{ "type": "bundle", "id": "bundle--5ae2129e-15b4-41e9-9428-4f1e02de0b81", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-04-26T18:13:30.000Z", "modified": "2018-04-26T18:13:30.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--5ae2129e-15b4-41e9-9428-4f1e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-04-26T18:13:30.000Z", "modified": "2018-04-26T18:13:30.000Z", "name": "OSINT - Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide", "published": "2018-04-26T18:14:00Z", "object_refs": [ "observed-data--5ae212a9-3388-451a-ae23-4d1c02de0b81", "url--5ae212a9-3388-451a-ae23-4d1c02de0b81", "x-misp-attribute--5ae212bc-dbf8-4751-b05b-46ba02de0b81", "indicator--5ae212d1-cfe0-4bf3-bd0c-4ed302de0b81", "indicator--5ae212d2-9d48-4402-b518-4f0f02de0b81", "indicator--5ae212d2-2dd8-4943-91c4-4b6302de0b81", "indicator--5ae212e1-2a34-444c-a80c-441e02de0b81", "indicator--5ae212e2-6960-43d3-9df3-4e4602de0b81", "indicator--5ae212e2-4788-4879-aa82-465e02de0b81", "x-misp-attribute--5ae2148d-c224-4ec6-b3e4-46df02de0b81", "observed-data--5ae214c7-aa40-4154-a878-452302de0b81", "network-traffic--5ae214c7-aa40-4154-a878-452302de0b81", "ipv4-addr--5ae214c7-aa40-4154-a878-452302de0b81", "observed-data--5ae214c8-dd6c-4b76-947e-49a302de0b81", "network-traffic--5ae214c8-dd6c-4b76-947e-49a302de0b81", "ipv4-addr--5ae214c8-dd6c-4b76-947e-49a302de0b81", "observed-data--5ae214c8-54f4-4deb-bf2e-41bf02de0b81", "network-traffic--5ae214c8-54f4-4deb-bf2e-41bf02de0b81", "ipv4-addr--5ae214c8-54f4-4deb-bf2e-41bf02de0b81", "observed-data--5ae214c9-f330-48a2-9ec7-451702de0b81", "network-traffic--5ae214c9-f330-48a2-9ec7-451702de0b81", "ipv4-addr--5ae214c9-f330-48a2-9ec7-451702de0b81", "observed-data--5ae214c9-bafc-47b3-b4f7-400202de0b81", "network-traffic--5ae214c9-bafc-47b3-b4f7-400202de0b81", 
"ipv4-addr--5ae214c9-bafc-47b3-b4f7-400202de0b81", "observed-data--5ae214ca-8200-4bee-9a0a-45ec02de0b81", "network-traffic--5ae214ca-8200-4bee-9a0a-45ec02de0b81", "ipv4-addr--5ae214ca-8200-4bee-9a0a-45ec02de0b81", "observed-data--5ae214ca-a294-408a-994d-4d0102de0b81", "network-traffic--5ae214ca-a294-408a-994d-4d0102de0b81", "ipv4-addr--5ae214ca-a294-408a-994d-4d0102de0b81", "indicator--5ae21511-4b84-4dd2-a11a-4cd502de0b81", "observed-data--5ae2152a-6adc-4f6c-a335-407802de0b81", "network-traffic--5ae2152a-6adc-4f6c-a335-407802de0b81", "ipv4-addr--5ae2152a-6adc-4f6c-a335-407802de0b81", "observed-data--5ae2152a-c9b4-4719-8dcb-4e3b02de0b81", "network-traffic--5ae2152a-c9b4-4719-8dcb-4e3b02de0b81", "ipv4-addr--5ae2152a-c9b4-4719-8dcb-4e3b02de0b81", "indicator--5ae21588-3774-4c2c-bf14-420502de0b81", "indicator--95673d0d-503f-4625-9e5d-b6771753df90", "x-misp-object--f62ef2cf-61e4-4fcc-8c7b-5704df1d8cb8", "indicator--fdeba3ca-6ff5-43cf-a1af-95261b334cf1", "x-misp-object--c1a27f9e-61e5-485d-9294-7f9bf1daf55e", "indicator--01a4b35a-bfe0-48cd-92f0-fde425538024", "x-misp-object--ac8aaf36-e974-4941-8189-070a68af06ab", "relationship--16216edf-7b70-48e1-a220-2ac2b9c5d62d", "relationship--6d4884b2-b282-4fa9-96fa-4ec9d6db6075", "relationship--361fa8b7-8e58-4b2c-b567-04e9b058849f" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Exfiltration Over Command and Control Channel - T1041\"", "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Commonly Used Port - T1043\"", "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Service Execution - T1035\"", "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Automated Collection - T1119\"", "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Data from Local System - T1005\"", "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Process Discovery - T1057\"", "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"System Time Discovery - T1124\"", 
"misp-galaxy:mitre-enterprise-attack-attack-pattern=\"File Deletion - T1107\"", "workflow:todo=\"create-missing-misp-galaxy-cluster-values\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5ae212a9-3388-451a-ae23-4d1c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-04-26T18:13:26.000Z", "modified": "2018-04-26T18:13:26.000Z", "first_observed": "2018-04-26T18:13:26Z", "last_observed": "2018-04-26T18:13:26Z", "number_observed": 1, "object_refs": [ "url--5ae212a9-3388-451a-ae23-4d1c02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"", "estimative-language:likelihood-probability=\"almost-certain\"", "estimative-language:confidence-in-analytic-judgment=\"moderate\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5ae212a9-3388-451a-ae23-4d1c02de0b81", "value": "https://securingtomorrow.mcafee.com/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5ae212bc-dbf8-4751-b05b-46ba02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-04-26T18:13:27.000Z", "modified": "2018-04-26T18:13:27.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"", "estimative-language:likelihood-probability=\"almost-certain\"", "estimative-language:confidence-in-analytic-judgment=\"moderate\"" ], "x_misp_category": "External analysis", "x_misp_type": "text", "x_misp_value": "McAfee Advanced Threat Research analysts have uncovered a global data reconnaissance campaign assaulting a wide number of industries including critical infrastructure, entertainment, finance, health care, and telecommunications. 
This campaign, dubbed Operation GhostSecret, leverages multiple implants, tools, and malware variants associated with the state-sponsored cyber group Hidden Cobra. The infrastructure currently remains active. In this post, we dive deeply into this campaign. For a brief overview of this threat, see \u201cGlobal Malware Campaign Pilfers Data from Critical Infrastructure, Entertainment, Finance, Health Care, and Other Industries.\u201d\r\n\r\nOur investigation into this campaign reveals that the actor used multiple malware implants, including an unknown implant with capabilities similar to Bankshot. From March 18 to 26 we observed the malware operating in multiple areas of the world. This new variant resembles parts of the Destover malware, which was used in the 2014 Sony Pictures attack.\r\n\r\nFurthermore, the Advanced Threat Research team has discovered Proxysvc, which appears to be an undocumented implant. We have also uncovered additional control servers that are still active and associated with these new implants. Based on our analysis of public and private information from submissions, along with product telemetry, it appears Proxysvc was used alongside the 2017 Destover variant and has operated undetected since mid-2017.\r\n\r\nThe attackers behind Operation GhostSecret used a similar infrastructure to earlier threats, including SSL certificates used by FakeTLS in implants found in the Destover backdoor variant known as Escad, which was used in the Sony Pictures attack. Based on our technical analysis, telemetry, and data from submissions, we can assert with high confidence that this is the work of the Hidden Cobra group. The Advanced Threat Research team uncovered activity related to this campaign in March 2018, when the actors targeted Turkish banks. These initial findings appear to be the first stage of Operation GhostSecret. 
For more on the global aspect of this threat, see \u201cGlobal Malware Campaign Pilfers Data from Critical Infrastructure of Entertainment, Finance, Health Care, and Other Industries.\u201d" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5ae212d1-cfe0-4bf3-bd0c-4ed302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-04-26T17:56:33.000Z", "modified": "2018-04-26T17:56:33.000Z", "pattern": "[file:hashes.SHA1 = 'fe887fcab66d7d7f79f05e0266c0649f0114ba7c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-04-26T17:56:33Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5ae212d2-9d48-4402-b518-4f0f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-04-26T17:56:34.000Z", "modified": "2018-04-26T17:56:34.000Z", "pattern": "[file:hashes.SHA1 = '8f2918c721511536d8c72144eabaf685ddc21a35']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-04-26T17:56:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5ae212d2-2dd8-4943-91c4-4b6302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-04-26T17:56:34.000Z", "modified": "2018-04-26T17:56:34.000Z", "pattern": "[file:hashes.SHA1 = '33ffbc8d6850794fa3b7bccb7b1aa1289e6eaa45']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-04-26T17:56:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", 
"misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5ae212e1-2a34-444c-a80c-441e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-04-26T18:08:51.000Z", "modified": "2018-04-26T18:08:51.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '203.131.222.83']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-04-26T18:08:51Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5ae212e2-6960-43d3-9df3-4e4602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-04-26T18:08:51.000Z", "modified": "2018-04-26T18:08:51.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '14.140.116.172']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-04-26T18:08:51Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5ae212e2-4788-4879-aa82-465e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-04-26T18:08:51.000Z", "modified": "2018-04-26T18:08:51.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '203.131.222.109']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-04-26T18:08:51Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", 
"misp:to_ids=\"True\"" ] }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5ae2148d-c224-4ec6-b3e4-46df02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-04-26T18:08:52.000Z", "modified": "2018-04-26T18:08:52.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"Antivirus detection\"" ], "x_misp_category": "Antivirus detection", "x_misp_type": "text", "x_misp_value": "Trojan-Bankshot2" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5ae214c7-aa40-4154-a878-452302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-04-26T18:08:52.000Z", "modified": "2018-04-26T18:08:52.000Z", "first_observed": "2018-04-26T18:08:52Z", "last_observed": "2018-04-26T18:08:52Z", "number_observed": 1, "object_refs": [ "network-traffic--5ae214c7-aa40-4154-a878-452302de0b81", "ipv4-addr--5ae214c7-aa40-4154-a878-452302de0b81" ], "labels": [ "misp:type=\"ip-src\"", "misp:category=\"Network activity\"" ] }, { "type": "network-traffic", "spec_version": "2.1", "id": "network-traffic--5ae214c7-aa40-4154-a878-452302de0b81", "src_ref": "ipv4-addr--5ae214c7-aa40-4154-a878-452302de0b81", "protocols": [ "tcp" ] }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--5ae214c7-aa40-4154-a878-452302de0b81", "value": "121.240.155.74" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5ae214c8-dd6c-4b76-947e-49a302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-04-26T18:08:53.000Z", "modified": "2018-04-26T18:08:53.000Z", "first_observed": "2018-04-26T18:08:53Z", "last_observed": "2018-04-26T18:08:53Z", "number_observed": 1, "object_refs": [ "network-traffic--5ae214c8-dd6c-4b76-947e-49a302de0b81", "ipv4-addr--5ae214c8-dd6c-4b76-947e-49a302de0b81" ], "labels": [ "misp:type=\"ip-src\"", "misp:category=\"Network activity\"" ] }, { "type": "network-traffic", "spec_version": "2.1", 
"id": "network-traffic--5ae214c8-dd6c-4b76-947e-49a302de0b81", "src_ref": "ipv4-addr--5ae214c8-dd6c-4b76-947e-49a302de0b81", "protocols": [ "tcp" ] }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--5ae214c8-dd6c-4b76-947e-49a302de0b81", "value": "121.240.155.76" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5ae214c8-54f4-4deb-bf2e-41bf02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-04-26T18:08:53.000Z", "modified": "2018-04-26T18:08:53.000Z", "first_observed": "2018-04-26T18:08:53Z", "last_observed": "2018-04-26T18:08:53Z", "number_observed": 1, "object_refs": [ "network-traffic--5ae214c8-54f4-4deb-bf2e-41bf02de0b81", "ipv4-addr--5ae214c8-54f4-4deb-bf2e-41bf02de0b81" ], "labels": [ "misp:type=\"ip-src\"", "misp:category=\"Network activity\"" ] }, { "type": "network-traffic", "spec_version": "2.1", "id": "network-traffic--5ae214c8-54f4-4deb-bf2e-41bf02de0b81", "src_ref": "ipv4-addr--5ae214c8-54f4-4deb-bf2e-41bf02de0b81", "protocols": [ "tcp" ] }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--5ae214c8-54f4-4deb-bf2e-41bf02de0b81", "value": "121.240.155.77" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5ae214c9-f330-48a2-9ec7-451702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-04-26T18:08:54.000Z", "modified": "2018-04-26T18:08:54.000Z", "first_observed": "2018-04-26T18:08:54Z", "last_observed": "2018-04-26T18:08:54Z", "number_observed": 1, "object_refs": [ "network-traffic--5ae214c9-f330-48a2-9ec7-451702de0b81", "ipv4-addr--5ae214c9-f330-48a2-9ec7-451702de0b81" ], "labels": [ "misp:type=\"ip-src\"", "misp:category=\"Network activity\"" ] }, { "type": "network-traffic", "spec_version": "2.1", "id": "network-traffic--5ae214c9-f330-48a2-9ec7-451702de0b81", "src_ref": "ipv4-addr--5ae214c9-f330-48a2-9ec7-451702de0b81", "protocols": [ "tcp" ] }, { "type": "ipv4-addr", "spec_version": 
"2.1", "id": "ipv4-addr--5ae214c9-f330-48a2-9ec7-451702de0b81", "value": "121.240.155.78" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5ae214c9-bafc-47b3-b4f7-400202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-04-26T18:08:54.000Z", "modified": "2018-04-26T18:08:54.000Z", "first_observed": "2018-04-26T18:08:54Z", "last_observed": "2018-04-26T18:08:54Z", "number_observed": 1, "object_refs": [ "network-traffic--5ae214c9-bafc-47b3-b4f7-400202de0b81", "ipv4-addr--5ae214c9-bafc-47b3-b4f7-400202de0b81" ], "labels": [ "misp:type=\"ip-src\"", "misp:category=\"Network activity\"" ] }, { "type": "network-traffic", "spec_version": "2.1", "id": "network-traffic--5ae214c9-bafc-47b3-b4f7-400202de0b81", "src_ref": "ipv4-addr--5ae214c9-bafc-47b3-b4f7-400202de0b81", "protocols": [ "tcp" ] }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--5ae214c9-bafc-47b3-b4f7-400202de0b81", "value": "223.30.98.169" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5ae214ca-8200-4bee-9a0a-45ec02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-04-26T18:08:54.000Z", "modified": "2018-04-26T18:08:54.000Z", "first_observed": "2018-04-26T18:08:54Z", "last_observed": "2018-04-26T18:08:54Z", "number_observed": 1, "object_refs": [ "network-traffic--5ae214ca-8200-4bee-9a0a-45ec02de0b81", "ipv4-addr--5ae214ca-8200-4bee-9a0a-45ec02de0b81" ], "labels": [ "misp:type=\"ip-src\"", "misp:category=\"Network activity\"" ] }, { "type": "network-traffic", "spec_version": "2.1", "id": "network-traffic--5ae214ca-8200-4bee-9a0a-45ec02de0b81", "src_ref": "ipv4-addr--5ae214ca-8200-4bee-9a0a-45ec02de0b81", "protocols": [ "tcp" ] }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--5ae214ca-8200-4bee-9a0a-45ec02de0b81", "value": "223.30.98.170" }, { "type": "observed-data", "spec_version": "2.1", "id": 
"observed-data--5ae214ca-a294-408a-994d-4d0102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-04-26T18:08:55.000Z", "modified": "2018-04-26T18:08:55.000Z", "first_observed": "2018-04-26T18:08:55Z", "last_observed": "2018-04-26T18:08:55Z", "number_observed": 1, "object_refs": [ "network-traffic--5ae214ca-a294-408a-994d-4d0102de0b81", "ipv4-addr--5ae214ca-a294-408a-994d-4d0102de0b81" ], "labels": [ "misp:type=\"ip-src\"", "misp:category=\"Network activity\"" ] }, { "type": "network-traffic", "spec_version": "2.1", "id": "network-traffic--5ae214ca-a294-408a-994d-4d0102de0b81", "src_ref": "ipv4-addr--5ae214ca-a294-408a-994d-4d0102de0b81", "protocols": [ "tcp" ] }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--5ae214ca-a294-408a-994d-4d0102de0b81", "value": "14.140.116.172" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5ae21511-4b84-4dd2-a11a-4cd502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-04-26T18:08:55.000Z", "modified": "2018-04-26T18:08:55.000Z", "description": "Both of these control servers used the PolarSSL certificate", "pattern": "[x509-certificate:hashes.SHA1 = 'd0cb9b2d4809575e1bc1f4657e0eb56f307c7a76']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-04-26T18:08:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"x509-fingerprint-sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5ae2152a-6adc-4f6c-a335-407802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-04-26T18:08:56.000Z", "modified": "2018-04-26T18:08:56.000Z", "first_observed": "2018-04-26T18:08:56Z", "last_observed": "2018-04-26T18:08:56Z", "number_observed": 1, "object_refs": [ 
"network-traffic--5ae2152a-6adc-4f6c-a335-407802de0b81", "ipv4-addr--5ae2152a-6adc-4f6c-a335-407802de0b81" ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"" ] }, { "type": "network-traffic", "spec_version": "2.1", "id": "network-traffic--5ae2152a-6adc-4f6c-a335-407802de0b81", "dst_ref": "ipv4-addr--5ae2152a-6adc-4f6c-a335-407802de0b81", "protocols": [ "tcp" ] }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--5ae2152a-6adc-4f6c-a335-407802de0b81", "value": "193.248.247.59" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5ae2152a-c9b4-4719-8dcb-4e3b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-04-26T18:08:56.000Z", "modified": "2018-04-26T18:08:56.000Z", "first_observed": "2018-04-26T18:08:56Z", "last_observed": "2018-04-26T18:08:56Z", "number_observed": 1, "object_refs": [ "network-traffic--5ae2152a-c9b4-4719-8dcb-4e3b02de0b81", "ipv4-addr--5ae2152a-c9b4-4719-8dcb-4e3b02de0b81" ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"" ] }, { "type": "network-traffic", "spec_version": "2.1", "id": "network-traffic--5ae2152a-c9b4-4719-8dcb-4e3b02de0b81", "dst_ref": "ipv4-addr--5ae2152a-c9b4-4719-8dcb-4e3b02de0b81", "protocols": [ "tcp" ] }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--5ae2152a-c9b4-4719-8dcb-4e3b02de0b81", "value": "196.4.67.45" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5ae21588-3774-4c2c-bf14-420502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-04-26T18:08:56.000Z", "modified": "2018-04-26T18:08:56.000Z", "description": "Further investigation into the control server infrastructure reveals the SSL certificate d0cb9b2d4809575e1bc1f4657e0eb56f307c7a76, which is tied to the control server 203.131.222.83, used by the February 2018 implant. This server resides at Thammasat University in Bangkok, Thailand. 
The same entity hosted the control server for the Sony Pictures implants. This SSL certificate has been used in Hidden Cobra operations since the Sony Pictures attack. Analyzing this certificate reveals additional control servers using the same PolarSSL certificate. Further analysis of McAfee telemetry data reveals several IP addresses that are active, two within the same network block as the 2018 Destover-like implant.", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '203.131.222.95']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-04-26T18:08:56Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--95673d0d-503f-4625-9e5d-b6771753df90", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-04-26T18:09:00.000Z", "modified": "2018-04-26T18:09:00.000Z", "pattern": "[file:hashes.MD5 = 'd1cced59ad97f0f7c0fad78a46cca151' AND file:hashes.SHA1 = '8f2918c721511536d8c72144eabaf685ddc21a35' AND file:hashes.SHA256 = 'ae65288f5c96b4656402853b14acd1d060b2a6303d833df5b1f10cc7a34b0025']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-04-26T18:09:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--f62ef2cf-61e4-4fcc-8c7b-5704df1d8cb8", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-04-26T18:08:58.000Z", "modified": "2018-04-26T18:08:58.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", 
"value": "2018-04-26T00:30:02", "category": "Other", "uuid": "5ae215ba-5938-4881-b51c-465202de0b81" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/ae65288f5c96b4656402853b14acd1d060b2a6303d833df5b1f10cc7a34b0025/analysis/1524702602/", "category": "External analysis", "uuid": "5ae215bb-24c8-49e2-84f4-4a1602de0b81" }, { "type": "text", "object_relation": "detection-ratio", "value": "48/67", "category": "Other", "uuid": "5ae215bb-cc4c-4db4-9375-441c02de0b81" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--fdeba3ca-6ff5-43cf-a1af-95261b334cf1", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-04-26T18:09:02.000Z", "modified": "2018-04-26T18:09:02.000Z", "pattern": "[file:hashes.MD5 = '87a9511137154886ee03610c7a346c59' AND file:hashes.SHA1 = 'fe887fcab66d7d7f79f05e0266c0649f0114ba7c' AND file:hashes.SHA256 = '45e68dce0f75353c448865b9abafbef5d4ed6492cd7058f65bf6aac182a9176a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-04-26T18:09:02Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--c1a27f9e-61e5-485d-9294-7f9bf1daf55e", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-04-26T18:09:01.000Z", "modified": "2018-04-26T18:09:01.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-04-26T00:30:05", "category": "Other", "uuid": "5ae215bd-d93c-4539-b75a-405202de0b81" }, { "type": "link", "object_relation": "permalink", "value": 
"https://www.virustotal.com/file/45e68dce0f75353c448865b9abafbef5d4ed6492cd7058f65bf6aac182a9176a/analysis/1524702605/", "category": "External analysis", "uuid": "5ae215bd-1f68-4b4a-a831-42b702de0b81" }, { "type": "text", "object_relation": "detection-ratio", "value": "44/66", "category": "Other", "uuid": "5ae215be-e1e4-463a-8125-4e6a02de0b81" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--01a4b35a-bfe0-48cd-92f0-fde425538024", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-04-26T18:09:05.000Z", "modified": "2018-04-26T18:09:05.000Z", "pattern": "[file:hashes.MD5 = '35cd770bd67168229200933511eb45f4' AND file:hashes.SHA1 = '33ffbc8d6850794fa3b7bccb7b1aa1289e6eaa45' AND file:hashes.SHA256 = '05a567fe3f7c22a0ef78cc39dcf2d9ff283580c82bdbe880af9549e7014becfc']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-04-26T18:09:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--ac8aaf36-e974-4941-8189-070a68af06ab", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-04-26T18:09:03.000Z", "modified": "2018-04-26T18:09:03.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-04-26T00:29:58", "category": "Other", "uuid": "5ae215bf-9cac-4e5f-8fd6-4c6802de0b81" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/05a567fe3f7c22a0ef78cc39dcf2d9ff283580c82bdbe880af9549e7014becfc/analysis/1524702598/", "category": "External analysis", "uuid": "5ae215bf-2810-41d9-9c22-480502de0b81" }, { "type": "text", "object_relation": 
"detection-ratio", "value": "49/67", "category": "Other", "uuid": "5ae215c0-ff80-4bd3-b70a-44b602de0b81" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--16216edf-7b70-48e1-a220-2ac2b9c5d62d", "created": "2018-04-26T18:09:04.000Z", "modified": "2018-04-26T18:09:04.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--95673d0d-503f-4625-9e5d-b6771753df90", "target_ref": "x-misp-object--f62ef2cf-61e4-4fcc-8c7b-5704df1d8cb8" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--6d4884b2-b282-4fa9-96fa-4ec9d6db6075", "created": "2018-04-26T18:09:04.000Z", "modified": "2018-04-26T18:09:04.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--fdeba3ca-6ff5-43cf-a1af-95261b334cf1", "target_ref": "x-misp-object--c1a27f9e-61e5-485d-9294-7f9bf1daf55e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--361fa8b7-8e58-4b2c-b567-04e9b058849f", "created": "2018-04-26T18:09:04.000Z", "modified": "2018-04-26T18:09:04.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--01a4b35a-bfe0-48cd-92f0-fde425538024", "target_ref": "x-misp-object--ac8aaf36-e974-4941-8189-070a68af06ab" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }