misp-circl-feed/feeds/circl/misp/5a3cc84d-2434-4ae6-8d76-c328950d210f.json

520 lines
17 KiB
JSON
Raw Normal View History

2023-04-21 13:25:09 +00:00
{
"Event": {
"analysis": "0",
"date": "2014-10-08",
"extends_uuid": "",
"info": "OSINT - Sednit espionage group now using custom exploit kit",
"publish_timestamp": "1518771000",
"published": true,
"threat_level_id": "3",
"timestamp": "1516071622",
"uuid": "5a3cc84d-2434-4ae6-8d76-c328950d210f",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#ffffff",
"name": "tlp:white"
},
{
"colour": "#0088cc",
"name": "misp-galaxy:exploit-kit=\"Sednit EK\""
},
{
"colour": "#007d98",
"name": "veris:actor:motive=\"Espionage\""
},
{
"colour": "#00223b",
"name": "osint:source-type=\"blog-post\""
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1516008798",
"to_ids": false,
"type": "link",
"uuid": "5a3cc85e-39cc-4aaf-8eec-4c5c950d210f",
"value": "https://www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/",
"Tag": [
{
"colour": "#00223b",
"name": "osint:source-type=\"blog-post\""
}
]
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1516008799",
"to_ids": true,
"type": "url",
"uuid": "5a5c62c4-5fa8-47a1-ac11-42d1950d210f",
"value": "http://defenceiq.us/2rfKZL_BGwEQ"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1516008799",
"to_ids": true,
"type": "url",
"uuid": "5a5c62c4-d124-4726-be84-4da3950d210f",
"value": "http://cntt.akcdndata.com/gpw?file=stat.js"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1516008800",
"to_ids": false,
"type": "comment",
"uuid": "5a5c62d9-9f74-422c-8f34-4b01950d210f",
"value": "For at least five years the Sednit group has been relentlessly attacking various institutions, most notably in Eastern Europe. The group used several advanced pieces of malware for these targeted attacks, in particular the one we named Win32/Sednit, also known as Sofacy.\r\n\r\nWe recently came across cases of legitimate financial websites being redirected to a custom exploit kit. Based on our research and on some information provided by the Google Security Team, we were able to establish that it is used by the Sednit group. This is a new strategy for this group which has relied mostly on spear-phishing emails up until now.\r\n\r\nIn this blog, we will first examine on recent cases of spear-phishing emails using the CVE-2014-1761 Microsoft Word exploit. We will then focus on the exploit kit, which appears to still be in development and testing phase, and briefly describe the actual payload.",
"Tag": [
{
"colour": "#00223b",
"name": "osint:source-type=\"blog-post\""
}
]
},
{
"category": "Network activity",
"comment": "Military news",
"deleted": false,
"disable_correlation": false,
"timestamp": "1516008800",
"to_ids": true,
"type": "domain",
"uuid": "5a5c638d-0124-4863-9ec0-4887950d210f",
"value": "defenceiq.us"
},
{
"category": "Network activity",
"comment": "Military news",
"deleted": false,
"disable_correlation": false,
"timestamp": "1516008800",
"to_ids": true,
"type": "domain",
"uuid": "5a5c638e-8a7c-43e1-937f-4b3b950d210f",
"value": "defenceiq.com"
},
{
"category": "Network activity",
"comment": "Military news",
"deleted": false,
"disable_correlation": false,
"timestamp": "1516008800",
"to_ids": true,
"type": "domain",
"uuid": "5a5c638e-bf5c-4a8b-95a1-46b8950d210f",
"value": "armypress.org"
},
{
"category": "Network activity",
"comment": "Military news",
"deleted": false,
"disable_correlation": false,
"timestamp": "1516008801",
"to_ids": true,
"type": "domain",
"uuid": "5a5c638f-4cec-4f74-827a-4e65950d210f",
"value": "armytime.com"
},
{
"category": "Network activity",
"comment": "Foreign Affairs magazine",
"deleted": false,
"disable_correlation": false,
"timestamp": "1516008801",
"to_ids": true,
"type": "domain",
"uuid": "5a5c638f-4558-4ffb-84e6-4e5c950d210f",
"value": "mfapress.org"
},
{
"category": "Network activity",
"comment": "Foreign Affairs magazine",
"deleted": false,
"disable_correlation": false,
"timestamp": "1516008802",
"to_ids": true,
"type": "domain",
"uuid": "5a5c638f-aad4-4cda-b677-420f950d210f",
"value": "foreignaffairs.com"
},
{
"category": "Network activity",
"comment": "Foreign Affairs magazine",
"deleted": false,
"disable_correlation": false,
"timestamp": "1516008802",
"to_ids": true,
"type": "domain",
"uuid": "5a5c6390-a4a4-408c-ad20-45a1950d210f",
"value": "mfapress.com"
},
{
"category": "Network activity",
"comment": "CACI International, defense & cyber security contractor",
"deleted": false,
"disable_correlation": false,
"timestamp": "1516008802",
"to_ids": true,
"type": "domain",
"uuid": "5a5c6390-ffd0-4f5b-a8e9-4b66950d210f",
"value": "caciltd.com"
},
{
"category": "Network activity",
"comment": "CACI International, defense & cyber security contractor",
"deleted": false,
"disable_correlation": false,
"timestamp": "1516008803",
"to_ids": true,
"type": "domain",
"uuid": "5a5c6391-5ec8-4f4d-9dd1-4195950d210f",
"value": "caci.com"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1516008803",
"to_ids": false,
"type": "mutex",
"uuid": "5a5c64c3-16fc-4549-ba11-46fb950d210f",
"value": "XSQWERSystemCriticalSection_for_1232321"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1516008803",
"to_ids": true,
"type": "domain",
"uuid": "5a5c658d-553c-4781-b2b4-42e0950d210f",
"value": "msonlinelive.com"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1516008804",
"to_ids": true,
"type": "domain",
"uuid": "5a5c658d-692c-41e7-bff7-4273950d210f",
"value": "windows-updater.com"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1516008804",
"to_ids": true,
"type": "domain",
"uuid": "5a5c658e-b0c0-4b6c-95b3-4a10950d210f",
"value": "azureon-line.com"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1516008805",
"to_ids": true,
"type": "filename",
"uuid": "5a5c65a4-a200-44f5-8df6-416f950d210f",
"value": "edg6EF885E2.tmp"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1516008806",
"to_ids": true,
"type": "filename",
"uuid": "5a5c65a4-acbc-44bd-84eb-4716950d210f",
"value": "edg6E85F98675.tmp"
},
{
"category": "Payload delivery",
"comment": "Word exploit",
"deleted": false,
"disable_correlation": false,
"timestamp": "1516004846",
"to_ids": true,
"type": "sha1",
"uuid": "5a5c65ee-e860-4444-911d-4da6950d210f",
"value": "86092636e7ffa22481ca89ac1b023c32c56b24cf"
},
{
"category": "Payload delivery",
"comment": "Word exploit",
"deleted": false,
"disable_correlation": false,
"timestamp": "1516004847",
"to_ids": true,
"type": "sha1",
"uuid": "5a5c65ef-8130-414c-95a8-4513950d210f",
"value": "12223f098ba3088379ec1dc59440c662752ddabd"
},
{
"category": "Payload delivery",
"comment": "Dropper",
"deleted": false,
"disable_correlation": false,
"timestamp": "1516004847",
"to_ids": true,
"type": "sha1",
"uuid": "5a5c65ef-25c8-40c4-bcca-4adc950d210f",
"value": "d61ee0b0d4ed95f3300735c81740a21b8beef337"
},
{
"category": "Payload delivery",
"comment": "Payload",
"deleted": false,
"disable_correlation": false,
"timestamp": "1516004847",
"to_ids": true,
"type": "sha1",
"uuid": "5a5c65ef-9280-45a6-8a0d-40df950d210f",
"value": "d0db619a7a160949528d46d20fc0151bf9775c32"
}
],
"Object": [
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "7",
"timestamp": "1516008809",
"uuid": "935f70e3-fd7e-4dcd-80a9-71f5122d366e",
"ObjectReference": [
{
"comment": "",
"object_uuid": "935f70e3-fd7e-4dcd-80a9-71f5122d366e",
"referenced_uuid": "6fb315f6-2c07-4d90-a911-0e19777e1ece",
"relationship_type": "analysed-with",
"timestamp": "1518771000",
"uuid": "5a5c756b-4d90-41a2-8a28-4e7502de0b81"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "Dropper",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1516008806",
"to_ids": true,
"type": "sha1",
"uuid": "5a5c7566-eb8c-4a34-9931-47a402de0b81",
"value": "d61ee0b0d4ed95f3300735c81740a21b8beef337"
},
{
"category": "Payload delivery",
"comment": "Dropper",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1516008807",
"to_ids": true,
"type": "md5",
"uuid": "5a5c7567-daf8-4481-a034-4ade02de0b81",
"value": "df895e6479abf85c4c65d7d3a2451ddb"
},
{
"category": "Payload delivery",
"comment": "Dropper",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1516008807",
"to_ids": true,
"type": "sha256",
"uuid": "5a5c7567-446c-46e4-8a48-493c02de0b81",
"value": "6ffaa374cfa9504b061b52a353913c6c120bd4fe43e1a79f69fba7f964e30a4e"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "1",
"timestamp": "1516008808",
"uuid": "6fb315f6-2c07-4d90-a911-0e19777e1ece",
"Attribute": [
{
"category": "External analysis",
"comment": "Dropper",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1516008808",
"to_ids": false,
"type": "link",
"uuid": "5a5c7568-9fa0-46fb-b5e0-482d02de0b81",
"value": "https://www.virustotal.com/file/6ffaa374cfa9504b061b52a353913c6c120bd4fe43e1a79f69fba7f964e30a4e/analysis/1515795459/"
},
{
"category": "Other",
"comment": "Dropper",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1516008808",
"to_ids": false,
"type": "text",
"uuid": "5a5c7568-b834-46be-af37-4b5f02de0b81",
"value": "51/68"
},
{
"category": "Other",
"comment": "Dropper",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1516008808",
"to_ids": false,
"type": "datetime",
"uuid": "5a5c7568-8aec-4806-9c81-425c02de0b81",
"value": "2018-01-12T22:17:39"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "7",
"timestamp": "1516008812",
"uuid": "a480344a-22a8-4fc6-9f8e-40ca8337e6f7",
"ObjectReference": [
{
"comment": "",
"object_uuid": "a480344a-22a8-4fc6-9f8e-40ca8337e6f7",
"referenced_uuid": "644f91bf-274d-4743-ae1e-075b0118c184",
"relationship_type": "analysed-with",
"timestamp": "1518771000",
"uuid": "5a5c756b-f36c-42c9-aff2-40d702de0b81"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "Payload",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1516008809",
"to_ids": true,
"type": "sha1",
"uuid": "5a5c7569-613c-44b5-ae13-497802de0b81",
"value": "d0db619a7a160949528d46d20fc0151bf9775c32"
},
{
"category": "Payload delivery",
"comment": "Payload",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1516008809",
"to_ids": true,
"type": "md5",
"uuid": "5a5c7569-5ffc-473c-ad49-48d302de0b81",
"value": "ee64d3273f9b4d80020c24edcbbf961e"
},
{
"category": "Payload delivery",
"comment": "Payload",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1516008810",
"to_ids": true,
"type": "sha256",
"uuid": "5a5c756a-40a8-4277-a82a-4d4b02de0b81",
"value": "e031299fa1381b40c660b8cd831bb861654f900a1e2952b1a76bedf140972a81"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "1",
"timestamp": "1516008810",
"uuid": "644f91bf-274d-4743-ae1e-075b0118c184",
"Attribute": [
{
"category": "External analysis",
"comment": "Payload",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1516008810",
"to_ids": false,
"type": "link",
"uuid": "5a5c756a-6948-4c29-89dc-443c02de0b81",
"value": "https://www.virustotal.com/file/e031299fa1381b40c660b8cd831bb861654f900a1e2952b1a76bedf140972a81/analysis/1490591462/"
},
{
"category": "Other",
"comment": "Payload",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1516008810",
"to_ids": false,
"type": "text",
"uuid": "5a5c756a-63e8-4ebb-af6b-49f602de0b81",
"value": "44/61"
},
{
"category": "Other",
"comment": "Payload",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1516008811",
"to_ids": false,
"type": "datetime",
"uuid": "5a5c756b-c6a8-4d3b-9ab5-426302de0b81",
"value": "2017-03-27T05:11:02"
}
]
}
]
}
}