{ "type": "bundle", "id": "bundle--d5ccd0b6-f554-4182-8ac3-c8a4d5789ba6", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-09-24T08:14:48.000Z", "modified": "2021-09-24T08:14:48.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--d5ccd0b6-f554-4182-8ac3-c8a4d5789ba6", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-09-24T08:14:48.000Z", "modified": "2021-09-24T08:14:48.000Z", "name": "TinyTurla - Turla deploys new malware to keep a secret backdoor on victim machines", "published": "2021-09-24T08:14:56Z", "object_refs": [ "indicator--327ed82a-9666-498f-8ecc-192fc7c06f12", "x-misp-object--4639d0ff-7a62-41b3-a940-cdcb09f3fe35", "indicator--eefe6bfb-d38a-4a21-bc00-ecbd6506cffd", "indicator--96abab21-a8a7-4869-b680-89144e5625e7", "x-misp-object--f06729c8-10e4-4d20-9605-1661be3ae2c7", "relationship--c43c0b80-28e7-4a56-bbcc-eba97e67310f" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "type:OSINT", "osint:lifetime=\"perpetual\"", "osint:certainty=\"50\"", "misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Turla - G0010\"", "misp-galaxy:threat-actor=\"Turla Group\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--327ed82a-9666-498f-8ecc-192fc7c06f12", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-09-24T08:10:34.000Z", "modified": "2021-09-24T08:10:34.000Z", "pattern": "[file:hashes.SHA256 = '030cbd1a51f8583ccfc3fa38a28a5550dc1c84c05d6c0f5eb887d13dedf1da01']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-09-24T08:10:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--4639d0ff-7a62-41b3-a940-cdcb09f3fe35", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-09-24T08:10:17.000Z", "modified": "2021-09-24T08:10:17.000Z", "labels": [ "misp:name=\"report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "link", "object_relation": "link", "value": "https://blog.talosintelligence.com/2021/09/tinyturla.html", "category": "External analysis", "uuid": "65654f61-cd9f-416f-a840-debc025dc4da" }, { "type": "text", "object_relation": "summary", "value": "Cisco Talos found a previously undiscovered backdoor from the Turla APT that we are seeing in the wild. This simple backdoor is likely used as a second-chance backdoor to maintain access to the system, even if the primary malware is removed. It could also be used as a second-stage dropper to infect the system with additional malware.", "category": "Other", "uuid": "4368eb41-7e59-4a68-b66c-c9c7c51a11dc" }, { "type": "text", "object_relation": "type", "value": "Blog post", "category": "Other", "uuid": "83b51ac8-9547-41f0-b3ac-5f6c4cfa2ebb" } ], "x_misp_meta_category": "misc", "x_misp_name": "report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--eefe6bfb-d38a-4a21-bc00-ecbd6506cffd", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-09-24T08:11:00.000Z", "modified": "2021-09-24T08:11:00.000Z", "pattern": "import \\\\\"pe\\\\\"\r\nrule TinyTurla {\r\nmeta:\r\nauthor = \\\\\"Cisco Talos\\\\\"\r\ndescription = \\\\\"Detects Tiny Turla backdoor DLL\\\\\"\r\nstrings:\r\n$a = \\\\\"Title:\\\\\" fullword wide\r\n$b = \\\\\"Hosts\\\\\" fullword wide\r\n$c = \\\\\"Security\\\\\" fullword wide\r\n$d = \\\\\"TimeLong\\\\\" fullword wide\r\n$e = \\\\\"TimeShort\\\\\" fullword wide\r\n$f = \\\\\"MachineGuid\\\\\" fullword wide\r\n$g = \\\\\"POST\\\\\" fullword wide\r\n$h = \\\\\"WinHttpSetOption\\\\\" fullword ascii\r\n$i = \\\\\"WinHttpQueryDataAvailable\\\\\" fullword ascii\r\n\r\ncondition:\r\npe.is_pe and\r\npe.characteristics & pe.DLL and\r\npe.exports(\\\\\"ServiceMain\\\\\") and\r\nall of them\r\n}", "pattern_type": "yara", "pattern_version": "2.1", "valid_from": "2021-09-24T08:11:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "misc" } ], "labels": [ "misp:name=\"yara\"", "misp:meta-category=\"misc\"", "misp:to_ids=\"True\"" ], "x_misp_context": "all" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--96abab21-a8a7-4869-b680-89144e5625e7", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-09-24T08:14:48.000Z", "modified": "2021-09-24T08:14:48.000Z", "pattern": "[file:hashes.MD5 = '028878c4b6ab475ed0be97eca6f92af9' AND file:hashes.SHA1 = '02c37ccdfccfe03560a4bf069f46e8ae3a5d2348' AND file:hashes.SHA256 = '030cbd1a51f8583ccfc3fa38a28a5550dc1c84c05d6c0f5eb887d13dedf1da01']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-09-24T08:14:48Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--f06729c8-10e4-4d20-9605-1661be3ae2c7", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2021-09-24T08:12:06.000Z", "modified": "2021-09-24T08:12:06.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2021-09-24T06:19:11+00:00", "category": "Other", "uuid": "e8315fa6-f0c1-4e44-9bcc-c7a6d7aa8ebb" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/gui/file/030cbd1a51f8583ccfc3fa38a28a5550dc1c84c05d6c0f5eb887d13dedf1da01/detection/f-030cbd1a51f8583ccfc3fa38a28a5550dc1c84c05d6c0f5eb887d13dedf1da01-1632464351", "category": "Payload delivery", "uuid": "0643f79e-7e59-46ad-b98d-b00f28b73c5c" }, { "type": "text", "object_relation": "detection-ratio", "value": "48/68", "category": "Payload delivery", "uuid": "b6fb0bca-c924-4dfc-937b-30cfe83b1ceb" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--c43c0b80-28e7-4a56-bbcc-eba97e67310f", "created": "2021-09-24T08:12:06.000Z", "modified": "2021-09-24T08:12:06.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--96abab21-a8a7-4869-b680-89144e5625e7", "target_ref": "x-misp-object--f06729c8-10e4-4d20-9605-1661be3ae2c7" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }