337 lines
14 KiB
JSON
{
  "Event": {
    "analysis": "2",
    "date": "2016-05-30",
    "extends_uuid": "",
    "info": "OSINT - Keep Calm and (Don\u2019t) Enable Macros: A New Threat Actor Targets UAE Dissidents",
    "publish_timestamp": "1464615631",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1464615557",
    "uuid": "574c3d9c-41dc-4af6-b99d-1d31950d210f",
    "Orgc": {
      "name": "CIRCL",
      "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "name": "tlp:white"
      },
      {
        "colour": "#004646",
        "name": "type:OSINT"
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1464614334",
        "to_ids": false,
        "type": "link",
        "uuid": "574c3dbe-22c0-4dcc-bf7e-0fa0950d210f",
        "value": "https://citizenlab.org/2016/05/stealth-falcon/"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1464614364",
        "to_ids": false,
        "type": "comment",
        "uuid": "574c3ddc-75ec-410f-9c9e-4095950d210f",
        "value": "This report describes a campaign of targeted spyware attacks carried out by a sophisticated operator, which we call Stealth Falcon. The attacks have been conducted from 2012 until the present, against Emirati journalists, activists, and dissidents. We discovered this campaign when an individual purporting to be from an apparently fictitious organization called \u201cThe Right to Fight\u201d contacted Rori Donaghy. Donaghy, a UK-based journalist and founder of the Emirates Center for Human Rights, received a spyware-laden email in November 2015, purporting to offer him a position on a human rights panel. Donaghy has written critically of the United Arab Emirates (UAE) government in the past,1 and had recently published a series of articles based on leaked emails involving members of the UAE government.2\r\n\r\nCircumstantial evidence suggests a link between Stealth Falcon and the UAE government. We traced digital artifacts used in this campaign to links sent from an activist\u2019s Twitter account in December 2012, a period when it appears to have been under government control. We also identified other bait content employed by this threat actor. We found 31 public tweets sent by Stealth Falcon, 30 of which were directly targeted at one of 27 victims. Of the 27 targets, 24 were obviously linked to the UAE, based on their profile information (e.g., photos, \u201cUAE\u201d in account name, location), and at least six targets appeared to be operated by people who were arrested, sought for arrest, or convicted in absentia by the UAE government, in relation to their Twitter activity.\r\n\r\nThe attack on Donaghy \u2014 and the Twitter attacks \u2014 involved a malicious URL shortening site. When a user clicks on a URL shortened by Stealth Falcon operators, the site profiles the software on a user\u2019s computer, perhaps for future exploitation, before redirecting the user to a benign website containing bait content. We queried the URL shortener with every possible short URL, and identified 402 instances of bait content which we believe were sent by Stealth Falcon, 73% of which obviously referenced UAE issues. Of these URLs, only the one sent to Donaghy definitively contained spyware. However, we were able to trace the spyware Donaghy received to a network of 67 active command and control (C2) servers, suggesting broader use of the spyware, perhaps by the same or other operators."
      },
      {
        "category": "Payload delivery",
        "comment": "Fake invitation",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1464614633",
        "to_ids": true,
        "type": "email-src",
        "uuid": "574c3ee9-93c4-4421-abcb-493f950d210f",
        "value": "the_right_to_fight@openmailbox.org"
      },
      {
        "category": "Payload delivery",
        "comment": "loaded a page containing a redirect to the website of Al Jazeera. Before completing the redirect, it invoked JavaScript to profile the target\u2019s computer.",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1464614671",
        "to_ids": true,
        "type": "url",
        "uuid": "574c3f0f-cc04-46b5-8476-0fa1950d210f",
        "value": "http://aax.me/d0dde"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1464614693",
        "to_ids": true,
        "type": "url",
        "uuid": "574c3f25-2208-4d70-b8cf-4d45950d210f",
        "value": "http://aax.me/a6faa"
      },
      {
        "category": "Payload delivery",
        "comment": "This is a password-protected link to a file shared on an ownCloud15 instance. We obtained this file, and found it to be a Microsoft Word document.",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1464614716",
        "to_ids": true,
        "type": "url",
        "uuid": "574c3f3c-f278-4953-8396-0fa3950d210f",
        "value": "https://cloud.openmailbox.org/index.php/s/ujDNWMmg8pdG3AL/authenticate"
      },
      {
        "category": "Payload delivery",
        "comment": "right2fight.docm (malicious document)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1464614746",
        "to_ids": true,
        "type": "sha256",
        "uuid": "574c3f5a-4858-462c-b673-49ef950d210f",
        "value": "5a372b45285fe6f3df3ba277ee2de55d4a30fc8ef05de729cf464103632db40f"
      },
      {
        "category": "Payload delivery",
        "comment": "right2fight.docm (malicious document)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1464614791",
        "to_ids": true,
        "type": "sha1",
        "uuid": "574c3f87-b588-4337-8861-40e4950d210f",
        "value": "f25466e4820404c817eaf75818b7177891735886"
      },
      {
        "category": "Payload delivery",
        "comment": "right2fight.docm (malicious document)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1464614819",
        "to_ids": true,
        "type": "md5",
        "uuid": "574c3fa3-2348-4fb2-98b4-0a02950d210f",
        "value": "80e8ef78b9e28015cde4205aaa65da97"
      },
      {
        "category": "Network activity",
        "comment": "Gathered information is returned to and the server\u2019s response is executed as a PowerShell command.",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1464614876",
        "to_ids": true,
        "type": "url",
        "uuid": "574c3fdc-ad80-4719-a9db-445b950d210f",
        "value": "http://adhostingcache.com/ehhe/eh4g4/adcache.txt"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1464614889",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "574c3fe9-40b8-41a9-921a-3a1f950d210f",
        "value": "95.215.44.37"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1464614905",
        "to_ids": true,
        "type": "domain",
        "uuid": "574c3ff9-dce4-4849-bda6-0f9f950d210f",
        "value": "adhostingcache.com"
      },
      {
        "category": "Network activity",
        "comment": "registered on December 3rd,",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1464614953",
        "to_ids": true,
        "type": "domain",
        "uuid": "574c4029-e4e8-45fb-ae19-4d05950d210f",
        "value": "adhostingcaches.com"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1464614969",
        "to_ids": true,
        "type": "url",
        "uuid": "574c4039-a800-46e0-8611-46ba950d210f",
        "value": "https://incapsulawebcache.com/cache/cache.nfo"
      },
      {
        "category": "Network activity",
        "comment": "to profile a user\u2019s system, perhaps to gather intelligence about potentially exploitable vulnerabilities.",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1464615021",
        "to_ids": true,
        "type": "url",
        "uuid": "574c4066-ec94-4eb7-9734-45b7950d210f",
        "value": "http://aax.me/redirect.js"
      },
      {
        "category": "Network activity",
        "comment": "Imported via the Freetext Import Tool",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1464615207",
        "to_ids": true,
        "type": "url",
        "uuid": "574c4127-637c-4e46-b71d-4ad9950d210f",
        "value": "http://goo.gl/60HAqJ"
      },
      {
        "category": "Network activity",
        "comment": "Imported via the Freetext Import Tool",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1464615208",
        "to_ids": true,
        "type": "url",
        "uuid": "574c4128-e0ec-4ef7-a25b-4c7c950d210f",
        "value": "http://aax.me/0b152"
      },
      {
        "category": "Payload delivery",
        "comment": "The Case of the Fake Journalist",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1464615239",
        "to_ids": false,
        "type": "email-src",
        "uuid": "574c4147-b758-4998-a9be-4a18950d210f",
        "value": "andrew.dwight389@outlook.com"
      },
      {
        "category": "Payload delivery",
        "comment": "message_032456944343.docm",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1464615307",
        "to_ids": true,
        "type": "md5",
        "uuid": "574c418b-6b6c-4a85-a5c4-42e2950d210f",
        "value": "87e1df6f36b96b56186444e37e2a1ef5"
      },
      {
        "category": "Payload delivery",
        "comment": "message_032456944343.docm",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1464615307",
        "to_ids": true,
        "type": "sha1",
        "uuid": "574c418b-96d4-4b20-afd6-40c1950d210f",
        "value": "1c3757006f972ca957d925accf8bbb3023550d1b"
      },
      {
        "category": "Payload delivery",
        "comment": "message_032456944343.docm",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1464615308",
        "to_ids": true,
        "type": "sha256",
        "uuid": "574c418c-37b0-4a7d-a9aa-4630950d210f",
        "value": "4320204d577ef8b939115d16110e97ff04cb4f7d1e77ba5ce011d43f74abc7be"
      },
      {
        "category": "Network activity",
        "comment": "The document\u2019s macro was identical to the one sent to Donaghy, except it reported back to, and downloaded Stage Two from a different URL",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1464615408",
        "to_ids": true,
        "type": "url",
        "uuid": "574c41f0-49a8-4170-a515-0fa3950d210f",
        "value": "http://optimizedimghosting.com/wddf/hrrw/ggrr.txt"
      },
      {
        "category": "Network activity",
        "comment": "The document\u2019s macro was identical to the one sent to Donaghy, except it reported back to, and downloaded Stage Two from a different URL",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1464615408",
        "to_ids": true,
        "type": "domain",
        "uuid": "574c41f0-833c-4fe2-8e1e-0fa3950d210f",
        "value": "optimizedimghosting.com"
      },
      {
        "category": "Network activity",
        "comment": "The Stage Two in this case reported back to",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1464615437",
        "to_ids": true,
        "type": "url",
        "uuid": "574c420d-ead4-43ed-9cb9-4253950d210f",
        "value": "https://edgecacheimagehosting.com/images/image.nfo"
      },
      {
        "category": "Network activity",
        "comment": "stage two server",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1464615468",
        "to_ids": true,
        "type": "domain",
        "uuid": "574c422c-ece4-4e1a-9b0f-3a1f950d210f",
        "value": "edgecacheimagehosting.com"
      },
      {
        "category": "Network activity",
        "comment": "stage two server",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1464615468",
        "to_ids": true,
        "type": "domain",
        "uuid": "574c422c-f08c-44b3-bf88-3a1f950d210f",
        "value": "incapsulawebcache.com"
      },
      {
        "category": "External analysis",
        "comment": "message_032456944343.docm - Xchecked via VT: 4320204d577ef8b939115d16110e97ff04cb4f7d1e77ba5ce011d43f74abc7be",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1464615525",
        "to_ids": false,
        "type": "link",
        "uuid": "574c4265-cc78-4799-b446-0fa402de0b81",
        "value": "https://www.virustotal.com/file/4320204d577ef8b939115d16110e97ff04cb4f7d1e77ba5ce011d43f74abc7be/analysis/1464593985/"
      },
      {
        "category": "Network activity",
        "comment": "Enriched via the dns module",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1464615556",
        "to_ids": false,
        "type": "ip-src",
        "uuid": "574c4284-e35c-4201-88a7-0fa3950d210f",
        "value": "87.120.37.83"
      }
    ]
  }
}