{ "Event": { "analysis": "2", "date": "2018-07-03", "extends_uuid": "", "info": "OSINT - Down but Not Out: A Look Into Recent Exploit Kit Activities", "publish_timestamp": "1530626594", "published": true, "threat_level_id": "3", "timestamp": "1530626412", "uuid": "5b3b7b6f-6234-45ea-be4f-ab8202de0b81", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#ffffff", "local": "0", "name": "tlp:white", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:exploit-kit=\"RIG\"", "relationship_type": "" }, { "colour": "#00223b", "local": "0", "name": "osint:source-type=\"blog-post\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1530624896", "to_ids": false, "type": "link", "uuid": "5b3b7b80-2e20-4f5a-b8a8-ab8202de0b81", "value": "https://blog.trendmicro.com/trendlabs-security-intelligence/a-look-into-recent-exploit-kit-activities/" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1530624930", "to_ids": false, "type": "text", "uuid": "5b3b7ba2-e47c-404d-928f-415002de0b81", "value": "Exploit kits may be down, but they\u2019re not out. While they\u2019re still using the same techniques that involve malvertisements or embedding links in spam and malicious or compromised websites, their latest activities are making them significant factors in the threat landscape again. 
This is the case with Rig and GrandSoft, as well as the private exploit kit Magnitude \u2014 exploit kits we found roping in relatively recent vulnerabilities to deliver cryptocurrency-mining malware, ransomware, botnet loaders, and banking trojans.\r\n\r\nBased on the exploit kits\u2019 latest activities, it appears they and their users are shifting tactics by joining the bandwagon, like capitalizing on cryptocurrency\u2019s popularity or using off-the-rack malware. We expect this to be the status quo this year, given the profitability of using cryptocurrency miners and the convenience of using ready-made malware. We also foresee more exploits that work on other software, such as CVE-2018-8174, which can be exploited via Microsoft Word and Internet Explorer." }, { "category": "Network activity", "comment": "Malicious domains and IP addresses related to GrandSoft exploit kit", "deleted": false, "disable_correlation": false, "timestamp": "1530625564", "to_ids": true, "type": "hostname", "uuid": "5b3b7e1c-756c-4e5a-aa63-46d002de0b81", "value": "ethical-buyback.lesbianssahgbrewingqzw.xyz" }, { "category": "Network activity", "comment": "Malicious domains and IP addresses related to GrandSoft exploit kit", "deleted": false, "disable_correlation": false, "timestamp": "1530625564", "to_ids": true, "type": "url", "uuid": "5b3b7e1c-a6c0-44b4-b4e7-415f02de0b81", "value": "ethical-buyback.lesbianssahgbrewingqzw.xyz/masking_celebration-skies" }, { "category": "Network activity", "comment": "Malicious domains and IP addresses related to GrandSoft exploit kit", "deleted": false, "disable_correlation": false, "timestamp": "1530625565", "to_ids": true, "type": "url", "uuid": "5b3b7e1d-bbec-4f67-aef5-40d702de0b81", "value": "papconnecting.net/wp-content/traffic.php" }, { "category": "Network activity", "comment": "GandCrab C&C", "deleted": false, "disable_correlation": false, "timestamp": "1530625591", "to_ids": true, "type": "domain", "uuid": 
"5b3b7e37-a474-4145-94c3-4b1402de0b81", "value": "carder.bit" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1530625656", "to_ids": true, "type": "url", "uuid": "5b3b7e78-3d10-4fee-842a-ae7e02de0b81", "value": "91.210.104.247/debug.txt" }, { "category": "Network activity", "comment": "GandCrab Ransomware", "deleted": false, "disable_correlation": false, "timestamp": "1530625656", "to_ids": true, "type": "url", "uuid": "5b3b7e78-63a8-46d0-b8df-ae7e02de0b81", "value": "91.210.104.247/putty.exe" }, { "category": "Network activity", "comment": "(BlackTDS IP)", "deleted": false, "disable_correlation": false, "timestamp": "1530625657", "to_ids": true, "type": "ip-dst", "uuid": "5b3b7e79-0498-40d8-b851-ae7e02de0b81", "value": "200.74.240.219" }, { "category": "Network activity", "comment": "Magniber Payment Server", "deleted": false, "disable_correlation": false, "timestamp": "1530625857", "to_ids": true, "type": "ip-dst", "uuid": "5b3b7f41-9ca8-45cb-b4f8-ab8202de0b81", "value": "54.37.57.152" }, { "category": "Network activity", "comment": "Magniber Payment Server", "deleted": false, "disable_correlation": false, "timestamp": "1530625857", "to_ids": true, "type": "ip-dst", "uuid": "5b3b7f41-b204-4a20-a7e2-ab8202de0b81", "value": "64.188.10.44" }, { "category": "Network activity", "comment": "Magniber Payment Server", "deleted": false, "disable_correlation": false, "timestamp": "1530625857", "to_ids": true, "type": "ip-dst", "uuid": "5b3b7f41-cd24-4412-969c-ab8202de0b81", "value": "139.60.161.51" }, { "category": "Network activity", "comment": "Magnigate Step 1", "deleted": false, "disable_correlation": false, "timestamp": "1530625858", "to_ids": true, "type": "ip-dst", "uuid": "5b3b7f42-acc0-4282-98f3-ab8202de0b81", "value": "149.56.159.203" }, { "category": "Network activity", "comment": "Magnitude EK", "deleted": false, "disable_correlation": false, "timestamp": "1530625858", "to_ids": true, "type": 
"ip-dst", "uuid": "5b3b7f42-db68-451e-8a47-ab8202de0b81", "value": "167.114.191.124" }, { "category": "Network activity", "comment": "Magnigate Step 2", "deleted": false, "disable_correlation": false, "timestamp": "1530625859", "to_ids": true, "type": "ip-dst", "uuid": "5b3b7f43-c578-46ca-acbb-ab8202de0b81", "value": "167.114.33.110" }, { "category": "Network activity", "comment": "Magniber Payment Server", "deleted": false, "disable_correlation": false, "timestamp": "1530625859", "to_ids": true, "type": "ip-dst", "uuid": "5b3b7f43-ab28-4653-b8ea-ab8202de0b81", "value": "185.244.150.110" }, { "category": "Network activity", "comment": "Magnigate Step 2", "deleted": false, "disable_correlation": false, "timestamp": "1530625860", "to_ids": true, "type": "domain", "uuid": "5b3b7f44-3a94-4042-ab95-ab8202de0b81", "value": "fedpart.website" }, { "category": "Network activity", "comment": "Magnitude landing page", "deleted": false, "disable_correlation": false, "timestamp": "1530625860", "to_ids": true, "type": "domain", "uuid": "5b3b7f44-7518-4f82-a1fb-ab8202de0b81", "value": "addrole.space" }, { "category": "Network activity", "comment": "Magnigate Step 1b", "deleted": false, "disable_correlation": false, "timestamp": "1530625861", "to_ids": true, "type": "domain", "uuid": "5b3b7f45-c1d8-47e7-b326-ab8202de0b81", "value": "taxhuge.com" }, { "category": "Network activity", "comment": "Rig EK; also where Kardon Loader was downloaded", "deleted": false, "disable_correlation": false, "timestamp": "1530626064", "to_ids": true, "type": "ip-dst", "uuid": "5b3b8010-54e0-4e3c-85bb-ae8f02de0b81", "value": "188.225.37.242" }, { "category": "Network activity", "comment": "Malicious domains and IP addresses related to Rig exploit kit", "deleted": false, "disable_correlation": false, "timestamp": "1530626064", "to_ids": true, "type": "ip-dst", "uuid": "5b3b8010-0738-42da-8b4e-ae8f02de0b81", "value": "193.23.181.154" }, { "category": "Network activity", "comment": "Malicious domains 
and IP addresses related to Rig exploit kit", "deleted": false, "disable_correlation": false, "timestamp": "1530626065", "to_ids": true, "type": "url", "uuid": "5b3b8011-1f14-4735-9bc2-ae8f02de0b81", "value": "193.23.181.154/crypto/?placement=198395354" }, { "category": "Payload delivery", "comment": "TROJ_DLOADR.SULQ", "deleted": false, "disable_correlation": false, "timestamp": "1530626168", "to_ids": true, "type": "sha256", "uuid": "5b3b8078-ec74-4cff-bfa6-4b9d02de0b81", "value": "69ec63646a589127c573fed9498a11d3e75009751ac5e16a80e7aa684ad66240" }, { "category": "Payload delivery", "comment": "TROJ_KARDONLDR.A", "deleted": false, "disable_correlation": false, "timestamp": "1530626168", "to_ids": true, "type": "sha256", "uuid": "5b3b8078-ad54-4d3b-9cd0-424d02de0b81", "value": "aca8e9ecb7c8797c1bc03202a738a0ad586b00968f6c21ab83b9bb43b5c49243" }, { "category": "Payload delivery", "comment": "TROJ_KARIUS.A", "deleted": false, "disable_correlation": false, "timestamp": "1530626169", "to_ids": true, "type": "sha256", "uuid": "5b3b8079-b7f4-4277-858a-432902de0b81", "value": "5f7d3d7bf2ad424b8552ae78682a4f89080b41fedbcc34edce2b2a2c8baf47d4" }, { "category": "Payload delivery", "comment": "COINMINER_MALXMR.SM4-WIN32", "deleted": false, "disable_correlation": false, "timestamp": "1530626169", "to_ids": true, "type": "sha256", "uuid": "5b3b8079-8bb0-447f-ae3d-4d3d02de0b81", "value": "24d17158531180849f5b0819ac965d796886b8238d8a690e2a7ecb3d7fd3bf2b" } ], "Object": [ { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1530626275", "uuid": "73665dc3-b0f2-4564-91b8-2932403695d7", "ObjectReference": [ { "comment": "", "object_uuid": "73665dc3-b0f2-4564-91b8-2932403695d7", "referenced_uuid": "d02d31c4-8128-41d2-bd3b-825b2389df8c", "relationship_type": "analysed-with", "timestamp": 
"1530626282", "uuid": "5b3b80ea-b010-4396-ae8d-4d2102de0b81" } ], "Attribute": [] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "2", "timestamp": "1530626273", "uuid": "d02d31c4-8128-41d2-bd3b-825b2389df8c", "Attribute": [] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1530626277", "uuid": "1924a25c-c807-4fa6-a14c-d8061c3c72a3", "ObjectReference": [ { "comment": "", "object_uuid": "1924a25c-c807-4fa6-a14c-d8061c3c72a3", "referenced_uuid": "bcc933cf-b284-4ab8-b1fa-2e2c8a2e1613", "relationship_type": "analysed-with", "timestamp": "1530626282", "uuid": "5b3b80ea-44f0-4963-8548-4e7b02de0b81" } ], "Attribute": [] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "2", "timestamp": "1530626276", "uuid": "bcc933cf-b284-4ab8-b1fa-2e2c8a2e1613", "Attribute": [] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1530626280", "uuid": "25e765d8-e066-4981-a075-0912806c404c", "ObjectReference": [ { "comment": "", "object_uuid": "25e765d8-e066-4981-a075-0912806c404c", "referenced_uuid": "87ffa5a2-5445-4088-81a6-13475f44401a", "relationship_type": "analysed-with", "timestamp": "1530626282", "uuid": "5b3b80ea-3c9c-4410-ad34-4bc902de0b81" } ], "Attribute": [] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", 
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "2", "timestamp": "1530626278", "uuid": "87ffa5a2-5445-4088-81a6-13475f44401a", "Attribute": [] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1530626282", "uuid": "a23c9b1d-82e5-4df2-9308-78f86d3e7f59", "ObjectReference": [ { "comment": "", "object_uuid": "a23c9b1d-82e5-4df2-9308-78f86d3e7f59", "referenced_uuid": "1c6f0eb3-95ce-493b-96b4-33424617a396", "relationship_type": "analysed-with", "timestamp": "1530626282", "uuid": "5b3b80ea-3e68-489a-8b99-424902de0b81" } ], "Attribute": [] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "2", "timestamp": "1530626281", "uuid": "1c6f0eb3-95ce-493b-96b4-33424617a396", "Attribute": [] } ] } }