{
"Event" : {
"analysis" : "0" ,
"date" : "2017-01-17" ,
"extends_uuid" : "" ,
"info" : "OSINT - CARBANAK GROUP USES GOOGLE FOR MALWARE COMMAND-AND-CONTROL" ,
"publish_timestamp" : "1484684023" ,
"published" : true ,
"threat_level_id" : "3" ,
"timestamp" : "1484683974" ,
"uuid" : "587e787d-c9f8-4132-9673-4d8402de0b81" ,
"Orgc" : {
"name" : "CIRCL" ,
"uuid" : "55f6ea5e-2c60-40e5-964f-47a8950d210f"
} ,
"Tag" : [
{
"colour" : "#12e400" ,
"local" : "0" ,
"name" : "misp-galaxy:threat-actor=\"Anunak\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#ffffff" ,
"local" : "0" ,
"name" : "tlp:white" ,
"relationship_type" : ""
} ,
{
"colour" : "#00223b" ,
"local" : "0" ,
"name" : "osint:source-type=\"blog-post\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#007c97" ,
"local" : "0" ,
"name" : "veris:actor:motive=\"Financial\"" ,
"relationship_type" : ""
}
] ,
"Attribute" : [
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1484683422" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "587e789e-d278-42a1-aa6a-457e02de0b81" ,
"value" : "Forcepoint Security Labs\u2122 recently investigated a trojanized RTF document which we tied to the Carbanak criminal gang. The document contains an encoded Visual Basic Script (VBScript) typical of previous Carbanak malware. Recent samples of the malware have now included the ability to use Google services for command-and-control (C&C) communication. We have notified Google of the abuse and are working with them to share additional information.\r\n\r\nCarbanak (also known as Anunak) are a group of financially motivated criminals first exposed in 2015. The actors typically steal from financial institutions using targeted malware. Recently a new Carbanak attack campaign dubbed \"Digital Plagiarist\" was exposed where the group used weaponized office documents hosted on mirrored domains, in order to distribute malware."
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1484683448" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "587e78b8-05ac-41d3-88b0-4a4902de0b81" ,
"value" : "https://blogs.forcepoint.com/security-labs/carbanak-group-uses-google-malware-command-and-control"
} ,
{
"category" : "Payload delivery" ,
"comment" : "3-ThompsonDan.rtf" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1484683870" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "587e7a5e-f1e8-4295-b5ce-473102de0b81" ,
"value" : "1ec48e5c0b88f4f850facc718bbdec9200e4bd2d"
} ,
{
"category" : "Payload delivery" ,
"comment" : "order.docx" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1484683871" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "587e7a5f-6d14-4a0e-a94e-448802de0b81" ,
"value" : "400f02249ba29a19ad261373e6ff3488646e95fb"
} ,
{
"category" : "Payload delivery" ,
"comment" : "claim.rtf" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1484683872" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "587e7a60-99e8-4a1c-afdc-4cc302de0b81" ,
"value" : "88f9bf3d6e767f1d324632b998051f4730f011c3"
} ,
{
"category" : "Network activity" ,
"comment" : "Carbanak Google Apps Script C&Cs" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1484683890" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "587e7a72-c370-4b7e-853a-41bc02de0b81" ,
"value" : "https://script.google.com/macros/s/AKfycbzuykcvX7j3TlBNyQfxtB1mqii31b4VTON640yiRJT0t6rS4s4/exec"
} ,
{
"category" : "Network activity" ,
"comment" : "Carbanak Google Apps Script C&Cs" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1484683890" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "587e7a72-963c-4a15-8a07-4c6102de0b81" ,
"value" : "https://script.google.com/macros/s/AKfycbxxx5DHr0F8AYhLuDjnp7kGNELq6g27J4c_JWWx1p1nDfZh6InO/exec"
} ,
{
"category" : "Network activity" ,
"comment" : "Carbanak Google Apps Script C&Cs" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1484683891" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "587e7a73-7e5c-4fb3-b848-4ce002de0b81" ,
"value" : "https://script.google.com/macros/s/AKfycbwZHCgg5EsCiPup_mNxDbSX7k7yBMeXWenOVN1BWXHmyBpb8ng/exec"
} ,
{
"category" : "Network activity" ,
"comment" : "Carbanak Google Forms C&Cs" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1484683905" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "587e7a81-f360-40d6-943b-42a502de0b81" ,
"value" : "https://docs.google.com/forms/d/e/1FAIpQLScx9gwNadC7Vjo11mXLbU3aBQRrqVpoWjmNJ1ZneqpjaYLE3g/formResponse"
} ,
{
"category" : "Network activity" ,
"comment" : "Carbanak Google Forms C&Cs" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1484683906" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "587e7a82-9c50-4923-bc1e-460002de0b81" ,
"value" : "https://docs.google.com/forms/d/e/1FAIpQLSfE9kshYBFSDAfRclW8m9rAdajqoYhzhEYmEAgZexE3LQ-17A/formResponse"
} ,
{
"category" : "Network activity" ,
"comment" : "Carbanak Google Forms C&Cs" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1484683907" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "587e7a83-8088-4b4e-a146-43b102de0b81" ,
"value" : "https://docs.google.com/forms/d/e/1FAIpQLSdcdE7lTEiqV5MW3Up8Hgcy5NGkIKnLKoe0YPFriD4_9qYq9A/formResponse"
} ,
{
"category" : "Network activity" ,
"comment" : "Carbanak C&Cs" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1484683920" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "587e7a90-1318-4655-bfb4-4bcf02de0b81" ,
"value" : "http://atlantis-bahamas.com/css/informs.jsp"
} ,
{
"category" : "Network activity" ,
"comment" : "Carbanak C&Cs" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1484683921" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "587e7a91-cfa8-4d57-8ff5-4e5602de0b81" ,
"value" : "http://138.201.44.4/informs.jsp"
} ,
{
"category" : "Network activity" ,
"comment" : "Carbanak Cobalt Strike / Meterpreter DNS Beacon C&Cs" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1484683936" ,
"to_ids" : true ,
"type" : "hostname" ,
"uuid" : "587e7aa0-3a6c-4023-9e36-4c6402de0b81" ,
"value" : "aaa.stage.15594901.en.onokder.com"
} ,
{
"category" : "Network activity" ,
"comment" : "Carbanak Cobalt Strike / Meterpreter DNS Beacon C&Cs" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1484683937" ,
"to_ids" : true ,
"type" : "hostname" ,
"uuid" : "587e7aa1-f6b4-4b0d-9e3c-400802de0b81" ,
"value" : "aaa.stage.4710846.ns3.kiposerd.com"
} ,
{
"category" : "Payload delivery" ,
"comment" : "3-ThompsonDan.rtf - Xchecked via VT: 1ec48e5c0b88f4f850facc718bbdec9200e4bd2d" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1484683974" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "587e7ac6-6f94-4ab2-a39b-4d0802de0b81" ,
"value" : "7db1b8fd3ca8edbcb25a3849bad0182ea0b840e3cabc53c30b74af070d3ba247"
} ,
{
"category" : "Payload delivery" ,
"comment" : "3-ThompsonDan.rtf - Xchecked via VT: 1ec48e5c0b88f4f850facc718bbdec9200e4bd2d" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1484683975" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "587e7ac7-072c-4bb4-8650-46d702de0b81" ,
"value" : "4b783bd0bd7fcf880ca75359d9fc4da6"
} ,
{
"category" : "External analysis" ,
"comment" : "3-ThompsonDan.rtf - Xchecked via VT: 1ec48e5c0b88f4f850facc718bbdec9200e4bd2d" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1484683975" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "587e7ac7-3a78-4e9e-aa27-436a02de0b81" ,
"value" : "https://www.virustotal.com/file/7db1b8fd3ca8edbcb25a3849bad0182ea0b840e3cabc53c30b74af070d3ba247/analysis/1483977881/"
} ,
{
"category" : "Payload delivery" ,
"comment" : "order.docx - Xchecked via VT: 400f02249ba29a19ad261373e6ff3488646e95fb" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1484683976" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "587e7ac8-81ac-4b8b-9a34-422c02de0b81" ,
"value" : "c9f3e017b921c3d90127b25ef2f0c770a7fcbb429177284115ad18569ba4a441"
} ,
{
"category" : "Payload delivery" ,
"comment" : "order.docx - Xchecked via VT: 400f02249ba29a19ad261373e6ff3488646e95fb" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1484683977" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "587e7ac9-c1ec-4401-bfc2-4def02de0b81" ,
"value" : "ae8404ad422e92b1be7561c418c35fb7"
} ,
{
"category" : "External analysis" ,
"comment" : "order.docx - Xchecked via VT: 400f02249ba29a19ad261373e6ff3488646e95fb" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1484683978" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "587e7aca-6bc4-44dd-b72a-449b02de0b81" ,
"value" : "https://www.virustotal.com/file/c9f3e017b921c3d90127b25ef2f0c770a7fcbb429177284115ad18569ba4a441/analysis/1484193729/"
} ,
{
"category" : "Payload delivery" ,
"comment" : "claim.rtf - Xchecked via VT: 88f9bf3d6e767f1d324632b998051f4730f011c3" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1484683979" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "587e7acb-41a4-481b-a177-42b702de0b81" ,
"value" : "5c431c3c66b6dde35ffd528edca614b8b00ba7026714f431af8200f13098665f"
} ,
{
"category" : "Payload delivery" ,
"comment" : "claim.rtf - Xchecked via VT: 88f9bf3d6e767f1d324632b998051f4730f011c3" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1484683980" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "587e7acc-5c98-4e6d-b6f3-4cf302de0b81" ,
"value" : "af53db730732aa7db5fdd45ebba34b94"
} ,
{
"category" : "External analysis" ,
"comment" : "claim.rtf - Xchecked via VT: 88f9bf3d6e767f1d324632b998051f4730f011c3" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1484683980" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "587e7acc-e2d4-4795-abf7-4afb02de0b81" ,
"value" : "https://www.virustotal.com/file/5c431c3c66b6dde35ffd528edca614b8b00ba7026714f431af8200f13098665f/analysis/1483178982/"
}
]
}
}