misp-circl-feed/feeds/circl/misp/758d96ed-9dd4-4009-9270-65f2c3dd30cc.json

505 lines
16 KiB
JSON
Raw Normal View History

2023-04-21 13:25:09 +00:00
{
2023-12-14 14:30:15 +00:00
"Event": {
"analysis": "0",
"date": "2022-09-02",
"extends_uuid": "",
"info": "Buzzing in the Background: BumbleBee, a New Modular Backdoor Evolved From BookWorm",
"publish_timestamp": "1666603457",
"published": true,
"threat_level_id": "2",
"timestamp": "1666603410",
"uuid": "758d96ed-9dd4-4009-9270-65f2c3dd30cc",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#064b00",
"local": "0",
"name": "misp-galaxy:mitre-attack-pattern=\"Hijack Execution Flow - T1574\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": "0",
"name": "misp-galaxy:mitre-attack-pattern=\"Indicator Removal on Host - T1070\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": "0",
"name": "misp-galaxy:mitre-attack-pattern=\"Process Injection - T1055\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": "0",
"name": "misp-galaxy:mitre-attack-pattern=\"Execution Guardrails - T1480\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": "0",
"name": "misp-galaxy:mitre-attack-pattern=\"Boot or Logon Autostart Execution - T1547\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": "0",
"name": "misp-galaxy:mitre-attack-pattern=\"Boot or Logon Initialization Scripts - T1037\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": "0",
"name": "misp-galaxy:mitre-attack-pattern=\"Create or Modify System Process - T1543\"",
"relationship_type": ""
},
{
"colour": "#075900",
"local": "0",
"name": "misp-galaxy:mitre-attack-pattern=\"Keylogging - T1056.001\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": "0",
"name": "misp-galaxy:mitre-attack-pattern=\"Input Capture - T1417\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": "0",
"name": "misp-galaxy:mitre-attack-pattern=\"Input Capture - T1056\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": "0",
"name": "misp-galaxy:mitre-attack-pattern=\"Gather Victim Host Information - T1592\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": "0",
"name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": "0",
"name": "misp-galaxy:mitre-attack-pattern=\"Bypass User Access Control - T1548.002\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": "0",
"name": "misp-galaxy:mitre-attack-pattern=\"Proxy - T1090\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": "0",
"name": "misp-galaxy:mitre-attack-pattern=\"Symmetric Cryptography - T1573.001\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": "0",
"name": "misp-galaxy:mitre-attack-pattern=\"Malware - T1587.001\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": "0",
"name": "misp-galaxy:malpedia=\"BumbleBee\"",
"relationship_type": ""
},
{
"colour": "#004646",
"local": "0",
"name": "type:OSINT",
"relationship_type": ""
},
{
"colour": "#0071c3",
"local": "0",
"name": "osint:lifetime=\"perpetual\"",
"relationship_type": ""
},
{
"colour": "#0087e8",
"local": "0",
"name": "osint:certainty=\"50\"",
"relationship_type": ""
},
{
"colour": "#ffffff",
"local": "0",
"name": "tlp:white",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": "0",
"name": "misp-galaxy:tool=\"BumbleBee\"",
"relationship_type": ""
},
{
"colour": "#00b3b3",
"local": "0",
"name": "ecsirt:intrusions=\"backdoor\"",
"relationship_type": ""
},
{
"colour": "#00a9ce",
"local": "0",
"name": "veris:action:malware:variety=\"Backdoor\"",
"relationship_type": ""
},
{
"colour": "#2c0037",
"local": "0",
"name": "ms-caro-malware:malware-type=\"Backdoor\"",
"relationship_type": ""
},
{
"colour": "#001534",
"local": "0",
"name": "ms-caro-malware-full:malware-type=\"Backdoor\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": "0",
"name": "misp-galaxy:malpedia=\"Bookworm\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": "0",
"name": "misp-galaxy:tool=\"Bookworm\"",
"relationship_type": ""
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "Backdoor.Win32.BUMBLEB.ZTIC - ore",
"deleted": false,
"disable_correlation": false,
"timestamp": "1662729265",
"to_ids": true,
"type": "sha256",
"uuid": "35a4ef92-4ae2-4a9b-b23e-d03024f278a1",
"value": "eeca34fba68754e05e7307de61708e4ce74441754fcc6ae762148edf9e8e2ca0"
},
{
"category": "Payload delivery",
"comment": "Backdoor.Win32.BUMBLEB.ZTIC - bin",
"deleted": false,
"disable_correlation": false,
"timestamp": "1662729274",
"to_ids": true,
"type": "sha256",
"uuid": "5823caf2-1ab2-4c0d-a24e-de7edd58b23e",
"value": "6690b7ace461b60b7a72613c202d70f4684c8cdc5afbb4267c67b5fe5dbf828e"
},
{
"category": "Payload delivery",
"comment": "Backdoor.Win32.BUMBLEB.ZTIC - bin",
"deleted": false,
"disable_correlation": false,
"timestamp": "1662729281",
"to_ids": true,
"type": "sha256",
"uuid": "d56163b8-3f70-494a-8c03-b5cd66da7aca",
"value": "4ecde81a476f1e4622d192fe2f120f7c5c3ec58bf118b791d5532f3ff61c09ee"
},
{
"category": "Payload delivery",
"comment": "Backdoor.Win32.BUMBLEB.ZTIC - bin",
"deleted": false,
"disable_correlation": false,
"timestamp": "1662729289",
"to_ids": true,
"type": "sha256",
"uuid": "dba0f86f-314c-4aac-b08c-5b4d47e2a1da",
"value": "8ab8bb836b074e170c129b7f0523d256930fd1f8cf126ca1875b450fdb6c4c05"
},
{
"category": "Payload delivery",
"comment": "Backdoor.Win32.BUMBLEB.ZTIC - ore",
"deleted": false,
"disable_correlation": false,
"timestamp": "1662729293",
"to_ids": true,
"type": "sha256",
"uuid": "903429af-87ca-4865-ab0a-da4febe313e9",
"value": "515cb31b2c89df83ea6d54d5c0c3e4fe9a024319d9bd8fd76ad351860bd67ea3"
},
{
"category": "Payload delivery",
"comment": "Backdoor.Win32.BUMBLEB.ZTIC - bin",
"deleted": false,
"disable_correlation": false,
"timestamp": "1662729299",
"to_ids": true,
"type": "sha256",
"uuid": "01769315-d698-45fe-8388-4853f1f7a30d",
"value": "8e340746339614ca105a1873dad471188b24421648d080e37d52b87f4ced5e6d"
},
{
"category": "Network activity",
"comment": "C&C",
"deleted": false,
"disable_correlation": false,
"timestamp": "1662729805",
"to_ids": true,
"type": "url",
"uuid": "c9e05448-4911-489a-a310-2f6bd3b0c8f5",
"value": "http://www.synolo.ns01.biz:80/update"
},
{
"category": "Network activity",
"comment": "C&C",
"deleted": false,
"disable_correlation": false,
"timestamp": "1662729805",
"to_ids": true,
"type": "url",
"uuid": "5cb19648-900a-4363-ac92-f0dcef307ef1",
"value": "http://118.163.105.130:80/update"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1662963677",
"to_ids": true,
"type": "filename",
"uuid": "39fff771-4832-4181-abf2-1aadd9a9d815",
"value": "launcher.dll"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1662963677",
"to_ids": true,
"type": "filename",
"uuid": "f25b964c-9158-436e-8f77-86e949f4c5ac",
"value": "kernel.dll"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1662963677",
"to_ids": true,
"type": "filename",
"uuid": "6516e8c0-eb91-45f4-9436-cdce2e06e1ab",
"value": "installer.dll"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1662963677",
"to_ids": true,
"type": "filename",
"uuid": "79256a9e-de15-47c7-a361-eb7281617e36",
"value": "keylog.dll"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1662963677",
"to_ids": true,
"type": "filename",
"uuid": "11ac46b5-49f4-44cc-9eb4-edf82ec428da",
"value": "loader.dll"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1662963677",
"to_ids": true,
"type": "filename",
"uuid": "2f9eb12e-0e85-4498-aee6-e01f9855fe79",
"value": "slaver.dll"
}
],
"Object": [
{
"comment": "",
"deleted": false,
"description": "Metadata used to generate an executive level report",
"meta-category": "misc",
"name": "report",
"template_uuid": "70a68471-df22-4e3f-aa1a-5a3be19f82df",
"template_version": "7",
"timestamp": "1662708531",
"uuid": "a68b22f1-a68b-4866-b711-3e20fd9914b2",
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "link",
"timestamp": "1662708531",
"to_ids": false,
"type": "link",
"uuid": "56256c65-96f3-4ffc-b9d2-b2cd01e49cdc",
"value": "https://www.trendmicro.com/en_us/research/22/i/buzzing-in-the-background-bumblebee-a-new-modular-backdoor-evolv.html"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "summary",
"timestamp": "1662708531",
"to_ids": false,
"type": "text",
"uuid": "72c873ac-5a7e-4cde-a97f-7d6a1fe8d4e9",
"value": "\"In March 2021, we investigated a backdoor with a unique modular architecture. Its type of modular framework made our static analysis more challenging because it required us to first rebuild its structure or use dynamic analysis to understand its functionality and behavior.\""
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "type",
"timestamp": "1662708531",
"to_ids": false,
"type": "text",
"uuid": "72b488f3-fd16-46c6-a46e-787709228af3",
"value": "Report"
}
]
},
{
"comment": " Trojan.Win32.MULTICOM.ZTIC",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1662724249",
"uuid": "807f2024-9752-456a-be70-284533077af6",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1662724249",
"to_ids": true,
"type": "sha256",
"uuid": "57ac80d1-cca3-4457-8969-76874f9915b3",
"value": "f8809c6c56d2a0f8a08fe181614e6d9488eeb6983f044f2e6a8fa6a617ef2475"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "filename",
"timestamp": "1662724249",
"to_ids": true,
"type": "filename",
"uuid": "fe5af199-95c0-46c2-8459-97a88ec5efe8",
"value": "slaver.exe"
}
]
},
{
"comment": "Trojan.Win32.REGLOAD.ZTI",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1662724592",
"uuid": "01ffa6b4-4c4a-4e4d-848c-2e8834970353",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "filename",
"timestamp": "1662724592",
"to_ids": true,
"type": "filename",
"uuid": "6a41f248-8cc7-422e-8669-37ba4601bed7",
"value": "XecureIO_v20.dll"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1662724592",
"to_ids": true,
"type": "sha256",
"uuid": "66759a76-7557-4c81-8419-cd7e47ad7952",
"value": "3fc6c5df4a04d555d5cbf2ca53bed7769b5595fc6143a2599097cb6193ef8810"
}
]
},
{
"comment": "Trojan.Win32.REGLOAD.ZTI",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1662724615",
"uuid": "788f4f53-7c1e-4528-9315-17e4af67cae6",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1662724615",
"to_ids": true,
"type": "sha256",
"uuid": "8ea49814-7e60-42bf-a3ec-b273de5751ea",
"value": "ea5db8d658f42acad38106cbc46eea5944607eb709fb00f8adb501d4779fbea0"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "filename",
"timestamp": "1662724615",
"to_ids": true,
"type": "filename",
"uuid": "2772b523-c1a8-436a-8ccf-ddac54976d6a",
"value": "XecureIO_v20.dll"
}
]
}
2023-04-21 13:25:09 +00:00
]
2023-12-14 14:30:15 +00:00
}
2023-04-21 13:25:09 +00:00
}