{
  "Event": {
    "analysis": "2",
    "date": "2017-08-27",
    "extends_uuid": "",
    "info": "OSINT - Ukrainian Financial Institutions Targeted by Wave of Malicious EPS File Attacks",
    "publish_timestamp": "1503813407",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1503813100",
    "uuid": "59a25cc4-e870-4bef-a7d1-48a802de0b81",
    "Orgc": {
      "name": "CIRCL",
      "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
    },
    "Tag": [
      { "colour": "#ffffff", "local": "0", "name": "tlp:white", "relationship_type": "" },
      { "colour": "#6edb00", "local": "0", "name": "circl:topic=\"finance\"", "relationship_type": "" }
    ],
    "Attribute": [
      {
        "category": "Payload delivery",
        "comment": "To prevent this attack from being successful, we recommend that Microsoft’s security patches be immediately installed on endpoints. These patches will address the following CVE-numbers",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1503813100",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "59a25cf6-d7a0-4d00-8b4e-45f902de0b81",
        "value": "CVE-2015-2545",
        "Tag": [
          { "colour": "#418100", "local": "0", "name": "circl:incident-classification=\"vulnerability\"", "relationship_type": "" }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "To prevent this attack from being successful, we recommend that Microsoft’s security patches be immediately installed on endpoints. These patches will address the following CVE-numbers",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1503813100",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "59a25cf6-9670-4c50-a443-409202de0b81",
        "value": "CVE-2017-0261",
        "Tag": [
          { "colour": "#418100", "local": "0", "name": "circl:incident-classification=\"vulnerability\"", "relationship_type": "" }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "To prevent this attack from being successful, we recommend that Microsoft’s security patches be immediately installed on endpoints. These patches will address the following CVE-numbers",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1503813100",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "59a25cf6-affc-42cf-948f-4f5b02de0b81",
        "value": "CVE-2017-0262",
        "Tag": [
          { "colour": "#418100", "local": "0", "name": "circl:incident-classification=\"vulnerability\"", "relationship_type": "" }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1503813100",
        "to_ids": true,
        "type": "sha256",
        "uuid": "59a25d41-4b6c-4cbc-8e15-44a602de0b81",
        "value": "ecc055974d7d190871dc4eb1bf1f8b998d6e8abf04dba2ff560ae395aeec4d5d"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1503813100",
        "to_ids": true,
        "type": "sha256",
        "uuid": "59a25d41-974c-4dad-b1d5-40fc02de0b81",
        "value": "430c1bfa22e0f7b0e8742c0d70b8911089ba58645818e4281d7066d1324a3952"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1503813100",
        "to_ids": true,
        "type": "sha256",
        "uuid": "59a25d41-d920-44d6-a046-4bf002de0b81",
        "value": "1892154cc47e8a1bc81186d131e001a22e4edbc4fd88688eb1782b934e1941b6"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1503813100",
        "to_ids": true,
        "type": "sha256",
        "uuid": "59a25d41-8a74-4e53-a3bb-43ab02de0b81",
        "value": "e9d843761df7f6ef193d9f8e88d93a90816f2067fdd51a1c0765dfbfd4cb398f"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1503813100",
        "to_ids": true,
        "type": "sha256",
        "uuid": "59a25d41-ac30-47e6-832d-411102de0b81",
        "value": "647572d133677882f52843f799375ac77178616bcd3d9ed13b95d49eecfd0a51"
      },
      {
        "category": "Network activity",
        "comment": "Once the malware has managed to infect a system, it tries to connect to a server based in France over TCP port 80",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1503813100",
        "to_ids": true,
        "type": "url",
        "uuid": "59a25d7d-17d8-48c9-9f7a-45aa02de0b81",
        "value": "http://137.74.224.142/z/get.php?name=3c6*****"
      },
      {
        "category": "Artifacts dropped",
        "comment": "When we dug deeper into the details of the ‘image1.eps’ file, we noticed two awkward strings that you normally wouldn’t see in malware",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1503813100",
        "to_ids": true,
        "type": "pattern-in-file",
        "uuid": "59a25da6-2424-4517-af23-4b6702de0b81",
        "value": "%%Icantdestroywhatisntthere"
      },
      {
        "category": "Artifacts dropped",
        "comment": "When we dug deeper into the details of the ‘image1.eps’ file, we noticed two awkward strings that you normally wouldn’t see in malware",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1503813100",
        "to_ids": true,
        "type": "pattern-in-file",
        "uuid": "59a25da6-eea4-46cf-a439-400c02de0b81",
        "value": "%%Myheartisjusttoodarktocare"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1503813100",
        "to_ids": false,
        "type": "email-attachment",
        "uuid": "59a25dc1-ee70-4f02-9db8-b60e02de0b81",
        "value": "Выписка.docx"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1503813100",
        "to_ids": false,
        "type": "email-attachment",
        "uuid": "59a25dc1-7764-4a0b-89c0-b60e02de0b81",
        "value": "Выписка по счету.docx"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1503813100",
        "to_ids": false,
        "type": "email-attachment",
        "uuid": "59a25dc1-db3c-46fb-bd1c-b60e02de0b81",
        "value": "Выписка по карте.docx"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1503813100",
        "to_ids": false,
        "type": "email-attachment",
        "uuid": "59a25dc1-36c4-412d-8b6d-b60e02de0b81",
        "value": "Выписка по карте клиента.docx"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1503813100",
        "to_ids": false,
        "type": "email-attachment",
        "uuid": "59a25dc1-9058-4d49-b0e9-b60e02de0b81",
        "value": "12.docx"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1503813100",
        "to_ids": false,
        "type": "text",
        "uuid": "59a25dd9-bf68-45c0-9374-494302de0b81",
        "value": "Last week, the Ukrainian Central Bank issued a warning around an attack being launched against Ukrainian banks. Thanks to one of our contacts in the region, we received the malware at an early stage and were able to provide coverage for our customers—always our first priority. Now that local authorities have publicly disclosed the matter, we would like to share some insights into the campaign.\r\n\r\nThe attacks appear to have targeted banks in Russia as well as Ukraine, and we are aware of reports of similar attack vectors and payloads in other countries.\r\n\r\nThe initial threat started with emails sent to the banks around August 10, 2017, and a second wave on August 18 that carried attachments containing a payload. The subject of the emails were triggered to get the attention of the users and lure them into opening the attachments."
      },
      {
        "category": "Payload delivery",
        "comment": "- Xchecked via VT: 647572d133677882f52843f799375ac77178616bcd3d9ed13b95d49eecfd0a51",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1503813100",
        "to_ids": true,
        "type": "sha1",
        "uuid": "59a25dec-e044-4ab0-a56f-b60e02de0b81",
        "value": "583570d92cc49ec7661c055c4900c439446307f9"
      },
      {
        "category": "Payload delivery",
        "comment": "- Xchecked via VT: 647572d133677882f52843f799375ac77178616bcd3d9ed13b95d49eecfd0a51",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1503813100",
        "to_ids": true,
        "type": "md5",
        "uuid": "59a25dec-a75c-45e3-89eb-b60e02de0b81",
        "value": "4eee1c5db5c4678cfa7ad6262a18253d"
      },
      {
        "category": "External analysis",
        "comment": "- Xchecked via VT: 647572d133677882f52843f799375ac77178616bcd3d9ed13b95d49eecfd0a51",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1503813100",
        "to_ids": false,
        "type": "link",
        "uuid": "59a25dec-f1ac-4268-8c34-b60e02de0b81",
        "value": "https://www.virustotal.com/file/647572d133677882f52843f799375ac77178616bcd3d9ed13b95d49eecfd0a51/analysis/1503366922/"
      },
      {
        "category": "Payload delivery",
        "comment": "- Xchecked via VT: e9d843761df7f6ef193d9f8e88d93a90816f2067fdd51a1c0765dfbfd4cb398f",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1503813100",
        "to_ids": true,
        "type": "sha1",
        "uuid": "59a25dec-cd54-489e-ada2-b60e02de0b81",
        "value": "dfaa3825b6bf2fc21978bf3234f38ffbd2966b96"
      },
      {
        "category": "Payload delivery",
        "comment": "- Xchecked via VT: e9d843761df7f6ef193d9f8e88d93a90816f2067fdd51a1c0765dfbfd4cb398f",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1503813100",
        "to_ids": true,
        "type": "md5",
        "uuid": "59a25dec-eb38-4439-88b3-b60e02de0b81",
        "value": "98c5c33f5c0bd07ac3e24935edab202a"
      },
      {
        "category": "External analysis",
        "comment": "- Xchecked via VT: e9d843761df7f6ef193d9f8e88d93a90816f2067fdd51a1c0765dfbfd4cb398f",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1503813100",
        "to_ids": false,
        "type": "link",
        "uuid": "59a25dec-7f9c-4fd1-8047-b60e02de0b81",
        "value": "https://www.virustotal.com/file/e9d843761df7f6ef193d9f8e88d93a90816f2067fdd51a1c0765dfbfd4cb398f/analysis/1503021378/"
      },
      {
        "category": "Payload delivery",
        "comment": "- Xchecked via VT: 1892154cc47e8a1bc81186d131e001a22e4edbc4fd88688eb1782b934e1941b6",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1503813100",
        "to_ids": true,
        "type": "sha1",
        "uuid": "59a25dec-5794-402f-a588-b60e02de0b81",
        "value": "a85e66a654ca056a14f64516af62e82c07036e06"
      },
      {
        "category": "Payload delivery",
        "comment": "- Xchecked via VT: 1892154cc47e8a1bc81186d131e001a22e4edbc4fd88688eb1782b934e1941b6",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1503813100",
        "to_ids": true,
        "type": "md5",
        "uuid": "59a25dec-2500-44c2-b562-b60e02de0b81",
        "value": "cfc0b41a7cde01333f10d48e9997d293"
      },
      {
        "category": "External analysis",
        "comment": "- Xchecked via VT: 1892154cc47e8a1bc81186d131e001a22e4edbc4fd88688eb1782b934e1941b6",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1503813100",
        "to_ids": false,
        "type": "link",
        "uuid": "59a25dec-0d44-442b-b613-b60e02de0b81",
        "value": "https://www.virustotal.com/file/1892154cc47e8a1bc81186d131e001a22e4edbc4fd88688eb1782b934e1941b6/analysis/1503475768/"
      },
      {
        "category": "Payload delivery",
        "comment": "- Xchecked via VT: 430c1bfa22e0f7b0e8742c0d70b8911089ba58645818e4281d7066d1324a3952",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1503813100",
        "to_ids": true,
        "type": "sha1",
        "uuid": "59a25dec-a084-4101-8ba1-b60e02de0b81",
        "value": "a8bcbaedfbd3eff1e3d5005c35bd8f4c4f6f325c"
      },
      {
        "category": "Payload delivery",
        "comment": "- Xchecked via VT: 430c1bfa22e0f7b0e8742c0d70b8911089ba58645818e4281d7066d1324a3952",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1503813100",
        "to_ids": true,
        "type": "md5",
        "uuid": "59a25dec-2e20-4de3-90c2-b60e02de0b81",
        "value": "5df8067a6fcb6c45c3b5c14adb944806"
      },
      {
        "category": "External analysis",
        "comment": "- Xchecked via VT: 430c1bfa22e0f7b0e8742c0d70b8911089ba58645818e4281d7066d1324a3952",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1503813100",
        "to_ids": false,
        "type": "link",
        "uuid": "59a25dec-6aa8-4213-a915-b60e02de0b81",
        "value": "https://www.virustotal.com/file/430c1bfa22e0f7b0e8742c0d70b8911089ba58645818e4281d7066d1324a3952/analysis/1503474922/"
      },
      {
        "category": "Payload delivery",
        "comment": "- Xchecked via VT: ecc055974d7d190871dc4eb1bf1f8b998d6e8abf04dba2ff560ae395aeec4d5d",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1503813100",
        "to_ids": true,
        "type": "sha1",
        "uuid": "59a25dec-bc48-4a8a-8977-b60e02de0b81",
        "value": "5983b31b80b7f3d84d9d0436574a7351d8522e9c"
      },
      {
        "category": "Payload delivery",
        "comment": "- Xchecked via VT: ecc055974d7d190871dc4eb1bf1f8b998d6e8abf04dba2ff560ae395aeec4d5d",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1503813100",
        "to_ids": true,
        "type": "md5",
        "uuid": "59a25dec-355c-4c9b-8590-b60e02de0b81",
        "value": "c43f1716d6dbb243f0b8cd92944a04bd"
      },
      {
        "category": "External analysis",
        "comment": "- Xchecked via VT: ecc055974d7d190871dc4eb1bf1f8b998d6e8abf04dba2ff560ae395aeec4d5d",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1503813100",
        "to_ids": false,
        "type": "link",
        "uuid": "59a25dec-c0d8-4432-a038-b60e02de0b81",
        "value": "https://www.virustotal.com/file/ecc055974d7d190871dc4eb1bf1f8b998d6e8abf04dba2ff560ae395aeec4d5d/analysis/1503475773/"
      }
    ]
  }
}