{ "Event": { "analysis": "0", "date": "2019-09-09", "extends_uuid": "", "info": "OSINT - ESET discovered an undocumented backdoor used by the infamous Stealth Falcon group", "publish_timestamp": "1568204241", "published": true, "threat_level_id": "3", "timestamp": "1568193300", "uuid": "5d78a50e-ba3c-40b3-a5c1-4fb1950d210f", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#0088cc", "name": "misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Stealth Falcon\"" }, { "colour": "#0088cc", "name": "misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Stealth Falcon - G0038\"" }, { "colour": "#0088cc", "name": "misp-galaxy:mitre-intrusion-set=\"Stealth Falcon\"" }, { "colour": "#0088cc", "name": "misp-galaxy:mitre-intrusion-set=\"Stealth Falcon - G0038\"" }, { "colour": "#13f100", "name": "misp-galaxy:threat-actor=\"Stealth Falcon\"" }, { "colour": "#004646", "name": "type:OSINT" }, { "colour": "#0071c3", "name": "osint:lifetime=\"perpetual\"" }, { "colour": "#0087e8", "name": "osint:certainty=\"50\"" }, { "colour": "#ffffff", "name": "tlp:white" }, { "colour": "#0088cc", "name": "misp-galaxy:mitre-attack-pattern=\"BITS Jobs - T1197\"" }, { "colour": "#0088cc", "name": "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"BITS Jobs - T1197\"" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1568188868", "to_ids": false, "type": "link", "uuid": "5d78a9c4-1108-4eb4-aca8-e76e950d210f", "value": "https://www.welivesecurity.com/2019/09/09/backdoor-stealth-falcon-group/" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1568188891", "to_ids": false, "type": "text", "uuid": "5d78a9db-1b4c-4f0b-8e96-8aaa950d210f", "value": "Stealth Falcon is a threat group, active since 2012, that targets political activists and journalists in the Middle East. It has been tracked by the Citizen Lab, a non-profit organization focusing on security and human rights, which published an analysis of a particular cyberattack in 2016. In January of 2019, Reuters published an investigative report into Project Raven, an initiative allegedly employing former NSA operatives and aiming at the same types of targets as Stealth Falcon." }, { "category": "Network activity", "comment": "C&C", "deleted": false, "disable_correlation": false, "timestamp": "1568189620", "to_ids": true, "type": "domain", "uuid": "5d78acb4-ae5c-468f-8570-e7f0950d210f", "value": "footballtimes.info" }, { "category": "Network activity", "comment": "C&C", "deleted": false, "disable_correlation": false, "timestamp": "1568189620", "to_ids": true, "type": "domain", "uuid": "5d78acb4-8a10-4a25-9981-e7f0950d210f", "value": "vegetableportfolio.com" }, { "category": "Network activity", "comment": "C&C", "deleted": false, "disable_correlation": false, "timestamp": "1568189620", "to_ids": true, "type": "domain", "uuid": "5d78acb4-91d4-4a43-b367-e7f0950d210f", "value": "windowsearchcache.com" }, { "category": "Network activity", "comment": "C&C", "deleted": false, "disable_correlation": false, "timestamp": "1568189620", "to_ids": true, "type": "domain", "uuid": "5d78acb4-fed4-4e1a-9239-e7f0950d210f", "value": "electricalweb.org" }, { "category": "Network activity", "comment": "C&C", "deleted": false, "disable_correlation": false, "timestamp": "1568189620", "to_ids": true, "type": "domain", "uuid": "5d78acb4-1f6c-43db-9dc0-e7f0950d210f", "value": "upnpdiscover.org" }, { "category": "Payload delivery", "comment": "malware as detected by ESET", "deleted": false, "disable_correlation": false, "timestamp": "1568189662", "to_ids": true, "type": "sha1", "uuid": "5d78acde-9514-4e9d-968b-c52e950d210f", "value": "31b54aebdaf5fbc73a66ac41ccb35943cc9b7f72" }, { "category": "Payload delivery", "comment": "malware as detected by ESET", "deleted": false, "disable_correlation": false, "timestamp": "1568189662", "to_ids": true, "type": "sha1", "uuid": "5d78acde-80f8-4127-81c8-c52e950d210f", "value": "50973a3fc57d70c7911f7a952356188b9939e56b" }, { "category": "Payload delivery", "comment": "malware as detected by ESET", "deleted": false, "disable_correlation": false, "timestamp": "1568189662", "to_ids": true, "type": "sha1", "uuid": "5d78acde-69bc-4b16-935d-c52e950d210f", "value": "244eb62b9ac30934098ca4204447440d6fc4e259" }, { "category": "Payload delivery", "comment": "malware as detected by ESET", "deleted": false, "disable_correlation": false, "timestamp": "1568189662", "to_ids": true, "type": "sha1", "uuid": "5d78acde-d94c-48a4-9770-c52e950d210f", "value": "5c8f83cc4ff57e7c67925df4d9daabe5d0cc07e2" }, { "category": "Antivirus detection", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1568193151", "to_ids": false, "type": "text", "uuid": "5d78ba7f-97f0-4ba7-8062-95e4950d210f", "value": "Win32/StealthFalcon" }, { "category": "Network activity", "comment": "Attribute #7611029 enriched by dns.", "deleted": false, "disable_correlation": false, "timestamp": "1568193349", "to_ids": false, "type": "ip-src", "uuid": "5d78bb45-783c-456e-a632-4105e387cbd9", "value": "185.227.82.19" }, { "category": "Network activity", "comment": "Attribute #7611030 enriched by dns.", "deleted": false, "disable_correlation": false, "timestamp": "1568193349", "to_ids": false, "type": "ip-src", "uuid": "5d78bb45-5550-4792-81df-43b1e387cbd9", "value": "46.183.219.85" }, { "category": "Network activity", "comment": "Attribute #7611032 enriched by dns.", "deleted": false, "disable_correlation": false, "timestamp": "1568193350", "to_ids": false, "type": "ip-src", "uuid": "5d78bb46-8dbc-41cf-971d-431de387cbd9", "value": "193.105.134.75" } ], "Object": [ { "comment": "", "deleted": false, "description": "Command line and option related to a software malicious or not to execute specific commands.", "meta-category": "misc", "name": "command-line", "template_uuid": "88ebe222-d3cc-11e9-875d-7f13f460adaf", "template_version": "1", "timestamp": "1568189161", "uuid": "5d78aae9-e0fc-4efb-957e-4829950d210f", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "description", "timestamp": "1568189161", "to_ids": false, "type": "text", "uuid": "5d78aae9-9994-4be3-90b5-4f4e950d210f", "value": "Uninstall itself" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "value", "timestamp": "1568189167", "to_ids": false, "type": "text", "uuid": "5d78aaef-b248-4e75-a0eb-4453950d210f", "value": "K" } ] }, { "comment": "", "deleted": false, "description": "Command line and option related to a software malicious or not to execute specific commands.", "meta-category": "misc", "name": "command-line", "template_uuid": "88ebe222-d3cc-11e9-875d-7f13f460adaf", "template_version": "1", "timestamp": "1568189276", "uuid": "5d78ab5c-a620-4d62-b72b-8aa5950d210f", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "description", "timestamp": "1568189276", "to_ids": false, "type": "text", "uuid": "5d78ab5c-a738-43f5-9441-8aa5950d210f", "value": "Update configuration data" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "value", "timestamp": "1568189282", "to_ids": false, "type": "text", "uuid": "5d78ab62-3fd8-49d7-9c2e-8aa5950d210f", "value": "CFG" } ] }, { "comment": "", "deleted": false, "description": "Command line and option related to a software malicious or not to execute specific commands.", "meta-category": "misc", "name": "command-line", "template_uuid": "88ebe222-d3cc-11e9-875d-7f13f460adaf", "template_version": "1", "timestamp": "1568189713", "uuid": "5d78ad11-8e74-4fda-92f9-e7f0950d210f", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "description", "timestamp": "1568189713", "to_ids": false, "type": "text", "uuid": "5d78ad11-5028-48f2-a2d7-e7f0950d210f", "value": "Execute the specified application" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "value", "timestamp": "1568189713", "to_ids": false, "type": "text", "uuid": "5d78ad11-deb8-4372-a92a-e7f0950d210f", "value": "RC" } ] }, { "comment": "", "deleted": false, "description": "Command line and option related to a software malicious or not to execute specific commands.", "meta-category": "misc", "name": "command-line", "template_uuid": "88ebe222-d3cc-11e9-875d-7f13f460adaf", "template_version": "1", "timestamp": "1568189734", "uuid": "5d78ad26-4fbc-4e8e-a634-ca95950d210f", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "description", "timestamp": "1568189734", "to_ids": false, "type": "text", "uuid": "5d78ad26-9728-4f7e-b0d1-ca95950d210f", "value": "Write downloaded data to file" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "value", "timestamp": "1568189734", "to_ids": false, "type": "text", "uuid": "5d78ad26-84c0-4df6-884e-ca95950d210f", "value": "DL" } ] }, { "comment": "", "deleted": false, "description": "Command line and option related to a software malicious or not to execute specific commands.", "meta-category": "misc", "name": "command-line", "template_uuid": "88ebe222-d3cc-11e9-875d-7f13f460adaf", "template_version": "1", "timestamp": "1568189754", "uuid": "5d78ad3a-5f28-4ba2-a5c6-8aa5950d210f", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "description", "timestamp": "1568189754", "to_ids": false, "type": "text", "uuid": "5d78ad3a-3c64-4abb-917a-8aa5950d210f", "value": "Prepare a file for exfiltration" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "value", "timestamp": "1568189754", "to_ids": false, "type": "text", "uuid": "5d78ad3a-4e10-403d-8aac-8aa5950d210f", "value": "CF" } ] }, { "comment": "", "deleted": false, "description": "Command line and option related to a software malicious or not to execute specific commands.", "meta-category": "misc", "name": "command-line", "template_uuid": "88ebe222-d3cc-11e9-875d-7f13f460adaf", "template_version": "1", "timestamp": "1568189792", "uuid": "5d78ad60-53c4-4617-b7c0-8aa9950d210f", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "description", "timestamp": "1568189792", "to_ids": false, "type": "text", "uuid": "5d78ad60-b23c-4624-9dbe-8aa9950d210f", "value": "Not implemented/no operation" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "value", "timestamp": "1568189792", "to_ids": false, "type": "text", "uuid": "5d78ad60-44bc-474a-b925-8aa9950d210f", "value": "CFWD" } ] }, { "comment": "", "deleted": false, "description": "Command line and option related to a software malicious or not to execute specific commands.", "meta-category": "misc", "name": "command-line", "template_uuid": "88ebe222-d3cc-11e9-875d-7f13f460adaf", "template_version": "1", "timestamp": "1568189869", "uuid": "5d78adad-d90c-4b7f-b37c-8aaa950d210f", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "description", "timestamp": "1568189869", "to_ids": false, "type": "text", "uuid": "5d78adad-02d8-4d3d-8e80-8aaa950d210f", "value": "Exfiltrate and delete files" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "value", "timestamp": "1568189869", "to_ids": false, "type": "text", "uuid": "5d78adad-0394-46aa-8539-8aaa950d210f", "value": "CFW" } ] }, { "comment": "RC4 keys", "deleted": false, "description": "Credential describes one or more credential(s) including password(s), api key(s) or decryption key(s).", "meta-category": "misc", "name": "credential", "template_uuid": "a27e98c9-9b0e-414c-8076-d201e039ca09", "template_version": "3", "timestamp": "1568190180", "uuid": "5d78aee4-c290-488a-a73c-e7f0950d210f", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "format", "timestamp": "1568190180", "to_ids": false, "type": "text", "uuid": "5d78aee4-f13c-4d4b-9ecb-e7f0950d210f", "value": "clear-text" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "origin", "timestamp": "1568190180", "to_ids": false, "type": "text", "uuid": "5d78aee4-c7ac-489b-af60-e7f0950d210f", "value": "malware-analysis" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "type", "timestamp": "1568190180", "to_ids": false, "type": "text", "uuid": "5d78aee4-3d40-455a-84f5-e7f0950d210f", "value": "encryption-key" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "password", "timestamp": "1568190180", "to_ids": false, "type": "text", "uuid": "5d78aee4-d974-4836-9831-e7f0950d210f", "value": "258A4A9D139823F55D7B9DA1825D101107FBF88634A870DE9800580DAD556BA3" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "password", "timestamp": "1568190180", "to_ids": false, "type": "text", "uuid": "5d78aee4-a068-4554-96ac-e7f0950d210f", "value": "2519DB0FFEC604D6C9A655CF56B98EDCE10405DE36810BC3DCF125CDE30BA5A2" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "password", "timestamp": "1568190180", "to_ids": false, "type": "text", "uuid": "5d78aee4-fbf0-4a90-86a8-e7f0950d210f", "value": "3EDB6EA77CD0987668B360365D5F39FDCF6B366D0DEAC9ECE5ADC6FFD20227F6" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "password", "timestamp": "1568190180", "to_ids": false, "type": "text", "uuid": "5d78aee4-a99c-4333-b7dd-e7f0950d210f", "value": "8DFFDE77A39F3AF46D0CE0B84A189DB25A2A0FEFD71A0CD0054D8E0D60AB08DE" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1568190180", "to_ids": false, "type": "text", "uuid": "5d78aee4-1c2c-4f50-858f-e7f0950d210f", "value": "Note: Malware derives a second RC4 key by XORing each byte of the hardcoded key with 0x3D." } ] }, { "comment": "Backdoor commands", "deleted": false, "description": "Command functionalities related to a software malicious or not to execute specific commands. Command-line are attached to this object for the related commands.", "meta-category": "misc", "name": "command", "template_uuid": "21ad70d8-d397-11e9-9ea7-43b2d5f6a6e3", "template_version": "1", "timestamp": "1568193120", "uuid": "5d78b6f6-9ae4-4260-a284-c534950d210f", "ObjectReference": [ { "comment": "", "object_uuid": "5d78b6f6-9ae4-4260-a284-c534950d210f", "referenced_uuid": "5d78aae9-e0fc-4efb-957e-4829950d210f", "relationship_type": "contains", "timestamp": "1568192298", "uuid": "5d78b72a-b5e8-4e20-b1b1-c52e950d210f" }, { "comment": "", "object_uuid": "5d78b6f6-9ae4-4260-a284-c534950d210f", "referenced_uuid": "5d78ab5c-a620-4d62-b72b-8aa5950d210f", "relationship_type": "contains", "timestamp": "1568192716", "uuid": "5d78b8cc-0c68-4192-ab7c-95e4950d210f" }, { "comment": "", "object_uuid": "5d78b6f6-9ae4-4260-a284-c534950d210f", "referenced_uuid": "5d78ad11-8e74-4fda-92f9-e7f0950d210f", "relationship_type": "contains", "timestamp": "1568192728", "uuid": "5d78b8d8-75a4-477e-b497-95e4950d210f" }, { "comment": "", "object_uuid": "5d78b6f6-9ae4-4260-a284-c534950d210f", "referenced_uuid": "5d78ad26-4fbc-4e8e-a634-ca95950d210f", "relationship_type": "contains", "timestamp": "1568192739", "uuid": "5d78b8e3-8ab8-4ad0-b6bf-95e4950d210f" }, { "comment": "", "object_uuid": "5d78b6f6-9ae4-4260-a284-c534950d210f", "referenced_uuid": "5d78ad3a-5f28-4ba2-a5c6-8aa5950d210f", "relationship_type": "contains", "timestamp": "1568192797", "uuid": "5d78b91d-6d90-46a2-b159-e7f0950d210f" }, { "comment": "", "object_uuid": "5d78b6f6-9ae4-4260-a284-c534950d210f", "referenced_uuid": "5d78ad60-53c4-4617-b7c0-8aa9950d210f", "relationship_type": "contains", "timestamp": "1568192809", "uuid": "5d78b929-5b9c-47e5-85d2-e7f0950d210f" }, { "comment": "", "object_uuid": "5d78b6f6-9ae4-4260-a284-c534950d210f", "referenced_uuid": "5d78adad-d90c-4b7f-b37c-8aaa950d210f", "relationship_type": "contains", "timestamp": "1568192831", "uuid": "5d78b93f-3854-4613-9a16-e7f0950d210f" } ], "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "description", "timestamp": "1568193120", "to_ids": false, "type": "text", "uuid": "5d78b6f7-b7a4-49ac-9369-c534950d210f", "value": "Win32/StealthFalcon is a DLL file which, after execution, schedules itself as a task running on each user login. It only supports basic commands but displays a systematic approach to data collection, data exfiltration, employing further malicious tools, and updating its configuration." }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "trigger", "timestamp": "1568193120", "to_ids": false, "type": "text", "uuid": "5d78b6f7-17a8-4b54-8725-c534950d210f", "value": "Network" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "location", "timestamp": "1568193120", "to_ids": false, "type": "text", "uuid": "5d78b6f7-be18-4e99-add1-c534950d210f", "value": "Bundled" } ] } ] } }