misp-circl-feed/feeds/circl/stix-2.1/5898af07-fb0c-4135-b908-491b950d210f.json

429 lines
20 KiB
JSON
Raw Normal View History

2023-04-21 14:44:17 +00:00
{
"type": "bundle",
"id": "bundle--5898af07-fb0c-4135-b908-491b950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-06T17:51:30.000Z",
"modified": "2017-02-06T17:51:30.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--5898af07-fb0c-4135-b908-491b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-06T17:51:30.000Z",
"modified": "2017-02-06T17:51:30.000Z",
"name": "OSINT - ikittens: iranian actor resurfaces with malware for mac (macdownloader)",
"published": "2017-02-06T18:09:02Z",
"object_refs": [
"observed-data--5898af4b-4994-4038-9585-a54f950d210f",
"url--5898af4b-4994-4038-9585-a54f950d210f",
"x-misp-attribute--5898af5b-0820-480b-9940-4e56950d210f",
"indicator--5898b5f3-546c-4237-a137-4d0e950d210f",
"indicator--5898b604-bfb0-4064-9959-4c1a950d210f",
"indicator--5898b660-daa0-4188-a261-41b7950d210f",
"indicator--5898b662-245c-4479-8ff0-4a02950d210f",
"indicator--5898b663-fbfc-4d90-8d77-4b07950d210f",
"x-misp-attribute--5898b67e-5360-4339-aa8b-a54f950d210f",
"indicator--5898b6fc-a64c-4400-bcaf-76fb950d210f",
"indicator--5898b6fe-3ac0-4dc2-b797-76fb950d210f",
"indicator--5898b7a3-86b8-4477-9fdb-584202de0b81",
"indicator--5898b7a5-b58c-4f35-a7c7-584202de0b81",
"observed-data--5898b7a6-5ea8-4aee-ba0f-584202de0b81",
"url--5898b7a6-5ea8-4aee-ba0f-584202de0b81",
"indicator--5898b7a7-4314-4a24-a1c4-584202de0b81",
"indicator--5898b7a8-a824-4dcc-98d3-584202de0b81",
"observed-data--5898b7a8-acac-4f83-9097-584202de0b81",
"url--5898b7a8-acac-4f83-9097-584202de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5898af4b-4994-4038-9585-a54f950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-06T17:17:55.000Z",
"modified": "2017-02-06T17:17:55.000Z",
"first_observed": "2017-02-06T17:17:55Z",
"last_observed": "2017-02-06T17:17:55Z",
"number_observed": 1,
"object_refs": [
"url--5898af4b-4994-4038-9585-a54f950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\"",
"admiralty-scale:source-reliability=\"f\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5898af4b-4994-4038-9585-a54f950d210f",
"value": "https://iranthreats.github.io/resources/macdownloader-macos-malware/"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5898af5b-0820-480b-9940-4e56950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-06T17:16:09.000Z",
"modified": "2017-02-06T17:16:09.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "A macOS malware agent, named MacDownloader, was observed in the wild as targeting the defense industrial base, and reported elsewhere to have been used against an human rights advocate. MacDownloader strangely attempts to pose as both an installer for Adobe Flash, as well as the Bitdefender Adware Removal Tool, in order to extract system information and copies of OS X keychain databases. Based on observations on infrastructure, and the state of the code, we believe these incidents represent the first attempts to deploy the agent, and features such as persistence do not appear to work. Instead, MacDownloader is a simple exfiltration agent, with broader ambitions.\r\n\r\nThe macOS malware also mirrors the approach of the ExtremeDownloader dropper previously documented in our research, and samples of the latter identified during this time used the same infrastructure. Lastly, the exposure of test victim data and code references provide a unique insight into the development of the malware, with potential connections to agents developed by long dormant threat groups.\r\n\r\nSince the Technical Preview of our forthcoming Carnegie Endowment publication about state-sponsored espionage campaigns was released at Black Hat USA, we have continued to disclose information about current Iranian activities in order to promote public education and to provide indicators of compromise. While this agent is neither sophisticated nor full-featured, its sudden appearance is concerning given the popularity of Apple computers with certain community, and inaccurate perceptions about the security of those devices."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5898b5f3-546c-4237-a137-4d0e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-06T17:44:19.000Z",
"modified": "2017-02-06T17:44:19.000Z",
"description": "addone flashplayer.app.zip",
"pattern": "[file:hashes.SHA256 = '52efcfe30f96a85c9c068880c20663db64f0e08346e0f3b59c2e5bbcb41ba73c']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-06T17:44:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5898b604-bfb0-4064-9959-4c1a950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-06T17:44:36.000Z",
"modified": "2017-02-06T17:44:36.000Z",
"description": "Bitdefender Adware Removal Tool",
"pattern": "[file:hashes.SHA256 = '7a9cdb9d608b88bd7afce001cb285c2bb2ae76f5027977e8635aa04bd064ffb7']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-06T17:44:36Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5898b660-daa0-4188-a261-41b7950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-06T17:46:08.000Z",
"modified": "2017-02-06T17:46:08.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '46.17.97.37']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-06T17:46:08Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5898b662-245c-4479-8ff0-4a02950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-06T17:46:10.000Z",
"modified": "2017-02-06T17:46:10.000Z",
"pattern": "[domain-name:value = 'officialswebsites.info']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-06T17:46:10Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5898b663-fbfc-4d90-8d77-4b07950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-06T17:46:11.000Z",
"modified": "2017-02-06T17:46:11.000Z",
"pattern": "[domain-name:value = 'utc.officialswebsites.info']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-06T17:46:11Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5898b67e-5360-4339-aa8b-a54f950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-06T17:46:49.000Z",
"modified": "2017-02-06T17:46:49.000Z",
"labels": [
"misp:type=\"pdb\"",
"misp:category=\"Artifacts dropped\""
],
"x_misp_category": "Artifacts dropped",
"x_misp_type": "pdb",
"x_misp_value": "%USERPROFILE%\\Desktop\\Projects\\Tiny_st\\BlackBerry\\obj\\Debug\\MSSUP.pdb"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5898b6fc-a64c-4400-bcaf-76fb950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-06T17:48:44.000Z",
"modified": "2017-02-06T17:48:44.000Z",
"description": "The malware reads from the embedded Resources folder the \"checkadr.txt,\" which contains the URL for the first beacon. 192.168.3.217 is internal development server address",
"pattern": "[url:value = 'http://192.168.3.217/DroperTest']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-06T17:48:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5898b6fe-3ac0-4dc2-b797-76fb950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-06T17:48:46.000Z",
"modified": "2017-02-06T17:48:46.000Z",
"description": "The malware reads from the embedded Resources folder the \"checkadr.txt,\" which contains the URL for the first beacon. 192.168.3.217 is internal development server address",
"pattern": "[url:value = 'http://46.17.97.37/Servermac.php']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-06T17:48:46Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5898b7a3-86b8-4477-9fdb-584202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-06T17:51:31.000Z",
"modified": "2017-02-06T17:51:31.000Z",
"description": "Bitdefender Adware Removal Tool - Xchecked via VT: 7a9cdb9d608b88bd7afce001cb285c2bb2ae76f5027977e8635aa04bd064ffb7",
"pattern": "[file:hashes.SHA1 = '5b5a34dfc102f0c18b0b0e83c6fda431969e7957']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-06T17:51:31Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5898b7a5-b58c-4f35-a7c7-584202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-06T17:51:33.000Z",
"modified": "2017-02-06T17:51:33.000Z",
"description": "Bitdefender Adware Removal Tool - Xchecked via VT: 7a9cdb9d608b88bd7afce001cb285c2bb2ae76f5027977e8635aa04bd064ffb7",
"pattern": "[file:hashes.MD5 = 'f8e4cab429263406fbf11b41fd539839']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-06T17:51:33Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5898b7a6-5ea8-4aee-ba0f-584202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-06T17:51:34.000Z",
"modified": "2017-02-06T17:51:34.000Z",
"first_observed": "2017-02-06T17:51:34Z",
"last_observed": "2017-02-06T17:51:34Z",
"number_observed": 1,
"object_refs": [
"url--5898b7a6-5ea8-4aee-ba0f-584202de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5898b7a6-5ea8-4aee-ba0f-584202de0b81",
"value": "https://www.virustotal.com/file/7a9cdb9d608b88bd7afce001cb285c2bb2ae76f5027977e8635aa04bd064ffb7/analysis/1486400681/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5898b7a7-4314-4a24-a1c4-584202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-06T17:51:35.000Z",
"modified": "2017-02-06T17:51:35.000Z",
"description": "addone flashplayer.app.zip - Xchecked via VT: 52efcfe30f96a85c9c068880c20663db64f0e08346e0f3b59c2e5bbcb41ba73c",
"pattern": "[file:hashes.SHA1 = 'a323168f95d1a1c65186888c6dd16cd2f9f8539a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-06T17:51:35Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5898b7a8-a824-4dcc-98d3-584202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-06T17:51:36.000Z",
"modified": "2017-02-06T17:51:36.000Z",
"description": "addone flashplayer.app.zip - Xchecked via VT: 52efcfe30f96a85c9c068880c20663db64f0e08346e0f3b59c2e5bbcb41ba73c",
"pattern": "[file:hashes.MD5 = '787d664e842961f2a335139407f91a70']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-06T17:51:36Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5898b7a8-acac-4f83-9097-584202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-06T17:51:36.000Z",
"modified": "2017-02-06T17:51:36.000Z",
"first_observed": "2017-02-06T17:51:36Z",
"last_observed": "2017-02-06T17:51:36Z",
"number_observed": 1,
"object_refs": [
"url--5898b7a8-acac-4f83-9097-584202de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5898b7a8-acac-4f83-9097-584202de0b81",
"value": "https://www.virustotal.com/file/52efcfe30f96a85c9c068880c20663db64f0e08346e0f3b59c2e5bbcb41ba73c/analysis/1486400701/"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}