{
"Event": {
"analysis": "0",
"date": "2017-03-27",
"extends_uuid": "",
"info": "OSINT - APT29 Domain Fronting With TOR",
"publish_timestamp": "1490617834",
"published": true,
"threat_level_id": "3",
"timestamp": "1490617717",
"uuid": "58d90481-e090-4900-96f4-600b950d210f",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#12e100",
"name": "misp-galaxy:threat-actor=\"APT 29\""
},
{
"colour": "#ffffff",
"name": "tlp:white"
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1490617717",
"to_ids": false,
"type": "link",
"uuid": "58d90497-a81c-4c9f-87d0-3aaf950d210f",
"value": "https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html",
"Tag": [
{
"colour": "#00223b",
"name": "osint:source-type=\"blog-post\""
}
]
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1490617717",
"to_ids": false,
"type": "text",
"uuid": "58d904a9-fb94-4c81-b632-4f57950d210f",
"value": "Mandiant has observed Russian nation-state attackers APT29 employing domain fronting techniques for stealthy backdoor access to victim environments for at least two years. There has been considerable discussion about domain fronting following the release of a paper detailing these techniques. Domain fronting provides outbound network connections that are indistinguishable from legitimate requests for popular websites.\r\n\r\nAPT29 has used The Onion Router (TOR) and the TOR domain fronting plugin meek to create a hidden, encrypted network tunnel that appeared to connect to Google services over TLS. This tunnel provided the attacker remote access to the host system using the Terminal Services (TS), NetBIOS, and Server Message Block (SMB) services, while appearing to be traffic to legitimate websites. The attackers also leveraged a common Windows exploit to access a privileged command shell without authenticating.\r\n\r\nWe first discussed APT29\u00e2\u20ac\u2122s use of these techniques as part of our \u00e2\u20ac\u0153No Easy Breach\u00e2\u20ac\u009d talk at DerbyCon 6.0. For additional details on how we first identified this backdoor, and the epic investigation it was part of, see the slides and presentation.",
"Tag": [
{
"colour": "#00223b",
"name": "osint:source-type=\"blog-post\""
}
]
},
{
"category": "Payload delivery",
"comment": "googleService.exe the primary TOR executable, responsible for establishing and maintaining encrypted proxy connections.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1490617717",
"to_ids": true,
"type": "sha256",
"uuid": "58d90505-9ab4-447e-9655-63e8950d210f",
"value": "fe744a5b2d07de396a8b3fe97155fc64e350b76d88db36c619cd941279987dc5"
},
{
"category": "Payload delivery",
"comment": "GoogleUpdate.exe - the meek-client plugin, which obfuscates the TOR connection.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1490617717",
"to_ids": true,
"type": "sha256",
"uuid": "58d90507-2bd8-4734-b5f2-63e8950d210f",
"value": "2f39dee2ee608e39917cc022d9aae399959e967a2dd70d83b81785a98bd9ed36"
},
{
"category": "Network activity",
"comment": "Bridge traffic using the meek plugin to https://meek-reflect.appspot.com and obfuscate HTTPS and DNS requests to appear destined for www.google.com",
"deleted": false,
"disable_correlation": false,
"timestamp": "1490617717",
"to_ids": true,
"type": "url",
"uuid": "58d90556-766c-4ebb-bc85-63e9950d210f",
"value": "https://meek-reflect.appspot.com"
},
{
"category": "Payload delivery",
"comment": "GoogleUpdate.exe - the meek-client plugin, which obfuscates the TOR connection. - Xchecked via VT: 2f39dee2ee608e39917cc022d9aae399959e967a2dd70d83b81785a98bd9ed36",
"deleted": false,
"disable_correlation": false,
"timestamp": "1490617726",
"to_ids": true,
"type": "sha1",
"uuid": "58d9057e-7978-4a64-99fa-450502de0b81",
"value": "57e2f0fdc2566f11af661dc02e989dd65132a3f4"
},
{
"category": "Payload delivery",
"comment": "GoogleUpdate.exe - the meek-client plugin, which obfuscates the TOR connection. - Xchecked via VT: 2f39dee2ee608e39917cc022d9aae399959e967a2dd70d83b81785a98bd9ed36",
"deleted": false,
"disable_correlation": false,
"timestamp": "1490617728",
"to_ids": true,
"type": "md5",
"uuid": "58d90580-401c-4457-9ebc-406c02de0b81",
"value": "31b3069cef380b4bf85e75a8885bcee8"
},
{
"category": "External analysis",
"comment": "GoogleUpdate.exe - the meek-client plugin, which obfuscates the TOR connection. - Xchecked via VT: 2f39dee2ee608e39917cc022d9aae399959e967a2dd70d83b81785a98bd9ed36",
"deleted": false,
"disable_correlation": false,
"timestamp": "1490617729",
"to_ids": false,
"type": "link",
"uuid": "58d90581-c7c4-4ee8-b11d-4f4302de0b81",
"value": "https://www.virustotal.com/file/2f39dee2ee608e39917cc022d9aae399959e967a2dd70d83b81785a98bd9ed36/analysis/1490381093/"
},
{
"category": "Payload delivery",
"comment": "googleService.exe the primary TOR executable, responsible for establishing and maintaining encrypted proxy connections. - Xchecked via VT: fe744a5b2d07de396a8b3fe97155fc64e350b76d88db36c619cd941279987dc5",
"deleted": false,
"disable_correlation": false,
"timestamp": "1490617731",
"to_ids": true,
"type": "sha1",
"uuid": "58d90583-8c60-4205-b7fc-4fca02de0b81",
"value": "6842243f5a41f66a81b85ee524c3cfc7ace10da8"
},
{
"category": "Payload delivery",
"comment": "googleService.exe the primary TOR executable, responsible for establishing and maintaining encrypted proxy connections. - Xchecked via VT: fe744a5b2d07de396a8b3fe97155fc64e350b76d88db36c619cd941279987dc5",
"deleted": false,
"disable_correlation": false,
"timestamp": "1490617733",
"to_ids": true,
"type": "md5",
"uuid": "58d90585-3618-42a4-8f86-4d3c02de0b81",
"value": "628d4f33bd604203d25dbc6a5bb35b90"
},
{
"category": "External analysis",
"comment": "googleService.exe the primary TOR executable, responsible for establishing and maintaining encrypted proxy connections. - Xchecked via VT: fe744a5b2d07de396a8b3fe97155fc64e350b76d88db36c619cd941279987dc5",
"deleted": false,
"disable_correlation": false,
"timestamp": "1490617735",
"to_ids": false,
"type": "link",
"uuid": "58d90587-45d0-4b86-99a1-4f9402de0b81",
"value": "https://www.virustotal.com/file/fe744a5b2d07de396a8b3fe97155fc64e350b76d88db36c619cd941279987dc5/analysis/1490588868/"
}
]
}
}