misp-circl-feed/feeds/circl/misp/59cab250-1480-406f-8e7a-4c7e02de0b81.json

489 lines
19 KiB
JSON
Raw Normal View History

2023-04-21 13:25:09 +00:00
{
"Event": {
"analysis": "2",
"date": "2017-09-26",
"extends_uuid": "",
"info": "OSINT - Striking Oil: A Closer Look at Adversary Infrastructure",
"publish_timestamp": "1506456427",
"published": true,
"threat_level_id": "3",
"timestamp": "1506456406",
"uuid": "59cab250-1480-406f-8e7a-4c7e02de0b81",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#ffffff",
2023-05-19 09:05:37 +00:00
"local": "0",
"name": "tlp:white",
"relationship_type": ""
2023-04-21 13:25:09 +00:00
},
{
"colour": "#0088cc",
2023-05-19 09:05:37 +00:00
"local": "0",
"name": "misp-galaxy:tool=\"TwoFace\"",
"relationship_type": ""
2023-04-21 13:25:09 +00:00
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1506456407",
"to_ids": false,
"type": "link",
"uuid": "59cab25e-8e18-492b-80fd-f69902de0b81",
"value": "https://researchcenter.paloaltonetworks.com/2017/09/unit42-striking-oil-closer-look-adversary-infrastructure/",
"Tag": [
{
"colour": "#00223b",
2023-05-19 09:05:37 +00:00
"local": "0",
"name": "osint:source-type=\"blog-post\"",
"relationship_type": ""
2023-04-21 13:25:09 +00:00
}
]
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1506456407",
"to_ids": false,
"type": "text",
"uuid": "59cab279-6d8c-42b2-b5f1-476902de0b81",
"value": "While expanding our research into the TwoFace webshell from this past July, we were able to uncover several IP addresses that logged in and directly interfaced with the shell we discovered and wrote about. Investigating deeper into these potential adversary IPs revealed a much larger infrastructure used to execute the attacks. We found the infrastructure was segregated into different functions for specific malicious objectives. We found some sites that were set up as credential harvesters (likely used in phishing attacks), a compromised system that was used to interact with a TwoFace webshell to hide the actor\u00e2\u20ac\u2122s location, and finally systems that interact with TwoFace webshell-compromised systems to provide command and control direction of those compromised systems.\r\n\r\nIn addition to uncovering the attack infrastructure for this adversary, we were able to determine a significant link between the operators of the set of attacks involving TwoFace and another attack campaign we have published on in detail: OilRig.",
"Tag": [
{
"colour": "#00223b",
2023-05-19 09:05:37 +00:00
"local": "0",
"name": "osint:source-type=\"blog-post\"",
"relationship_type": ""
2023-04-21 13:25:09 +00:00
}
]
},
{
"category": "Payload delivery",
"comment": "Post-exploitation Tools",
"deleted": false,
"disable_correlation": false,
"timestamp": "1506456407",
"to_ids": true,
"type": "sha256",
"uuid": "59cab2ae-ee3c-4fb0-bebc-4a3402de0b81",
"value": "28a0db561ff5a525bc2696cf98d96f443f528afe63c5097c5e0ccad071fcb8c2"
},
{
"category": "Payload delivery",
"comment": "Post-exploitation Tools",
"deleted": false,
"disable_correlation": false,
"timestamp": "1506456407",
"to_ids": true,
"type": "sha256",
"uuid": "59cab2ae-e7fc-4fe2-9249-4f5c02de0b81",
"value": "744e0ce108598aaa8994f211e00769ac8a3f05324d3f07f7705277b9af7a7497"
},
{
"category": "Payload delivery",
"comment": "Post-exploitation Tools",
"deleted": false,
"disable_correlation": false,
"timestamp": "1506456407",
"to_ids": true,
"type": "sha256",
"uuid": "59cab2ae-dbc0-4cd4-8593-4b8702de0b81",
"value": "caf5f9791ab3049811e16971b4673ec6d4baf35ffaadd7486ea4c5e318d10696"
},
{
"category": "Payload delivery",
"comment": "Post-exploitation Tools",
"deleted": false,
"disable_correlation": false,
"timestamp": "1506456407",
"to_ids": true,
"type": "sha256",
"uuid": "59cab2ae-2d4c-4c7b-877a-4d0302de0b81",
"value": "6ae32cd3b5a8a1dbb5464372ded370f31802fd1f5031795b43d662c64fc5b301"
},
{
"category": "Payload delivery",
"comment": "Post-exploitation Tools",
"deleted": false,
"disable_correlation": false,
"timestamp": "1506456407",
"to_ids": true,
"type": "sha256",
"uuid": "59cab2ae-6e70-4c00-b632-48eb02de0b81",
"value": "3b08535b4add194f5661e1131c8e81af373ca322cf669674cf1272095e5cab95"
},
{
"category": "Payload delivery",
"comment": "Post-exploitation Tools",
"deleted": false,
"disable_correlation": false,
"timestamp": "1506456407",
"to_ids": true,
"type": "sha256",
"uuid": "59cab2ae-d2bc-45c8-9af5-425f02de0b81",
"value": "450ebd66ba67bb46bf18d122823ff07ef4a7b11afe63b6f269aec9236a1790cd"
},
{
"category": "Payload delivery",
"comment": "Post-exploitation Tools",
"deleted": false,
"disable_correlation": false,
"timestamp": "1506456407",
"to_ids": true,
"type": "sha256",
"uuid": "59cab2ae-adc8-4820-b9c3-4c9f02de0b81",
"value": "5b7eb534a852c187eee7eb729056082eec7a028819191fc2bc3ba4d1127fbd12"
},
{
"category": "Payload delivery",
"comment": "Post-exploitation Tools",
"deleted": false,
"disable_correlation": false,
"timestamp": "1506456407",
"to_ids": true,
"type": "sha256",
"uuid": "59cab2ae-2814-4ae0-84b3-499302de0b81",
"value": "6e623311768f1c419b3f755248a3b3d4bf80d26606a74ed4cfd25547a67734c7"
},
{
"category": "Payload delivery",
"comment": "Post-exploitation Tools",
"deleted": false,
"disable_correlation": false,
"timestamp": "1506456407",
"to_ids": true,
"type": "sha256",
"uuid": "59cab2ae-2444-4dfe-bbbd-4f8702de0b81",
"value": "497e6965120a7ca6644da9b8291c65901e78d302139d221fcf0a3ec6c5cf9de3"
},
{
"category": "Payload delivery",
"comment": "Post-exploitation Tools",
"deleted": false,
"disable_correlation": false,
"timestamp": "1506456407",
"to_ids": true,
"type": "sha256",
"uuid": "59cab2ae-4ce8-4325-b940-4e6202de0b81",
"value": "d3b03c0da854102802c21c0fa8736910ea039bbe93a140c09689fc802435ea31"
},
{
"category": "Payload delivery",
"comment": "Post-exploitation Tools",
"deleted": false,
"disable_correlation": false,
"timestamp": "1506456407",
"to_ids": true,
"type": "sha256",
"uuid": "59cab2ae-9e74-4969-81e6-44d302de0b81",
"value": "5ead94f12c307438e6475e49f02bedaee0cd09ce6cebb7939f9a2830f913212c"
},
{
"category": "Payload delivery",
"comment": "Post-exploitation Tools",
"deleted": false,
"disable_correlation": false,
"timestamp": "1506456407",
"to_ids": true,
"type": "sha256",
"uuid": "59cab2ae-27dc-420e-9693-49f802de0b81",
"value": "bb9b4e088eb99100156f56bbd35a21ff7e96981ffe78ca9132781e9b3f064f44"
},
{
"category": "Network activity",
"comment": "Credential Harvesting Domains",
"deleted": false,
"disable_correlation": false,
"timestamp": "1506456407",
"to_ids": true,
"type": "domain",
"uuid": "59cab2c1-f358-42a9-9d5f-47fb02de0b81",
"value": "owa-insss-org-ill-owa-authen.ml"
},
{
"category": "Network activity",
"comment": "Credential Harvesting Domains",
"deleted": false,
"disable_correlation": false,
"timestamp": "1506456406",
"to_ids": true,
"type": "domain",
"uuid": "59cab2c2-28e8-413c-bf16-4b7c02de0b81",
"value": "webmaiil-tau-ac-il.ml"
},
{
"category": "Network activity",
"comment": "Credential Harvesting Domains",
"deleted": false,
"disable_correlation": false,
"timestamp": "1506456407",
"to_ids": true,
"type": "domain",
"uuid": "59cab2c2-bd5c-4a38-b84d-465f02de0b81",
"value": "mail-macroadvisorypartners.ml"
},
{
"category": "Network activity",
"comment": "Credential Harvesting Domains",
"deleted": false,
"disable_correlation": false,
"timestamp": "1506456406",
"to_ids": true,
"type": "domain",
"uuid": "59cab2c2-0c68-41cf-a8cb-4d0102de0b81",
"value": "webmail-tidhar-co-il.ml"
},
{
"category": "Network activity",
"comment": "Credential Harvesting Domains",
"deleted": false,
"disable_correlation": false,
"timestamp": "1506456406",
"to_ids": true,
"type": "domain",
"uuid": "59cab2c2-c4e4-48f3-b732-44d202de0b81",
"value": "my-mailcoil.ml"
},
{
"category": "Network activity",
"comment": "Credential Harvesting Domains",
"deleted": false,
"disable_correlation": false,
"timestamp": "1506456406",
"to_ids": true,
"type": "domain",
"uuid": "59cab2c2-ea68-4b85-8e1e-48c402de0b81",
"value": "logn-micrsftonine-con.ml"
},
{
"category": "Network activity",
"comment": "Credential Harvesting Domains",
"deleted": false,
"disable_correlation": false,
"timestamp": "1506456406",
"to_ids": true,
"type": "domain",
"uuid": "59cab2c2-a804-4892-8444-439702de0b81",
"value": "so-cc-hujii-ac-il.ml"
},
{
"category": "Network activity",
"comment": "We observed the IP address 137.74.131[.]208 interacting with the TwoFace webshell as described in our previous blog.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1506456406",
"to_ids": true,
"type": "ip-dst",
"uuid": "59cab32d-bc80-49d0-b801-480b02de0b81",
"value": "137.74.131.208"
},
{
"category": "Payload delivery",
"comment": "Post-exploitation Tools - Xchecked via VT: 28a0db561ff5a525bc2696cf98d96f443f528afe63c5097c5e0ccad071fcb8c2",
"deleted": false,
"disable_correlation": false,
"timestamp": "1506456407",
"to_ids": true,
"type": "sha1",
"uuid": "59cab357-66cc-473d-a11d-4aaf02de0b81",
"value": "fd095248cc300eb60c758a8f51f6050b2fe56520"
},
{
"category": "Payload delivery",
"comment": "Post-exploitation Tools - Xchecked via VT: 28a0db561ff5a525bc2696cf98d96f443f528afe63c5097c5e0ccad071fcb8c2",
"deleted": false,
"disable_correlation": false,
"timestamp": "1506456407",
"to_ids": true,
"type": "md5",
"uuid": "59cab357-0e80-4b6a-b532-4f1e02de0b81",
"value": "28089bfa4a1991ae98a7230f055a6081"
},
{
"category": "External analysis",
"comment": "Post-exploitation Tools - Xchecked via VT: 28a0db561ff5a525bc2696cf98d96f443f528afe63c5097c5e0ccad071fcb8c2",
"deleted": false,
"disable_correlation": false,
"timestamp": "1506456407",
"to_ids": false,
"type": "link",
"uuid": "59cab357-5428-4492-bfbf-412d02de0b81",
"value": "https://www.virustotal.com/file/28a0db561ff5a525bc2696cf98d96f443f528afe63c5097c5e0ccad071fcb8c2/analysis/1500337719/"
},
{
"category": "Payload delivery",
"comment": "Post-exploitation Tools - Xchecked via VT: 6ae32cd3b5a8a1dbb5464372ded370f31802fd1f5031795b43d662c64fc5b301",
"deleted": false,
"disable_correlation": false,
"timestamp": "1506456407",
"to_ids": true,
"type": "sha1",
"uuid": "59cab357-afb0-402d-8585-443e02de0b81",
"value": "5221c2ce846d9cbc8ab73142b51414f31544289f"
},
{
"category": "Payload delivery",
"comment": "Post-exploitation Tools - Xchecked via VT: 6ae32cd3b5a8a1dbb5464372ded370f31802fd1f5031795b43d662c64fc5b301",
"deleted": false,
"disable_correlation": false,
"timestamp": "1506456407",
"to_ids": true,
"type": "md5",
"uuid": "59cab357-c808-483b-9e09-4b3f02de0b81",
"value": "b5450c8553def4996426ab46996b2e55"
},
{
"category": "External analysis",
"comment": "Post-exploitation Tools - Xchecked via VT: 6ae32cd3b5a8a1dbb5464372ded370f31802fd1f5031795b43d662c64fc5b301",
"deleted": false,
"disable_correlation": false,
"timestamp": "1506456407",
"to_ids": false,
"type": "link",
"uuid": "59cab357-c1ac-4ad8-8355-40e902de0b81",
"value": "https://www.virustotal.com/file/6ae32cd3b5a8a1dbb5464372ded370f31802fd1f5031795b43d662c64fc5b301/analysis/1497352004/"
},
{
"category": "Payload delivery",
"comment": "Post-exploitation Tools - Xchecked via VT: 3b08535b4add194f5661e1131c8e81af373ca322cf669674cf1272095e5cab95",
"deleted": false,
"disable_correlation": false,
"timestamp": "1506456407",
"to_ids": true,
"type": "sha1",
"uuid": "59cab357-febc-4bfa-9185-439902de0b81",
"value": "b5c62d79eda4f7e4b60a9caa5736a3fdc2f1b27e"
},
{
"category": "Payload delivery",
"comment": "Post-exploitation Tools - Xchecked via VT: 3b08535b4add194f5661e1131c8e81af373ca322cf669674cf1272095e5cab95",
"deleted": false,
"disable_correlation": false,
"timestamp": "1506456407",
"to_ids": true,
"type": "md5",
"uuid": "59cab357-2330-4b9b-8b15-499b02de0b81",
"value": "a7f7a0f74c8b48f1699858b3b6c11eda"
},
{
"category": "External analysis",
"comment": "Post-exploitation Tools - Xchecked via VT: 3b08535b4add194f5661e1131c8e81af373ca322cf669674cf1272095e5cab95",
"deleted": false,
"disable_correlation": false,
"timestamp": "1506456407",
"to_ids": false,
"type": "link",
"uuid": "59cab357-6040-49e1-9e31-4ad502de0b81",
"value": "https://www.virustotal.com/file/3b08535b4add194f5661e1131c8e81af373ca322cf669674cf1272095e5cab95/analysis/1506412272/"
},
{
"category": "Payload delivery",
"comment": "Post-exploitation Tools - Xchecked via VT: 450ebd66ba67bb46bf18d122823ff07ef4a7b11afe63b6f269aec9236a1790cd",
"deleted": false,
"disable_correlation": false,
"timestamp": "1506456407",
"to_ids": true,
"type": "sha1",
"uuid": "59cab357-3b20-4868-9a21-471f02de0b81",
"value": "289f3bfe297923507cf4c26ca500ae01819c6a95"
},
{
"category": "Payload delivery",
"comment": "Post-exploitation Tools - Xchecked via VT: 450ebd66ba67bb46bf18d122823ff07ef4a7b11afe63b6f269aec9236a1790cd",
"deleted": false,
"disable_correlation": false,
"timestamp": "1506456407",
"to_ids": true,
"type": "md5",
"uuid": "59cab357-9130-4589-8b79-4edb02de0b81",
"value": "081e2ce7e2a603a78cc6c20a05b08ca8"
},
{
"category": "External analysis",
"comment": "Post-exploitation Tools - Xchecked via VT: 450ebd66ba67bb46bf18d122823ff07ef4a7b11afe63b6f269aec9236a1790cd",
"deleted": false,
"disable_correlation": false,
"timestamp": "1506456407",
"to_ids": false,
"type": "link",
"uuid": "59cab357-adb8-4701-a11d-484102de0b81",
"value": "https://www.virustotal.com/file/450ebd66ba67bb46bf18d122823ff07ef4a7b11afe63b6f269aec9236a1790cd/analysis/1500539163/"
},
{
"category": "Payload delivery",
"comment": "Post-exploitation Tools - Xchecked via VT: 497e6965120a7ca6644da9b8291c65901e78d302139d221fcf0a3ec6c5cf9de3",
"deleted": false,
"disable_correlation": false,
"timestamp": "1506456407",
"to_ids": true,
"type": "sha1",
"uuid": "59cab357-24c4-4f12-8ec1-454502de0b81",
"value": "5447283518473ea8b9d35424532a94e2966f7a90"
},
{
"category": "Payload delivery",
"comment": "Post-exploitation Tools - Xchecked via VT: 497e6965120a7ca6644da9b8291c65901e78d302139d221fcf0a3ec6c5cf9de3",
"deleted": false,
"disable_correlation": false,
"timestamp": "1506456407",
"to_ids": true,
"type": "md5",
"uuid": "59cab357-d410-4086-a717-4aad02de0b81",
"value": "0f9d0b03254830714654c2ceb11a7f5d"
},
{
"category": "External analysis",
"comment": "Post-exploitation Tools - Xchecked via VT: 497e6965120a7ca6644da9b8291c65901e78d302139d221fcf0a3ec6c5cf9de3",
"deleted": false,
"disable_correlation": false,
"timestamp": "1506456407",
"to_ids": false,
"type": "link",
"uuid": "59cab357-eb68-44ec-8d84-4d0e02de0b81",
"value": "https://www.virustotal.com/file/497e6965120a7ca6644da9b8291c65901e78d302139d221fcf0a3ec6c5cf9de3/analysis/1505921769/"
},
{
"category": "Payload delivery",
"comment": "Post-exploitation Tools - Xchecked via VT: 5ead94f12c307438e6475e49f02bedaee0cd09ce6cebb7939f9a2830f913212c",
"deleted": false,
"disable_correlation": false,
"timestamp": "1506456407",
"to_ids": true,
"type": "sha1",
"uuid": "59cab357-b434-4887-ae7c-41fc02de0b81",
"value": "0c91a56f61c0365f56dc7b2b4e17bbf1e4cb134b"
},
{
"category": "Payload delivery",
"comment": "Post-exploitation Tools - Xchecked via VT: 5ead94f12c307438e6475e49f02bedaee0cd09ce6cebb7939f9a2830f913212c",
"deleted": false,
"disable_correlation": false,
"timestamp": "1506456407",
"to_ids": true,
"type": "md5",
"uuid": "59cab357-c5c4-4fef-9d9a-468e02de0b81",
"value": "a56abdaa3438378bf16b3eccf317af8a"
},
{
"category": "External analysis",
"comment": "Post-exploitation Tools - Xchecked via VT: 5ead94f12c307438e6475e49f02bedaee0cd09ce6cebb7939f9a2830f913212c",
"deleted": false,
"disable_correlation": false,
"timestamp": "1506456407",
"to_ids": false,
"type": "link",
"uuid": "59cab357-4da0-4c0b-bfc2-42f002de0b81",
"value": "https://www.virustotal.com/file/5ead94f12c307438e6475e49f02bedaee0cd09ce6cebb7939f9a2830f913212c/analysis/1483030641/"
}
]
}
}