{ "Event": { "analysis": "2", "date": "2017-03-23", "extends_uuid": "", "info": "OSINT - Winnti Abuses GitHub for C&C Communications", "publish_timestamp": "1490261675", "published": true, "threat_level_id": "2", "timestamp": "1490261359", "uuid": "58d38baa-a47c-40c5-8c8f-45b4950d210f", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#ffffff", "local": false, "name": "tlp:white", "relationship_type": "" }, { "colour": "#00223b", "local": false, "name": "osint:source-type=\"blog-post\"", "relationship_type": "" }, { "colour": "#064800", "local": false, "name": "misp-galaxy:tool=\"Winnti\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1490261359", "to_ids": false, "type": "link", "uuid": "58d38bd6-fd08-43d4-b092-4586950d210f", "value": "http://blog.trendmicro.com/trendlabs-security-intelligence/winnti-abuses-github/", "Tag": [ { "colour": "#ffffff", "local": false, "name": "tlp:white", "relationship_type": "" }, { "colour": "#00223b", "local": false, "name": "osint:source-type=\"blog-post\"", "relationship_type": "" }, { "colour": "#001fc2", "local": false, "name": "estimative-language:likelihood-probability=\"almost-certain\"", "relationship_type": "" }, { "colour": "#075200", "local": false, "name": "admiralty-scale:source-reliability=\"b\"", "relationship_type": "" } ] }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1490261359", "to_ids": false, "type": "text", "uuid": "58d38bea-6cd0-4bb7-86f6-4534950d210f", "value": "Developers constantly need to modify and rework their source codes when releasing new versions of applications or coding projects they create and maintain. This is what makes GitHub\u2014an online repository hosting service that provides version control management\u2014popular. 
In many ways, it\u2019s like a social networking site for programmers and developers, one that provides a valuable platform for code management, sharing, collaboration, and integration.\r\n\r\nGitHub is no stranger to misuse, however. Open-source ransomware projects EDA2 and Hidden Tear\u2014supposedly created for educational purposes\u2014were hosted on GitHub, and have since spawned various offshoots that have been found targeting enterprises. Tools that exploited vulnerabilities in Internet of Things (IoT) devices were also made available on GitHub. Even the Limitless Keylogger, which was used in targeted attacks, was linked to a GitHub project.\r\n\r\nRecently, the Winnti group, a threat actor with a past of traditional cybercrime\u2014particularly with financial fraud\u2014has been seen abusing GitHub by turning it into a conduit for the command and control (C&C) communications of their seemingly new backdoor (detected by Trend Micro as BKDR64_WINNTI.ONM).\r\n\r\nOur research also showed that the group still uses some of the infamous PlugX malware variants\u2014a staple in Winnti\u2019s arsenal\u2014to handle targeted attack operations via the GitHub account we identified.", "Tag": [ { "colour": "#ffffff", "local": false, "name": "tlp:white", "relationship_type": "" }, { "colour": "#00223b", "local": false, "name": "osint:source-type=\"blog-post\"", "relationship_type": "" }, { "colour": "#001fc2", "local": false, "name": "estimative-language:likelihood-probability=\"almost-certain\"", "relationship_type": "" }, { "colour": "#075200", "local": false, "name": "admiralty-scale:source-reliability=\"b\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "cryptbase.dll", "deleted": false, "disable_correlation": false, "timestamp": "1490261359", "to_ids": true, "type": "sha256", "uuid": "58d393bd-bf10-4b1e-9cbf-4ebc950d210f", "value": 
"06b077e31a6f339c4f3b1f61ba9a6a6ba827afe52ed5bed6a6bf56bf18a279ba" }, { "category": "Payload delivery", "comment": "loadperf.dll", "deleted": false, "disable_correlation": false, "timestamp": "1490261359", "to_ids": true, "type": "sha256", "uuid": "58d393be-6cb4-4753-8e81-4306950d210f", "value": "1e63a7186886deea6c4e5c2a329eab76a60be3a65bca1ba9ed6e71f9a46b7e9d" }, { "category": "Payload delivery", "comment": "loadoerf.ini", "deleted": false, "disable_correlation": false, "timestamp": "1490261359", "to_ids": true, "type": "sha256", "uuid": "58d393bf-f3f0-4c43-81a3-461b950d210f", "value": "7c37ebb96c54d5d8ea232951ccf56cb1d029facdd6b730f80ca2ad566f6c5d9b" }, { "category": "Payload delivery", "comment": "wbemcomn.ini", "deleted": false, "disable_correlation": false, "timestamp": "1490261359", "to_ids": true, "type": "sha256", "uuid": "58d393c0-18f8-4311-b6a1-4cb5950d210f", "value": "9d04ef8708cf030b9688bf3e8287c1790023a76374e43bd332178e212420f9fb" }, { "category": "Payload delivery", "comment": "cryptbase.ini", "deleted": false, "disable_correlation": false, "timestamp": "1490261359", "to_ids": true, "type": "sha256", "uuid": "58d393c0-5a30-47ca-be06-4960950d210f", "value": "b1a0d0508ee932bbf91625330d2136f33344ed70cb25f7e64be0620d32c4b9e2" }, { "category": "Payload delivery", "comment": "wbemcomn.dll", "deleted": false, "disable_correlation": false, "timestamp": "1490261359", "to_ids": true, "type": "sha256", "uuid": "58d393c1-75a4-42d5-915a-4c77950d210f", "value": "e5273b72c853f12b77a11e9c08ae6432fabbb32238ac487af2fb959a6cc26089" }, { "category": "Network activity", "comment": "443 (HTTPS) 53 (DNS) 80 (HTTP)", "deleted": false, "disable_correlation": false, "timestamp": "1490261359", "to_ids": true, "type": "ip-dst", "uuid": "58d3950a-ffb4-4a6b-a442-4e10950d210f", "value": "160.16.243.129" }, { "category": "Network activity", "comment": "443 (HTTPS) 53 (DNS)", "deleted": false, "disable_correlation": false, "timestamp": "1490261359", "to_ids": true, "type": "ip-dst", 
"uuid": "58d3950b-d098-49b4-8ad8-4255950d210f", "value": "174.139.203.18" }, { "category": "Network activity", "comment": "53 (DNS)", "deleted": false, "disable_correlation": false, "timestamp": "1490261359", "to_ids": true, "type": "ip-dst", "uuid": "58d3950c-6c0c-41fc-b0ff-4e3c950d210f", "value": "174.139.203.20" }, { "category": "Network activity", "comment": "443 (HTTPS) 53 (DNS)", "deleted": false, "disable_correlation": false, "timestamp": "1490261359", "to_ids": true, "type": "ip-dst", "uuid": "58d3950d-9778-4477-93b7-4192950d210f", "value": "174.139.203.22" }, { "category": "Network activity", "comment": "53 (DNS)", "deleted": false, "disable_correlation": false, "timestamp": "1490261359", "to_ids": true, "type": "ip-dst", "uuid": "58d3950e-4164-48d4-bda4-45f8950d210f", "value": "174.139.203.27" }, { "category": "Network activity", "comment": "53 (DNS)", "deleted": false, "disable_correlation": false, "timestamp": "1490261359", "to_ids": true, "type": "ip-dst", "uuid": "58d3950f-6e7c-4959-8f43-4f6b950d210f", "value": "174.139.203.34" }, { "category": "Network activity", "comment": "80 (HTTP)", "deleted": false, "disable_correlation": false, "timestamp": "1490261359", "to_ids": true, "type": "ip-dst", "uuid": "58d39510-5840-4bba-b5d3-43a1950d210f", "value": "174.139.62.58" }, { "category": "Network activity", "comment": "443 (HTTPS) 53 (DNS) 80 (HTTP)", "deleted": false, "disable_correlation": false, "timestamp": "1490261359", "to_ids": true, "type": "ip-dst", "uuid": "58d39511-d928-4adc-a65c-41ec950d210f", "value": "174.139.62.60" }, { "category": "Network activity", "comment": "443 (HTTPS)", "deleted": false, "disable_correlation": false, "timestamp": "1490261359", "to_ids": true, "type": "ip-dst", "uuid": "58d39512-beac-4951-bd97-422f950d210f", "value": "174.139.62.61" }, { "category": "Network activity", "comment": "443 (HTTPS) 53 (DNS) 80 (HTTP)", "deleted": false, "disable_correlation": false, "timestamp": "1490261359", "to_ids": true, "type": 
"ip-dst", "uuid": "58d39512-63ac-4119-b1d1-404c950d210f", "value": "61.195.98.245" }, { "category": "Network activity", "comment": "443 (HTTPS) 53 (DNS)", "deleted": false, "disable_correlation": false, "timestamp": "1490261359", "to_ids": true, "type": "ip-dst", "uuid": "58d39513-3674-4298-83a5-4e97950d210f", "value": "67.198.161.250" }, { "category": "Network activity", "comment": "443 (HTTPS)", "deleted": false, "disable_correlation": false, "timestamp": "1490261359", "to_ids": true, "type": "ip-dst", "uuid": "58d39514-ac10-4112-9f4a-44c6950d210f", "value": "67.198.161.251" }, { "category": "Network activity", "comment": "443 (HTTPS)", "deleted": false, "disable_correlation": false, "timestamp": "1490261359", "to_ids": true, "type": "ip-dst", "uuid": "58d39515-1c68-4743-8f45-4132950d210f", "value": "67.198.161.252" }, { "category": "Payload delivery", "comment": "wbemcomn.dll - Xchecked via VT: e5273b72c853f12b77a11e9c08ae6432fabbb32238ac487af2fb959a6cc26089", "deleted": false, "disable_correlation": false, "timestamp": "1490261378", "to_ids": true, "type": "sha1", "uuid": "58d39582-f3b8-4540-bc74-478a02de0b81", "value": "08afbd47ce5f4e296d375b3a2d069993e09c090f" }, { "category": "Payload delivery", "comment": "wbemcomn.dll - Xchecked via VT: e5273b72c853f12b77a11e9c08ae6432fabbb32238ac487af2fb959a6cc26089", "deleted": false, "disable_correlation": false, "timestamp": "1490261379", "to_ids": true, "type": "md5", "uuid": "58d39583-c104-4652-a263-44f802de0b81", "value": "3301341e7e769c92aefb07e4bec15ad2" }, { "category": "External analysis", "comment": "wbemcomn.dll - Xchecked via VT: e5273b72c853f12b77a11e9c08ae6432fabbb32238ac487af2fb959a6cc26089", "deleted": false, "disable_correlation": false, "timestamp": "1490261380", "to_ids": false, "type": "link", "uuid": "58d39584-3f08-4842-848f-475602de0b81", "value": "https://www.virustotal.com/file/e5273b72c853f12b77a11e9c08ae6432fabbb32238ac487af2fb959a6cc26089/analysis/1490216161/" }, { "category": "Payload 
delivery", "comment": "cryptbase.ini - Xchecked via VT: b1a0d0508ee932bbf91625330d2136f33344ed70cb25f7e64be0620d32c4b9e2", "deleted": false, "disable_correlation": false, "timestamp": "1490261381", "to_ids": true, "type": "sha1", "uuid": "58d39585-7cf8-45ba-8f84-48a202de0b81", "value": "5e23c5b5f21c0a6f894d636cd4f4469bf28b53ba" }, { "category": "Payload delivery", "comment": "cryptbase.ini - Xchecked via VT: b1a0d0508ee932bbf91625330d2136f33344ed70cb25f7e64be0620d32c4b9e2", "deleted": false, "disable_correlation": false, "timestamp": "1490261382", "to_ids": true, "type": "md5", "uuid": "58d39586-7de0-4c69-b715-4bb902de0b81", "value": "802890514844f6bab0cb2004c52025d6" }, { "category": "External analysis", "comment": "cryptbase.ini - Xchecked via VT: b1a0d0508ee932bbf91625330d2136f33344ed70cb25f7e64be0620d32c4b9e2", "deleted": false, "disable_correlation": false, "timestamp": "1490261383", "to_ids": false, "type": "link", "uuid": "58d39587-6484-49c5-8cf5-43ac02de0b81", "value": "https://www.virustotal.com/file/b1a0d0508ee932bbf91625330d2136f33344ed70cb25f7e64be0620d32c4b9e2/analysis/1490216160/" }, { "category": "Payload delivery", "comment": "wbemcomn.ini - Xchecked via VT: 9d04ef8708cf030b9688bf3e8287c1790023a76374e43bd332178e212420f9fb", "deleted": false, "disable_correlation": false, "timestamp": "1490261384", "to_ids": true, "type": "sha1", "uuid": "58d39588-a408-45a0-a2fa-4ba502de0b81", "value": "51891247e3caa4e4f8f71b2eaf8ba47602dc0be1" }, { "category": "Payload delivery", "comment": "wbemcomn.ini - Xchecked via VT: 9d04ef8708cf030b9688bf3e8287c1790023a76374e43bd332178e212420f9fb", "deleted": false, "disable_correlation": false, "timestamp": "1490261385", "to_ids": true, "type": "md5", "uuid": "58d39589-a960-47cc-9923-483e02de0b81", "value": "5b1852311cc9f5ccdddf35a9c473ab27" }, { "category": "External analysis", "comment": "wbemcomn.ini - Xchecked via VT: 9d04ef8708cf030b9688bf3e8287c1790023a76374e43bd332178e212420f9fb", "deleted": false, 
"disable_correlation": false, "timestamp": "1490261386", "to_ids": false, "type": "link", "uuid": "58d3958a-3b38-414e-96a1-4e8502de0b81", "value": "https://www.virustotal.com/file/9d04ef8708cf030b9688bf3e8287c1790023a76374e43bd332178e212420f9fb/analysis/1490216160/" }, { "category": "Payload delivery", "comment": "loadoerf.ini - Xchecked via VT: 7c37ebb96c54d5d8ea232951ccf56cb1d029facdd6b730f80ca2ad566f6c5d9b", "deleted": false, "disable_correlation": false, "timestamp": "1490261387", "to_ids": true, "type": "sha1", "uuid": "58d3958b-0dd0-40a0-97d2-446102de0b81", "value": "1eddc0e76f1dd787091cfdcf98a058dd4319fd34" }, { "category": "Payload delivery", "comment": "loadoerf.ini - Xchecked via VT: 7c37ebb96c54d5d8ea232951ccf56cb1d029facdd6b730f80ca2ad566f6c5d9b", "deleted": false, "disable_correlation": false, "timestamp": "1490261388", "to_ids": true, "type": "md5", "uuid": "58d3958c-6118-4f70-aec5-463102de0b81", "value": "c7d0ec5b742ee497b9ee536f23586949" }, { "category": "External analysis", "comment": "loadoerf.ini - Xchecked via VT: 7c37ebb96c54d5d8ea232951ccf56cb1d029facdd6b730f80ca2ad566f6c5d9b", "deleted": false, "disable_correlation": false, "timestamp": "1490261389", "to_ids": false, "type": "link", "uuid": "58d3958d-3960-4962-8469-497502de0b81", "value": "https://www.virustotal.com/file/7c37ebb96c54d5d8ea232951ccf56cb1d029facdd6b730f80ca2ad566f6c5d9b/analysis/1489477860/" }, { "category": "Payload delivery", "comment": "loadperf.dll - Xchecked via VT: 1e63a7186886deea6c4e5c2a329eab76a60be3a65bca1ba9ed6e71f9a46b7e9d", "deleted": false, "disable_correlation": false, "timestamp": "1490261390", "to_ids": true, "type": "sha1", "uuid": "58d3958e-f960-4209-8de4-4e5f02de0b81", "value": "64093d8dbf2e108c73fb5f96bbf0c2fcd8975c94" }, { "category": "Payload delivery", "comment": "loadperf.dll - Xchecked via VT: 1e63a7186886deea6c4e5c2a329eab76a60be3a65bca1ba9ed6e71f9a46b7e9d", "deleted": false, "disable_correlation": false, "timestamp": "1490261391", "to_ids": true, 
"type": "md5", "uuid": "58d3958f-2bf4-431b-a40d-41ed02de0b81", "value": "879ce99e253e598a3c156258a9e81457" }, { "category": "External analysis", "comment": "loadperf.dll - Xchecked via VT: 1e63a7186886deea6c4e5c2a329eab76a60be3a65bca1ba9ed6e71f9a46b7e9d", "deleted": false, "disable_correlation": false, "timestamp": "1490261392", "to_ids": false, "type": "link", "uuid": "58d39590-87e0-4b5e-9143-4fff02de0b81", "value": "https://www.virustotal.com/file/1e63a7186886deea6c4e5c2a329eab76a60be3a65bca1ba9ed6e71f9a46b7e9d/analysis/1490193118/" }, { "category": "Payload delivery", "comment": "cryptbase.dll - Xchecked via VT: 06b077e31a6f339c4f3b1f61ba9a6a6ba827afe52ed5bed6a6bf56bf18a279ba", "deleted": false, "disable_correlation": false, "timestamp": "1490261393", "to_ids": true, "type": "sha1", "uuid": "58d39591-8ed8-4334-a252-473902de0b81", "value": "1a20d3333e220f6fe2980dff119705c0ddc59604" }, { "category": "Payload delivery", "comment": "cryptbase.dll - Xchecked via VT: 06b077e31a6f339c4f3b1f61ba9a6a6ba827afe52ed5bed6a6bf56bf18a279ba", "deleted": false, "disable_correlation": false, "timestamp": "1490261394", "to_ids": true, "type": "md5", "uuid": "58d39592-3394-4c30-9626-4f5202de0b81", "value": "5b2484ad1f74f2c19ff0d29e63c773d8" }, { "category": "External analysis", "comment": "cryptbase.dll - Xchecked via VT: 06b077e31a6f339c4f3b1f61ba9a6a6ba827afe52ed5bed6a6bf56bf18a279ba", "deleted": false, "disable_correlation": false, "timestamp": "1490261395", "to_ids": false, "type": "link", "uuid": "58d39593-73e0-45fe-9265-4f1002de0b81", "value": "https://www.virustotal.com/file/06b077e31a6f339c4f3b1f61ba9a6a6ba827afe52ed5bed6a6bf56bf18a279ba/analysis/1490195522/" } ] } }