{
"Event": {
"analysis": "2",
"date": "2017-09-09",
"extends_uuid": "",
"info": "OSINT - Malware Group Uses Facebook CDN to Bypass Security Solutions",
"publish_timestamp": "1505131350",
"published": true,
"threat_level_id": "3",
"timestamp": "1505131342",
"uuid": "59b63beb-1a3c-4144-83e6-167c950d210f",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#004646",
"name": "type:OSINT"
},
{
"colour": "#ffffff",
"name": "tlp:white"
},
{
"colour": "#00223b",
"name": "osint:source-type=\"blog-post\""
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1505131313",
"to_ids": false,
"type": "link",
"uuid": "59b63c17-c4a8-4c4a-83a5-1296950d210f",
"value": "https://www.bleepingcomputer.com/news/security/malware-group-uses-facebook-cdn-to-bypass-security-solutions/",
"Tag": [
{
"colour": "#00223b",
"name": "osint:source-type=\"blog-post\""
}
]
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1505131313",
"to_ids": false,
"type": "comment",
"uuid": "59b63c2c-7a44-43a1-8797-1296950d210f",
"value": "A malware group is using Facebook's CDN servers to store malicious files that it later uses to infect users with banking trojans.\r\n\r\nResearchers spotted several campaigns using Facebook's CDN servers in the last two weeks, and previously, the same group also used Dropbox and Google's cloud storage services to store the same malicious payloads.\r\n\r\nThe previous attacks that used Google and Dropbox URLs were documented by Palo Alto's Brad Duncan in a July write-up, and are almost identical to the ones detected last week by security researcher MalwareHunter.\r\n\r\nThe group uses Facebook's CDN because the domain is trusted by most security solutions and there are low chances of having it blocked, compared to hosting malware on domains rarely active inside a business network.",
"Tag": [
{
"colour": "#00223b",
"name": "osint:source-type=\"blog-post\""
}
]
},
{
"category": "Payload delivery",
"comment": "RAR file",
"deleted": false,
"disable_correlation": false,
"timestamp": "1505131313",
"to_ids": true,
"type": "sha256",
"uuid": "59b63c59-a770-4b90-864e-0a3c950d210f",
"value": "1faa46ba708e3405e7053cde872c65cc7a7d7fbf6411374eb6e977f20c160e16"
},
{
"category": "Payload delivery",
"comment": "DLL file",
"deleted": false,
"disable_correlation": false,
"timestamp": "1505131313",
"to_ids": true,
"type": "sha256",
"uuid": "59b63c5a-8618-4ae7-9c82-0a3c950d210f",
"value": "41e463cd5d4cf20d02bb7cd23b70465480d1cd5cd3c9f8653e9f93b3a85124d8"
},
{
"category": "Payload delivery",
"comment": "DLL file - Xchecked via VT: 41e463cd5d4cf20d02bb7cd23b70465480d1cd5cd3c9f8653e9f93b3a85124d8",
"deleted": false,
"disable_correlation": false,
"timestamp": "1505131313",
"to_ids": true,
"type": "sha1",
"uuid": "59b67b31-5df0-417a-9938-488102de0b81",
"value": "707efd3835860caea7352e004db553dbbc90525e"
},
{
"category": "Payload delivery",
"comment": "DLL file - Xchecked via VT: 41e463cd5d4cf20d02bb7cd23b70465480d1cd5cd3c9f8653e9f93b3a85124d8",
"deleted": false,
"disable_correlation": false,
"timestamp": "1505131313",
"to_ids": true,
"type": "md5",
"uuid": "59b67b31-3d54-44dc-ae09-449e02de0b81",
"value": "4225931e8ed5c37141695601ea99ecbd"
},
{
"category": "External analysis",
"comment": "DLL file - Xchecked via VT: 41e463cd5d4cf20d02bb7cd23b70465480d1cd5cd3c9f8653e9f93b3a85124d8",
"deleted": false,
"disable_correlation": false,
"timestamp": "1505131313",
"to_ids": false,
"type": "link",
"uuid": "59b67b31-b4d0-4cc5-8dbc-4c5d02de0b81",
"value": "https://www.virustotal.com/file/41e463cd5d4cf20d02bb7cd23b70465480d1cd5cd3c9f8653e9f93b3a85124d8/analysis/1505098449/"
},
{
"category": "Payload delivery",
"comment": "RAR file - Xchecked via VT: 1faa46ba708e3405e7053cde872c65cc7a7d7fbf6411374eb6e977f20c160e16",
"deleted": false,
"disable_correlation": false,
"timestamp": "1505131313",
"to_ids": true,
"type": "sha1",
"uuid": "59b67b31-f150-4f96-8768-478b02de0b81",
"value": "36167a3b63ee240ca7d9f303ec4ce6dc88ff9b4f"
},
{
"category": "Payload delivery",
"comment": "RAR file - Xchecked via VT: 1faa46ba708e3405e7053cde872c65cc7a7d7fbf6411374eb6e977f20c160e16",
"deleted": false,
"disable_correlation": false,
"timestamp": "1505131313",
"to_ids": true,
"type": "md5",
"uuid": "59b67b31-6ac0-4ccf-9e6a-4a9c02de0b81",
"value": "abb6eccc1b435497d04ed17b6ab6863e"
},
{
"category": "External analysis",
"comment": "RAR file - Xchecked via VT: 1faa46ba708e3405e7053cde872c65cc7a7d7fbf6411374eb6e977f20c160e16",
"deleted": false,
"disable_correlation": false,
"timestamp": "1505131313",
"to_ids": false,
"type": "link",
"uuid": "59b67b31-8b04-4d3d-870b-434202de0b81",
"value": "https://www.virustotal.com/file/1faa46ba708e3405e7053cde872c65cc7a7d7fbf6411374eb6e977f20c160e16/analysis/1505098357/"
}
]
}
}