{ "type": "bundle", "id": "bundle--5d832d9f-1508-4fdf-979b-4edf950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-09-20T13:32:46.000Z", "modified": "2019-09-20T13:32:46.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "grouping", "spec_version": "2.1", "id": "grouping--5d832d9f-1508-4fdf-979b-4edf950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-09-20T13:32:46.000Z", "modified": "2019-09-20T13:32:46.000Z", "name": "OSINT - Tortoiseshell Group Targets IT Providers in Saudi Arabia in Probable Supply Chain Attacks", "context": "suspicious-activity", "object_refs": [ "observed-data--5d832dc2-67e4-4561-84eb-42b1950d210f", "url--5d832dc2-67e4-4561-84eb-42b1950d210f", "x-misp-attribute--5d832de7-7b14-4ee6-9ac2-4471950d210f", "observed-data--5d84c794-428c-41c9-b743-4270950d210f", "windows-registry-key--5d84c794-428c-41c9-b743-4270950d210f", "observed-data--5d84c79b-4ac8-4fd1-b315-4082950d210f", "windows-registry-key--5d84c79b-4ac8-4fd1-b315-4082950d210f", "indicator--5d84c9ca-1130-43f5-8418-42c6950d210f", "indicator--5d84c9ca-62cc-4f84-819a-49d7950d210f", "indicator--5d84c9ca-1bb8-4553-b847-4da7950d210f", "indicator--5d84d3a3-66b8-4242-9876-4fb9950d210f", "indicator--5d84d3a3-5158-4760-955b-49e0950d210f", "indicator--5d84c63f-ad44-40aa-85f6-41fa950d210f", "indicator--5d84ca7f-8904-4b83-aa2d-4efd950d210f", "indicator--5d84d359-b914-4b54-8a37-42cb950d210f", "indicator--5d84d370-6c2c-4918-80bd-4a01950d210f", "indicator--5d84d38e-6880-4ffc-b9d8-4ae3950d210f" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "misp-galaxy:malpedia=\"OilRig\"", "misp-galaxy:mitre-enterprise-attack-intrusion-set=\"OilRig\"", "misp-galaxy:mitre-enterprise-attack-intrusion-set=\"OilRig - G0049\"", "misp-galaxy:mitre-intrusion-set=\"OilRig\"", "misp-galaxy:mitre-intrusion-set=\"OilRig - G0049\"", "misp-galaxy:threat-actor=\"CHRYSENE\"", "misp-galaxy:threat-actor=\"OilRig\"", "misp-galaxy:mitre-enterprise-attack-intrusion-set=\"APT34\"", "misp-galaxy:threat-actor=\"APT34\"", "workflow:todo=\"add-missing-misp-galaxy-cluster-values\"", "workflow:todo=\"expansion\"", "type:OSINT", "osint:lifetime=\"perpetual\"", "osint:certainty=\"50\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5d832dc2-67e4-4561-84eb-42b1950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-09-19T07:26:58.000Z", "modified": "2019-09-19T07:26:58.000Z", "first_observed": "2019-09-19T07:26:58Z", "last_observed": "2019-09-19T07:26:58Z", "number_observed": 1, "object_refs": [ "url--5d832dc2-67e4-4561-84eb-42b1950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5d832dc2-67e4-4561-84eb-42b1950d210f", "value": "https://www.symantec.com/blogs/threat-intelligence/tortoiseshell-apt-supply-chain" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5d832de7-7b14-4ee6-9ac2-4471950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-09-19T07:27:35.000Z", "modified": "2019-09-19T07:27:35.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"External analysis\"" ], "x_misp_category": "External analysis", "x_misp_type": "text", "x_misp_value": "Previously undocumented group hits IT providers in the Middle East.\r\n\r\nA previously undocumented attack group is using both custom and off-the-shelf malware to target IT providers in Saudi Arabia in what appear to be supply chain attacks with the end goal of compromising the IT providers\u2019 customers.\r\n\r\nThe group, which we are calling Tortoiseshell, has been active since at least July 2018. Symantec has identified a total of 11 organizations hit by the group, the majority of which are based in Saudi Arabia. In at least two organizations, evidence suggests that the attackers gained domain admin-level access.\r\n\r\nAnother notable element of this attack is that, on two of the compromised networks, several hundred computers were infected with malware. This is an unusually large number of computers to be compromised in a targeted attack. It is possible that the attackers were forced to infect many machines before finding those that were of most interest to them.\r\n\r\nWe have seen Tortoiseshell activity as recently as July 2019." }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5d84c794-428c-41c9-b743-4270950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-09-20T12:35:32.000Z", "modified": "2019-09-20T12:35:32.000Z", "first_observed": "2019-09-20T12:35:32Z", "last_observed": "2019-09-20T12:35:32Z", "number_observed": 1, "object_refs": [ "windows-registry-key--5d84c794-428c-41c9-b743-4270950d210f" ], "labels": [ "misp:type=\"regkey\"", "misp:category=\"Persistence mechanism\"" ] }, { "type": "windows-registry-key", "spec_version": "2.1", "id": "windows-registry-key--5d84c794-428c-41c9-b743-4270950d210f", "key": "HKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentversion\\policies\\system\\Enablevmd" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5d84c79b-4ac8-4fd1-b315-4082950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-09-20T12:35:39.000Z", "modified": "2019-09-20T12:35:39.000Z", "first_observed": "2019-09-20T12:35:39Z", "last_observed": "2019-09-20T12:35:39Z", "number_observed": 1, "object_refs": [ "windows-registry-key--5d84c79b-4ac8-4fd1-b315-4082950d210f" ], "labels": [ "misp:type=\"regkey\"", "misp:category=\"Persistence mechanism\"" ] }, { "type": "windows-registry-key", "spec_version": "2.1", "id": "windows-registry-key--5d84c79b-4ac8-4fd1-b315-4082950d210f", "key": "HKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentversion\\policies\\system\\Sendvmd" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5d84c9ca-1130-43f5-8418-42c6950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-09-20T12:44:58.000Z", "modified": "2019-09-20T12:44:58.000Z", "pattern": "[url:value = 'Infostealer/Sha.exe/Sha432.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-09-20T12:44:58Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5d84c9ca-62cc-4f84-819a-49d7950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-09-20T12:44:58.000Z", "modified": "2019-09-20T12:44:58.000Z", "pattern": "[url:value = 'Infostealer/stereoversioncontrol.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-09-20T12:44:58Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5d84c9ca-1bb8-4553-b847-4da7950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-09-20T12:44:58.000Z", "modified": "2019-09-20T12:44:58.000Z", "pattern": "[file:name = 'get-logon-history.ps1']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-09-20T12:44:58Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5d84d3a3-66b8-4242-9876-4fb9950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-09-20T13:26:59.000Z", "modified": "2019-09-20T13:26:59.000Z", "description": "Backdoor.Syskit C&C server", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '64.235.60.123']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-09-20T13:26:59Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5d84d3a3-5158-4760-955b-49e0950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-09-20T13:26:59.000Z", "modified": "2019-09-20T13:26:59.000Z", "description": "Backdoor.Syskit C&C server", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '64.235.39.45']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-09-20T13:26:59Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5d84c63f-ad44-40aa-85f6-41fa950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-09-20T12:29:51.000Z", "modified": "2019-09-20T12:29:51.000Z", "pattern": "[file:name = '\\\\%Windir\\\\%\\\\temp\\\\rconfig.xml']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-09-20T12:29:51Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5d84ca7f-8904-4b83-aa2d-4efd950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-09-20T12:47:59.000Z", "modified": "2019-09-20T12:47:59.000Z", "pattern": "[file:hashes.SHA256 = 'd9ac9c950e5495c9005b04843a40f01fa49d5fd49226cb5b03a055232ffc36f3']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-09-20T12:47:59Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5d84d359-b914-4b54-8a37-42cb950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-09-20T13:25:45.000Z", "modified": "2019-09-20T13:25:45.000Z", "description": " Backdoor.Syskit ", "pattern": "[file:hashes.SHA256 = 'f71732f997c53fa45eef5c988697eb4aa62c8655d8f0be3268636fc23addd193']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-09-20T13:25:45Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5d84d370-6c2c-4918-80bd-4a01950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-09-20T13:26:08.000Z", "modified": "2019-09-20T13:26:08.000Z", "description": " Backdoor.Syskit ", "pattern": "[file:hashes.SHA256 = '02a3296238a3d127a2e517f4949d31914c15d96726fb4902322c065153b364b2']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-09-20T13:26:08Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5d84d38e-6880-4ffc-b9d8-4ae3950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-09-20T13:26:38.000Z", "modified": "2019-09-20T13:26:38.000Z", "description": " Backdoor.Syskit ", "pattern": "[file:hashes.SHA256 = '07d123364d8d04e3fe0bfa4e0e23ddc7050ef039602ecd72baed70e6553c3ae4']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-09-20T13:26:38Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }