{ "Event": { "analysis": "2", "date": "2018-11-26", "extends_uuid": "", "info": "OSINT - `event-stream` dependency attack steals wallets from users of copay", "publish_timestamp": "1543270402", "published": true, "threat_level_id": "3", "timestamp": "1543270394", "uuid": "5bfc6891-b838-44fe-bc17-16b702de0b81", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#ffffff", "local": false, "name": "tlp:white", "relationship_type": "" }, { "colour": "#00a0a0", "local": false, "name": "ecsirt:intrusions=\"application-compromise\"", "relationship_type": "" }, { "colour": "#0029ff", "local": false, "name": "estimative-language:confidence-in-analytic-judgment=\"high\"", "relationship_type": "" }, { "colour": "#001fc2", "local": false, "name": "estimative-language:likelihood-probability=\"almost-certain\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1543268515", "to_ids": false, "type": "link", "uuid": "5bfc68a3-19e0-4f70-81d4-48d502de0b81", "value": "https://github.com/bitpay/copay/issues/9346#issuecomment-441749542" }, { "category": "Network activity", "comment": "\"HTTP POST traffic on port 8080 to copayapi.host (which currently resolves to 51.38.112.212 and previously resolved to 145.249.104.239) or 111.90.151.134 indicates compromised and exfiltrated wallet private keys.\"", "deleted": false, "disable_correlation": false, "timestamp": "1543268542", "to_ids": true, "type": "domain", "uuid": "5bfc68be-0b50-47a2-a33e-16c502de0b81", "value": "copayapi.host" }, { "category": "Network activity", "comment": "\"HTTP POST traffic on port 8080 to copayapi.host (which currently resolves to 51.38.112.212 and previously resolved to 145.249.104.239) or 111.90.151.134 indicates compromised and exfiltrated wallet private keys.\"", "deleted": false, "disable_correlation": false, "timestamp": "1543268543", "to_ids": true, "type": 
"ip-dst", "uuid": "5bfc68bf-51a0-4f93-84ff-16c502de0b81", "value": "51.38.112.212" }, { "category": "Network activity", "comment": "\"HTTP POST traffic on port 8080 to copayapi.host (which currently resolves to 51.38.112.212 and previously resolved to 145.249.104.239) or 111.90.151.134 indicates compromised and exfiltrated wallet private keys.\"", "deleted": false, "disable_correlation": false, "timestamp": "1543268543", "to_ids": true, "type": "ip-dst", "uuid": "5bfc68bf-4798-421d-b09f-16c502de0b81", "value": "145.249.104.239" }, { "category": "Network activity", "comment": "\"HTTP POST traffic on port 8080 to copayapi.host (which currently resolves to 51.38.112.212 and previously resolved to 145.249.104.239) or 111.90.151.134 indicates compromised and exfiltrated wallet private keys.\"", "deleted": false, "disable_correlation": false, "timestamp": "1543268544", "to_ids": true, "type": "ip-dst", "uuid": "5bfc68c0-af3c-4165-8243-16c502de0b81", "value": "111.90.151.134" }, { "category": "Attribution", "comment": "copayapi.host's SOA record indicates the domain registrant's email address is \"kvlguuvh@sharklasers.co\" (very likely a throwaway email address).", "deleted": false, "disable_correlation": false, "timestamp": "1543268846", "to_ids": true, "type": "dns-soa-email", "uuid": "5bfc68ef-2698-4780-b1f5-45c902de0b81", "value": "kvlguuvh@sharklasers.co" }, { "category": "Social network", "comment": "The GitHub account of the event-stream hijacker: https://github.com/right9ctrl (email address right9ctrl@outlook.com)", "deleted": false, "disable_correlation": false, "timestamp": "1543268635", "to_ids": false, "type": "github-username", "uuid": "5bfc691b-da14-4228-997c-40e802de0b81", "value": "right9ctrl" }, { "category": "Network activity", "comment": "The NPM account of the event-stream hijacker: https://www.npmjs.com/~right9ctrl", "deleted": false, "disable_correlation": false, "timestamp": "1543268714", "to_ids": false, "type": "url", "uuid": 
"5bfc696a-2a8c-4e1d-9f1c-4ef902de0b81", "value": "https://www.npmjs.com/~right9ctrl" }, { "category": "Network activity", "comment": "The GitHub repo for the malicious flat-map package: https://github.com/hugeglass/flatmap-stream", "deleted": false, "disable_correlation": false, "timestamp": "1543268733", "to_ids": false, "type": "url", "uuid": "5bfc697d-ab8c-4a6b-9083-453702de0b81", "value": "https://github.com/hugeglass/flatmap-stream" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1543268752", "to_ids": false, "type": "url", "uuid": "5bfc6990-28ec-4517-a397-4b8502de0b81", "value": "https://www.npmjs.com/~hugeglass" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1543268789", "to_ids": false, "type": "link", "uuid": "5bfc69b5-bd34-40c5-a2da-42e202de0b81", "value": "https://github.com/dominictarr/event-stream/issues/116" }, { "category": "Attribution", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1543268830", "to_ids": false, "type": "whois-registrant-email", "uuid": "5bfc69de-2090-455c-8b3c-45b102de0b81", "value": "right9ctrl@outlook.com" } ] } }