{"Event": {"info": "OSINT - SHELLTEA + POSLURP MALWARE", "Tag": [{"colour": "#004646", "exportable": true, "name": "type:OSINT"}, {"colour": "#ffffff", "exportable": true, "name": "tlp:white"}, {"colour": "#002b4a", "exportable": true, "name": "osint:source-type=\"technical-report\""}], "publish_timestamp": "0", "timestamp": "1498121691", "analysis": "2", "Attribute": [{"comment": "POWERSNIFF C2 DOMAINS", "category": "Network activity", "uuid": "594b78db-60cc-465b-996d-4fba950d210f", "timestamp": "1498118363", "to_ids": true, "value": "vseflijkoindex.net", "disable_correlation": false, "object_relation": null, "type": "domain"}, {"comment": "POWERSNIFF C2 DOMAINS", "category": "Network activity", "uuid": "594b78db-f59c-4e23-9722-4fba950d210f", "timestamp": "1498118363", "to_ids": true, "value": "vortexclothings.biz", "disable_correlation": false, "object_relation": null, "type": "domain"}, {"comment": "POWERSNIFF C2 DOMAINS", "category": "Network activity", "uuid": "594b78db-91c0-44ba-b7fa-49e8950d210f", "timestamp": "1498118363", "to_ids": true, "value": "unkerdubsonics.org", "disable_correlation": false, "object_relation": null, "type": "domain"}, {"comment": "POWERSNIFF C2 DOMAINS", "category": "Network activity", "uuid": "594b78db-9b14-400c-b5be-419a950d210f", "timestamp": "1498118363", "to_ids": true, "value": "popskentown.com", "disable_correlation": false, "object_relation": null, "type": "domain"}, {"comment": "SHELLTEA C2 DOMAIN", "category": "Network activity", "uuid": "594b7980-34e4-453d-8991-4a0d950d210f", "timestamp": "1498118528", "to_ids": true, "value": "neofilgestunin.org", "disable_correlation": false, "object_relation": null, "type": "domain"}, {"comment": "SHELLTEA C2 DOMAIN", "category": "Network activity", "uuid": "594b7980-1188-4102-9437-4d8e950d210f", "timestamp": "1498118528", "to_ids": true, "value": "verfgainling.net", "disable_correlation": false, "object_relation": null, "type": "domain"}, {"comment": "SHELLTEA C2 DOMAIN", "category": "Network activity", "uuid": "594b7980-bfa0-4d66-b37d-4d3a950d210f", "timestamp": "1498118528", "to_ids": true, "value": "straubeoldscles.org", "disable_correlation": false, "object_relation": null, "type": "domain"}, {"comment": "SHELLTEA C2 DOMAIN", "category": "Network activity", "uuid": "594b7980-1ed0-4f03-b209-40ec950d210f", "timestamp": "1498118528", "to_ids": true, "value": "olohvikoend.org", "disable_correlation": false, "object_relation": null, "type": "domain"}, {"comment": "SHELLTEA C2 DOMAIN", "category": "Network activity", "uuid": "594b7980-be10-497c-9580-4ced950d210f", "timestamp": "1498118528", "to_ids": true, "value": "menoograskilllev.net", "disable_correlation": false, "object_relation": null, "type": "domain"}, {"comment": "SHELLTEA C2 DOMAIN", "category": "Payload delivery", "uuid": "594b7980-8ac4-4ebf-b66e-480f950d210f", "timestamp": "1498118528", "to_ids": true, "value": "asojinoviesder.org", "disable_correlation": false, "object_relation": null, "type": "filename"}, {"comment": "Function  Hash  Resolution  Tool,  IDA  Script,  and  Process  Name  CRC32  Code:", "category": "External analysis", "uuid": "594b7a1d-5108-41ca-b719-4db5950d210f", "timestamp": "1498118685", "to_ids": false, "value": "https://gist.github.com/root9b/24b9b25f3b0b06a6939881e68d0bd2d0", "disable_correlation": false, "object_relation": null, "type": "link"}, {"comment": "", "category": "External analysis", "uuid": "594b7a39-1740-4ca2-b45a-4379950d210f", "timestamp": "1498118713", "to_ids": false, "value": "https://www.root9b.com/sites/default/files/whitepapers/PoS%20Malware%20ShellTea%20PoSlurp_1.pdf", "disable_correlation": false, "object_relation": null, "type": "link"}, {"comment": "", "category": "External analysis", "uuid": "594b7a39-c7cc-4ef2-aa31-410a950d210f", "timestamp": "1498118713", "to_ids": false, "value": "https://www.root9b.com/newsroom/shelltea-poslurp-malware", "disable_correlation": false, "object_relation": null, "type": "link"}, {"comment": "", "category": "External analysis", "uuid": "594b7adc-c1c4-4ba7-84e4-4612950d210f", "timestamp": "1498118876", "to_ids": false, "value": "Retail Point-of-Sale (PoS) systems remain a top target for the financially-motivated hacker. Theft of payment card data in large volume exists not only as its own segment within financial crime, but also serves to facilitate other even more harmful motives of today\u2019s criminal elements. To the businesses targeted by cyber criminals, the negative effects are far reaching with impact on brand reputation, consumer and investor confidence, and business growth strategies. With such a lucrative target as payment card data, adversary groups continue to adapt Tactics, Techniques, and Procedures (TTPs) in response to defenders\u2019 change in security practices. One effective attacker TTP is to use so-called \u201cfileless,\u201d or memory-resident malware, to carry out attacks against retailer PoS systems. \r\n\r\nroot9B discovered an advanced, targeted PoS intrusion focused on harvesting payment card information for exfiltration. The adversary\u2019s campaign has active and operational Command and Control (C2) servers. root9B\u2019s analysis determined that the adversary is using advanced memory-resident techniques to maintain persistence and avoid detection. The malware likely required a significant amount of time and knowledge to create. We typically see techniques at this level by well-resourced, well-funded, motivated adversaries.\r\n\r\nThis ongoing campaign has targeted numerous organizations and their PoS systems. root9B uncovered the TTPs utilized and describes them in a detailed analysis.", "disable_correlation": false, "object_relation": null, "type": "comment"}], "extends_uuid": "", "published": false, "date": "2017-06-19", "Orgc": {"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f", "name": "CIRCL"}, "threat_level_id": "3", "uuid": "594b770c-b54c-41b5-b1a9-4edb950d210f"}}