{ "Event": { "analysis": "2", "date": "2017-05-18", "extends_uuid": "", "info": "OSINT - Will Astrum Fill the Vacuum in the Exploit Kit Landscape?", "publish_timestamp": "1495135852", "published": true, "threat_level_id": "3", "timestamp": "1495135834", "uuid": "591df523-1b50-4547-ae34-4dca02de0b81", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#0088cc", "name": "misp-galaxy:exploit-kit=\"Astrum\"" }, { "colour": "#ffffff", "name": "tlp:white" }, { "colour": "#001d3f", "name": "riskiq:threat-type=\"exploit-kit\"" }, { "colour": "#3ab400", "name": "enisa:nefarious-activity-abuse=\"exploits-exploit-kits\"" }, { "colour": "#ff0000", "name": "dnc:infrastructure-type=\"exploit-kit\"" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1495135696", "to_ids": false, "type": "link", "uuid": "591df52d-9d40-4b89-93aa-4e9c02de0b81", "value": "http://blog.trendmicro.com/trendlabs-security-intelligence/astrum-exploit-kit-abuses-diffie-hellman-key-exchange/", "Tag": [ { "colour": "#00223b", "name": "osint:source-type=\"blog-post\"" } ] }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1495135696", "to_ids": false, "type": "text", "uuid": "591df541-cb4c-454a-9ca3-4e7202de0b81", "value": "The decline of exploit kit activity\u00e2\u20ac\u201dparticularly from well-known exploit kits like Magnitude, Nuclear, Neutrino, and Rig during the latter half of 2016\u00e2\u20ac\u201ddoesn\u00e2\u20ac\u2122t mean exploit kits are throwing in the towel just yet. This is the casse with Astrum (also known as Stagano), an old and seemingly reticent exploit kit we observed to have been updated multiple times as of late.\r\n\r\nAstrum was known to be have been exclusively used by the AdGholas malvertising campaign that delivered a plethora of threats including banking Trojans Dreambot/Gozi (also known as Ursnif, and detected by Trend Micro as BKDR_URSNIF) and RAMNIT (TROJ_RAMNIT, PE_RAMNIT). We\u00e2\u20ac\u2122re also seeing Astrum redirected by the Seamless malvertising campaign, which is known for using the Rig exploit kit.\r\n\r\nAstrum\u00e2\u20ac\u2122s recent activities feature several upgrades and show how it\u00e2\u20ac\u2122s starting to move away from the more established malware mentioned above. It appears these changes were done to lay the groundwork for future campaigns, and possibly to broaden its use. With a modus operandi that deters analysis and forensics by abusing the Diffie-Hellman key exchange, it appears Astrum is throwing down the gauntlet.", "Tag": [ { "colour": "#00223b", "name": "osint:source-type=\"blog-post\"" } ] }, { "category": "Network activity", "comment": "IP Address and domain related to Astrum exploit kit:", "deleted": false, "disable_correlation": false, "timestamp": "1495135696", "to_ids": true, "type": "ip-dst", "uuid": "591df59d-ce64-42b5-b2b6-429402de0b81", "value": "141.255.161.68" }, { "category": "Network activity", "comment": "IP Address and domain related to Astrum exploit kit:", "deleted": false, "disable_correlation": false, "timestamp": "1495135696", "to_ids": true, "type": "url", "uuid": "591df59d-ad88-40e7-9ba9-4c3d02de0b81", "value": "http://define.predatorhuntingusa.com" }, { "category": "Payload delivery", "comment": "dropped payload", "deleted": false, "disable_correlation": false, "timestamp": "1495135696", "to_ids": true, "type": "sha256", "uuid": "591df5ab-1f9c-4aca-8d89-4bb002de0b81", "value": "39b1e99034338d7f5b0cbff9fb9bd93d9e4dd8f4c77b543da435bb2d2259b0b5" }, { "category": "Payload delivery", "comment": "dropped payload", "deleted": false, "disable_correlation": false, "timestamp": "1495135696", "to_ids": true, "type": "sha256", "uuid": "591df5ab-07a4-4467-af75-4af302de0b81", "value": "ccf89a7c8005948b9548cdde12cbd060f618234fd00dfd434c52ea5027353be8" }, { "category": "Network activity", "comment": "IP Addresses related to Seamless Malvertising Campaign", "deleted": false, "disable_correlation": false, "timestamp": "1495135696", "to_ids": true, "type": "ip-dst", "uuid": "591df5c8-a484-4569-923d-447202de0b81", "value": "193.124.200.194" }, { "category": "Network activity", "comment": "IP Addresses related to Seamless Malvertising Campaign", "deleted": false, "disable_correlation": false, "timestamp": "1495135696", "to_ids": true, "type": "ip-dst", "uuid": "591df5c9-821c-421d-a18b-452e02de0b81", "value": "193.124.200.212" }, { "category": "Payload delivery", "comment": "IP Addresses related to Seamless Malvertising Campaign", "deleted": false, "disable_correlation": false, "timestamp": "1495135696", "to_ids": true, "type": "filename", "uuid": "591df5c9-7b30-4f7d-9d78-418802de0b81", "value": "194.58.40.46" }, { "category": "Payload delivery", "comment": "dropped payload - Xchecked via VT: ccf89a7c8005948b9548cdde12cbd060f618234fd00dfd434c52ea5027353be8", "deleted": false, "disable_correlation": false, "timestamp": "1495135700", "to_ids": true, "type": "sha1", "uuid": "591df5d4-6564-4541-b200-404e02de0b81", "value": "691d3600ede858cfbb56a76ccaf3e2ae9cd784a2" }, { "category": "Payload delivery", "comment": "dropped payload - Xchecked via VT: ccf89a7c8005948b9548cdde12cbd060f618234fd00dfd434c52ea5027353be8", "deleted": false, "disable_correlation": false, "timestamp": "1495135700", "to_ids": true, "type": "md5", "uuid": "591df5d4-6f4c-40e3-baac-4acc02de0b81", "value": "34b6eb75b8e973fbb065586b4a169cf6" }, { "category": "External analysis", "comment": "dropped payload - Xchecked via VT: ccf89a7c8005948b9548cdde12cbd060f618234fd00dfd434c52ea5027353be8", "deleted": false, "disable_correlation": false, "timestamp": "1495135701", "to_ids": false, "type": "link", "uuid": "591df5d5-ab48-4e46-83ab-403002de0b81", "value": "https://www.virustotal.com/file/ccf89a7c8005948b9548cdde12cbd060f618234fd00dfd434c52ea5027353be8/analysis/1494841409/" }, { "category": "Payload delivery", "comment": "dropped payload - Xchecked via VT: 39b1e99034338d7f5b0cbff9fb9bd93d9e4dd8f4c77b543da435bb2d2259b0b5", "deleted": false, "disable_correlation": false, "timestamp": "1495135701", "to_ids": true, "type": "sha1", "uuid": "591df5d5-6c84-4bba-950b-48e702de0b81", "value": "79b64ec0395ba20f0de4f6139d6d994668c7b45b" }, { "category": "Payload delivery", "comment": "dropped payload - Xchecked via VT: 39b1e99034338d7f5b0cbff9fb9bd93d9e4dd8f4c77b543da435bb2d2259b0b5", "deleted": false, "disable_correlation": false, "timestamp": "1495135702", "to_ids": true, "type": "md5", "uuid": "591df5d6-a22c-4d13-ab1d-45bb02de0b81", "value": "986df65fe63bcab25996b5edc93b0de0" }, { "category": "External analysis", "comment": "dropped payload - Xchecked via VT: 39b1e99034338d7f5b0cbff9fb9bd93d9e4dd8f4c77b543da435bb2d2259b0b5", "deleted": false, "disable_correlation": false, "timestamp": "1495135702", "to_ids": false, "type": "link", "uuid": "591df5d6-f854-4881-b6da-43bf02de0b81", "value": "https://www.virustotal.com/file/39b1e99034338d7f5b0cbff9fb9bd93d9e4dd8f4c77b543da435bb2d2259b0b5/analysis/1493282868/" } ] } }