{ "Event": { "analysis": "2", "date": "2017-10-16", "extends_uuid": "", "info": "OSINT - BlackOasis APT and new targeted attacks leveraging zero-day exploit", "publish_timestamp": "1508166265", "published": true, "threat_level_id": "3", "timestamp": "1508166251", "uuid": "59e4c923-a6e0-4894-a6a8-994d950d210f", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#ffffff", "local": false, "name": "tlp:white", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:tool=\"FINSPY\"", "relationship_type": "" } ], "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1508166188", "to_ids": false, "type": "vulnerability", "uuid": "59e4c942-4eb8-44f5-b7cc-9449950d210f", "value": "CVE-2017-11292" }, { "category": "Payload delivery", "comment": "As mentioned earlier, the \u00e2\u20ac\u0153mo.exe\u00e2\u20ac\u009d payload (MD5: 4a49135d2ecc07085a8b7c5925a36c0a) is the newest version of Gamma International\u00e2\u20ac\u2122s FinSpy malware, typically sold to nation states and other law enforcement agencies to use in lawful surveillance operations.", "deleted": false, "disable_correlation": false, "timestamp": "1508166188", "to_ids": true, "type": "md5", "uuid": "59e4c96e-85bc-46cd-bec2-9448950d210f", "value": "4a49135d2ecc07085a8b7c5925a36c0a" }, { "category": "Network activity", "comment": "Download the final payload (FinSpy) from", "deleted": false, "disable_correlation": false, "timestamp": "1508166188", "to_ids": true, "type": "ip-dst", "uuid": "59e4c96e-0c9c-4cfe-9482-9448950d210f", "value": "89.45.67.107" }, { "category": "Network activity", "comment": "Download the final payload (FinSpy) from", "deleted": false, "disable_correlation": false, "timestamp": "1508166188", "to_ids": true, "type": "url", "uuid": "59e4c983-e064-4473-b9bc-9375950d210f", "value": "http://89.45.67.107/rss/mo.exe" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1508166188", "to_ids": false, "type": "link", "uuid": "59e4c9b1-358c-47f4-9435-4fe0950d210f", "value": "https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/", "Tag": [ { "colour": "#00223b", "local": false, "name": "osint:source-type=\"blog-post\"", "relationship_type": "" } ] }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1508166188", "to_ids": false, "type": "text", "uuid": "59e4c9e5-ff50-466e-bf41-931b950d210f", "value": "Kaspersky Lab has always worked closely with vendors to protect users. As soon as we find new vulnerabilities we immediately inform the vendor in a responsible manner and provide all the details required for a fix.\r\n\r\nOn October 10, 2017, Kaspersky Lab\u00e2\u20ac\u2122s advanced exploit prevention systems identified a new Adobe Flash zero day exploit used in the wild against our customers. The exploit was delivered through a Microsoft Office document and the final payload was the latest version of FinSpy malware. We have reported the bug to Adobe who assigned it CVE-2017-11292 and released a patch earlier today:\r\n\r\nSo far only one attack has been observed in our customer base, leading us to believe the number of attacks are minimal and highly targeted.\r\n\r\nAnalysis of the payload allowed us to confidently link this attack to an actor we track as \u00e2\u20ac\u0153BlackOasis\u00e2\u20ac\u009d. We are also highly confident that BlackOasis was also responsible for another zero day exploit (CVE-2017-8759) discovered by FireEye in September 2017. The FinSpy payload used in the current attacks (CVE-2017-11292) shares the same command and control (C2) server as the payload used with CVE-2017-8759 uncovered by FireEye.", "Tag": [ { "colour": "#00223b", "local": false, "name": "osint:source-type=\"blog-post\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "As mentioned earlier, the \u00e2\u20ac\u0153mo.exe\u00e2\u20ac\u009d payload (MD5: 4a49135d2ecc07085a8b7c5925a36c0a) is the newest version of Gamma International\u00e2\u20ac\u2122s FinSpy malware, typically sold to nation states and other law enforcement agencies to use in lawful surveillance operations. - Xchecked via VT: 4a49135d2ecc07085a8b7c5925a36c0a", "deleted": false, "disable_correlation": false, "timestamp": "1508166188", "to_ids": true, "type": "sha256", "uuid": "59e4ca2c-86f4-49eb-aafb-4a1a02de0b81", "value": "16070014b86f2254dcf273bbce78fb6eca43df9a6fc3c6ab85ec8f06a4063b06" }, { "category": "Payload delivery", "comment": "As mentioned earlier, the \u00e2\u20ac\u0153mo.exe\u00e2\u20ac\u009d payload (MD5: 4a49135d2ecc07085a8b7c5925a36c0a) is the newest version of Gamma International\u00e2\u20ac\u2122s FinSpy malware, typically sold to nation states and other law enforcement agencies to use in lawful surveillance operations. - Xchecked via VT: 4a49135d2ecc07085a8b7c5925a36c0a", "deleted": false, "disable_correlation": false, "timestamp": "1508166188", "to_ids": true, "type": "sha1", "uuid": "59e4ca2c-e124-45a7-bf3d-4c7802de0b81", "value": "949da212307259f53b17eb19b353e7c1051fba82" }, { "category": "External analysis", "comment": "As mentioned earlier, the \u00e2\u20ac\u0153mo.exe\u00e2\u20ac\u009d payload (MD5: 4a49135d2ecc07085a8b7c5925a36c0a) is the newest version of Gamma International\u00e2\u20ac\u2122s FinSpy malware, typically sold to nation states and other law enforcement agencies to use in lawful surveillance operations. - Xchecked via VT: 4a49135d2ecc07085a8b7c5925a36c0a", "deleted": false, "disable_correlation": false, "timestamp": "1508166188", "to_ids": false, "type": "link", "uuid": "59e4ca2c-7160-47d4-9589-463a02de0b81", "value": "https://www.virustotal.com/file/16070014b86f2254dcf273bbce78fb6eca43df9a6fc3c6ab85ec8f06a4063b06/analysis/1508127395/" } ] } }