misp-circl-feed/feeds/circl/misp/5cc209b3-82e0-4d0e-980d-4a6002de0b81.json

{
"Event": {
"analysis": "2",
"date": "2019-04-25",
"extends_uuid": "",
"info": "OSINT - Threat Actor TA505 Targets Financial Enterprises Using LOLBins and a New Backdoor Malware",
"publish_timestamp": "1556220892",
"published": true,
"threat_level_id": "3",
"timestamp": "1556220724",
"uuid": "5cc209b3-82e0-4d0e-980d-4a6002de0b81",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#0088cc",
"name": "misp-galaxy:threat-actor=\"TA505\""
},
{
"colour": "#004646",
"name": "type:OSINT"
},
{
"colour": "#0071c3",
"name": "osint:lifetime=\"perpetual\""
},
{
"colour": "#0087e8",
"name": "osint:certainty=\"50\""
},
{
"colour": "#ffffff",
"name": "tlp:white"
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"Spearphishing Attachment - T1193\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over Command and Control Channel - T1041\""
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "011042019.xls",
"deleted": false,
"disable_correlation": false,
"timestamp": "1556220446",
"to_ids": true,
"type": "sha1",
"uuid": "5cc20a1e-8ef4-4468-bd53-48ca02de0b81",
"value": "880b383532534e32f3fa49692d676d9488aabac1"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1556220446",
"to_ids": true,
"type": "sha1",
"uuid": "5cc20a1e-20b0-4f51-a8f5-45cc02de0b81",
"value": "63aeb16b5d001cbd94b636e9f557fe97b8467c8d"
},
{
"category": "Payload delivery",
"comment": "msie988.tmp",
"deleted": false,
"disable_correlation": false,
"timestamp": "1556220446",
"to_ids": true,
"type": "sha1",
"uuid": "5cc20a1e-1184-4ed9-9d66-409a02de0b81",
"value": "ad35fa0b3799562931b4bfa3abd057214b8721ff"
},
{
"category": "Payload delivery",
"comment": "pegas.dll",
"deleted": false,
"disable_correlation": false,
"timestamp": "1556220446",
"to_ids": true,
"type": "sha1",
"uuid": "5cc20a1e-0bb8-401f-9cbd-45a002de0b81",
"value": "06f232210e507f09f01155e7d0cb5389b8a31042"
},
{
"category": "Network activity",
"comment": "First C2",
"deleted": false,
"disable_correlation": false,
"timestamp": "1556220446",
"to_ids": true,
"type": "ip-dst",
"uuid": "5cc20a1e-35f8-49e0-b7d2-49a302de0b81",
"value": "79.141.171.160"
},
{
"category": "Network activity",
"comment": "Second C2",
"deleted": false,
"disable_correlation": false,
"timestamp": "1556220446",
"to_ids": true,
"type": "domain",
"uuid": "5cc20a1e-7e0c-40f1-b9dd-429c02de0b81",
"value": "aasdkkkdsa3442.icu"
},
{
"category": "Network activity",
"comment": "Second C2",
"deleted": false,
"disable_correlation": false,
"timestamp": "1556220446",
"to_ids": true,
"type": "domain",
"uuid": "5cc20a1e-cfe4-459a-8837-4ce702de0b81",
"value": "joisf333.icu"
},
{
"category": "Network activity",
"comment": "Second C2",
"deleted": false,
"disable_correlation": false,
"timestamp": "1556220446",
"to_ids": true,
"type": "domain",
"uuid": "5cc20a1e-0e98-4860-acf2-48e602de0b81",
"value": "zxskjkkjsk3232.pw"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1556220462",
"to_ids": false,
"type": "link",
"uuid": "5cc20a2e-6408-4271-a41f-41da02de0b81",
"value": "https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1556220479",
"to_ids": false,
"type": "text",
"uuid": "5cc20a3f-8e84-4d6c-b3b0-47d702de0b81",
"value": "The cybersecurity community has long known that any information technology tool that is used for legitimate purposes can also be manipulated by attackers to enhance their malware. Recently, however, many native Windows OS processes are being used for malicious purposes as well. \r\n\r\nIn this research, we introduce a meticulously planned, malicious operation against a financial institution in April of 2019. This advanced operation combines a targeted phishing attack with advanced tools that gather intel on the environment. The operation chooses whether or not to create persistence and installs a sophisticated backdoor called ServHelper used to take over the network.\r\nKey Aspects of TA505\u2019s Operation\r\n\r\n Highly targeted phishing campaign to a small number of specific accounts within the company.\r\n Signed and verified malicious code. This is an extra precaution taken to avoid detection.\r\n A deliberate timeline, indicated by the timing of the phishing attack and signing of the malicious code.\r\n A selective persistence mechanism and self destruct commands based on autonomous reconnaissance.\r\n Large emphasis on removal of evidence using self destruct commands and deleting scripts.\r\n Multiple C2 domains, in the event of blacklisting or inability to connect for another reason.\r\n The operation integrates four different LOLBins, which indicates the attackers\u2019 continued, advanced attempts to avoid detection."
},
{
"category": "Network activity",
"comment": "Attribute #4400619 enriched by dns.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1556220871",
"to_ids": false,
"type": "ip-src",
"uuid": "5cc20bc7-c4f8-4085-925e-4bc0e387cbd9",
"value": "195.123.227.79"
}
],
"Object": [
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "15",
"timestamp": "1556220505",
"uuid": "2f52d11d-5df6-44ca-8934-12cce8d33395",
"ObjectReference": [
{
"comment": "",
"object_uuid": "2f52d11d-5df6-44ca-8934-12cce8d33395",
"referenced_uuid": "5ea2997f-c82f-4ea7-88b8-c468ba4f136a",
"relationship_type": "analysed-with",
"timestamp": "1556220506",
"uuid": "5cc20a5a-7048-4ce0-b768-4abe02de0b81"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "msie988.tmp",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1556220446",
"to_ids": true,
"type": "md5",
"uuid": "4a9332a4-a469-4dd1-a7d8-50623bd162a0",
"value": "4ca90e372982c864b8eae6d95161a213"
},
{
"category": "Payload delivery",
"comment": "msie988.tmp",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1556220446",
"to_ids": true,
"type": "sha1",
"uuid": "f07316ac-0ecd-4dff-9f93-4731768a03f3",
"value": "ad35fa0b3799562931b4bfa3abd057214b8721ff"
},
{
"category": "Payload delivery",
"comment": "msie988.tmp",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1556220446",
"to_ids": true,
"type": "sha256",
"uuid": "9b4786d2-f9c3-47c2-8f53-872d16d08f64",
"value": "843578299d9e60e52f781ca487aa83f5df4c5f4ca71d3a941a8ea249476c5c3c"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "2",
"timestamp": "1556220505",
"uuid": "5ea2997f-c82f-4ea7-88b8-c468ba4f136a",
"Attribute": [
{
"category": "Other",
"comment": "msie988.tmp",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1556220446",
"to_ids": false,
"type": "datetime",
"uuid": "39e083d0-2e54-439d-92e0-bd5ceb8a6603",
"value": "2019-04-22T09:26:21"
},
{
"category": "Payload delivery",
"comment": "msie988.tmp",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1556220446",
"to_ids": false,
"type": "link",
"uuid": "a83aa4df-1f72-4b3a-bdb2-cef656e4a0dc",
"value": "https://www.virustotal.com/file/843578299d9e60e52f781ca487aa83f5df4c5f4ca71d3a941a8ea249476c5c3c/analysis/1555925181/"
},
{
"category": "Payload delivery",
"comment": "msie988.tmp",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1556220446",
"to_ids": false,
"type": "text",
"uuid": "cebb4a53-f987-4755-b609-f65fc6721b4f",
"value": "48/70"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "15",
"timestamp": "1556220505",
"uuid": "60c23628-c767-4b08-9cb4-0d55c6432479",
"ObjectReference": [
{
"comment": "",
"object_uuid": "60c23628-c767-4b08-9cb4-0d55c6432479",
"referenced_uuid": "9ad338a8-5f89-44f4-becf-21bc9b8fb072",
"relationship_type": "analysed-with",
"timestamp": "1556220506",
"uuid": "5cc20a5a-8e3c-4717-92ee-468a02de0b81"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1556220446",
"to_ids": true,
"type": "md5",
"uuid": "68b3c8c3-7705-4b2a-be94-cbb6e0216012",
"value": "4acd155b901884134f01b383eb035c23"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1556220446",
"to_ids": true,
"type": "sha1",
"uuid": "39b76acb-16b2-4612-93cf-5598b94f923f",
"value": "63aeb16b5d001cbd94b636e9f557fe97b8467c8d"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1556220446",
"to_ids": true,
"type": "sha256",
"uuid": "fdc50148-c268-455e-861f-d0d1cfa0f53f",
"value": "cd7bb7396f21c88742fefb278e6e7c9a564dfe109b434494d159518175739c40"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "2",
"timestamp": "1556220505",
"uuid": "9ad338a8-5f89-44f4-becf-21bc9b8fb072",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1556220446",
"to_ids": false,
"type": "datetime",
"uuid": "e018eb15-af9b-422d-8d19-cfb07e16b0c6",
"value": "2019-04-25T13:10:17"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1556220446",
"to_ids": false,
"type": "link",
"uuid": "0097e14c-21ec-49da-b18d-d24ad3cb346c",
"value": "https://www.virustotal.com/file/cd7bb7396f21c88742fefb278e6e7c9a564dfe109b434494d159518175739c40/analysis/1556197817/"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1556220446",
"to_ids": false,
"type": "text",
"uuid": "3087c659-8379-415a-9da4-23b7eb460be2",
"value": "37/60"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "15",
"timestamp": "1556220505",
"uuid": "b278e19f-e981-47bc-be90-072138554a61",
"ObjectReference": [
{
"comment": "",
"object_uuid": "b278e19f-e981-47bc-be90-072138554a61",
"referenced_uuid": "7f6c6430-6be4-4b8a-907e-8e71dcedb01c",
"relationship_type": "analysed-with",
"timestamp": "1556220506",
"uuid": "5cc20a5a-2b64-415f-952f-4a0602de0b81"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "011042019.xls",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1556220446",
"to_ids": true,
"type": "md5",
"uuid": "060881cd-3d3f-4c61-a67a-7817f68170a6",
"value": "2d3238185537429ea693a81a1c6ca4c0"
},
{
"category": "Payload delivery",
"comment": "011042019.xls",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1556220446",
"to_ids": true,
"type": "sha1",
"uuid": "a7a7b0ec-7c69-4c85-81fe-5caa4198dda2",
"value": "880b383532534e32f3fa49692d676d9488aabac1"
},
{
"category": "Payload delivery",
"comment": "011042019.xls",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1556220446",
"to_ids": true,
"type": "sha256",
"uuid": "0ffef506-ec41-41a3-ae94-aa233182cce5",
"value": "c0bcd76c486a8c8994fc005d83d64716ed3604c8559463867412c446e5364169"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "2",
"timestamp": "1556220505",
"uuid": "7f6c6430-6be4-4b8a-907e-8e71dcedb01c",
"Attribute": [
{
"category": "Other",
"comment": "011042019.xls",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1556220446",
"to_ids": false,
"type": "datetime",
"uuid": "6cdfbbe1-b251-4207-84c5-870c9d1369ca",
"value": "2019-04-25T16:23:40"
},
{
"category": "Payload delivery",
"comment": "011042019.xls",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1556220446",
"to_ids": false,
"type": "link",
"uuid": "202d31f1-719e-4245-a692-bdab4419e08e",
"value": "https://www.virustotal.com/file/c0bcd76c486a8c8994fc005d83d64716ed3604c8559463867412c446e5364169/analysis/1556209420/"
},
{
"category": "Payload delivery",
"comment": "011042019.xls",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1556220446",
"to_ids": false,
"type": "text",
"uuid": "4c3e9b5e-41d5-4fa6-8ed3-38a17934b789",
"value": "28/59"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "15",
"timestamp": "1556220505",
"uuid": "e4b67b34-d84d-4e77-8453-814d9fa42d87",
"ObjectReference": [
{
"comment": "",
"object_uuid": "e4b67b34-d84d-4e77-8453-814d9fa42d87",
"referenced_uuid": "a6d17903-91e1-4a0c-9cf3-48ff6f7b22cd",
"relationship_type": "analysed-with",
"timestamp": "1556220506",
"uuid": "5cc20a5a-2db0-4efd-bdd0-42ab02de0b81"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "pegas.dll",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1556220446",
"to_ids": true,
"type": "md5",
"uuid": "a9e9d964-1fb1-46fa-925d-fa9d5e7e173c",
"value": "4a8198fca604a78dd210803aebd5cbba"
},
{
"category": "Payload delivery",
"comment": "pegas.dll",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1556220446",
"to_ids": true,
"type": "sha1",
"uuid": "d9c7597c-63b9-4a32-ad96-4bcda0b957cc",
"value": "06f232210e507f09f01155e7d0cb5389b8a31042"
},
{
"category": "Payload delivery",
"comment": "pegas.dll",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1556220446",
"to_ids": true,
"type": "sha256",
"uuid": "e7d44fc8-aa7b-4fea-be3a-bb4937418aca",
"value": "9dc1381816b8b18aead256bdc05486171968abbc6ff01766088fbfe7badd194e"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "2",
"timestamp": "1556220505",
"uuid": "a6d17903-91e1-4a0c-9cf3-48ff6f7b22cd",
"Attribute": [
{
"category": "Other",
"comment": "pegas.dll",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1556220446",
"to_ids": false,
"type": "datetime",
"uuid": "f0b9cbb0-ecd0-4c07-8d12-8d57a3086e89",
"value": "2019-04-22T13:10:47"
},
{
"category": "Payload delivery",
"comment": "pegas.dll",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1556220446",
"to_ids": false,
"type": "link",
"uuid": "ebbf25ae-2093-4f10-a4fe-742ed2f9c82f",
"value": "https://www.virustotal.com/file/9dc1381816b8b18aead256bdc05486171968abbc6ff01766088fbfe7badd194e/analysis/1555938647/"
},
{
"category": "Payload delivery",
"comment": "pegas.dll",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1556220446",
"to_ids": false,
"type": "text",
"uuid": "30c4a904-f9c8-489f-ac44-b89617fd734b",
"value": "39/66"
}
]
}
]
}
}