{
"Event": {
"analysis": "2",
"date": "2016-04-22",
"extends_uuid": "",
"info": "OSINT - powershell used for spreading trojan.laziok through google docs",
"publish_timestamp": "1461354099",
"published": true,
"threat_level_id": "3",
"timestamp": "1461354043",
"uuid": "571a7cdc-c078-482d-98dc-4e42950d210f",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#ffffff",
"name": "tlp:white"
},
{
"colour": "#004646",
"name": "type:OSINT"
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461353754",
"to_ids": false,
"type": "link",
"uuid": "571a7d1a-3c00-4f54-b5b6-4782950d210f",
"value": "https://www.fireeye.com/blog/threat-research/2016/04/powershell_used_for.html"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461353774",
"to_ids": false,
"type": "comment",
"uuid": "571a7d2e-e64c-4deb-9edd-4c34950d210f",
"value": "Through our multi-flow detection capability, we recently identified malicious actors spreading Trojan.Laziok malware via Google Docs. We observed that the attackers managed to upload the payload to Google Docs in March 2016. During the brief time it was live, users accessing the malicious page from Internet Explorer (versions 3 to 11) would have become the unwilling hosts for the infostealer payload without any security warning. After we alerted Google about its presence, they quickly cleaned it and the original URL involved in propagation also went down."
},
{
"category": "Network activity",
"comment": "The first stage initiates the attack by running obfuscated JavaScript served from this URL (the landing page that delivers the exploit)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461353948",
"to_ids": true,
"type": "url",
"uuid": "571a7ddc-f4c4-4bf6-a50d-41a9950d210f",
"value": "www.younglean.cba.pl/lean/"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461353972",
"to_ids": false,
"type": "vulnerability",
"uuid": "571a7df4-0acc-4202-a834-4ef6950d210f",
"value": "CVE-2014-6332"
},
{
"category": "Network activity",
"comment": "The payload attempts to call back to a known bad Polish server",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461354032",
"to_ids": true,
"type": "url",
"uuid": "571a7e30-257c-42e3-a297-4bb0950d210f",
"value": "http://193.189.117.36"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461354043",
"to_ids": true,
"type": "ip-dst",
"uuid": "571a7e3b-75d0-4c6b-b9cc-433b950d210f",
"value": "193.189.117.36"
}
]
}
}