171 lines
586 KiB
JSON
{
  "Event": {
    "analysis": "2",
    "date": "2017-06-12",
    "extends_uuid": "",
    "info": "OSINT - MacRansom: Offered as Ransomware as a Service",
    "publish_timestamp": "1497258829",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1497258805",
    "uuid": "593e5a1d-0a18-40ac-9051-4188950d210f",
    "Orgc": {
      "name": "CIRCL",
      "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "name": "tlp:white"
      },
      {
        "colour": "#6a0084",
        "name": "ms-caro-malware:malware-platform=\"MacOS_X\""
      },
      {
        "colour": "#006c6c",
        "name": "ecsirt:malicious-code=\"ransomware\""
      },
      {
        "colour": "#420053",
        "name": "ms-caro-malware:malware-type=\"Ransom\""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1497258805",
        "to_ids": false,
        "type": "link",
        "uuid": "593e5a28-466c-4c46-a613-42a4950d210f",
        "value": "https://blog.fortinet.com/2017/06/09/macransom-offered-as-ransomware-as-a-service",
        "Tag": [
          {
            "colour": "#00223b",
            "name": "osint:source-type=\"blog-post\""
          }
        ]
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1497258805",
        "to_ids": false,
        "type": "text",
        "uuid": "593e5a42-c0cc-4fdc-92b6-4f36950d210f",
        "value": "Many Mac OS users might assume that their computer is exempt from things like ransomware attacks and think that their system is somehow essentially \u201csecure.\u201d It is true that it\u2019s less likely for a Mac OS user to be attacked or infected by malware than a Windows user, but this has nothing to do with the level of vulnerability in the operating system. It is largely caused by the fact that over 90% of personal computers run on Microsoft Windows and only around 6% on Apple Mac OS.\r\n\r\n\r\n\r\nFigure 1: Market share for desktop OS (reference: NetMarketShare)\r\n\r\nMacRansom Portal\r\nJust recently, we here at FortiGuard Labs discovered a Ransomware-as-a-service (RaaS) that uses a web portal hosted in a TOR network which has become a trend nowadays. However, in this case it was rather interesting to see cybercriminals attack an operating system other than Windows. And this could be the first time to see RaaS that targets Mac OS",
        "Tag": [
          {
            "colour": "#00223b",
            "name": "osint:source-type=\"blog-post\""
          }
        ]
      },
      {
        "category": "Antivirus detection",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1497258805",
        "to_ids": false,
        "type": "text",
        "uuid": "593e5a75-a6a4-465d-a853-4bdc950d210f",
        "value": "OSX/MacRansom.A!tr"
      },
      {
        "category": "Payload delivery",
        "comment": "Zip",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1497258805",
        "to_ids": true,
        "type": "sha256",
        "uuid": "593e5a90-18f4-4b53-a270-4d29950d210f",
        "value": "a729d54da58ca605411d39bf5598a60d2de0657c81df971daab5def90444bcc3"
      },
      {
        "category": "Payload delivery",
        "comment": "Mach-O file",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1497258805",
        "to_ids": true,
        "type": "sha256",
        "uuid": "593e5a90-39f8-4eda-a803-4a07950d210f",
        "value": "617f7301fd67e8b5d8ad42d4e94e02cb313fe5ad51770ef93323c6115e52fe98"
      },
      {
        "category": "Artifacts dropped",
        "comment": "Dropped files",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1497258805",
        "to_ids": true,
        "type": "filename",
        "uuid": "593e5aab-0620-49a5-b936-4296950d210f",
        "value": "~/LaunchAgent/com.apple.finder.plist"
      },
      {
        "category": "Artifacts dropped",
        "comment": "Dropped files",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1497258805",
        "to_ids": true,
        "type": "filename",
        "uuid": "593e5aab-7d24-4657-ba18-40d0950d210f",
        "value": "~/Library/.FS_Store"
      },
      {
        "category": "External analysis",
        "comment": "FAQ from the MacRansom portal",
        "data": "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
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1497258805",
        "to_ids": false,
        "type": "attachment",
        "uuid": "593e5adb-ecdc-4c42-be07-4440950d210f",
        "value": "mac17.png"
      },
      {
        "category": "Payload delivery",
        "comment": "Mach-O file - Xchecked via VT: 617f7301fd67e8b5d8ad42d4e94e02cb313fe5ad51770ef93323c6115e52fe98",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1497258809",
        "to_ids": true,
        "type": "sha1",
        "uuid": "593e5b39-977c-442c-ba46-bbf302de0b81",
        "value": "cf0743ed381ade69bba3d1dd3d357a8300bcd4ae"
      },
      {
        "category": "Payload delivery",
        "comment": "Mach-O file - Xchecked via VT: 617f7301fd67e8b5d8ad42d4e94e02cb313fe5ad51770ef93323c6115e52fe98",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1497258809",
        "to_ids": true,
        "type": "md5",
        "uuid": "593e5b39-6a4c-471c-85da-bbf302de0b81",
        "value": "8fe94843a3e655209c57af587849ac3a"
      },
      {
        "category": "External analysis",
        "comment": "Mach-O file - Xchecked via VT: 617f7301fd67e8b5d8ad42d4e94e02cb313fe5ad51770ef93323c6115e52fe98",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1497258810",
        "to_ids": false,
        "type": "link",
        "uuid": "593e5b3a-2020-4e7b-add4-bbf302de0b81",
        "value": "https://www.virustotal.com/file/617f7301fd67e8b5d8ad42d4e94e02cb313fe5ad51770ef93323c6115e52fe98/analysis/1497256956/"
      }
    ]
  }
}