{ "type": "bundle", "id": "bundle--58179275-f030-4dce-a626-4c9802de0b81", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-10-31T19:17:29.000Z", "modified": "2016-10-31T19:17:29.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--58179275-f030-4dce-a626-4c9802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-10-31T19:17:29.000Z", "modified": "2016-10-31T19:17:29.000Z", "name": "OSINT - PSA: Conference Invite used as a Lure by Operation Lotus Blossom Actors", "published": "2016-10-31T19:17:34Z", "object_refs": [ "x-misp-attribute--5817929e-271c-4ba8-9cbc-4acc02de0b81", "observed-data--581792c2-2d30-4403-8c99-68fc02de0b81", "url--581792c2-2d30-4403-8c99-68fc02de0b81", "indicator--581792fd-75f0-4464-a327-405602de0b81", "indicator--581792fd-2920-4f99-9a62-4ad902de0b81", "indicator--581792fe-c394-45b7-8619-4c5102de0b81", "indicator--58179330-e5b0-4884-a984-44f602de0b81", "indicator--58179388-3ee4-4ed7-b686-664702de0b81", "indicator--58179388-dbbc-4176-ad81-664702de0b81", "indicator--58179389-d75c-4be4-b0d1-664702de0b81", "indicator--581794af-6c90-40a6-98a6-68fc02de0b81", "indicator--581794af-9e54-48e9-8b3a-68fc02de0b81", "observed-data--581794b0-afdc-4251-bf01-68fc02de0b81", "url--581794b0-afdc-4251-bf01-68fc02de0b81", "indicator--581794b0-4840-46aa-a35a-68fc02de0b81", "indicator--581794b1-f328-47eb-9020-68fc02de0b81", "observed-data--581794b1-2df8-4426-8302-68fc02de0b81", "url--581794b1-2df8-4426-8302-68fc02de0b81" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "osint:source-type=\"blog-post\"", "misp-galaxy:threat-actor=\"Lotus Blossom\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5817929e-271c-4ba8-9cbc-4acc02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-10-31T18:51:10.000Z", "modified": "2016-10-31T18:51:10.000Z", "labels": [ "misp:type=\"comment\"", "misp:category=\"Financial fraud\"" ], "x_misp_category": "Financial fraud", "x_misp_type": "comment", "x_misp_value": "Actors related to the Operation Lotus Blossom campaign continue their attack campaigns in the Asia Pacific region. It appears that these threat actors have begun using Palo Alto Networks upcoming Cyber Security Summit hosted on November 3, 2016 in Jakarta, Indonesia as a lure to compromise targeted individuals. The payload installed in attacks using this lure is a variant of the Emissary Trojan that we have analyzed in the past, which has direct links to threat actors associated with Operation Lotus Blossom.\r\n\r\nAs our readers and customers in Indonesia are likely recipients of this phishing e-mail, we want to release some key facts to clarify the situation.\r\n\r\nThe malicious email will have an attachment named \u00e2\u20ac\u0153[FREE INVITATIONS] CyberSecurity Summit.doc\u00e2\u20ac\u009d that if opened will exploit CVE-2012-0158. The legitimate invitation emails from Palo Alto Networks did not carry any attachments.\r\nIn response to this incident, we have halted our email invitations, so please disregard all new emails related to invitations to this conference, as it may be malicious.\r\nIndividuals wishing to attend the conference should register on our official CYBERSECURITY SUMMIT \u00e2\u20ac\u201c JAKARTA website." }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--581792c2-2d30-4403-8c99-68fc02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-10-31T18:51:46.000Z", "modified": "2016-10-31T18:51:46.000Z", "first_observed": "2016-10-31T18:51:46Z", "last_observed": "2016-10-31T18:51:46Z", "number_observed": 1, "object_refs": [ "url--581792c2-2d30-4403-8c99-68fc02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--581792c2-2d30-4403-8c99-68fc02de0b81", "value": "http://researchcenter.paloaltonetworks.com/2016/10/unit42-psa-conference-invite-used-lure-operation-lotus-blossom-actors/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--581792fd-75f0-4464-a327-405602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-10-31T18:52:45.000Z", "modified": "2016-10-31T18:52:45.000Z", "description": "Delivery Document", "pattern": "[file:hashes.SHA256 = '61de3df463f94f8583934edb227b174c7e4473b89bd110a6f6ba44fad8c41943']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-10-31T18:52:45Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--581792fd-2920-4f99-9a62-4ad902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-10-31T18:52:45.000Z", "modified": "2016-10-31T18:52:45.000Z", "description": "Emissary Loader", "pattern": "[file:hashes.SHA256 = 'aefa519feab9c8741af98ae2ddc287c404117e208cecd6479ee427f682814286']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-10-31T18:52:45Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--581792fe-c394-45b7-8619-4c5102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-10-31T18:52:46.000Z", "modified": "2016-10-31T18:52:46.000Z", "description": "C2 server", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '103.249.31.49']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-10-31T18:52:46Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58179330-e5b0-4884-a984-44f602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-10-31T18:53:36.000Z", "modified": "2016-10-31T18:53:36.000Z", "pattern": "[email-message:body_multipart[*].body_raw_ref.name = '[FREE INVITATIONS] CyberSecurity Summit.doc']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-10-31T18:53:36Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"email-attachment\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58179388-3ee4-4ed7-b686-664702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-10-31T18:55:04.000Z", "modified": "2016-10-31T18:55:04.000Z", "pattern": "[file:name = '\\\\%APPDATA\\\\%\\\\Programs\\\\Dsdcmsoon.dll']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-10-31T18:55:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58179388-dbbc-4176-ad81-664702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-10-31T18:55:04.000Z", "modified": "2016-10-31T18:55:04.000Z", "pattern": "[file:name = '\\\\%APPDATA\\\\%\\\\Programs\\\\DCMOS3124.DAT']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-10-31T18:55:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58179389-d75c-4be4-b0d1-664702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-10-31T18:55:05.000Z", "modified": "2016-10-31T18:55:05.000Z", "pattern": "[file:name = '\\\\%APPDATA\\\\%\\\\Programs\\\\CVNX044.DAT']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-10-31T18:55:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--581794af-6c90-40a6-98a6-68fc02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-10-31T18:59:59.000Z", "modified": "2016-10-31T18:59:59.000Z", "description": "Emissary Loader - Xchecked via VT: aefa519feab9c8741af98ae2ddc287c404117e208cecd6479ee427f682814286", "pattern": "[file:hashes.SHA1 = '93352181787450e9147ef40124ebde818a361947']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-10-31T18:59:59Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--581794af-9e54-48e9-8b3a-68fc02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-10-31T18:59:59.000Z", "modified": "2016-10-31T18:59:59.000Z", "description": "Emissary Loader - Xchecked via VT: aefa519feab9c8741af98ae2ddc287c404117e208cecd6479ee427f682814286", "pattern": "[file:hashes.MD5 = '9c06ac2eabd50ebfdd988df3b1a633fe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-10-31T18:59:59Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--581794b0-afdc-4251-bf01-68fc02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-10-31T19:00:00.000Z", "modified": "2016-10-31T19:00:00.000Z", "first_observed": "2016-10-31T19:00:00Z", "last_observed": "2016-10-31T19:00:00Z", "number_observed": 1, "object_refs": [ "url--581794b0-afdc-4251-bf01-68fc02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--581794b0-afdc-4251-bf01-68fc02de0b81", "value": "https://www.virustotal.com/file/aefa519feab9c8741af98ae2ddc287c404117e208cecd6479ee427f682814286/analysis/1477934763/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--581794b0-4840-46aa-a35a-68fc02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-10-31T19:00:00.000Z", "modified": "2016-10-31T19:00:00.000Z", "description": "Delivery Document - Xchecked via VT: 61de3df463f94f8583934edb227b174c7e4473b89bd110a6f6ba44fad8c41943", "pattern": "[file:hashes.SHA1 = '6f2688d24c67b766c4e3fc5de08e3f2137b71fad']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-10-31T19:00:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--581794b1-f328-47eb-9020-68fc02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-10-31T19:00:01.000Z", "modified": "2016-10-31T19:00:01.000Z", "description": "Delivery Document - Xchecked via VT: 61de3df463f94f8583934edb227b174c7e4473b89bd110a6f6ba44fad8c41943", "pattern": "[file:hashes.MD5 = '20c96609d10b2d497031e1e42970913a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-10-31T19:00:01Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--581794b1-2df8-4426-8302-68fc02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-10-31T19:00:01.000Z", "modified": "2016-10-31T19:00:01.000Z", "first_observed": "2016-10-31T19:00:01Z", "last_observed": "2016-10-31T19:00:01Z", "number_observed": 1, "object_refs": [ "url--581794b1-2df8-4426-8302-68fc02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--581794b1-2df8-4426-8302-68fc02de0b81", "value": "https://www.virustotal.com/file/61de3df463f94f8583934edb227b174c7e4473b89bd110a6f6ba44fad8c41943/analysis/1476950396/" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }