,
"type": "sha256",
"uuid": "599aac56-ee78-4833-b3ec-4d57950d210f",
"value": "7481e87023604e7534d02339540ddd9565273dd51c13d7677b9b4c9623f0440b"
},
{
"category": "Payload delivery",
"comment": "KopiLuwak JS Dropper",
"deleted": false,
"disable_correlation": false,
"timestamp": "1503394208",
"to_ids": true,
"type": "filename|sha256",
"uuid": "599aac8c-01b4-479f-923a-4be1950d210f",
"value": "Scr.js|1c76a66a670a6f69b4fea25ca0ba4885eca9e1b85a2afbab61da3b4a6d52ae19"
},
{
"category": "Payload delivery",
"comment": "KopiLuwak JavaScript Decryptor",
"deleted": false,
"disable_correlation": false,
"timestamp": "1503394208",
"to_ids": true,
"type": "filename|sha256",
"uuid": "599aacef-46f4-4c27-9ff5-4761950d210f",
"value": "appidpolicyconverter.js|5698c92fb8fe7ded0ff940c75979f44734650e4f2c852bdb4cbc9d46e7993185"
},
{
"category": "Payload delivery",
"comment": "Benign PDF Decoy",
"deleted": false,
"disable_correlation": false,
"timestamp": "1503394208",
"to_ids": true,
"type": "filename|sha256",
"uuid": "599aacf0-2780-49c1-bec8-4cbc950d210f",
"value": "Save the Date G20 Digital Economy Taskforce 23 24 October.pdf|c978da455018a73ddbc9e1d2bf8c208ad3ec2e622850f68ef6b0aae939e5d2ab"
},
{
"category": "Network activity",
"comment": "KopiLuwak C&C",
"deleted": false,
"disable_correlation": false,
"timestamp": "1503394208",
"to_ids": true,
"type": "url",
"uuid": "599aad87-131c-4268-96da-41fa950d210f",
"value": "http://www.huluwa.uk/wp-content/plugins/woocommerce/includes/class-wc-log.php"
},
{
"category": "Network activity",
"comment": "KopiLuwak C&C",
"deleted": false,
"disable_correlation": false,
"timestamp": "1503394208",
"to_ids": true,
"type": "url",
"uuid": "599aad88-4574-4084-8bd7-4acf950d210f",
"value": "http://tresor-rare.com.hk/wp-content/plugins/wordpress-seo/vendor/xrstf/composer-php52/lib/xrstf/Composer52/LogsLoader.php"
},
{
"category": "Antivirus detection",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1503394208",
"to_ids": false,
"type": "text",
"uuid": "599aafff-d180-48ea-904c-4684950d210f",
"value": "TROJAN Turla JS/KopiLuwak"
},
{
"category": "Payload delivery",
"comment": "KopiLuwak JavaScript Decryptor - Xchecked via VT: 5698c92fb8fe7ded0ff940c75979f44734650e4f2c852bdb4cbc9d46e7993185",
"deleted": false,
"disable_correlation": false,
"timestamp": "1503394208",
"to_ids": true,
"type": "sha1",
"uuid": "599abd3f-ac00-44a8-8cd2-139402de0b81",
"value": "efb9015be0497bdf6183383ff677fc8474ac69ce"
},
{
"category": "Payload delivery",
"comment": "KopiLuwak JavaScript Decryptor - Xchecked via VT: 5698c92fb8fe7ded0ff940c75979f44734650e4f2c852bdb4cbc9d46e7993185",
"deleted": false,
"disable_correlation": false,
"timestamp": "1503394208",
"to_ids": true,
"type": "md5",
"uuid": "599abd3f-f9c0-49c7-ba81-139402de0b81",
"value": "df1b4f63c1adb9abfe04e0247956ce66"
},
{
"category": "External analysis",
"comment": "KopiLuwak JavaScript Decryptor - Xchecked via VT: 5698c92fb8fe7ded0ff940c75979f44734650e4f2c852bdb4cbc9d46e7993185",
"deleted": false,
"disable_correlation": false,
"timestamp": "1503394208",
"to_ids": false,
"type": "link",
"uuid": "599abd3f-c0fc-4747-97da-139402de0b81",
"value": "https://www.virustotal.com/file/5698c92fb8fe7ded0ff940c75979f44734650e4f2c852bdb4cbc9d46e7993185/analysis/1503295126/"
},
{
"category": "Payload delivery",
"comment": "KopiLuwak JS Dropper - Xchecked via VT: 1c76a66a670a6f69b4fea25ca0ba4885eca9e1b85a2afbab61da3b4a6d52ae19",
"deleted": false,
"disable_correlation": false,
"timestamp": "1503394208",
"to_ids": true,
"type": "sha1",
"uuid": "599abd3f-b3d4-4d9d-8f76-139402de0b81",
"value": "9d7d559ee19321b07785956f8118d96a9ee47fc1"
},
{
"category": "Payload delivery",
"comment": "KopiLuwak JS Dropper - Xchecked via VT: 1c76a66a670a6f69b4fea25ca0ba4885eca9e1b85a2afbab61da3b4a6d52ae19",
"deleted": false,
"disable_correlation": false,
"timestamp": "1503394208",
"to_ids": true,
"type": "md5",
"uuid": "599abd3f-b4e0-4d85-94b9-139402de0b81",
"value": "b318af64676a879dc50b491beccfa951"
},
{
"category": "External analysis",
"comment": "KopiLuwak JS Dropper - Xchecked via VT: 1c76a66a670a6f69b4fea25ca0ba4885eca9e1b85a2afbab61da3b4a6d52ae19",
"deleted": false,
"disable_correlation": false,
"timestamp": "1503394208",
"to_ids": false,
"type": "link",
"uuid": "599abd3f-25a4-405b-ad1b-139402de0b81",
"value": "https://www.virustotal.com/file/1c76a66a670a6f69b4fea25ca0ba4885eca9e1b85a2afbab61da3b4a6d52ae19/analysis/1503311389/"
},
{
"category": "Payload delivery",
"comment": "KopiLuwak MSIL Dropper - Xchecked via VT: 7481e87023604e7534d02339540ddd9565273dd51c13d7677b9b4c9623f0440b",
"deleted": false,
"disable_correlation": false,
"timestamp": "1503394208",
"to_ids": true,
"type": "sha1",
"uuid": "599abd3f-dcb8-4039-83a5-139402de0b81",
"value": "5730e117b1efddc9a438a8bf603ff8b17736453e"
},
{
"category": "Payload delivery",
"comment": "KopiLuwak MSIL Dropper - Xchecked via VT: 7481e87023604e7534d02339540ddd9565273dd51c13d7677b9b4c9623f0440b",
"deleted": false,
"disable_correlation": false,
"timestamp": "1503394208",
"to_ids": true,
"type": "md5",
"uuid": "599abd3f-428c-4a08-9f90-139402de0b81",
"value": "7c378d78b7a89aef27e8a3c5066b8511"
},
{
"category": "External analysis",
"comment": "KopiLuwak MSIL Dropper - Xchecked via VT: 7481e87023604e7534d02339540ddd9565273dd51c13d7677b9b4c9623f0440b",
"deleted": false,
"disable_correlation": false,
"timestamp": "1503394208",
"to_ids": false,
"type": "link",
"uuid": "599abd3f-cfd4-4eab-9f1d-139402de0b81",
"value": "https://www.virustotal.com/file/7481e87023604e7534d02339540ddd9565273dd51c13d7677b9b4c9623f0440b/analysis/1503304107/"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1503394208",
"to_ids": true,
"type": "filename",
"uuid": "599abf2f-85a0-40a4-aa4c-4a59950d210f",
"value": "Runer.exe"
},
{
"category": "External analysis",
"comment": "KopiLuwak MSIL Dropper - Xchecked via VT: 7481e87023604e7534d02339540ddd9565273dd51c13d7677b9b4c9623f0440b",
"deleted": false,
"disable_correlation": false,
"timestamp": "1503394209",
"to_ids": false,
"type": "link",
"uuid": "599bf9a1-bf10-4175-a56c-4d7c02de0b81",
"value": "https://www.virustotal.com/file/7481e87023604e7534d02339540ddd9565273dd51c13d7677b9b4c9623f0440b/analysis/1503382271/"
}
]
}
}