{
"Event": {
"analysis": "2",
"date": "2017-12-10",
"extends_uuid": "",
"info": "OSINT - StrongPity2 spyware replaces FinFisher in MitM campaign \u2013 ISP involved?",
"publish_timestamp": "1512914097",
"published": true,
"threat_level_id": "2",
"timestamp": "1512895188",
"uuid": "5a2cec1b-7f7c-4e23-bd7f-40be02de0b81",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#0088cc",
"local": "0",
"name": "misp-galaxy:threat-actor=\"PROMETHIUM\"",
"relationship_type": ""
},
{
"colour": "#ffffff",
"local": "0",
"name": "tlp:white",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": "0",
"name": "misp-galaxy:tool=\"StrongPity2\"",
"relationship_type": ""
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1512893871",
"to_ids": false,
"type": "link",
"uuid": "5a2cec6d-e9c4-4cd0-9bca-4cf602de0b81",
"value": "https://www.welivesecurity.com/2017/12/08/strongpity-like-spyware-replaces-finfisher/",
"Tag": [
{
"colour": "#00223b",
"local": "0",
"name": "osint:source-type=\"blog-post\"",
"relationship_type": ""
},
{
"colour": "#007ed9",
"local": "0",
"name": "osint:certainty=\"93\"",
"relationship_type": ""
}
]
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1512893872",
"to_ids": false,
"type": "text",
"uuid": "5a2cec8f-ad7c-4132-924a-4fb002de0b81",
"value": "Continuing our research into FinFisher \u2013 the infamous spyware known also as FinSpy and sold to governments and their agencies worldwide \u2013 we noticed that the FinFisher malware in our previously-documented campaign, which had strong indicators of internet service provider (ISP) involvement, had been replaced by different spyware. Detected by ESET as Win32/StrongPity2, this spyware notably resembles one that was attributed to the group called StrongPity. As well as detecting and blocking this threat, all ESET products \u2013 including the free ESET Online Scanner \u2013 thoroughly clean systems compromised by StrongPity2.\r\n\r\nAs we reported in September, in campaigns we detected in two different countries, Man-in-the-Middle (MitM) attacks had been used to spread FinFisher, with the \u201cman\u201d in both cases most likely operating at the ISP level. According to our telemetry, those campaigns were terminated on 21 September 2017 \u2013 the very day we published our research.\r\n\r\nOn 8 October 2017, the same campaign resurfaced in one of those two countries, using the same (and very uncommon) structure of HTTP redirects to achieve \u201con-the-fly\u201d browser redirection, only this time distributing Win32/StrongPity2 instead of FinFisher. We analyzed the new spyware and immediately noticed several similarities to malware allegedly operated by the StrongPity group in the past.",
"Tag": [
{
"colour": "#00223b",
"local": "0",
"name": "osint:source-type=\"blog-post\"",
"relationship_type": ""
},
{
"colour": "#007ed9",
"local": "0",
"name": "osint:certainty=\"93\"",
"relationship_type": ""
}
]
},
{
"category": "Payload delivery",
"comment": "Hashes of analyzed samples:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1512893872",
"to_ids": true,
"type": "sha1",
"uuid": "5a2cecbf-c70c-43e7-b987-4c9502de0b81",
"value": "4ad3ecc01d3aa73b97f53e317e3441244cf60cbd"
},
{
"category": "Payload delivery",
"comment": "Hashes of analyzed samples:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1512893872",
"to_ids": true,
"type": "sha1",
"uuid": "5a2cecc0-f914-4007-9a3f-45ec02de0b81",
"value": "8b33b11991e1e94b7a1b03d6fb20541c012be0e3"
},
{
"category": "Payload delivery",
"comment": "Hashes of analyzed samples:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1512893872",
"to_ids": true,
"type": "sha1",
"uuid": "5a2cecc0-ff28-4fb3-b316-42f002de0b81",
"value": "49c2bcae30a537454ad0b9344b38a04a0465a0b5"
},
{
"category": "Payload delivery",
"comment": "Hashes of analyzed samples:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1512893872",
"to_ids": true,
"type": "sha1",
"uuid": "5a2cecc0-8c7c-4f26-a5ff-4bfc02de0b81",
"value": "e17b5e71d26b2518871c73e8b1459e85fb922814"
},
{
"category": "Payload delivery",
"comment": "Hashes of analyzed samples:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1512893872",
"to_ids": true,
"type": "sha1",
"uuid": "5a2cecc0-df50-4b03-8eab-4b7102de0b81",
"value": "76fc68607a608018277afa74ee09d5053623ff36"
},
{
"category": "Payload delivery",
"comment": "Hashes of analyzed samples:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1512893873",
"to_ids": true,
"type": "sha1",
"uuid": "5a2cecc0-251c-4d8f-b820-476802de0b81",
"value": "87a38a8c357f549b695541d603de30073035043d"
},
{
"category": "Payload delivery",
"comment": "Hashes of analyzed samples:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1512893873",
"to_ids": true,
"type": "sha1",
"uuid": "5a2cecc0-5528-4690-9081-4f5502de0b81",
"value": "9f2d9d2131eff6220abaf97e2acd1bbb5c66f4e0"
},
{
"category": "Payload delivery",
"comment": "Hashes of analyzed samples:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1512893873",
"to_ids": true,
"type": "sha1",
"uuid": "5a2cecc0-c908-4983-aef9-461d02de0b81",
"value": "f8009ef802a28c2e21bce76b31094ed4a16e70d6"
},
{
"category": "Payload delivery",
"comment": "Hashes of analyzed samples:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1512893873",
"to_ids": true,
"type": "sha1",
"uuid": "5a2cecc0-7fd8-4ea2-838a-423602de0b81",
"value": "a0437a2c8c50b8748ca3344c38bc80279779add7"
},
{
"category": "Network activity",
"comment": "Domain serving the software packages trojanized by Win32/StrongPity2",
"deleted": false,
"disable_correlation": false,
"timestamp": "1512893873",
"to_ids": true,
"type": "url",
"uuid": "5a2cece5-f034-425c-bdb3-467d02de0b81",
"value": "https://downloading.internetdownloading.co"
},
{
"category": "Payload delivery",
"comment": "Hashes of analyzed samples: - Xchecked via VT: a0437a2c8c50b8748ca3344c38bc80279779add7",
"deleted": false,
"disable_correlation": false,
"timestamp": "1512893873",
"to_ids": true,
"type": "sha256",
"uuid": "5a2cedb1-0d68-45fb-82f6-4f3102de0b81",
"value": "0ef8d249a2e8cb096b69c7f2cae46a073681bd43fcabc9c50eb5df454c71baea"
},
{
"category": "Payload delivery",
"comment": "Hashes of analyzed samples: - Xchecked via VT: a0437a2c8c50b8748ca3344c38bc80279779add7",
"deleted": false,
"disable_correlation": false,
"timestamp": "1512893873",
"to_ids": true,
"type": "md5",
"uuid": "5a2cedb1-e590-4697-aaf9-43f802de0b81",
"value": "5f8dd1a37ad2b36b178777d6bbf8a35b"
},
{
"category": "External analysis",
"comment": "Hashes of analyzed samples: - Xchecked via VT: a0437a2c8c50b8748ca3344c38bc80279779add7",
"deleted": false,
"disable_correlation": false,
"timestamp": "1512893873",
"to_ids": false,
"type": "link",
"uuid": "5a2cedb1-8828-4342-8688-48e702de0b81",
"value": "https://www.virustotal.com/file/0ef8d249a2e8cb096b69c7f2cae46a073681bd43fcabc9c50eb5df454c71baea/analysis/1512879477/"
},
{
"category": "Payload delivery",
"comment": "Hashes of analyzed samples: - Xchecked via VT: f8009ef802a28c2e21bce76b31094ed4a16e70d6",
"deleted": false,
"disable_correlation": false,
"timestamp": "1512893874",
"to_ids": true,
"type": "sha256",
"uuid": "5a2cedb2-b11c-481d-b598-467f02de0b81",
"value": "462e85023952d23b74d697911653604b40497424e7a6fe505366addae6c375f7"
},
{
"category": "Payload delivery",
"comment": "Hashes of analyzed samples: - Xchecked via VT: f8009ef802a28c2e21bce76b31094ed4a16e70d6",
"deleted": false,
"disable_correlation": false,
"timestamp": "1512893875",
"to_ids": true,
"type": "md5",
"uuid": "5a2cedb3-ff88-455a-add9-455702de0b81",
"value": "be6f2a03dfddbaf1166854730961d13c"
},
{
"category": "External analysis",
"comment": "Hashes of analyzed samples: - Xchecked via VT: f8009ef802a28c2e21bce76b31094ed4a16e70d6",
"deleted": false,
"disable_correlation": false,
"timestamp": "1512893875",
"to_ids": false,
"type": "link",
"uuid": "5a2cedb3-18ec-487b-92e5-46ca02de0b81",
"value": "https://www.virustotal.com/file/462e85023952d23b74d697911653604b40497424e7a6fe505366addae6c375f7/analysis/1512864532/"
},
{
"category": "Payload delivery",
"comment": "Hashes of analyzed samples: - Xchecked via VT: e17b5e71d26b2518871c73e8b1459e85fb922814",
"deleted": false,
"disable_correlation": false,
"timestamp": "1512893875",
"to_ids": true,
"type": "sha256",
"uuid": "5a2cedb3-c700-4050-9092-479802de0b81",
"value": "57da6fa244402a7fe5d4f8f8abf2acbc08db3817faee93dd8ccdc8a2a3554245"
},
{
"category": "Payload delivery",
"comment": "Hashes of analyzed samples: - Xchecked via VT: e17b5e71d26b2518871c73e8b1459e85fb922814",
"deleted": false,
"disable_correlation": false,
"timestamp": "1512893875",
"to_ids": true,
"type": "md5",
"uuid": "5a2cedb3-3538-46e4-b83c-489602de0b81",
"value": "08d971f5f4707ae6ea56ed2f243c38b7"
},
{
"category": "External analysis",
"comment": "Hashes of analyzed samples: - Xchecked via VT: e17b5e71d26b2518871c73e8b1459e85fb922814",
"deleted": false,
"disable_correlation": false,
"timestamp": "1512893875",
"to_ids": false,
"type": "link",
"uuid": "5a2cedb3-769c-4574-81d2-434f02de0b81",
"value": "https://www.virustotal.com/file/57da6fa244402a7fe5d4f8f8abf2acbc08db3817faee93dd8ccdc8a2a3554245/analysis/1512862923/"
},
{
"category": "Network activity",
"comment": "URLs used to exfiltrate stolen data",
"deleted": false,
"disable_correlation": false,
"timestamp": "1512893919",
"to_ids": true,
"type": "url",
"uuid": "5a2ceddf-183c-4fea-a9cd-4b9e02de0b81",
"value": "https://updserv-east-cdn3.com/s3s3sxhxTuDSrkBQb88wE99Q.php"
},
{
"category": "Network activity",
"comment": "URLs used to exfiltrate stolen data",
"deleted": false,
"disable_correlation": false,
"timestamp": "1512893920",
"to_ids": true,
"type": "url",
"uuid": "5a2cede0-524c-483d-983a-4f2902de0b81",
"value": "https://updserv-east-cdn3.com/kU2QLsNB6TzexJv5vGdunVXT.php"
},
{
"category": "Network activity",
"comment": "URLs used to exfiltrate stolen data",
"deleted": false,
"disable_correlation": false,
"timestamp": "1512893921",
"to_ids": true,
"type": "url",
"uuid": "5a2cede1-2874-4fac-9a9c-4a2702de0b81",
"value": "https://updserv-east-cdn3.com/p55C3xhxTuD5rkBQbB8wE99Q.php"
},
{
"category": "Artifacts dropped",
"comment": "Folder created by the malware to store its components",
"deleted": false,
"disable_correlation": false,
"timestamp": "1512893955",
"to_ids": true,
"type": "filename",
"uuid": "5a2cedf2-4948-4937-823a-492b02de0b81",
"value": "%temp%\\lang_be29c9f3-83we"
}
]
}
}