{ "Event": { "analysis": "2", "date": "2017-03-24", "extends_uuid": "", "info": "OSINT - New targeted attack against Saudi Arabia Government", "publish_timestamp": "1490340029", "published": true, "threat_level_id": "3", "timestamp": "1490339998", "uuid": "58d4c745-a110-4623-a9e6-497d950d210f", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#ffffff", "local": false, "name": "tlp:white", "relationship_type": "" }, { "colour": "#00223b", "local": false, "name": "osint:source-type=\"blog-post\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1490339998", "to_ids": false, "type": "link", "uuid": "58d4c76a-f634-4a57-bcb3-464a950d210f", "value": "https://blog.malwarebytes.com/cybercrime/social-engineering-cybercrime/2017/03/new-targeted-attack-saudi-arabia-government/", "Tag": [ { "colour": "#00223b", "local": false, "name": "osint:source-type=\"blog-post\"", "relationship_type": "" }, { "colour": "#001fc2", "local": false, "name": "estimative-language:likelihood-probability=\"almost-certain\"", "relationship_type": "" }, { "colour": "#075200", "local": false, "name": "admiralty-scale:source-reliability=\"b\"", "relationship_type": "" } ] }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1490339998", "to_ids": false, "type": "text", "uuid": "58d4c781-4518-4271-a552-4672950d210f", "value": "A new spear phishing campaign is targeting Saudi Arabia governmental organizations. The attack originates from a phishing email containing a Word document in Arabic language. If the victim opens it up, it will not only infect their system but send the same phishing document to other contacts via their Outlook inbox.\r\n\r\nWe know that at least about a dozen Saudi agencies were targeted. As with most email-borne attacks, this one leverages social engineering to execute malicious code via a Macro.", "Tag": [ { "colour": "#00223b", "local": false, "name": "osint:source-type=\"blog-post\"", "relationship_type": "" }, { "colour": "#001fc2", "local": false, "name": "estimative-language:likelihood-probability=\"almost-certain\"", "relationship_type": "" }, { "colour": "#075200", "local": false, "name": "admiralty-scale:source-reliability=\"b\"", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "C2 - potentialy compromised", "deleted": false, "disable_correlation": false, "timestamp": "1490339998", "to_ids": true, "type": "url", "uuid": "58d4c7ca-4c18-44f8-b75d-43e1950d210f", "value": "mail.spa.gov.sa/ews/exchange/exchange.asmx", "Tag": [ { "colour": "#2d0048", "local": false, "name": "adversary:infrastructure-status=\"compromised\"", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "C2 - potentialy compromised", "deleted": false, "disable_correlation": false, "timestamp": "1490339998", "to_ids": true, "type": "url", "uuid": "58d4c7cb-575c-4396-8757-4020950d210f", "value": "webmail.ecra/ews/exchange/exchange.asmx", "Tag": [ { "colour": "#2d0048", "local": false, "name": "adversary:infrastructure-status=\"compromised\"", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1490339998", "to_ids": true, "type": "ip-dst", "uuid": "58d4c7f4-6c64-41ca-bfa2-4314950d210f", "value": "62.149.118.67", "Tag": [ { "colour": "#2d0048", "local": false, "name": "adversary:infrastructure-status=\"compromised\"", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1490339998", "to_ids": true, "type": "ip-dst", "uuid": "58d4c7f5-678c-453a-9648-483f950d210f", "value": "85.194.112.9", "Tag": [ { "colour": "#2d0048", "local": false, "name": "adversary:infrastructure-status=\"compromised\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "Binary payload", "deleted": false, "disable_correlation": false, "timestamp": "1490339998", "to_ids": true, "type": "md5", "uuid": "58d4c826-ab38-491e-85d1-48f2950d210f", "value": "4ed42233962a89deaa89fd7b989db081" }, { "category": "Payload delivery", "comment": "Binary payload", "deleted": false, "disable_correlation": false, "timestamp": "1490339998", "to_ids": true, "type": "sha256", "uuid": "58d4c827-9264-4eeb-8d3c-4aef950d210f", "value": "a96c57c35df18ac20d83b08a88e502071bd0033add0914b951adbd1639b0b873" }, { "category": "Payload delivery", "comment": "Word dropper", "deleted": false, "disable_correlation": false, "timestamp": "1490339998", "to_ids": true, "type": "md5", "uuid": "58d4c834-23b4-4f6a-b87f-4729950d210f", "value": "3cd5fa46507657f723719b7809d2d1f9" }, { "category": "Payload delivery", "comment": "Word dropper", "deleted": false, "disable_correlation": false, "timestamp": "1490339998", "to_ids": true, "type": "sha256", "uuid": "58d4c835-5d98-4a80-9386-4ab1950d210f", "value": "a6dbc36c472b3ba70a98efd0db35e75c340086be15d3c3ab4e39033604d0bcf9" }, { "category": "Payload delivery", "comment": "Word dropper - Xchecked via VT: a6dbc36c472b3ba70a98efd0db35e75c340086be15d3c3ab4e39033604d0bcf9", "deleted": false, "disable_correlation": false, "timestamp": "1490340007", "to_ids": true, "type": "sha1", "uuid": "58d4c8a7-306c-405e-aa6b-4e4102de0b81", "value": "34ddc14b9a04eba98c3aa1cb27033e12ec847e03" }, { "category": "External analysis", "comment": "Word dropper - Xchecked via VT: a6dbc36c472b3ba70a98efd0db35e75c340086be15d3c3ab4e39033604d0bcf9", "deleted": false, "disable_correlation": false, "timestamp": "1490340008", "to_ids": false, "type": "link", "uuid": "58d4c8a8-bf0c-4c05-9288-491a02de0b81", "value": "https://www.virustotal.com/file/a6dbc36c472b3ba70a98efd0db35e75c340086be15d3c3ab4e39033604d0bcf9/analysis/1490338453/" }, { "category": "Payload delivery", "comment": "Binary payload - Xchecked via VT: a96c57c35df18ac20d83b08a88e502071bd0033add0914b951adbd1639b0b873", "deleted": false, "disable_correlation": false, "timestamp": "1490340009", "to_ids": true, "type": "sha1", "uuid": "58d4c8a9-905c-4628-b347-4f3502de0b81", "value": "cf731ee0af5c19231ff51af589f7434c0367d508" }, { "category": "External analysis", "comment": "Binary payload - Xchecked via VT: a96c57c35df18ac20d83b08a88e502071bd0033add0914b951adbd1639b0b873", "deleted": false, "disable_correlation": false, "timestamp": "1490340010", "to_ids": false, "type": "link", "uuid": "58d4c8aa-f6e0-4953-b357-43a102de0b81", "value": "https://www.virustotal.com/file/a96c57c35df18ac20d83b08a88e502071bd0033add0914b951adbd1639b0b873/analysis/1490319480/" } ] } }