{ "type": "bundle", "id": "bundle--56bf2c35-198c-40be-adba-6cf602de0b81", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-02-13T13:20:26.000Z", "modified": "2016-02-13T13:20:26.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--56bf2c35-198c-40be-adba-6cf602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-02-13T13:20:26.000Z", "modified": "2016-02-13T13:20:26.000Z", "name": "OSINT - A Look Into Fysbis: Sofacy\u2019s Linux Backdoor", "published": "2016-02-13T13:21:39Z", "object_refs": [ "observed-data--56bf2ca7-5b68-4354-9c49-6cf202de0b81", "url--56bf2ca7-5b68-4354-9c49-6cf202de0b81", "x-misp-attribute--56bf2cb9-5ae4-4d06-a484-6cf502de0b81", "indicator--56bf2cce-066c-48f0-8683-6cf702de0b81", "indicator--56bf2ce4-4694-489b-ac8a-6cf402de0b81", "indicator--56bf2ce4-f9f0-472d-9a2f-6cf402de0b81", "observed-data--56bf2ce4-a178-430d-a972-6cf402de0b81", "url--56bf2ce4-a178-430d-a972-6cf402de0b81", "indicator--56bf2d19-73b4-49e4-a51e-6cf702de0b81", "indicator--56bf2d27-c7e0-4910-88b6-6cef02de0b81", "indicator--56bf2d27-fe94-44e9-a0c3-6cef02de0b81", "observed-data--56bf2d27-0f34-45fc-bd0b-6cef02de0b81", "url--56bf2d27-0f34-45fc-bd0b-6cef02de0b81", "indicator--56bf2d3c-b274-4ab9-853c-6cf202de0b81", "indicator--56bf2d44-6d80-4ae4-9592-fd7f02de0b81", "indicator--56bf2d44-0ec0-4236-b4d5-fd7f02de0b81", "observed-data--56bf2d44-404c-41ec-adca-fd7f02de0b81", "url--56bf2d44-404c-41ec-adca-fd7f02de0b81", "indicator--56bf2d78-5fa8-4c1f-8c0c-4c1702de0b81", "indicator--56bf2d78-a108-4636-8e8e-4eb202de0b81", "indicator--56bf2d78-23c4-41cb-b90c-499702de0b81", "indicator--56bf2d79-8720-4d1d-890f-452302de0b81", "indicator--56bf2d9a-2e64-40b2-a50c-d9bb02de0b81", "indicator--56bf2d9b-b7e8-4dad-9ae0-d9bb02de0b81" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", 
"type:OSINT" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--56bf2ca7-5b68-4354-9c49-6cf202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-02-13T13:16:23.000Z", "modified": "2016-02-13T13:16:23.000Z", "first_observed": "2016-02-13T13:16:23Z", "last_observed": "2016-02-13T13:16:23Z", "number_observed": 1, "object_refs": [ "url--56bf2ca7-5b68-4354-9c49-6cf202de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--56bf2ca7-5b68-4354-9c49-6cf202de0b81", "value": "http://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--56bf2cb9-5ae4-4d06-a484-6cf502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-02-13T13:16:41.000Z", "modified": "2016-02-13T13:16:41.000Z", "labels": [ "misp:type=\"comment\"", "misp:category=\"External analysis\"" ], "x_misp_category": "External analysis", "x_misp_type": "comment", "x_misp_value": "The Sofacy group, also known as APT28 and Sednit, is a fairly well known cyber espionage group believed to have ties to Russia. Their targets have spanned all across the world, with a focus on government, defense organizations and various Eastern European governments. 
There have been numerous reports on their activities, to the extent that a Wikipedia entry has even been created for them.\r\nFrom these reports, we know that the group uses an abundance of tools and tactics, ranging across zero-day exploits targeting common applications such as Java or Microsoft Office, heavy use of spear-phishing attacks, compromising legitimate websites to stage watering-hole attacks, and targeting over a variety of operating systems \u2013 Windows, OSX, Linux, even mobile iOS.\r\nThe Linux malware Fysbis is a preferred tool of Sofacy, and though it is not particularly sophisticated, Linux security in general is still a maturing area, especially in regards to malware. In short, it is entirely plausible that this tool has contributed to the success of associated attacks by this group. This blog post focuses specifically on this Linux tool preferred by Sofacy and describes considerations and implications when it comes to Linux malware." }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56bf2cce-066c-48f0-8683-6cf702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-02-13T13:17:02.000Z", "modified": "2016-02-13T13:17:02.000Z", "pattern": "[file:hashes.MD5 = '364ff454dcf00420cff13a57bcb78467']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-02-13T13:17:02Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56bf2ce4-4694-489b-ac8a-6cf402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-02-13T13:17:24.000Z", "modified": "2016-02-13T13:17:24.000Z", "description": "- Xchecked via VT: 364ff454dcf00420cff13a57bcb78467", "pattern": "[file:hashes.SHA256 = 
'8bca0031f3b691421cb15f9c6e71ce193355d2d8cf2b190438b6962761d0c6bb']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-02-13T13:17:24Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56bf2ce4-f9f0-472d-9a2f-6cf402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-02-13T13:17:24.000Z", "modified": "2016-02-13T13:17:24.000Z", "description": "- Xchecked via VT: 364ff454dcf00420cff13a57bcb78467", "pattern": "[file:hashes.SHA1 = '9444d2b29c6401bc7c2d14f071b11ec9014ae040']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-02-13T13:17:24Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--56bf2ce4-a178-430d-a972-6cf402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-02-13T13:17:24.000Z", "modified": "2016-02-13T13:17:24.000Z", "first_observed": "2016-02-13T13:17:24Z", "last_observed": "2016-02-13T13:17:24Z", "number_observed": 1, "object_refs": [ "url--56bf2ce4-a178-430d-a972-6cf402de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--56bf2ce4-a178-430d-a972-6cf402de0b81", "value": "https://www.virustotal.com/file/8bca0031f3b691421cb15f9c6e71ce193355d2d8cf2b190438b6962761d0c6bb/analysis/1443639905/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56bf2d19-73b4-49e4-a51e-6cf702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-02-13T13:18:17.000Z", 
"modified": "2016-02-13T13:18:17.000Z", "pattern": "[file:hashes.MD5 = '075b6695ab63f36af65f7ffd45cccd39']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-02-13T13:18:17Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56bf2d27-c7e0-4910-88b6-6cef02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-02-13T13:18:31.000Z", "modified": "2016-02-13T13:18:31.000Z", "description": "- Xchecked via VT: 075b6695ab63f36af65f7ffd45cccd39", "pattern": "[file:hashes.SHA256 = '02c7cf55fd5c5809ce2dce56085ba43795f2480423a4256537bfdfda0df85592']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-02-13T13:18:31Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56bf2d27-fe94-44e9-a0c3-6cef02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-02-13T13:18:31.000Z", "modified": "2016-02-13T13:18:31.000Z", "description": "- Xchecked via VT: 075b6695ab63f36af65f7ffd45cccd39", "pattern": "[file:hashes.SHA1 = 'f080e509c988a9578862665b4fcf1e4bf8d77c3e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-02-13T13:18:31Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--56bf2d27-0f34-45fc-bd0b-6cef02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", 
"created": "2016-02-13T13:18:31.000Z", "modified": "2016-02-13T13:18:31.000Z", "first_observed": "2016-02-13T13:18:31Z", "last_observed": "2016-02-13T13:18:31Z", "number_observed": 1, "object_refs": [ "url--56bf2d27-0f34-45fc-bd0b-6cef02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--56bf2d27-0f34-45fc-bd0b-6cef02de0b81", "value": "https://www.virustotal.com/file/02c7cf55fd5c5809ce2dce56085ba43795f2480423a4256537bfdfda0df85592/analysis/1450364865/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56bf2d3c-b274-4ab9-853c-6cf202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-02-13T13:18:52.000Z", "modified": "2016-02-13T13:18:52.000Z", "pattern": "[file:hashes.MD5 = 'e107c5c84ded6cd9391aede7f04d64c8']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-02-13T13:18:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56bf2d44-6d80-4ae4-9592-fd7f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-02-13T13:19:00.000Z", "modified": "2016-02-13T13:19:00.000Z", "description": "- Xchecked via VT: e107c5c84ded6cd9391aede7f04d64c8", "pattern": "[file:hashes.SHA256 = 'fd8b2ea9a2e8a67e4cb3904b49c789d57ed9b1ce5bebfe54fe3d98214d6a0f61']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-02-13T13:19:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56bf2d44-0ec0-4236-b4d5-fd7f02de0b81", 
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-02-13T13:19:00.000Z", "modified": "2016-02-13T13:19:00.000Z", "description": "- Xchecked via VT: e107c5c84ded6cd9391aede7f04d64c8", "pattern": "[file:hashes.SHA1 = 'ecdda7aca5c805e5be6e0ab2017592439de7e32c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-02-13T13:19:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--56bf2d44-404c-41ec-adca-fd7f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-02-13T13:19:00.000Z", "modified": "2016-02-13T13:19:00.000Z", "first_observed": "2016-02-13T13:19:00Z", "last_observed": "2016-02-13T13:19:00Z", "number_observed": 1, "object_refs": [ "url--56bf2d44-404c-41ec-adca-fd7f02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--56bf2d44-404c-41ec-adca-fd7f02de0b81", "value": "https://www.virustotal.com/file/fd8b2ea9a2e8a67e4cb3904b49c789d57ed9b1ce5bebfe54fe3d98214d6a0f61/analysis/1450713631/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56bf2d78-5fa8-4c1f-8c0c-4c1702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-02-13T13:19:52.000Z", "modified": "2016-02-13T13:19:52.000Z", "description": "C&C", "pattern": "[domain-name:value = 'azureon-line.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-02-13T13:19:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": 
"indicator--56bf2d78-a108-4636-8e8e-4eb202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-02-13T13:19:52.000Z", "modified": "2016-02-13T13:19:52.000Z", "description": "C&C", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '198.105.125.74']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-02-13T13:19:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56bf2d78-23c4-41cb-b90c-499702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-02-13T13:19:52.000Z", "modified": "2016-02-13T13:19:52.000Z", "description": "C&C", "pattern": "[domain-name:value = 'mozilla-plugins.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-02-13T13:19:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56bf2d79-8720-4d1d-890f-452302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-02-13T13:19:53.000Z", "modified": "2016-02-13T13:19:53.000Z", "description": "C&C", "pattern": "[domain-name:value = 'mozillaplagins.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-02-13T13:19:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56bf2d9a-2e64-40b2-a50c-d9bb02de0b81", "created_by_ref": 
"identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-02-13T13:20:26.000Z", "modified": "2016-02-13T13:20:26.000Z", "pattern": "[file:name = '~/.config/ksysdef/ksysdefd']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-02-13T13:20:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56bf2d9b-b7e8-4dad-9ae0-d9bb02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-02-13T13:20:27.000Z", "modified": "2016-02-13T13:20:27.000Z", "pattern": "[file:name = '~/.config/dbus-notifier/dbus-inotifier']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-02-13T13:20:27Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }