misp-circl-feed/feeds/circl/misp/8cc5335e-915b-4e16-837d-49143e6987b4.json

401 lines
17 KiB
JSON
Raw Normal View History

2023-04-21 13:25:09 +00:00
{
"Event": {
"analysis": "2",
"date": "2022-01-16",
"extends_uuid": "",
"info": "MSFT - MSTIC - Destructive malware targeting Ukrainian organizations",
"publish_timestamp": "1642350086",
"published": true,
"threat_level_id": "4",
"timestamp": "1642348752",
"uuid": "8cc5335e-915b-4e16-837d-49143e6987b4",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#004646",
2023-05-19 09:05:37 +00:00
"local": "0",
"name": "type:OSINT",
"relationship_type": ""
2023-04-21 13:25:09 +00:00
},
{
"colour": "#0071c3",
2023-05-19 09:05:37 +00:00
"local": "0",
"name": "osint:lifetime=\"perpetual\"",
"relationship_type": ""
2023-04-21 13:25:09 +00:00
},
{
"colour": "#0087e8",
2023-05-19 09:05:37 +00:00
"local": "0",
"name": "osint:certainty=\"50\"",
"relationship_type": ""
2023-04-21 13:25:09 +00:00
},
{
"colour": "#ffffff",
2023-05-19 09:05:37 +00:00
"local": "0",
"name": "tlp:white",
"relationship_type": ""
2023-04-21 13:25:09 +00:00
},
{
"colour": "#0088cc",
2023-05-19 09:05:37 +00:00
"local": "0",
"name": "misp-galaxy:mitre-attack-pattern=\"Data Destruction - T1485\"",
"relationship_type": ""
2023-04-21 13:25:09 +00:00
},
{
"colour": "#0088cc",
2023-05-19 09:05:37 +00:00
"local": "0",
"name": "misp-galaxy:target-information=\"Ukraine\"",
"relationship_type": ""
2023-04-21 13:25:09 +00:00
},
{
"colour": "#7c0025",
2023-05-19 09:05:37 +00:00
"local": "0",
"name": "collaborative-intelligence:request=\"related-samples\"",
"relationship_type": ""
2023-04-21 13:25:09 +00:00
},
{
"colour": "#420014",
2023-05-19 09:05:37 +00:00
"local": "0",
"name": "collaborative-intelligence:request=\"sample\"",
"relationship_type": ""
2023-04-21 13:25:09 +00:00
}
],
"Attribute": [
{
"category": "Other",
"comment": "1AVNM68gj6PGPFcJuftKATa4WLnzg8fpfv: Enriched via the btc_steroids module",
"deleted": false,
"disable_correlation": false,
"timestamp": "1642346672",
"to_ids": false,
"type": "text",
"uuid": "78878812-d712-4bdb-b383-dee68c322b3d",
"value": "Address:\t1AVNM68gj6PGPFcJuftKATa4WLnzg8fpfvBalance:\t0.0001185800 BTC (+0.0001185800 BTC / -0.0000000000 BTC)Transactions:\t1\t (previewing up to 5 most recent)======================================================================================#1\t14 Jan 2022 14:01:25 UTC\t 0.00011858 BTC 5.11 USD\t 4.48 EUR"
}
],
"Object": [
{
"comment": "",
"deleted": false,
"description": "Metadata used to generate an executive level report",
"meta-category": "misc",
"name": "report",
"template_uuid": "70a68471-df22-4e3f-aa1a-5a3be19f82df",
"template_version": "5",
"timestamp": "1642346505",
"uuid": "6a975fb9-d969-43e4-bd82-0fb95834cdb8",
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "link",
"timestamp": "1642346505",
"to_ids": false,
"type": "link",
"uuid": "c8da9b75-1b0d-4b69-a0ab-66bd656114e1",
"value": "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "summary",
"timestamp": "1642346505",
"to_ids": false,
"type": "text",
"uuid": "430ccaab-1f97-4d8a-b198-00410e9c6737",
"value": "Microsoft Threat Intelligence Center (MSTIC) has identified evidence of a destructive malware operation targeting multiple organizations in Ukraine. This malware first appeared on victim systems in Ukraine on January 13, 2022. Microsoft is aware of the ongoing geopolitical events in Ukraine and surrounding region and encourages organizations to use the information in this post to proactively protect from any malicious activity.\r\n\r\nWhile our investigation is continuing, MSTIC has not found any notable associations between this observed activity, tracked as DEV-0586, and other known activity groups. MSTIC assesses that the malware, which is designed to look like ransomware but lacking a ransom recovery mechanism, is intended to be destructive and designed to render targeted devices inoperable rather than to obtain a ransom.\r\n\r\nAt present and based on Microsoft visibility, our investigation teams have identified the malware on dozens of impacted systems and that number could grow as our investigation continues. These systems span multiple government, non-profit, and information technology organizations, all based in Ukraine. We do not know the current stage of this attacker\u2019s operational cycle or how many other victim organizations may exist in Ukraine or other geographic locations. However, it is unlikely these impacted systems represent the full scope of impact as other organizations are reporting.\r\n\r\nGiven the scale of the observed intrusions, MSTIC is not able to assess intent of the identified destructive actions but does believe these actions represent an elevated risk to any government agency, non-profit or enterprise located or with systems in Ukraine. We strongly encourage all organizations to immediately conduct a thorough investigation and to implement defenses using the information provided in this post. MSTIC will update this blog as we have additional information to share.\r\n\r\nAs with any observed nation-state actor activity, Microsoft directly and proactively notifies customers that have been targeted or compromised, providing them with the information they need to guide their investigations. MSTIC is also actively working with members of the global security community and other strategic partners to share information that can address this evolving threat through multiple channels. Microsoft uses DEV-#### designations as a temporary name given to an unknown, emerging, or a developing cluster of threat activity, allowing MSTIC to track it as a unique set of information until we reach a high confidence about the origin or identity of the actor behind the activity. Once it meets the criteria, a DEV is converted to a named actor or merged with existing actors."
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "type",
"timestamp": "1642346505",
"to_ids": false,
"type": "text",
"uuid": "81a1cb8c-f4cf-4ab3-80ed-5bb85aa194d9",
"value": "Blog post"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "case-number",
"timestamp": "1642346506",
"to_ids": false,
"type": "text",
"uuid": "40f28a5c-bcc2-4351-9813-6b51a827a494",
"value": "DEV-0586"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An address used in a cryptocurrency",
"meta-category": "financial",
"name": "coin-address",
"template_uuid": "d0e6997e-78da-4815-a6a1-cfc1c1cb8a46",
"template_version": "5",
"timestamp": "1642346635",
"uuid": "a30c962e-674e-482e-9f93-dd99a6f44cf6",
"Attribute": [
{
"category": "Financial fraud",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "address",
"timestamp": "1642346635",
"to_ids": true,
"type": "btc",
"uuid": "b4de6e74-7a43-4efa-9365-b9f6c35ec177",
"value": "1AVNM68gj6PGPFcJuftKATa4WLnzg8fpfv"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "symbol",
"timestamp": "1642346635",
"to_ids": false,
"type": "text",
"uuid": "fe71e9c8-03d7-45df-a9e8-011cf339ac74",
"value": "BTC"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "text",
"timestamp": "1642346635",
"to_ids": false,
"type": "text",
"uuid": "ebf79d73-a7cc-4065-92ce-61cf8b1991f5",
"value": "The two-stage malware overwrites the Master Boot Record (MBR) on victim systems with a ransom note (Stage 1). The MBR is the part of a hard drive that tells the computer how to load its operating system. The ransom note contains a Bitcoin wallet and Tox ID (a unique account identifier used in the Tox encrypted messaging protocol) that have not been previously observed by MSTIC:\r\n\r\nYour hard drive has been corrupted.\r\nIn case you want to recover all hard drives\r\nof your organization,\r\nYou should pay us $10k via bitcoin wallet\r\n1AVNM68gj6PGPFcJuftKATa4WLnzg8fpfv and send message via\r\ntox ID 8BEDC411012A33BA34F49130D0F186993C6A32DAD8976F6A5D82C1ED23054C057ECED5496F65\r\nwith your organization name.\r\nWe will contact you to give further instructions."
}
]
},
{
"comment": "",
"deleted": false,
"description": "Command line and option related to a software malicious or not to execute specific commands.",
"meta-category": "misc",
"name": "command-line",
"template_uuid": "88ebe222-d3cc-11e9-875d-7f13f460adaf",
"template_version": "1",
"timestamp": "1642346720",
"uuid": "8f2d984e-5949-4a3f-8a71-2aeef9902aa1",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "value",
"timestamp": "1642346720",
"to_ids": false,
"type": "text",
"uuid": "c01659cb-5767-425d-b00a-779993d6f830",
"value": "cmd.exe /Q /c start c:\\stage1.exe 1> \\\\127.0.0.1\\ADMIN$\\__[TIMESTAMP] 2>&1"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "description",
"timestamp": "1642346720",
"to_ids": false,
"type": "text",
"uuid": "ffbdbc52-6baf-40b4-8ac4-e98c0900d435",
"value": "Example Impacket command line showing the execution of the destructive malware. The working directory has varied in observed intrusions."
}
]
},
{
"comment": "Hash of destructive malware stage1.exe",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1642346848",
"uuid": "7a41ba78-2acf-4af3-9beb-46bef578cc82",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1642346848",
"to_ids": true,
"type": "sha256",
"uuid": "41a8e720-fb8d-4e99-982a-22ed62aef4ad",
"value": "a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "filename",
"timestamp": "1642346848",
"to_ids": true,
"type": "filename",
"uuid": "cbd8aab7-a690-41c4-b908-ff5263321783",
"value": "stage1.exe"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "state",
"timestamp": "1642346848",
"to_ids": false,
"type": "text",
"uuid": "94a2f573-2a42-4c5f-bb1f-e2b86944bda2",
"value": "Malicious"
}
]
},
{
"comment": "Hash of stage2.exe",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1642346832",
"uuid": "3d8cc8f9-5f4c-4236-b56a-7ebfd02129aa",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1642346832",
"to_ids": true,
"type": "sha256",
"uuid": "14d73e59-b8da-4bb5-9293-e0f2b658a046",
"value": "dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "filename",
"timestamp": "1642346832",
"to_ids": true,
"type": "filename",
"uuid": "335f0b7b-bcb3-42a2-8c4a-f2622bc133ee",
"value": "stage2.exe"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "state",
"timestamp": "1642346832",
"to_ids": false,
"type": "text",
"uuid": "11a9aaf6-0787-488d-be5d-49b4bdd54c17",
"value": "Malicious"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Antivirus detection signature",
"meta-category": "misc",
"name": "av-signature",
"template_uuid": "4dbb56ef-4763-4c97-8696-a2bfc305cf8e",
"template_version": "1",
"timestamp": "1642347079",
"uuid": "043ad7de-27a2-4292-8aa2-5c05739275bb",
"Attribute": [
{
"category": "Antivirus detection",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "signature",
"timestamp": "1642347079",
"to_ids": false,
"type": "text",
"uuid": "499fd717-835c-4273-afc4-993042722618",
"value": "WhisperGate"
},
{
"category": "Antivirus detection",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "software",
"timestamp": "1642347079",
"to_ids": false,
"type": "text",
"uuid": "df08f949-327d-4da3-9da8-3e56626c42fa",
"value": "Microsoft 365 Defender"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Instant Message (IM) object template describing one or more IM message.",
"meta-category": "misc",
"name": "instant-message",
"template_uuid": "5fa51a24-f40f-4696-a77e-d31e26bab5fc",
"template_version": "1",
"timestamp": "1642348752",
"uuid": "11817599-476e-4b7b-9cd2-e2bc933ea892",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "from-user",
"timestamp": "1642348752",
"to_ids": false,
"type": "text",
"uuid": "d3e52216-4a08-4bd0-8b1d-c2d7e22e42d6",
"value": "8BEDC411012A33BA34F49130D0F186993C6A32DAD8976F6A5D82C1ED23054C057ECED5496F65"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "app-used",
"timestamp": "1642348752",
"to_ids": false,
"type": "text",
"uuid": "7b06931c-8d88-40cb-9165-1f324f0561f8",
"value": "Tox"
}
]
}
]
}
}