398 lines
17 KiB
JSON
398 lines
17 KiB
JSON
|
{
|
||
|
"type": "bundle",
|
||
|
"id": "bundle--5d832d9f-1508-4fdf-979b-4edf950d210f",
|
||
|
"objects": [
|
||
|
{
|
||
|
"type": "identity",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-09-20T13:32:46.000Z",
|
||
|
"modified": "2019-09-20T13:32:46.000Z",
|
||
|
"name": "CIRCL",
|
||
|
"identity_class": "organization"
|
||
|
},
|
||
|
{
|
||
|
"type": "grouping",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "grouping--5d832d9f-1508-4fdf-979b-4edf950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-09-20T13:32:46.000Z",
|
||
|
"modified": "2019-09-20T13:32:46.000Z",
|
||
|
"name": "OSINT - Tortoiseshell Group Targets IT Providers in Saudi Arabia in Probable Supply Chain Attacks",
|
||
|
"context": "suspicious-activity",
|
||
|
"object_refs": [
|
||
|
"observed-data--5d832dc2-67e4-4561-84eb-42b1950d210f",
|
||
|
"url--5d832dc2-67e4-4561-84eb-42b1950d210f",
|
||
|
"x-misp-attribute--5d832de7-7b14-4ee6-9ac2-4471950d210f",
|
||
|
"observed-data--5d84c794-428c-41c9-b743-4270950d210f",
|
||
|
"windows-registry-key--5d84c794-428c-41c9-b743-4270950d210f",
|
||
|
"observed-data--5d84c79b-4ac8-4fd1-b315-4082950d210f",
|
||
|
"windows-registry-key--5d84c79b-4ac8-4fd1-b315-4082950d210f",
|
||
|
"indicator--5d84c9ca-1130-43f5-8418-42c6950d210f",
|
||
|
"indicator--5d84c9ca-62cc-4f84-819a-49d7950d210f",
|
||
|
"indicator--5d84c9ca-1bb8-4553-b847-4da7950d210f",
|
||
|
"indicator--5d84d3a3-66b8-4242-9876-4fb9950d210f",
|
||
|
"indicator--5d84d3a3-5158-4760-955b-49e0950d210f",
|
||
|
"indicator--5d84c63f-ad44-40aa-85f6-41fa950d210f",
|
||
|
"indicator--5d84ca7f-8904-4b83-aa2d-4efd950d210f",
|
||
|
"indicator--5d84d359-b914-4b54-8a37-42cb950d210f",
|
||
|
"indicator--5d84d370-6c2c-4918-80bd-4a01950d210f",
|
||
|
"indicator--5d84d38e-6880-4ffc-b9d8-4ae3950d210f"
|
||
|
],
|
||
|
"labels": [
|
||
|
"Threat-Report",
|
||
|
"misp:tool=\"MISP-STIX-Converter\"",
|
||
|
"misp-galaxy:malpedia=\"OilRig\"",
|
||
|
"misp-galaxy:mitre-enterprise-attack-intrusion-set=\"OilRig\"",
|
||
|
"misp-galaxy:mitre-enterprise-attack-intrusion-set=\"OilRig - G0049\"",
|
||
|
"misp-galaxy:mitre-intrusion-set=\"OilRig\"",
|
||
|
"misp-galaxy:mitre-intrusion-set=\"OilRig - G0049\"",
|
||
|
"misp-galaxy:threat-actor=\"CHRYSENE\"",
|
||
|
"misp-galaxy:threat-actor=\"OilRig\"",
|
||
|
"misp-galaxy:mitre-enterprise-attack-intrusion-set=\"APT34\"",
|
||
|
"misp-galaxy:threat-actor=\"APT34\"",
|
||
|
"workflow:todo=\"add-missing-misp-galaxy-cluster-values\"",
|
||
|
"workflow:todo=\"expansion\"",
|
||
|
"type:OSINT",
|
||
|
"osint:lifetime=\"perpetual\"",
|
||
|
"osint:certainty=\"50\""
|
||
|
],
|
||
|
"object_marking_refs": [
|
||
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--5d832dc2-67e4-4561-84eb-42b1950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-09-19T07:26:58.000Z",
|
||
|
"modified": "2019-09-19T07:26:58.000Z",
|
||
|
"first_observed": "2019-09-19T07:26:58Z",
|
||
|
"last_observed": "2019-09-19T07:26:58Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--5d832dc2-67e4-4561-84eb-42b1950d210f"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--5d832dc2-67e4-4561-84eb-42b1950d210f",
|
||
|
"value": "https://www.symantec.com/blogs/threat-intelligence/tortoiseshell-apt-supply-chain"
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--5d832de7-7b14-4ee6-9ac2-4471950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-09-19T07:27:35.000Z",
|
||
|
"modified": "2019-09-19T07:27:35.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"text\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
],
|
||
|
"x_misp_category": "External analysis",
|
||
|
"x_misp_type": "text",
|
||
|
"x_misp_value": "Previously undocumented group hits IT providers in the Middle East.\r\n\r\nA previously undocumented attack group is using both custom and off-the-shelf malware to target IT providers in Saudi Arabia in what appear to be supply chain attacks with the end goal of compromising the IT providers\u2019 customers.\r\n\r\nThe group, which we are calling Tortoiseshell, has been active since at least July 2018. Symantec has identified a total of 11 organizations hit by the group, the majority of which are based in Saudi Arabia. In at least two organizations, evidence suggests that the attackers gained domain admin-level access.\r\n\r\nAnother notable element of this attack is that, on two of the compromised networks, several hundred computers were infected with malware. This is an unusually large number of computers to be compromised in a targeted attack. It is possible that the attackers were forced to infect many machines before finding those that were of most interest to them.\r\n\r\nWe have seen Tortoiseshell activity as recently as July 2019."
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--5d84c794-428c-41c9-b743-4270950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-09-20T12:35:32.000Z",
|
||
|
"modified": "2019-09-20T12:35:32.000Z",
|
||
|
"first_observed": "2019-09-20T12:35:32Z",
|
||
|
"last_observed": "2019-09-20T12:35:32Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"windows-registry-key--5d84c794-428c-41c9-b743-4270950d210f"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"regkey\"",
|
||
|
"misp:category=\"Persistence mechanism\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "windows-registry-key",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "windows-registry-key--5d84c794-428c-41c9-b743-4270950d210f",
|
||
|
"key": "HKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentversion\\policies\\system\\Enablevmd"
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--5d84c79b-4ac8-4fd1-b315-4082950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-09-20T12:35:39.000Z",
|
||
|
"modified": "2019-09-20T12:35:39.000Z",
|
||
|
"first_observed": "2019-09-20T12:35:39Z",
|
||
|
"last_observed": "2019-09-20T12:35:39Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"windows-registry-key--5d84c79b-4ac8-4fd1-b315-4082950d210f"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"regkey\"",
|
||
|
"misp:category=\"Persistence mechanism\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "windows-registry-key",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "windows-registry-key--5d84c79b-4ac8-4fd1-b315-4082950d210f",
|
||
|
"key": "HKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentversion\\policies\\system\\Sendvmd"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5d84c9ca-1130-43f5-8418-42c6950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-09-20T12:44:58.000Z",
|
||
|
"modified": "2019-09-20T12:44:58.000Z",
|
||
|
"pattern": "[url:value = 'Infostealer/Sha.exe/Sha432.exe']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2019-09-20T12:44:58Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"url\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5d84c9ca-62cc-4f84-819a-49d7950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-09-20T12:44:58.000Z",
|
||
|
"modified": "2019-09-20T12:44:58.000Z",
|
||
|
"pattern": "[url:value = 'Infostealer/stereoversioncontrol.exe']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2019-09-20T12:44:58Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"url\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5d84c9ca-1bb8-4553-b847-4da7950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-09-20T12:44:58.000Z",
|
||
|
"modified": "2019-09-20T12:44:58.000Z",
|
||
|
"pattern": "[file:name = 'get-logon-history.ps1']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2019-09-20T12:44:58Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"filename\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5d84d3a3-66b8-4242-9876-4fb9950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-09-20T13:26:59.000Z",
|
||
|
"modified": "2019-09-20T13:26:59.000Z",
|
||
|
"description": "Backdoor.Syskit C&C server",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '64.235.60.123']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2019-09-20T13:26:59Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5d84d3a3-5158-4760-955b-49e0950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-09-20T13:26:59.000Z",
|
||
|
"modified": "2019-09-20T13:26:59.000Z",
|
||
|
"description": "Backdoor.Syskit C&C server",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '64.235.39.45']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2019-09-20T13:26:59Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5d84c63f-ad44-40aa-85f6-41fa950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-09-20T12:29:51.000Z",
|
||
|
"modified": "2019-09-20T12:29:51.000Z",
|
||
|
"pattern": "[file:name = '\\\\%Windir\\\\%\\\\temp\\\\rconfig.xml']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2019-09-20T12:29:51Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "file"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:name=\"file\"",
|
||
|
"misp:meta-category=\"file\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5d84ca7f-8904-4b83-aa2d-4efd950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-09-20T12:47:59.000Z",
|
||
|
"modified": "2019-09-20T12:47:59.000Z",
|
||
|
"pattern": "[file:hashes.SHA256 = 'd9ac9c950e5495c9005b04843a40f01fa49d5fd49226cb5b03a055232ffc36f3']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2019-09-20T12:47:59Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "file"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:name=\"file\"",
|
||
|
"misp:meta-category=\"file\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5d84d359-b914-4b54-8a37-42cb950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-09-20T13:25:45.000Z",
|
||
|
"modified": "2019-09-20T13:25:45.000Z",
|
||
|
"description": " Backdoor.Syskit ",
|
||
|
"pattern": "[file:hashes.SHA256 = 'f71732f997c53fa45eef5c988697eb4aa62c8655d8f0be3268636fc23addd193']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2019-09-20T13:25:45Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "file"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:name=\"file\"",
|
||
|
"misp:meta-category=\"file\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5d84d370-6c2c-4918-80bd-4a01950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-09-20T13:26:08.000Z",
|
||
|
"modified": "2019-09-20T13:26:08.000Z",
|
||
|
"description": " Backdoor.Syskit ",
|
||
|
"pattern": "[file:hashes.SHA256 = '02a3296238a3d127a2e517f4949d31914c15d96726fb4902322c065153b364b2']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2019-09-20T13:26:08Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "file"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:name=\"file\"",
|
||
|
"misp:meta-category=\"file\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5d84d38e-6880-4ffc-b9d8-4ae3950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-09-20T13:26:38.000Z",
|
||
|
"modified": "2019-09-20T13:26:38.000Z",
|
||
|
"description": " Backdoor.Syskit ",
|
||
|
"pattern": "[file:hashes.SHA256 = '07d123364d8d04e3fe0bfa4e0e23ddc7050ef039602ecd72baed70e6553c3ae4']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2019-09-20T13:26:38Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "file"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:name=\"file\"",
|
||
|
"misp:meta-category=\"file\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "marking-definition",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
||
|
"created": "2017-01-20T00:00:00.000Z",
|
||
|
"definition_type": "tlp",
|
||
|
"name": "TLP:WHITE",
|
||
|
"definition": {
|
||
|
"tlp": "white"
|
||
|
}
|
||
|
}
|
||
|
]
|
||
|
}
|