{ "type": "bundle", "id": "bundle--595ffeba-0eac-4c22-953c-c6c402de0b81", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-11-23T06:23:48.000Z", "modified": "2017-11-23T06:23:48.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "grouping", "spec_version": "2.1", "id": "grouping--595ffeba-0eac-4c22-953c-c6c402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-11-23T06:23:48.000Z", "modified": "2017-11-23T06:23:48.000Z", "name": "OSINT - Attack on Critical Infrastructure Leverages Template Injection", "context": "suspicious-activity", "object_refs": [ "observed-data--595ffec5-ab90-496e-8edf-41bc02de0b81", "url--595ffec5-ab90-496e-8edf-41bc02de0b81", "x-misp-attribute--595ffed7-8f20-4ae7-839f-419c02de0b81", "indicator--595fff2d-3c18-4ae2-98c6-46f902de0b81", "indicator--595fff2d-b108-4f78-bd75-437a02de0b81", "indicator--595fff2d-e9fc-439a-b74a-417c02de0b81", "indicator--595fff43-ea00-4f5c-b80d-478f02de0b81", "indicator--595fff43-ef64-46c8-a17f-42e302de0b81", "indicator--595fff43-90e4-4bab-896b-41df02de0b81", "indicator--595fff5c-5e24-4630-851a-4a4b02de0b81", "indicator--595fff5c-89b0-40fc-83ce-498702de0b81", "indicator--595fff83-90dc-49bb-adfb-474102de0b81", "indicator--595fff83-4b40-4ca6-b436-4b7b02de0b81", "observed-data--595fff83-6fa4-4702-8563-40cf02de0b81", "url--595fff83-6fa4-4702-8563-40cf02de0b81", "indicator--595fff83-099c-4d69-8fd3-4ff202de0b81", "indicator--595fff83-6c80-4097-a592-449902de0b81", "observed-data--595fff83-28d8-4599-ab7e-411a02de0b81", "url--595fff83-28d8-4599-ab7e-411a02de0b81", "indicator--595fff83-f46c-47e4-9a96-45d202de0b81", "indicator--595fff83-bab4-47da-ae9a-492602de0b81", "observed-data--595fff83-9aa8-4361-bf50-42a502de0b81", "url--595fff83-9aa8-4361-bf50-42a502de0b81", "indicator--595fff83-72e0-4302-9540-494302de0b81", "indicator--595fff83-5cac-4e37-8a69-447502de0b81", "observed-data--595fff83-fbdc-41f5-b908-47cf02de0b81", "url--595fff83-fbdc-41f5-b908-47cf02de0b81" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "certsi:critical-sector=\"energy\"", "osint:source-type=\"blog-post\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--595ffec5-ab90-496e-8edf-41bc02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-07T21:39:48.000Z", "modified": "2017-07-07T21:39:48.000Z", "first_observed": "2017-07-07T21:39:48Z", "last_observed": "2017-07-07T21:39:48Z", "number_observed": 1, "object_refs": [ "url--595ffec5-ab90-496e-8edf-41bc02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--595ffec5-ab90-496e-8edf-41bc02de0b81", "value": "http://blog.talosintelligence.com/2017/07/template-injection.html" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--595ffed7-8f20-4ae7-839f-419c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-07T21:39:48.000Z", "modified": "2017-07-07T21:39:48.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ], "x_misp_category": "External analysis", "x_misp_type": "text", "x_misp_value": "Attackers are continually trying to find new ways to target users with malware sent via email. Talos has identified an email-based attack targeting the energy sector, including nuclear power, that puts a new spin on the classic word document attachment phish. Typically, malicious Word documents that are sent as attachments to phishing emails will themselves contain a script or macro that executes malicious code. In this case, there is no malicious code in the attachment itself. The attachment instead tries to download a template file over an SMB connection so that the user's credentials can be silently harvested. In addition, this template file could also potentially be used to download other malicious payloads to the victim's computer." }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--595fff2d-3c18-4ae2-98c6-46f902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-07T21:39:15.000Z", "modified": "2017-07-07T21:39:15.000Z", "description": "Related IP Address", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '184.154.150.66']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-07-07T21:39:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--595fff2d-b108-4f78-bd75-437a02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-07T21:39:15.000Z", "modified": "2017-07-07T21:39:15.000Z", "description": "Related IP Address", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '5.153.58.45']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-07-07T21:39:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--595fff2d-e9fc-439a-b74a-417c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-07T21:39:15.000Z", "modified": "2017-07-07T21:39:15.000Z", "description": "Related IP Address", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '62.8.193.206']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-07-07T21:39:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--595fff43-ea00-4f5c-b80d-478f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-07T21:39:15.000Z", "modified": "2017-07-07T21:39:15.000Z", "description": "Controls Engineer.docx", "pattern": "[file:hashes.SHA256 = 'b02508baf8567e62f3c0fd14833c82fb24e8ba4f0dc84aeb7690d9ea83385baa']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-07-07T21:39:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--595fff43-ef64-46c8-a17f-42e302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-07T21:39:15.000Z", "modified": "2017-07-07T21:39:15.000Z", "description": "Controls Engineer.docx", "pattern": "[file:hashes.SHA256 = '3d6eadf0f0b3fb7f996e6eb3d540945c2d736822df1a37dcd0e25371fa2d75a0']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-07-07T21:39:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--595fff43-90e4-4bab-896b-41df02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-07T21:39:15.000Z", "modified": "2017-07-07T21:39:15.000Z", "description": "Controls Engineer.docx", "pattern": "[file:hashes.SHA256 = 'ac6c1df3895af63b864bb33bf30cb31059e247443ddb8f23517849362ec94f08']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-07-07T21:39:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--595fff5c-5e24-4630-851a-4a4b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-07T21:39:15.000Z", "modified": "2017-07-07T21:39:15.000Z", "pattern": "[file:name = 'Report03-23-2017.docx']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-07-07T21:39:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--595fff5c-89b0-40fc-83ce-498702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-07T21:39:15.000Z", "modified": "2017-07-07T21:39:15.000Z", "description": "Report03-23-2017.docx", "pattern": "[file:hashes.SHA256 = '93cd6696e150caf6106e6066b58107372dcf43377bf4420c848007c10ff80bc9']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-07-07T21:39:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--595fff83-90dc-49bb-adfb-474102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-07T21:39:15.000Z", "modified": "2017-07-07T21:39:15.000Z", "description": "Report03-23-2017.docx - Xchecked via VT: 93cd6696e150caf6106e6066b58107372dcf43377bf4420c848007c10ff80bc9", "pattern": "[file:hashes.SHA1 = '67175f1de3a911958e4c075336160462df3ea7b1']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-07-07T21:39:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--595fff83-4b40-4ca6-b436-4b7b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-07T21:39:15.000Z", "modified": "2017-07-07T21:39:15.000Z", "description": "Report03-23-2017.docx - Xchecked via VT: 93cd6696e150caf6106e6066b58107372dcf43377bf4420c848007c10ff80bc9", "pattern": "[file:hashes.MD5 = '3c432a21cfd05f976af8c47a007928f7']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-07-07T21:39:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--595fff83-6fa4-4702-8563-40cf02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-07T21:39:15.000Z", "modified": "2017-07-07T21:39:15.000Z", "first_observed": "2017-07-07T21:39:15Z", "last_observed": "2017-07-07T21:39:15Z", "number_observed": 1, "object_refs": [ "url--595fff83-6fa4-4702-8563-40cf02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--595fff83-6fa4-4702-8563-40cf02de0b81", "value": "https://www.virustotal.com/file/93cd6696e150caf6106e6066b58107372dcf43377bf4420c848007c10ff80bc9/analysis/1499449645/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--595fff83-099c-4d69-8fd3-4ff202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-07T21:39:15.000Z", "modified": "2017-07-07T21:39:15.000Z", "description": "Controls Engineer.docx - Xchecked via VT: ac6c1df3895af63b864bb33bf30cb31059e247443ddb8f23517849362ec94f08", "pattern": "[file:hashes.SHA1 = '2872dcdf108563d16b6cf2ed383626861fc541d2']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-07-07T21:39:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--595fff83-6c80-4097-a592-449902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-07T21:39:15.000Z", "modified": "2017-07-07T21:39:15.000Z", "description": "Controls Engineer.docx - Xchecked via VT: ac6c1df3895af63b864bb33bf30cb31059e247443ddb8f23517849362ec94f08", "pattern": "[file:hashes.MD5 = '722154a36f32ba10e98020a8ad758a7a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-07-07T21:39:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--595fff83-28d8-4599-ab7e-411a02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-07T21:39:15.000Z", "modified": "2017-07-07T21:39:15.000Z", "first_observed": "2017-07-07T21:39:15Z", "last_observed": "2017-07-07T21:39:15Z", "number_observed": 1, "object_refs": [ "url--595fff83-28d8-4599-ab7e-411a02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--595fff83-28d8-4599-ab7e-411a02de0b81", "value": "https://www.virustotal.com/file/ac6c1df3895af63b864bb33bf30cb31059e247443ddb8f23517849362ec94f08/analysis/1499451984/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--595fff83-f46c-47e4-9a96-45d202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-07T21:39:15.000Z", "modified": "2017-07-07T21:39:15.000Z", "description": "Controls Engineer.docx - Xchecked via VT: 3d6eadf0f0b3fb7f996e6eb3d540945c2d736822df1a37dcd0e25371fa2d75a0", "pattern": "[file:hashes.SHA1 = '421eecdfe4f6987bb9ff7a6d65827563e53eafbb']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-07-07T21:39:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--595fff83-bab4-47da-ae9a-492602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-07T21:39:15.000Z", "modified": "2017-07-07T21:39:15.000Z", "description": "Controls Engineer.docx - Xchecked via VT: 3d6eadf0f0b3fb7f996e6eb3d540945c2d736822df1a37dcd0e25371fa2d75a0", "pattern": "[file:hashes.MD5 = '4e4e9aac289f1c55e50227e2de66463b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-07-07T21:39:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--595fff83-9aa8-4361-bf50-42a502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-07T21:39:15.000Z", "modified": "2017-07-07T21:39:15.000Z", "first_observed": "2017-07-07T21:39:15Z", "last_observed": "2017-07-07T21:39:15Z", "number_observed": 1, "object_refs": [ "url--595fff83-9aa8-4361-bf50-42a502de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--595fff83-9aa8-4361-bf50-42a502de0b81", "value": "https://www.virustotal.com/file/3d6eadf0f0b3fb7f996e6eb3d540945c2d736822df1a37dcd0e25371fa2d75a0/analysis/1499463315/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--595fff83-72e0-4302-9540-494302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-07T21:39:15.000Z", "modified": "2017-07-07T21:39:15.000Z", "description": "Controls Engineer.docx - Xchecked via VT: b02508baf8567e62f3c0fd14833c82fb24e8ba4f0dc84aeb7690d9ea83385baa", "pattern": "[file:hashes.SHA1 = '5df2cb4b3a29adad4ba0a8f0b7eab5b6ae633977']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-07-07T21:39:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--595fff83-5cac-4e37-8a69-447502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-07T21:39:15.000Z", "modified": "2017-07-07T21:39:15.000Z", "description": "Controls Engineer.docx - Xchecked via VT: b02508baf8567e62f3c0fd14833c82fb24e8ba4f0dc84aeb7690d9ea83385baa", "pattern": "[file:hashes.MD5 = '4909db36f71106379832c8ca57ba5be8']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-07-07T21:39:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--595fff83-fbdc-41f5-b908-47cf02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-07T21:39:15.000Z", "modified": "2017-07-07T21:39:15.000Z", "first_observed": "2017-07-07T21:39:15Z", "last_observed": "2017-07-07T21:39:15Z", "number_observed": 1, "object_refs": [ "url--595fff83-fbdc-41f5-b908-47cf02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--595fff83-fbdc-41f5-b908-47cf02de0b81", "value": "https://www.virustotal.com/file/b02508baf8567e62f3c0fd14833c82fb24e8ba4f0dc84aeb7690d9ea83385baa/analysis/1499445440/" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }