{ "Event": { "analysis": "0", "date": "2017-08-02", "extends_uuid": "", "info": "OSINT - FIN7/Carbanak threat actor unleashes Bateleur JScript backdoor", "publish_timestamp": "1501669151", "published": true, "threat_level_id": "3", "timestamp": "1501669132", "uuid": "5981a635-1198-404e-99e3-4fad02de0b81", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#00223b", "name": "osint:source-type=\"blog-post\"" }, { "colour": "#ffffff", "name": "tlp:white" }, { "colour": "#12e400", "name": "misp-galaxy:threat-actor=\"Anunak\"" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1501669132", "to_ids": false, "type": "text", "uuid": "5981a64b-3b44-4cb4-92ce-47c502de0b81", "value": "Proofpoint researchers have uncovered that the threat actor commonly referred to as FIN7 has added a new JScript backdoor called Bateleur and updated macros to its toolkit. We have observed these new tools being used to target U.S.-based chain restaurants, although FIN7 has previously targeted hospitality organizations, retailers, merchant services, suppliers and others. The new macros and Bateleur backdoor use sophisticated anti-analysis and sandbox evasion techniques as they attempt to cloak their activities and expand their victim pool.\r\n\r\nSpecifically, the first FIN7 change we observed was in the obfuscation technique found in their usual document attachments delivering the GGLDR script [1], initially described by researchers at FireEye [2]. In addition, starting in early June, we observed this threat actor using macro documents to drop a previously undocumented JScript backdoor, which we have named \u201cBateleur\u201d, instead of dropping their customary GGLDR payload. 
Since its initial sighting, there have been multiple updates to Bateleur and the attachment macros.", "Tag": [ { "colour": "#00223b", "name": "osint:source-type=\"blog-post\"" } ] }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1501669132", "to_ids": false, "type": "link", "uuid": "5981a65c-463c-48f2-a8e8-92c902de0b81", "value": "https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor", "Tag": [ { "colour": "#00223b", "name": "osint:source-type=\"blog-post\"" } ] }, { "category": "Payload delivery", "comment": "On port 53 - Tinymet C&C", "deleted": false, "disable_correlation": false, "timestamp": "1501669116", "to_ids": true, "type": "ip-dst|port", "uuid": "5981a6ab-0b6c-4729-945c-310e02de0b81", "value": "185.25.48.186|53" }, { "category": "Payload delivery", "comment": "On port 443 - Tinymet C&C", "deleted": false, "disable_correlation": false, "timestamp": "1501669116", "to_ids": true, "type": "ip-dst|port", "uuid": "5981a6ab-e098-4d81-827f-310e02de0b81", "value": "46.166.168.213|443" }, { "category": "Payload delivery", "comment": "On port 53 - Tinymet C&C", "deleted": false, "disable_correlation": false, "timestamp": "1501669116", "to_ids": true, "type": "ip-dst|port", "uuid": "5981a6ab-b188-4fb5-9dc6-310e02de0b81", "value": "188.165.44.190|53" }, { "category": "Payload delivery", "comment": "On port 443 - Bateleur C&C", "deleted": false, "disable_correlation": false, "timestamp": "1501669116", "to_ids": true, "type": "ip-dst|port", "uuid": "5981a6cb-89b8-4bb2-afd6-487002de0b81", "value": "195.133.48.65|443" }, { "category": "Payload delivery", "comment": "On port 443 - Bateleur C&C", "deleted": false, "disable_correlation": false, "timestamp": "1501669116", "to_ids": true, "type": "ip-dst|port", "uuid": "5981a6cb-afe0-4d12-b9cc-472102de0b81", "value": "195.133.49.73|443" }, { "category": "Payload delivery", "comment": "On port 443 - 
Bateleur C&C", "deleted": false, "disable_correlation": false, "timestamp": "1501669116", "to_ids": true, "type": "ip-dst|port", "uuid": "5981a6cb-18f0-4cd5-ac56-4d3d02de0b81", "value": "185.154.53.65|443" }, { "category": "Payload delivery", "comment": "On port 443 - Bateleur C&C", "deleted": false, "disable_correlation": false, "timestamp": "1501669116", "to_ids": true, "type": "ip-dst|port", "uuid": "5981a6cb-4020-4ccf-a18f-48c502de0b81", "value": "188.120.241.27|443" }, { "category": "Payload delivery", "comment": "On port 443 - Bateleur C&C", "deleted": false, "disable_correlation": false, "timestamp": "1501669116", "to_ids": true, "type": "ip-dst|port", "uuid": "5981a6cb-2cb8-409e-b3f3-419402de0b81", "value": "176.53.25.12|443" }, { "category": "Payload delivery", "comment": "On port 443 - Bateleur C&C", "deleted": false, "disable_correlation": false, "timestamp": "1501669116", "to_ids": true, "type": "ip-dst|port", "uuid": "5981a6cb-1504-45ba-be21-4cae02de0b81", "value": "5.200.53.61|443" }, { "category": "Payload delivery", "comment": "FIN7 Password Stealer Module", "deleted": false, "disable_correlation": false, "timestamp": "1501669116", "to_ids": true, "type": "sha256", "uuid": "5981a6d9-b2b0-4845-8e31-2ef302de0b81", "value": "8c00afd815355a00c55036e5d18482f730d5e71a9f83fe23c7a1c0d9007ced5a" }, { "category": "Payload delivery", "comment": "Bateleur Document Droppers", "deleted": false, "disable_correlation": false, "timestamp": "1501669116", "to_ids": true, "type": "sha256", "uuid": "5981a6ed-02c8-41bb-9762-92f802de0b81", "value": "cf86c7a92451dca1ebb76ebd3e469f3fa0d9b376487ee6d07ae57ab1b65a86f8" }, { "category": "Payload delivery", "comment": "Bateleur Document Droppers", "deleted": false, "disable_correlation": false, "timestamp": "1501669116", "to_ids": true, "type": "sha256", "uuid": "5981a6ed-bb14-47ae-9a1f-92f802de0b81", "value": "c91642c0a5a8781fff9fd400bff85b6715c96d8e17e2d2390c1771c683c7ead9" }, { "category": "Payload delivery", "comment": 
"Bateleur Document Droppers - Xchecked via VT: c91642c0a5a8781fff9fd400bff85b6715c96d8e17e2d2390c1771c683c7ead9", "deleted": false, "disable_correlation": false, "timestamp": "1501669116", "to_ids": true, "type": "sha1", "uuid": "5981a6fc-2ccc-460d-89ff-92bf02de0b81", "value": "e852f21b36a6700ba21a61b87f0e225040241309" }, { "category": "Payload delivery", "comment": "Bateleur Document Droppers - Xchecked via VT: c91642c0a5a8781fff9fd400bff85b6715c96d8e17e2d2390c1771c683c7ead9", "deleted": false, "disable_correlation": false, "timestamp": "1501669116", "to_ids": true, "type": "md5", "uuid": "5981a6fc-1bd8-4ed5-b8b1-92bf02de0b81", "value": "467062d2a5a341716c42c6d7f36ba0ed" }, { "category": "External analysis", "comment": "Bateleur Document Droppers - Xchecked via VT: c91642c0a5a8781fff9fd400bff85b6715c96d8e17e2d2390c1771c683c7ead9", "deleted": false, "disable_correlation": false, "timestamp": "1501669116", "to_ids": false, "type": "link", "uuid": "5981a6fc-d200-4960-acff-92bf02de0b81", "value": "https://www.virustotal.com/file/c91642c0a5a8781fff9fd400bff85b6715c96d8e17e2d2390c1771c683c7ead9/analysis/1501612940/" }, { "category": "Payload delivery", "comment": "Bateleur Document Droppers - Xchecked via VT: cf86c7a92451dca1ebb76ebd3e469f3fa0d9b376487ee6d07ae57ab1b65a86f8", "deleted": false, "disable_correlation": false, "timestamp": "1501669116", "to_ids": true, "type": "sha1", "uuid": "5981a6fc-cdb4-4d58-be72-92bf02de0b81", "value": "54fcccb8e4b62f7035f183831cd991851f88e4fc" }, { "category": "Payload delivery", "comment": "Bateleur Document Droppers - Xchecked via VT: cf86c7a92451dca1ebb76ebd3e469f3fa0d9b376487ee6d07ae57ab1b65a86f8", "deleted": false, "disable_correlation": false, "timestamp": "1501669116", "to_ids": true, "type": "md5", "uuid": "5981a6fc-0df0-4fa0-ad87-92bf02de0b81", "value": "9b1af2d9c0c0687c70466385800b6847" }, { "category": "External analysis", "comment": "Bateleur Document Droppers - Xchecked via VT: 
cf86c7a92451dca1ebb76ebd3e469f3fa0d9b376487ee6d07ae57ab1b65a86f8", "deleted": false, "disable_correlation": false, "timestamp": "1501669116", "to_ids": false, "type": "link", "uuid": "5981a6fc-a6fc-473b-8d4e-92bf02de0b81", "value": "https://www.virustotal.com/file/cf86c7a92451dca1ebb76ebd3e469f3fa0d9b376487ee6d07ae57ab1b65a86f8/analysis/1501620271/" } ] } }