{
"type": "bundle",
"id": "bundle--f0ef984c-2467-40aa-83c6-7c671a6379cb",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-12-22T10:25:22.000Z",
"modified": "2023-12-22T10:25:22.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--f0ef984c-2467-40aa-83c6-7c671a6379cb",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-12-22T10:25:22.000Z",
"modified": "2023-12-22T10:25:22.000Z",
"name": "OSINT - BattleRoyal, DarkGate Cluster Spreads via Email and Fake Browser Updates",
"published": "2023-12-22T10:25:51Z",
"object_refs": [
"vulnerability--b67555fd-db13-477a-8172-a62cbbbcea98",
"indicator--155f35d6-0bd4-477d-94f9-4a701e4acce3",
"indicator--f28a43c4-c271-4ade-b0d0-cb8af308528e",
"indicator--b23f7cd3-8bd4-46e7-ae8c-f6843b6cc91e",
"indicator--31c67ded-1d5d-4cf1-b0fa-5806a61840bd",
"indicator--21ef8e83-3971-46f6-9a6c-ea1192b3d783",
"indicator--03a083ae-ee66-41a7-965d-370c4eeb1bd1",
"indicator--e33bb2c5-c8fa-47af-ab3a-ca5c49f85af8",
"x-misp-object--635ec65f-5434-4b38-a3d7-38ed8b175b6c",
"vulnerability--5597432b-8b41-45e3-9fad-12af0b99ab96",
"indicator--75087ad7-fa5f-4c1f-8787-5a4ae9196e6d",
"indicator--723b5871-f074-4ce8-9849-724d5511b982",
"indicator--fe25feaf-bafd-4d19-b65d-1f7c980a3aaa",
"indicator--72cb4c96-1cdd-48ac-a541-fc06ae3c7525",
"indicator--b05a453c-a400-4517-9ce1-9371286a7e05",
"indicator--b0aca4a0-0e80-4f79-81f7-553b6cccd173",
"indicator--709a4bd0-742d-4747-8e3d-a0625e3a8369",
"indicator--46b89b5b-a2ce-47a5-b71f-dcefee24dd09",
"indicator--4672b9d2-f20a-441c-b2ca-c878b6a2d616",
"indicator--cd56b1ab-1f34-4a19-a34e-d540bd319013",
"indicator--9b353565-d858-4ebf-9fad-72662fe35bbf",
"indicator--4b885491-6ce9-4748-8c03-bbeb00f6a9fd",
"indicator--cf7bf3e6-22de-4aa6-a8c1-b6aaf0a840a2",
"note--aa1738ae-c325-4934-a532-044cd9afdf4a",
"relationship--b3413f8f-502f-4828-a84c-0c3367a44b0a"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"type:OSINT",
"osint:lifetime=\"perpetual\"",
"tlp:clear"
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "vulnerability",
"spec_version": "2.1",
"id": "vulnerability--b67555fd-db13-477a-8172-a62cbbbcea98",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-12-22T10:21:41.000Z",
"modified": "2023-12-22T10:21:41.000Z",
"name": "CVE-2023-36025",
"labels": [
"misp:type=\"vulnerability\"",
"misp:category=\"Payload installation\""
],
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2023-36025"
}
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--155f35d6-0bd4-477d-94f9-4a701e4acce3",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-12-22T10:24:33.000Z",
"modified": "2023-12-22T10:24:33.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '5.181.159.29']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-12-22T10:24:33Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--f28a43c4-c271-4ade-b0d0-cb8af308528e",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-12-22T10:24:33.000Z",
"modified": "2023-12-22T10:24:33.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '79.110.62.96']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-12-22T10:24:33Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--b23f7cd3-8bd4-46e7-ae8c-f6843b6cc91e",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-12-22T10:24:50.000Z",
"modified": "2023-12-22T10:24:50.000Z",
"pattern": "[domain-name:value = 'heilee.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-12-22T10:24:50Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--31c67ded-1d5d-4cf1-b0fa-5806a61840bd",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-12-22T10:24:50.000Z",
"modified": "2023-12-22T10:24:50.000Z",
"pattern": "[domain-name:value = 'kairoscounselingmi.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-12-22T10:24:50Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--21ef8e83-3971-46f6-9a6c-ea1192b3d783",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-12-22T10:24:50.000Z",
"modified": "2023-12-22T10:24:50.000Z",
"pattern": "[domain-name:value = 'nathumvida.org']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-12-22T10:24:50Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--03a083ae-ee66-41a7-965d-370c4eeb1bd1",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-12-22T10:24:50.000Z",
"modified": "2023-12-22T10:24:50.000Z",
"pattern": "[domain-name:value = 'searcherbigdealk.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-12-22T10:24:50Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--e33bb2c5-c8fa-47af-ab3a-ca5c49f85af8",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-12-22T10:24:50.000Z",
"modified": "2023-12-22T10:24:50.000Z",
"pattern": "[domain-name:value = 'zxcdota2huysasi.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-12-22T10:24:50Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--635ec65f-5434-4b38-a3d7-38ed8b175b6c",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-12-22T10:20:03.000Z",
"modified": "2023-12-22T10:20:03.000Z",
"labels": [
"misp:name=\"report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "link",
"object_relation": "link",
"value": "https://www.proofpoint.com/us/blog/threat-insight/battleroyal-darkgate-cluster-spreads-email-and-fake-browser-updates",
"category": "External analysis",
"uuid": "72898b09-b4ff-4b80-aefc-39a753f4ceb5"
},
{
"type": "text",
"object_relation": "summary",
"value": "Throughout the summer and fall of 2023, DarkGate entered the ring competing for the top spot in the remote access trojan (RAT) and loader category. It was observed in use by multiple cybercrime actors and was spread via many methods such as email, Microsoft Teams, Skype, malvertising and fake updates. \r\n\r\nProofpoint researchers are tracking a particularly interesting operator of the DarkGate malware. At the time of publication, researchers are not attributing this cluster of activity to a known threat actor and are temporarily calling it BattleRoyal. Between September and November 2023, at least 20 email campaigns used DarkGate malware with GroupIDs \u201cPLEX\u201d, \u201cADS5\u201d, \u201cuser_871236672\u201d and \u201cusr_871663321\u201d. The GroupID is a configuration setting that is also referred to as username, botnet, campaign, or flag 23. The campaigns are notable for:",
"category": "Other",
"uuid": "5a9a1330-4516-4fc0-8ab4-9ff7f4954c5f"
},
{
"type": "text",
"object_relation": "title",
"value": "BattleRoyal, DarkGate Cluster Spreads via Email and Fake Browser Updates",
"category": "Other",
"uuid": "58fb9365-2f9e-4198-9a07-20718dc706b6"
},
{
"type": "text",
"object_relation": "type",
"value": "Blog",
"category": "Other",
"uuid": "f0218d1d-017d-4c6a-b2ed-eb3b83f9f5e2"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "report"
},
{
"type": "vulnerability",
"spec_version": "2.1",
"id": "vulnerability--5597432b-8b41-45e3-9fad-12af0b99ab96",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-12-22T10:22:00.000Z",
"modified": "2023-12-22T10:22:00.000Z",
"name": "CVE-2023-36025",
"description": "Windows SmartScreen Security Feature Bypass Vulnerability",
"labels": [
"misp:name=\"vulnerability\"",
"misp:meta-category=\"vulnerability\"",
"misp:to_ids=\"False\""
],
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2023-36025"
},
{
"source_name": "url",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36025"
}
],
"x_misp_cvss_score": "8.8",
"x_misp_cvss_string": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"x_misp_modified": "2023-11-21T01:33:00+00:00",
"x_misp_published": "2023-11-14T18:15:00+00:00",
"x_misp_state": "Published",
"x_misp_vulnerable_configuration": [
"cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*",
"cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*",
"cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*",
"cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*",
"cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*",
"cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:x86:*",
"cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*",
"cpe:2.3:o:microsoft:windows_11_22h2:-:*:*:*:*:*:x64:*",
"cpe:2.3:o:microsoft:windows_10_1607:-:*:*:*:*:*:x64:*",
"cpe:2.3:o:microsoft:windows_10_1809:-:*:*:*:*:*:x64:*",
"cpe:2.3:o:microsoft:windows_10_21h2:-:*:*:*:*:*:x64:*",
"cpe:2.3:o:microsoft:windows_10_22h2:-:*:*:*:*:*:x64:*",
"cpe:2.3:o:microsoft:windows_10_21h2:-:*:*:*:*:*:arm64:*",
"cpe:2.3:o:microsoft:windows_10_21h2:-:*:*:*:*:*:x86:*",
"cpe:2.3:o:microsoft:windows_10_22h2:-:*:*:*:*:*:arm64:*",
"cpe:2.3:o:microsoft:windows_10_1809:-:*:*:*:*:*:arm64:*",
"cpe:2.3:o:microsoft:windows_10_1809:-:*:*:*:*:*:x86:*",
"cpe:2.3:o:microsoft:windows_10_22h2:-:*:*:*:*:*:x86:*",
"cpe:2.3:o:microsoft:windows_10_1607:-:*:*:*:*:*:x86:*",
"cpe:2.3:o:microsoft:windows_11_21h2:-:*:*:*:*:*:arm64:*",
"cpe:2.3:o:microsoft:windows_11_22h2:-:*:*:*:*:*:arm64:*",
"cpe:2.3:o:microsoft:windows_11_21h2:-:*:*:*:*:*:x64:*",
"cpe:2.3:o:microsoft:windows_10_1507:-:*:*:*:*:*:x64:*",
"cpe:2.3:o:microsoft:windows_10_1507:-:*:*:*:*:*:x86:*",
"cpe:2.3:o:microsoft:windows_11_23h2:-:*:*:*:*:*:arm64:*",
"cpe:2.3:o:microsoft:windows_11_23h2:-:*:*:*:*:*:x64:*"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--75087ad7-fa5f-4c1f-8787-5a4ae9196e6d",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-12-22T10:23:02.000Z",
"modified": "2023-12-22T10:23:02.000Z",
"pattern": "[file:hashes.SHA256 = 'fce452bcf10414ece8eee6451cf52b39211eb65ecaa02a15bc5809c8236369a4']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-12-22T10:23:02Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--723b5871-f074-4ce8-9849-724d5511b982",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-12-22T10:23:10.000Z",
"modified": "2023-12-22T10:23:10.000Z",
"pattern": "[file:hashes.SHA256 = 'ea8f893c080159a423c9122b239ec389939e4c3c1f218bdee16dde744e08188f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-12-22T10:23:10Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--fe25feaf-bafd-4d19-b65d-1f7c980a3aaa",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-12-22T10:23:20.000Z",
"modified": "2023-12-22T10:23:20.000Z",
"pattern": "[file:hashes.SHA256 = 'e2a8a53e117f1dda2c09e5b83a13c99b848873a75b14d20823318840e84de243']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-12-22T10:23:20Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--72cb4c96-1cdd-48ac-a541-fc06ae3c7525",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-12-22T10:23:28.000Z",
"modified": "2023-12-22T10:23:28.000Z",
"pattern": "[file:hashes.SHA256 = '96ca146b6bb95de35f61289c2725f979a2957ce54761aff5f37726a85f2f9e77']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-12-22T10:23:28Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--b05a453c-a400-4517-9ce1-9371286a7e05",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-12-22T10:23:39.000Z",
"modified": "2023-12-22T10:23:39.000Z",
"pattern": "[file:hashes.SHA256 = '7562c213f88efdb119a9bbe95603946ba3beb093c326c3b91e7015ae49561f0f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-12-22T10:23:39Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--b0aca4a0-0e80-4f79-81f7-553b6cccd173",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-12-22T10:23:52.000Z",
"modified": "2023-12-22T10:23:52.000Z",
"pattern": "[file:hashes.SHA256 = '2f5af97b13b077a00218c60305b4eee5d88d14a9bd042beed286434c3fc6e084']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-12-22T10:23:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--709a4bd0-742d-4747-8e3d-a0625e3a8369",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-12-22T10:25:21.000Z",
"modified": "2023-12-22T10:25:21.000Z",
"description": "Enriched via the url_import module",
"pattern": "[url:value = 'http://5.181.159.29:80/Downloads/12.url' AND url:x_misp_resource_path = '/Downloads/12.url' AND url:x_misp_port = '80' AND url:x_misp_host = '5.181.159.29' AND url:x_misp_domain_without_tld = '5.181.159.29' AND url:x_misp_domain = '5.181.159.29']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-12-22T10:25:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"url\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--46b89b5b-a2ce-47a5-b71f-dcefee24dd09",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-12-22T10:25:21.000Z",
"modified": "2023-12-22T10:25:21.000Z",
"description": "Enriched via the url_import module",
"pattern": "[url:value = 'http://5.181.159.29:80/Downloads/evervendor.zip/evervendor.exe' AND url:x_misp_resource_path = '/Downloads/evervendor.zip/evervendor.exe' AND url:x_misp_port = '80' AND url:x_misp_host = '5.181.159.29' AND url:x_misp_domain_without_tld = '5.181.159.29' AND url:x_misp_domain = '5.181.159.29']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-12-22T10:25:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"url\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--4672b9d2-f20a-441c-b2ca-c878b6a2d616",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-12-22T10:25:21.000Z",
"modified": "2023-12-22T10:25:21.000Z",
"description": "Enriched via the url_import module",
"pattern": "[url:value = 'http://79.110.62.96:80/Downloads/bye.zip/bye.vbs' AND url:x_misp_resource_path = '/Downloads/bye.zip/bye.vbs' AND url:x_misp_port = '80' AND url:x_misp_host = '79.110.62.96' AND url:x_misp_domain_without_tld = '79.110.62.96' AND url:x_misp_domain = '79.110.62.96']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-12-22T10:25:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"url\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--cd56b1ab-1f34-4a19-a34e-d540bd319013",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-12-22T10:25:21.000Z",
"modified": "2023-12-22T10:25:21.000Z",
"description": "Enriched via the url_import module",
"pattern": "[url:value = 'http://searcherbigdealk.com:2351/msizjbicvmd' AND url:x_misp_tld = 'com' AND url:x_misp_resource_path = '/msizjbicvmd' AND url:x_misp_port = '2351' AND url:x_misp_host = 'searcherbigdealk.com' AND url:x_misp_domain_without_tld = 'searcherbigdealk' AND url:x_misp_domain = 'searcherbigdealk.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-12-22T10:25:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"url\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--9b353565-d858-4ebf-9fad-72662fe35bbf",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-12-22T10:25:21.000Z",
"modified": "2023-12-22T10:25:21.000Z",
"description": "Enriched via the url_import module",
"pattern": "[url:value = 'http://searcherbigdealk.com:2351/zjbicvmd' AND url:x_misp_tld = 'com' AND url:x_misp_resource_path = '/zjbicvmd' AND url:x_misp_port = '2351' AND url:x_misp_host = 'searcherbigdealk.com' AND url:x_misp_domain_without_tld = 'searcherbigdealk' AND url:x_misp_domain = 'searcherbigdealk.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-12-22T10:25:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"url\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--4b885491-6ce9-4748-8c03-bbeb00f6a9fd",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-12-22T10:25:21.000Z",
"modified": "2023-12-22T10:25:21.000Z",
"description": "Enriched via the url_import module",
"pattern": "[url:value = 'https://heilee.com/qxz3l' AND url:x_misp_tld = 'com' AND url:x_misp_resource_path = '/qxz3l' AND url:x_misp_host = 'heilee.com' AND url:x_misp_domain_without_tld = 'heilee' AND url:x_misp_domain = 'heilee.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-12-22T10:25:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"url\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--cf7bf3e6-22de-4aa6-a8c1-b6aaf0a840a2",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-12-22T10:25:21.000Z",
"modified": "2023-12-22T10:25:21.000Z",
"description": "Enriched via the url_import module",
"pattern": "[url:value = 'https://kairoscounselingmi.com/wp-content/uploads/astra/help/pr-nv28-2023.url' AND url:x_misp_tld = 'com' AND url:x_misp_resource_path = '/wp-content/uploads/astra/help/pr-nv28-2023.url' AND url:x_misp_host = 'kairoscounselingmi.com' AND url:x_misp_domain_without_tld = 'kairoscounselingmi' AND url:x_misp_domain = 'kairoscounselingmi.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-12-22T10:25:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"url\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "note",
"spec_version": "2.1",
"id": "note--aa1738ae-c325-4934-a532-044cd9afdf4a",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-12-22T10:21:12.000Z",
"modified": "2023-12-22T10:21:12.000Z",
"abstract": "Report from - https://www.proofpoint.com/us/blog/threat-insight/battleroyal-darkgate-cluster-spreads-email-and-fake-browser-updates (1703240419)",
"content": "# BattleRoyal, DarkGate Cluster Spreads via Email and Fake Browser Updates\r\n\r\nDecember 21, 2023 Axel F, Dusty Miller, Tommy Madjar and Selena Larson \r\n\r\n### Overview\r\n\r\n Throughout the summer and fall of 2023, DarkGate entered the ring competing for the top spot in the remote access trojan (RAT) and loader category. It was observed in use by multiple cybercrime actors and was spread via many methods such as email, Microsoft Teams, Skype, malvertising and fake updates. \r\n\r\n Proofpoint researchers are tracking a particularly interesting operator of the DarkGate malware. At the time of publication, researchers are not attributing this cluster of activity to a known threat actor and are temporarily calling it BattleRoyal. Between September and November 2023, at least 20 email campaigns used DarkGate malware with GroupIDs \u201cPLEX\u201d, \u201cADS5\u201d, \u201cuser\\_871236672\u201d and \u201cusr\\_871663321\u201d. The GroupID is a configuration setting that is also referred to as username, botnet, campaign, or flag 23. The campaigns are notable for: \r\n\r\n \r\n* **Delivery:** via email and RogueRaticate fake browser updates \r\n * **Volumes and geography:** email campaigns include tens of thousands of emails targeting dozens of industries primarily in USA and Canada \r\n * **Attack chain:** includes a variety of notable tools such as 404 TDS, Keitaro TDS, and .URL files exploiting CVE-2023-36025 \r\n \r\n *Volume of DarkGate campaigns based on four GroupIDs discussed in this report.* \r\n\r\n ### TDS all the things! (an email campaign example)\r\n\r\n On October 2, 2023, Proofpoint identified one of the first campaigns in this cluster. It was notable due to the use of more than one traffic delivery system (TDS), specifically 404 TDS and Keitaro TDS. Additionally, the .URL files involved exploited CVE-2023-36025, a vulnerability in Windows SmartScreen. 
While other parts of the attack chain from this actor changed or varied, .URL files were involved in every campaign. \r\n\r\n The emails in this campaign contained: \r\n\r\n \r\n* 404 TDS URLs that, if clicked by the user, redirected to Keitaro TDS \r\n * Keitaro TDS was observed serving an internet shortcut (.URL) file \r\n * The internet shortcut, if double clicked, downloaded a zipped VBS script \r\n * The VBS in turn downloaded and executed several shell commands (cmd.exe) \r\n * The shell commands (a) created a directory on C: drive, (b) copied curl.exe from system folder to this new directory, (c) used the curl to download Autoit3.exe, (d) used curl to download and save an AutoIT script, and (e) ran the downloaded AutoIT script with the downloaded AutoIT interpreter \r\n * The AutoIT script ran an embedded DarkGate \r\n \r\n *Attack chain summary that follows the flow of: Email > 404 TDS > Keitaro TDS > .URL > .VBS > Shell commands > AutoIT / AutoIT script > DarkGate.* \r\n\r\n *Screenshot of an example email from October 2 campaign.* \r\n\r\n *Screenshot of the .URL file involved in the October 2 campaign.* \r\n\r\n Proofpoint has identified multiple cybercriminal campaigns exploiting CVE-2023-36025; however, the BattleRoyal cluster exploited this vulnerability more than any other actor observed in Proofpoint threat data. Notably, this activity cluster exploited CVE-2023-36025 before it was published by Microsoft. SmartScreen is a security feature that is designed to prevent people from visiting malicious websites. The vulnerability could allow an actor to bypass the SmartScreen defenses if a user clicked on a specially crafted .URL file or a hyperlink pointing to a .URL file. More specifically, a SmartScreen alert would not be triggered when a .URL points to a SMB or WebDav share as file:// and the malicious payload is inside a ZIP file which is specified in the URL target. 
\r\n\r\n ### RogueRaticate (fake browser update campaign example)\r\n\r\n On October 19, 2023, an external researcher identified and publicly shared details of the RogueRaticate fake update activity cluster using an interesting obfuscation techniq
"object_refs": [
"report--f0ef984c-2467-40aa-83c6-7c671a6379cb"
]
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--b3413f8f-502f-4828-a84c-0c3367a44b0a",
"created": "2023-12-22T10:22:01.000Z",
"modified": "2023-12-22T10:22:01.000Z",
"relationship_type": "related-to",
"source_ref": "vulnerability--5597432b-8b41-45e3-9fad-12af0b99ab96",
"target_ref": "vulnerability--b67555fd-db13-477a-8172-a62cbbbcea98"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}