{ "type": "bundle", "id": "bundle--5aac24b9-0404-4877-8b3f-425e02de0b81", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-03-16T20:16:09.000Z", "modified": "2018-03-16T20:16:09.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--5aac24b9-0404-4877-8b3f-425e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-03-16T20:16:09.000Z", "modified": "2018-03-16T20:16:09.000Z", "name": "OSINT - Sofacy Uses DealersChoice to Target European Government Agency", "published": "2018-03-16T20:16:18Z", "object_refs": [ "observed-data--5aac24cd-c348-4913-8e3c-46ad02de0b81", "url--5aac24cd-c348-4913-8e3c-46ad02de0b81", "x-misp-attribute--5aac24df-8cac-4ae2-9f83-41fe02de0b81", "indicator--5aac24ff-7354-4cea-8aaa-45e302de0b81", "indicator--5aac24ff-3730-48fb-a4e5-4d8702de0b81", "indicator--5aac2500-5ff8-4a87-9791-4b8f02de0b81", "indicator--5aac250d-65a0-4c55-b1d1-4f2402de0b81", "indicator--5aac2548-f190-4dbb-a63b-4fce02de0b81", "indicator--fdbb06b0-985e-4623-b4be-6ff5a18d2bca", "x-misp-object--69bee5ff-3c03-4673-9b38-3569296560c7", "indicator--c7e2bc2b-9343-40a6-b68c-816c2d4d7233", "x-misp-object--0c6dc100-f189-4185-9795-0d947e5148f2", "indicator--0f32f6dc-a546-44dd-adb1-81aa86fe31ac", "x-misp-object--ca30c358-c897-4462-84ff-b5feedfed6ad", "indicator--caa045ce-bcbe-4a02-bffb-ea43f82ef608", "x-misp-object--5bfdbdfb-a83b-4cd9-84a9-dad020118364", "relationship--2e35209f-e689-4db9-8282-08cedf28cb85", "relationship--9e81a705-995c-4ef6-a3fd-532e7d762316", "relationship--056e99b0-2953-4294-9127-19ada702eea3", "relationship--bd6b0e80-ec61-4641-bd13-a19b6120dd59" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "misp-galaxy:threat-actor=\"Sofacy\"", "misp-galaxy:mitre-mobile-attack-intrusion-set=\"APT28\"", "misp-galaxy:microsoft-activity-group=\"STRONTIUM\"", 
"osint:source-type=\"blog-post\"", "admiralty-scale:source-reliability=\"b\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5aac24cd-c348-4913-8e3c-46ad02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-03-16T20:13:08.000Z", "modified": "2018-03-16T20:13:08.000Z", "first_observed": "2018-03-16T20:13:08Z", "last_observed": "2018-03-16T20:13:08Z", "number_observed": 1, "object_refs": [ "url--5aac24cd-c348-4913-8e3c-46ad02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5aac24cd-c348-4913-8e3c-46ad02de0b81", "value": "https://researchcenter.paloaltonetworks.com/2018/03/unit42-sofacy-uses-dealerschoice-target-european-government-agency/" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5aac24df-8cac-4ae2-9f83-41fe02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-03-16T20:13:08.000Z", "modified": "2018-03-16T20:13:08.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"External analysis\"" ], "x_misp_category": "External analysis", "x_misp_type": "text", "x_misp_value": "Back in October 2016, Unit 42 published an initial analysis on a Flash exploitation framework used by the Sofacy threat group called DealersChoice. The attack consisted of Microsoft Word delivery documents that contained Adobe Flash objects capable of loading additional malicious Flash objects embedded in the file or directly provided by a command and control server. 
Sofacy continued to use DealersChoice throughout the fall of 2016, which we also documented in our December 2016 publication discussing Sofacy\u2019s larger campaign.\r\n\r\nOn March 12 and March 14, we observed the Sofacy group carrying out an attack on a European government agency involving an updated variant of DealersChoice. The updated DealersChoice documents used a similar process to obtain a malicious Flash object from a C2 server, but the inner mechanics of the Flash object contained significant differences in comparison to the original samples we analyzed.\r\n\r\nOne of the differences was a particularly clever evasion technique: to our knowledge this has never been observed in use. With the previous iterations of DealersChoice samples, the Flash object would immediately load and begin malicious tasks. In the March attacks, the Flash object is only loaded if the user scrolls through the entire content of the delivery document and views the specific page the Flash object is embedded on. 
Also, DealersChoice requires multiple interactions with an active C2 server to successfully exploit an end system.\r\n\r\nThe overall process to result in a successful exploitation is:\r\n\r\n User must open the Microsoft Word email attachment\r\n User must scroll to page three of the document, which will run the DealersChoice Flash object\r\n The Flash object must contact an active C2 server to download an additional Flash object containing exploit code\r\n The initial Flash object must contact the same C2 server to download a secondary payload\r\n Victim host must have a vulnerable version of Flash installed" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5aac24ff-7354-4cea-8aaa-45e302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-03-16T20:11:43.000Z", "modified": "2018-03-16T20:11:43.000Z", "description": "Macro-ladened documents", "pattern": "[file:hashes.SHA256 = 'e5511b22245e26a003923ba476d7c36029939b2d1936e17a9b35b396467179ae']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-03-16T20:11:43Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5aac24ff-3730-48fb-a4e5-4d8702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-03-16T20:11:43.000Z", "modified": "2018-03-16T20:11:43.000Z", "description": "Macro-ladened documents", "pattern": "[file:hashes.SHA256 = 'efb235776851502672dba5ef45d96cc65cb9ebba1b49949393a6a85b9c822f52']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-03-16T20:11:43Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { 
"type": "indicator", "spec_version": "2.1", "id": "indicator--5aac2500-5ff8-4a87-9791-4b8f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-03-16T20:11:44.000Z", "modified": "2018-03-16T20:11:44.000Z", "description": "Macro-ladened documents", "pattern": "[file:hashes.SHA256 = 'c4be15f9ccfecf7a463f3b1d4a17e7b4f95de939e057662c3f97b52f7fa3c52f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-03-16T20:11:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5aac250d-65a0-4c55-b1d1-4f2402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-03-16T20:13:09.000Z", "modified": "2018-03-16T20:13:09.000Z", "pattern": "[domain-name:value = 'ndpmedia24.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-03-16T20:13:09Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5aac2548-f190-4dbb-a63b-4fce02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-03-16T20:12:56.000Z", "modified": "2018-03-16T20:12:56.000Z", "pattern": "[file:hashes.SHA256 = '0cd9ac328d858d8d83c9eb73bfdc59a958873b3d71b24c888d7408d9512a41d7' AND file:name = 'Defence & Security 2018 Conference Agenda.docx' AND file:x_misp_text = 'DealersChoice' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-03-16T20:12:56Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", 
"misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--fdbb06b0-985e-4623-b4be-6ff5a18d2bca", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-03-16T20:13:12.000Z", "modified": "2018-03-16T20:13:12.000Z", "pattern": "[file:hashes.MD5 = '87d7c3096ae4167a19c10d0d204c4609' AND file:hashes.SHA1 = '7204be1059d404ecb81a20c89f9448f599aa9cfe' AND file:hashes.SHA256 = '0cd9ac328d858d8d83c9eb73bfdc59a958873b3d71b24c888d7408d9512a41d7']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-03-16T20:13:12Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--69bee5ff-3c03-4673-9b38-3569296560c7", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-03-16T20:13:10.000Z", "modified": "2018-03-16T20:13:10.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/0cd9ac328d858d8d83c9eb73bfdc59a958873b3d71b24c888d7408d9512a41d7/analysis/1521229058/", "category": "External analysis", "uuid": "5aac2556-04d0-40d9-936b-44df02de0b81" }, { "type": "text", "object_relation": "detection-ratio", "value": "7/60", "category": "Other", "uuid": "5aac2557-6e04-4c31-a658-4f5002de0b81" }, { "type": "datetime", "object_relation": "last-submission", "value": "2018-03-16T19:37:38", "category": "Other", "uuid": "5aac2557-299c-46a8-811e-45d102de0b81" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--c7e2bc2b-9343-40a6-b68c-816c2d4d7233", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": 
"2018-03-16T20:13:14.000Z", "modified": "2018-03-16T20:13:14.000Z", "pattern": "[file:hashes.MD5 = 'f52ea8f238e57e49bfae304bd656ad98' AND file:hashes.SHA1 = '169c8f3e3d22e192c108bc95164d362ce5437465' AND file:hashes.SHA256 = 'efb235776851502672dba5ef45d96cc65cb9ebba1b49949393a6a85b9c822f52']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-03-16T20:13:14Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--0c6dc100-f189-4185-9795-0d947e5148f2", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-03-16T20:13:13.000Z", "modified": "2018-03-16T20:13:13.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/efb235776851502672dba5ef45d96cc65cb9ebba1b49949393a6a85b9c822f52/analysis/1521222896/", "category": "External analysis", "comment": "Macro-ladened documents", "uuid": "5aac2559-c9e4-46da-b7b5-48a602de0b81" }, { "type": "text", "object_relation": "detection-ratio", "value": "37/59", "category": "Other", "comment": "Macro-ladened documents", "uuid": "5aac2559-42dc-4076-947c-410c02de0b81" }, { "type": "datetime", "object_relation": "last-submission", "value": "2018-03-16T17:54:56", "category": "Other", "comment": "Macro-ladened documents", "uuid": "5aac2559-ccec-44f3-bf71-432302de0b81" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--0f32f6dc-a546-44dd-adb1-81aa86fe31ac", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-03-16T20:13:16.000Z", "modified": "2018-03-16T20:13:16.000Z", "pattern": "[file:hashes.MD5 = '94b288154e3d0225f86bb3c012fa8d63' 
AND file:hashes.SHA1 = '4873bafe44cff06845faa0ce7c270c4ce3c9f7b9' AND file:hashes.SHA256 = 'e5511b22245e26a003923ba476d7c36029939b2d1936e17a9b35b396467179ae']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-03-16T20:13:16Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--ca30c358-c897-4462-84ff-b5feedfed6ad", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-03-16T20:13:15.000Z", "modified": "2018-03-16T20:13:15.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/e5511b22245e26a003923ba476d7c36029939b2d1936e17a9b35b396467179ae/analysis/1521222684/", "category": "External analysis", "comment": "Macro-ladened documents", "uuid": "5aac255b-5d1c-4d18-83dc-49f502de0b81" }, { "type": "text", "object_relation": "detection-ratio", "value": "37/57", "category": "Other", "comment": "Macro-ladened documents", "uuid": "5aac255b-e0b8-48b7-b404-470202de0b81" }, { "type": "datetime", "object_relation": "last-submission", "value": "2018-03-16T17:51:24", "category": "Other", "comment": "Macro-ladened documents", "uuid": "5aac255b-a4cc-4f24-bbcc-4bd302de0b81" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--caa045ce-bcbe-4a02-bffb-ea43f82ef608", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-03-16T20:13:19.000Z", "modified": "2018-03-16T20:13:19.000Z", "pattern": "[file:hashes.MD5 = '085be1b8b8f3e90be00f6a3bcea2879f' AND file:hashes.SHA1 = 'cc7607015cd7a1a4452acd3d87adabdd7e005bd7' AND file:hashes.SHA256 = 
'c4be15f9ccfecf7a463f3b1d4a17e7b4f95de939e057662c3f97b52f7fa3c52f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-03-16T20:13:19Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--5bfdbdfb-a83b-4cd9-84a9-dad020118364", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-03-16T20:13:17.000Z", "modified": "2018-03-16T20:13:17.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/c4be15f9ccfecf7a463f3b1d4a17e7b4f95de939e057662c3f97b52f7fa3c52f/analysis/1521222974/", "category": "External analysis", "comment": "Macro-ladened documents", "uuid": "5aac255d-ac80-4a76-80f7-487102de0b81" }, { "type": "text", "object_relation": "detection-ratio", "value": "17/39", "category": "Other", "comment": "Macro-ladened documents", "uuid": "5aac255d-fb30-4025-b44f-4ca802de0b81" }, { "type": "datetime", "object_relation": "last-submission", "value": "2018-03-16T17:56:14", "category": "Other", "comment": "Macro-ladened documents", "uuid": "5aac255d-f454-4120-869f-482002de0b81" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--2e35209f-e689-4db9-8282-08cedf28cb85", "created": "2018-03-16T20:13:18.000Z", "modified": "2018-03-16T20:13:18.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--fdbb06b0-985e-4623-b4be-6ff5a18d2bca", "target_ref": "x-misp-object--69bee5ff-3c03-4673-9b38-3569296560c7" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--9e81a705-995c-4ef6-a3fd-532e7d762316", "created": "2018-03-16T20:13:18.000Z", "modified": 
"2018-03-16T20:13:18.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--c7e2bc2b-9343-40a6-b68c-816c2d4d7233", "target_ref": "x-misp-object--0c6dc100-f189-4185-9795-0d947e5148f2" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--056e99b0-2953-4294-9127-19ada702eea3", "created": "2018-03-16T20:13:18.000Z", "modified": "2018-03-16T20:13:18.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--0f32f6dc-a546-44dd-adb1-81aa86fe31ac", "target_ref": "x-misp-object--ca30c358-c897-4462-84ff-b5feedfed6ad" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--bd6b0e80-ec61-4641-bd13-a19b6120dd59", "created": "2018-03-16T20:13:18.000Z", "modified": "2018-03-16T20:13:18.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--caa045ce-bcbe-4a02-bffb-ea43f82ef608", "target_ref": "x-misp-object--5bfdbdfb-a83b-4cd9-84a9-dad020118364" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }