{
"Event" : {
"analysis" : "2" ,
"date" : "2017-05-04" ,
"extends_uuid" : "" ,
"info" : "OSINT - A Mole exposing itself to sunlight Snake: Coming soon in Mac OS X flavour" ,
"publish_timestamp" : "1493900856" ,
"published" : true ,
"threat_level_id" : "2" ,
"timestamp" : "1493900587" ,
"uuid" : "590b172d-c8f4-4cdd-88cf-4443950d210f" ,
"Orgc" : {
"name" : "CIRCL" ,
"uuid" : "55f6ea5e-2c60-40e5-964f-47a8950d210f"
} ,
"Tag" : [
{
"colour" : "#ffffff" ,
"local" : "0" ,
"name" : "tlp:white" ,
"relationship_type" : ""
} ,
{
"colour" : "#00223b" ,
"local" : "0" ,
"name" : "osint:source-type=\"blog-post\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#065100" ,
"local" : "0" ,
"name" : "misp-galaxy:tool=\"Turla\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#12e000" ,
"local" : "0" ,
"name" : "misp-galaxy:threat-actor=\"Sofacy\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#12e100" ,
"local" : "0" ,
"name" : "misp-galaxy:threat-actor=\"APT 29\"" ,
"relationship_type" : ""
}
] ,
"Attribute" : [
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1493900360" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "590b1743-24d0-48ab-92ea-e282950d210f" ,
"value" : "Snake, also known as Turla, Uroburos and Agent.BTZ, is a relatively complex malware framework used for targeted attacks1.\r\n\r\nOver the past year Fox-IT has been involved in multiple incident response cases where the Snake framework was used to steal sensitive information. Targets include government institutions, military and large corporates.\r\n\r\nResearchers who have previously analyzed compromises where Snake was used have attributed the attacks to Russia2. Compared to other prolific attackers with alleged ties to Russia, such as APT28 (Fancy Bear) and APT29 (Cozy Bear), Snake\u2019s code is significantly more sophisticated, it\u2019s infrastructure more complex and targets more carefully selected.\r\n\r\nThe framework has traditionally focused on the Windows operating system, but in 2014 the first Linux variant was observed3.\r\n\r\nNow, Fox-IT has identified a version of Snake targeting Mac OS X.\r\nAs this version contains debug functionalities and was signed on February 21st, 2017 it is likely that the OS X version of Snake is not yet operational.\r\nFox-IT expects that the attackers using Snake will soon use the Mac OS X variant on targets." ,
"Tag" : [
{
"colour" : "#00223b" ,
"local" : "0" ,
"name" : "osint:source-type=\"blog-post\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#075200" ,
"local" : "0" ,
"name" : "admiralty-scale:source-reliability=\"b\"" ,
"relationship_type" : ""
}
]
} ,
{
"category" : "Network activity" ,
"comment" : "Snake's queue file for HTTP network transport" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1493900360" ,
"to_ids" : true ,
"type" : "hostname" ,
"uuid" : "590b18c3-9540-41ff-942d-418e950d210f" ,
"value" : "car-service.effers.com"
} ,
{
"category" : "Network activity" ,
"comment" : "Snake's queue file for HTTP network transport - IP is a VSAT terminal" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1493900360" ,
"to_ids" : true ,
"type" : "ip-dst" ,
"uuid" : "590b18e3-d598-4f8b-b9a9-6ef6950d210f" ,
"value" : "83.229.87.11"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1493900360" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "590b18f9-5084-42d9-9442-47b2950d210f" ,
"value" : "https://blog.fox-it.com/2017/05/03/snake-coming-soon-in-mac-os-x-flavour/" ,
"Tag" : [
{
"colour" : "#00223b" ,
"local" : "0" ,
"name" : "osint:source-type=\"blog-post\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#075200" ,
"local" : "0" ,
"name" : "admiralty-scale:source-reliability=\"b\"" ,
"relationship_type" : ""
}
]
} ,
{
"category" : "Payload delivery" ,
"comment" : "Install Adobe Flash Player.app.z" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1493900360" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "590b1c30-9a6c-4bca-a653-4b78950d210f" ,
"value" : "b8ee4556dc09b28826359b98343a4e00680971a6f8c6602747bd5d723d26eaea"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Install" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1493900360" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "590b1c31-c584-46e0-89f5-410d950d210f" ,
"value" : "5b7792a16c6b7978fca389882c6aeeb2c792352076bf6a064e7b8b90eace8060"
} ,
{
"category" : "Payload delivery" ,
"comment" : "install.sh" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1493900360" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "590b1c31-1628-4a48-b9ec-41d4950d210f" ,
"value" : "0a77f1b59c829a83d91a12c871fbd30c5c9d04b455f497e0c231cd21104bfea9"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Install Adobe Flash Player" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1493900360" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "590b1c31-b458-4d31-aeef-4c87950d210f" ,
"value" : "7848f7808af02ba0466f3a0687cf949c4d29a2d94b035481a3299ec519aaaa30"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Installdp" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1493900360" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "590b1c32-8a78-4f06-8b2b-4182950d210f" ,
"value" : "d5ea79632a1a67abbf9fb1c2813b899c90a5fb9442966ed4f530e92715087ee2"
} ,
{
"category" : "Payload delivery" ,
"comment" : "com.adobe.update" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1493900360" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "590b1c32-e7ec-4f52-b5aa-4fcd950d210f" ,
"value" : "b6df610aa5c1254c3af5b2ff806562c4937704e4ac248577cdcd3e7e7b3578a0"
} ,
{
"category" : "Payload delivery" ,
"comment" : "installd.sh" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1493900360" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "590b1c33-5974-4719-bfc3-488c950d210f" ,
"value" : "6e207a375782e3c9d86a3e426cfa38eddcf4898b3556abc75889f7e01cc49506"
} ,
{
"category" : "Payload delivery" ,
"comment" : "queue" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1493900360" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "590b1c33-4714-4c82-a97a-4e3c950d210f" ,
"value" : "92721d719b8085748fb66366d202457f6d38bfa108a2ecda71eee7e68f43a387"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Installdp - Xchecked via VT: d5ea79632a1a67abbf9fb1c2813b899c90a5fb9442966ed4f530e92715087ee2" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1493900366" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "590b1c4e-c6a8-4aeb-a6d5-e28202de0b81" ,
"value" : "0a0ae94f92a50937d920bf02dd26b477c840a915"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Installdp - Xchecked via VT: d5ea79632a1a67abbf9fb1c2813b899c90a5fb9442966ed4f530e92715087ee2" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1493900366" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "590b1c4e-83b4-4d78-a4b9-e28202de0b81" ,
"value" : "000e4225f382f9eee675dcaf3cbf9c7e"
} ,
{
"category" : "External analysis" ,
"comment" : "Installdp - Xchecked via VT: d5ea79632a1a67abbf9fb1c2813b899c90a5fb9442966ed4f530e92715087ee2" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1493900366" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "590b1c4e-8478-434c-bac9-e28202de0b81" ,
"value" : "https://www.virustotal.com/file/d5ea79632a1a67abbf9fb1c2813b899c90a5fb9442966ed4f530e92715087ee2/analysis/1493893902/"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Install Adobe Flash Player - Xchecked via VT: 7848f7808af02ba0466f3a0687cf949c4d29a2d94b035481a3299ec519aaaa30" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1493900367" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "590b1c4f-d128-4fb9-8eff-e28202de0b81" ,
"value" : "d972e12685591b71432faaf70c71ced4b6e522a0"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Install Adobe Flash Player - Xchecked via VT: 7848f7808af02ba0466f3a0687cf949c4d29a2d94b035481a3299ec519aaaa30" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1493900367" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "590b1c4f-07b0-49f5-9bdd-e28202de0b81" ,
"value" : "3a5fc199189cf39ec58ec6fb2c3c7d93"
} ,
{
"category" : "External analysis" ,
"comment" : "Install Adobe Flash Player - Xchecked via VT: 7848f7808af02ba0466f3a0687cf949c4d29a2d94b035481a3299ec519aaaa30" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1493900368" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "590b1c50-89b8-41ae-b787-e28202de0b81" ,
"value" : "https://www.virustotal.com/file/7848f7808af02ba0466f3a0687cf949c4d29a2d94b035481a3299ec519aaaa30/analysis/1493898305/"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Install - Xchecked via VT: 5b7792a16c6b7978fca389882c6aeeb2c792352076bf6a064e7b8b90eace8060" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1493900368" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "590b1c50-2940-474f-b5b6-e28202de0b81" ,
"value" : "a201f1760ca4f99dff682a4e5c656f149f5d8e7c"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Install - Xchecked via VT: 5b7792a16c6b7978fca389882c6aeeb2c792352076bf6a064e7b8b90eace8060" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1493900369" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "590b1c51-7b20-480a-acb0-e28202de0b81" ,
"value" : "6c74ff2cc39b5362ee5dec576ece211b"
} ,
{
"category" : "External analysis" ,
"comment" : "Install - Xchecked via VT: 5b7792a16c6b7978fca389882c6aeeb2c792352076bf6a064e7b8b90eace8060" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1493900369" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "590b1c51-7cf0-4bf1-9050-e28202de0b81" ,
"value" : "https://www.virustotal.com/file/5b7792a16c6b7978fca389882c6aeeb2c792352076bf6a064e7b8b90eace8060/analysis/1493887382/"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Install Adobe Flash Player.app.z - Xchecked via VT: b8ee4556dc09b28826359b98343a4e00680971a6f8c6602747bd5d723d26eaea" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1493900369" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "590b1c51-1d1c-4e16-bd8d-e28202de0b81" ,
"value" : "d20482372f9e63a54854d639cc79d0b65bc8382b"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Install Adobe Flash Player.app.z - Xchecked via VT: b8ee4556dc09b28826359b98343a4e00680971a6f8c6602747bd5d723d26eaea" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1493900370" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "590b1c52-1b0c-4fdb-8799-e28202de0b81" ,
"value" : "77b4ffe73491d534946d010bfca138f7"
} ,
{
"category" : "External analysis" ,
"comment" : "Install Adobe Flash Player.app.z - Xchecked via VT: b8ee4556dc09b28826359b98343a4e00680971a6f8c6602747bd5d723d26eaea" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1493900370" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "590b1c52-ef70-4760-86a2-e28202de0b81" ,
"value" : "https://www.virustotal.com/file/b8ee4556dc09b28826359b98343a4e00680971a6f8c6602747bd5d723d26eaea/analysis/1493880806/"
}
]
}
}