161 lines
7.8 KiB
JSON
161 lines
7.8 KiB
JSON
|
{
|
||
|
|
"type": "bundle",
|
||
|
|
"id": "bundle--58ecc214-a3a0-4d43-adff-95c6950d210f",
|
||
|
|
"objects": [
|
||
|
|
{
|
||
|
|
"type": "identity",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
|
"created": "2017-04-11T11:50:21.000Z",
|
||
|
|
"modified": "2017-04-11T11:50:21.000Z",
|
||
|
|
"name": "CIRCL",
|
||
|
|
"identity_class": "organization"
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "report",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "report--58ecc214-a3a0-4d43-adff-95c6950d210f",
|
||
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
|
"created": "2017-04-11T11:50:21.000Z",
|
||
|
|
"modified": "2017-04-11T11:50:21.000Z",
|
||
|
|
"name": "OSINT - Unraveling the Lamberts Toolkit An Overview of a Color-coded Multi-Stage Arsenal",
|
||
|
|
"published": "2017-04-11T11:50:24Z",
|
||
|
|
"object_refs": [
|
||
|
|
"indicator--58ecc237-fc2c-4d19-a299-95c7950d210f",
|
||
|
|
"indicator--58ecc238-cbb4-4aa4-899d-95c7950d210f",
|
||
|
|
"vulnerability--58ecc27a-1c04-4726-9e4a-9f1b950d210f",
|
||
|
|
"observed-data--58ecc28a-0a24-496c-a55b-861f950d210f",
|
||
|
|
"url--58ecc28a-0a24-496c-a55b-861f950d210f",
|
||
|
|
"x-misp-attribute--58ecc2a8-f8c8-4a89-8945-9f1e950d210f"
|
||
|
|
],
|
||
|
|
"labels": [
|
||
|
|
"Threat-Report",
|
||
|
|
"misp:tool=\"MISP-STIX-Converter\"",
|
||
|
|
"misp-galaxy:threat-actor=\"Longhorn\"",
|
||
|
|
"osint:source-type=\"blog-post\""
|
||
|
|
],
|
||
|
|
"object_marking_refs": [
|
||
|
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
||
|
|
]
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "indicator",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "indicator--58ecc237-fc2c-4d19-a299-95c7950d210f",
|
||
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
|
"created": "2017-04-11T11:47:03.000Z",
|
||
|
|
"modified": "2017-04-11T11:47:03.000Z",
|
||
|
|
"description": "generic loader (hdmsvc.exe)",
|
||
|
|
"pattern": "[file:hashes.MD5 = '683afdef710bf3c96d42e6d9e7275130']",
|
||
|
|
"pattern_type": "stix",
|
||
|
|
"pattern_version": "2.1",
|
||
|
|
"valid_from": "2017-04-11T11:47:03Z",
|
||
|
|
"kill_chain_phases": [
|
||
|
|
{
|
||
|
|
"kill_chain_name": "misp-category",
|
||
|
|
"phase_name": "Payload delivery"
|
||
|
|
}
|
||
|
|
],
|
||
|
|
"labels": [
|
||
|
|
"misp:type=\"md5\"",
|
||
|
|
"misp:category=\"Payload delivery\"",
|
||
|
|
"misp:to_ids=\"True\""
|
||
|
|
]
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "indicator",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "indicator--58ecc238-cbb4-4aa4-899d-95c7950d210f",
|
||
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
|
"created": "2017-04-11T11:47:04.000Z",
|
||
|
|
"modified": "2017-04-11T11:47:04.000Z",
|
||
|
|
"description": "winlib.dll, final payload (toolType=wl)",
|
||
|
|
"pattern": "[file:hashes.MD5 = '79e263f78e69110c09642bbb30f09ace']",
|
||
|
|
"pattern_type": "stix",
|
||
|
|
"pattern_version": "2.1",
|
||
|
|
"valid_from": "2017-04-11T11:47:04Z",
|
||
|
|
"kill_chain_phases": [
|
||
|
|
{
|
||
|
|
"kill_chain_name": "misp-category",
|
||
|
|
"phase_name": "Payload delivery"
|
||
|
|
}
|
||
|
|
],
|
||
|
|
"labels": [
|
||
|
|
"misp:type=\"md5\"",
|
||
|
|
"misp:category=\"Payload delivery\"",
|
||
|
|
"misp:to_ids=\"True\""
|
||
|
|
]
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "vulnerability",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "vulnerability--58ecc27a-1c04-4726-9e4a-9f1b950d210f",
|
||
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
|
"created": "2017-04-11T11:48:10.000Z",
|
||
|
|
"modified": "2017-04-11T11:48:10.000Z",
|
||
|
|
"name": "CVE-2014-4148",
|
||
|
|
"labels": [
|
||
|
|
"misp:type=\"vulnerability\"",
|
||
|
|
"misp:category=\"Payload delivery\""
|
||
|
|
],
|
||
|
|
"external_references": [
|
||
|
|
{
|
||
|
|
"source_name": "cve",
|
||
|
|
"external_id": "CVE-2014-4148"
|
||
|
|
}
|
||
|
|
]
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "observed-data",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "observed-data--58ecc28a-0a24-496c-a55b-861f950d210f",
|
||
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
|
"created": "2017-04-11T11:49:15.000Z",
|
||
|
|
"modified": "2017-04-11T11:49:15.000Z",
|
||
|
|
"first_observed": "2017-04-11T11:49:15Z",
|
||
|
|
"last_observed": "2017-04-11T11:49:15Z",
|
||
|
|
"number_observed": 1,
|
||
|
|
"object_refs": [
|
||
|
|
"url--58ecc28a-0a24-496c-a55b-861f950d210f"
|
||
|
|
],
|
||
|
|
"labels": [
|
||
|
|
"misp:type=\"link\"",
|
||
|
|
"misp:category=\"External analysis\"",
|
||
|
|
"osint:source-type=\"blog-post\""
|
||
|
|
]
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "url",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "url--58ecc28a-0a24-496c-a55b-861f950d210f",
|
||
|
|
"value": "https://securelist.com/blog/research/77990/unraveling-the-lamberts-toolkit/"
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "x-misp-attribute",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "x-misp-attribute--58ecc2a8-f8c8-4a89-8945-9f1e950d210f",
|
||
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
|
"created": "2017-04-11T11:49:17.000Z",
|
||
|
|
"modified": "2017-04-11T11:49:17.000Z",
|
||
|
|
"labels": [
|
||
|
|
"misp:type=\"text\"",
|
||
|
|
"misp:category=\"External analysis\"",
|
||
|
|
"osint:source-type=\"blog-post\""
|
||
|
|
],
|
||
|
|
"x_misp_category": "External analysis",
|
||
|
|
"x_misp_type": "text",
|
||
|
|
"x_misp_value": "Yesterday, our colleagues from Symantec published their analysis of Longhorn, an advanced threat actor that can be easily compared with Regin, ProjectSauron, Equation or Duqu2 in terms of its complexity.\r\n\r\nLonghorn, which we internally refer to as \u00e2\u20ac\u0153The Lamberts\u00e2\u20ac\u009d, first came to the attention of the ITSec community in 2014, when our colleagues from FireEye discovered an attack using a zero day vulnerability (CVE-2014-4148). The attack leveraged malware we called \u00e2\u20ac\u02dcBlackLambert\u00e2\u20ac\u2122, which was used to target a high profile organization in Europe.\r\n\r\nSince at least 2008, The Lamberts have used multiple sophisticated attack tools against high-profile victims. Their arsenal includes network-driven backdoors, several generations of modular backdoors, harvesting tools, and wipers. Versions for both Windows and OSX are known at this time, with the latest samples created in 2016.\r\n\r\nAlthough the operational security displayed by actors using the Lamberts toolkit is very good, one sample includes a PDB path that points to a project named \u00e2\u20ac\u0153Archan~1\u00e2\u20ac\u009d (perhaps \u00e2\u20ac\u02dcArchangel\u00e2\u20ac\u2122). The root folder on the PDB path is named \u00e2\u20ac\u0153Hudson\u00e2\u20ac\u009d. This is one of the very few mistakes we\u00e2\u20ac\u2122ve seen with this threat actor.\r\n\r\nWhile in most cases the infection vector remains unknown, the high profile attack from 2014 used a very complex Windows TTF zero-day exploit (CVE-2014-4148)."
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "marking-definition",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
||
|
|
"created": "2017-01-20T00:00:00.000Z",
|
||
|
|
"definition_type": "tlp",
|
||
|
|
"name": "TLP:WHITE",
|
||
|
|
"definition": {
|
||
|
|
"tlp": "white"
|
||
|
|
}
|
||
|
|
}
|
||
|
|
]
|
||
|
|
}
|