{ "type": "bundle", "id": "bundle--f3eda2d3-840b-46ba-ac74-50b68a58b0fe", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-03-22T10:41:30.000Z", "modified": "2023-03-22T10:41:30.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--f3eda2d3-840b-46ba-ac74-50b68a58b0fe", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-03-22T10:41:30.000Z", "modified": "2023-03-22T10:41:30.000Z", "name": "OSINT - Bad magic: new APT found in the area of Russo-Ukrainian conflict", "published": "2023-03-22T10:44:51Z", "object_refs": [ "indicator--3f7f43d2-3f5b-4889-bce9-1e7db7e98b8c", "indicator--f53a9fc1-30de-49ad-aecc-cd126e75420e", "indicator--7670fb0e-124a-4f63-a2db-7bd9b0a20955", "indicator--c364b5a4-6a58-48d4-ae44-acae539c5ec2", "indicator--f4d9620e-8f7c-485c-baaa-8f4e29767337", "indicator--0262e716-cf69-4575-9242-2ad91defd641", "indicator--63e75a16-29eb-4779-b201-045152b4c3ea", "indicator--2c3bed63-f9a6-4958-8101-578fbcba16fa", "indicator--abd928f6-cb7f-4df9-8d8a-c2e0cbb34734", "indicator--dadef232-712d-40c1-98bf-a6bdd6090b3c", "indicator--891b078e-61b9-4e73-a255-c33d4056a9ff", "indicator--75ba0f15-99c8-405f-985d-c1c29b93b69e", "indicator--82597eec-ca83-44ef-9891-0001c9b8b859", "indicator--fa31ec03-99c9-4591-aa13-8ef7d9b54735", "indicator--53fcdd8e-d471-4a5a-979a-b568bd92315e", "indicator--ee838d3f-f333-4347-9bc2-4bc3dc7bec16", "x-misp-object--18623db4-3137-4d12-9c7f-6611ecc9bba3" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "type:OSINT", "osint:lifetime=\"perpetual\"", "osint:certainty=\"50\"", "tlp:clear", "collaborative-intelligence:request=\"context\"", "estimative-language:confidence-in-analytic-judgment=\"moderate\"", "misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\"", "misp-galaxy:country=\"ukraine\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--3f7f43d2-3f5b-4889-bce9-1e7db7e98b8c", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-03-22T09:57:23.000Z", "modified": "2023-03-22T09:57:23.000Z", "description": "Distribution servers", "pattern": "[domain-name:value = 'webservice-srv.online']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-03-22T09:57:23Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--f53a9fc1-30de-49ad-aecc-cd126e75420e", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-03-22T09:57:23.000Z", "modified": "2023-03-22T09:57:23.000Z", "description": "Distribution servers", "pattern": "[domain-name:value = 'webservice-srv1.online']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-03-22T09:57:23Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--7670fb0e-124a-4f63-a2db-7bd9b0a20955", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-03-22T09:57:23.000Z", "modified": "2023-03-22T09:57:23.000Z", "description": "Distribution servers", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.166.217.184']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-03-22T09:57:23Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--c364b5a4-6a58-48d4-ae44-acae539c5ec2", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-03-22T10:38:47.000Z", "modified": "2023-03-22T10:38:47.000Z", "description": "Lure archives", "pattern": "[file:hashes.MD5 = '0a95a985e6be0918fdb4bfabf0847b5a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2021-09-22T00:00:00Z", "valid_until": "2023-03-22T00:00:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--f4d9620e-8f7c-485c-baaa-8f4e29767337", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-03-22T10:39:39.000Z", "modified": "2023-03-22T10:39:39.000Z", "description": "Lure archives", "pattern": "[file:hashes.MD5 = 'ecb7af5771f4fe36a3065dc4d5516d84']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2022-04-28T00:00:00Z", "valid_until": "2023-03-22T00:00:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--0262e716-cf69-4575-9242-2ad91defd641", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-03-22T10:40:03.000Z", "modified": "2023-03-22T10:40:03.000Z", "description": "Lure archives", "pattern": "[file:hashes.MD5 = '765f45198cb8039079a28289eab761c5']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2022-06-06T00:00:00Z", "valid_until": "2023-03-22T00:00:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--63e75a16-29eb-4779-b201-045152b4c3ea", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-03-22T10:40:27.000Z", "modified": "2023-03-22T10:40:27.000Z", "description": "Lure archives", "pattern": "[file:hashes.MD5 = 'ebaf3c6818bfc619ca2876abd6979f6d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2022-08-05T00:00:00Z", "valid_until": "2023-03-22T00:00:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--2c3bed63-f9a6-4958-8101-578fbcba16fa", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-03-22T10:41:05.000Z", "modified": "2023-03-22T10:41:05.000Z", "description": "Lure archives", "pattern": "[file:hashes.MD5 = '1032986517836a8b1f87db954722a33f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2022-08-12T00:00:00Z", "valid_until": "2023-03-22T00:00:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--abd928f6-cb7f-4df9-8d8a-c2e0cbb34734", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-03-22T10:41:30.000Z", "modified": "2023-03-22T10:41:30.000Z", "description": "Lure archives", "pattern": "[file:hashes.MD5 = '1de44e8da621cdeb62825d367693c75e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2022-09-23T00:00:00Z", "valid_until": "2023-03-22T00:00:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--dadef232-712d-40c1-98bf-a6bdd6090b3c", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-03-22T10:19:33.000Z", "modified": "2023-03-22T10:19:33.000Z", "description": "CommonMagic network communication module", "pattern": "[file:hashes.MD5 = '7c0e5627fd25c40374bc22035d3fadd8' AND file:name = 'Overall.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2022-10-20T00:00:00Z", "valid_until": "2023-03-22T00:00:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--891b078e-61b9-4e73-a255-c33d4056a9ff", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-03-22T10:23:16.000Z", "modified": "2023-03-22T10:23:16.000Z", "pattern": "[file:hashes.MD5 = '9e19fe5c3cf3e81f347dd78cf3c2e0c2' AND file:name = 'Clean.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2022-10-20T00:00:00Z", "valid_until": "2023-03-22T00:00:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--75ba0f15-99c8-405f-985d-c1c29b93b69e", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-03-22T10:22:20.000Z", "modified": "2023-03-22T10:22:20.000Z", "pattern": "[file:hashes.MD5 = 'ce8d77af445e3a7c7e56a6ea53af8c0d' AND file:name = 'All.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2022-10-20T00:00:00Z", "valid_until": "2023-03-22T00:00:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--82597eec-ca83-44ef-9891-0001c9b8b859", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-03-22T10:00:20.000Z", "modified": "2023-03-22T10:00:20.000Z", "pattern": "[file:hashes.MD5 = '1fe3a2502e330432f3cf37ca7acbffac']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-03-22T10:00:20Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--fa31ec03-99c9-4591-aa13-8ef7d9b54735", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-03-22T10:20:30.000Z", "modified": "2023-03-22T10:20:30.000Z", "pattern": "[file:hashes.MD5 = '8c2f5e7432f1e6ad22002991772d589b' AND file:name = 'manutil.vbs']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-03-21T00:00:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--53fcdd8e-d471-4a5a-979a-b568bd92315e", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-03-22T10:01:15.000Z", "modified": "2023-03-22T10:01:15.000Z", "pattern": "[file:hashes.MD5 = 'bec44b3194c78f6e858b1768c071c5db' AND file:name = 'service_pack.dat']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-03-22T10:01:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--ee838d3f-f333-4347-9bc2-4bc3dc7bec16", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-03-22T10:21:19.000Z", "modified": "2023-03-22T10:21:19.000Z", "description": "PowerMagic installer", "pattern": "[file:hashes.MD5 = 'fee3db5db8817e82b1af4cedafd2f346' AND file:name = 'attachment.msi']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2022-09-23T00:00:00Z", "valid_until": "2023-03-22T00:00:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--18623db4-3137-4d12-9c7f-6611ecc9bba3", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-03-22T10:06:32.000Z", "modified": "2023-03-22T10:06:32.000Z", "labels": [ "misp:name=\"report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "link", "object_relation": "link", "value": "https://securelist.com/bad-magic-apt/109087/", "category": "External analysis", "uuid": "b4470f51-5001-41db-9c75-a0253285d620" }, { "type": "text", "object_relation": "summary", "value": "Since the start of the Russo-Ukrainian conflict, Kaspersky researchers and the international community at large have identified a significant number of cyberattacks executed in a political and geopolitical context. We previously published an overview of cyber activities and the threat landscape related to the conflict between Russia and Ukraine and continue to monitor new threats in these regions.\r\n\r\nIn October 2022, we identified an active infection of government, agriculture and transportation organizations located in the Donetsk, Lugansk, and Crimea regions. Although the initial vector of compromise is unclear, the details of the next stage imply the use of spear phishing or similar methods. The victims navigated to a URL pointing to a ZIP archive hosted on a malicious web server.", "category": "Other", "uuid": "1223eb19-ea81-4e8b-86ba-b532d31c6afd" }, { "type": "text", "object_relation": "type", "value": "Blog", "category": "Other", "uuid": "176b4d82-2fe3-46f5-81f6-b4c64442e447" } ], "x_misp_meta_category": "misc", "x_misp_name": "report" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }