{ "type": "bundle", "id": "bundle--58538c11-4694-47ba-a01c-4cfe02de0b81", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-16T06:47:25.000Z", "modified": "2016-12-16T06:47:25.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--58538c11-4694-47ba-a01c-4cfe02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-16T06:47:25.000Z", "modified": "2016-12-16T06:47:25.000Z", "name": "OSINT - One, if by email, and two, if by EK: The Cerbers are coming!", "published": "2016-12-16T06:48:34Z", "object_refs": [ "observed-data--58538c1d-82a0-4d24-867d-41a202de0b81", "url--58538c1d-82a0-4d24-867d-41a202de0b81", "x-misp-attribute--58538c3f-4960-4980-bab9-4c6b02de0b81", "indicator--58538ce3-601c-4716-bb6f-417b02de0b81", "indicator--58538ce4-7814-4334-8180-418102de0b81", "indicator--58538ce4-7bec-4498-b89a-445302de0b81", "indicator--58538ce5-3240-4327-bcc6-4e1a02de0b81", "indicator--58538ce6-3e80-4e94-8ab8-46fe02de0b81", "indicator--58538ce8-2d7c-49ca-89ae-48bd02de0b81", "indicator--58538cea-d9f0-4ef3-8d22-453e02de0b81", "indicator--58538cea-4fe0-4dca-b42e-450802de0b81", "indicator--58538ceb-a834-43a4-aa47-4a9802de0b81", "indicator--58538d21-bb20-4511-b10a-4a7402de0b81", "indicator--58538d8d-0888-4b53-a42a-4a4102de0b81", "indicator--58538da1-7b68-45ed-abb7-436b02de0b81", "observed-data--58538dae-a6d8-4f69-bc5c-4fa502de0b81", "url--58538dae-a6d8-4f69-bc5c-4fa502de0b81", "indicator--58538dfd-53a0-4703-ad4e-4e0e02de0b81", "indicator--58538dfe-0c74-4137-aa72-4db102de0b81", "observed-data--58538dfe-0750-4380-83c4-448802de0b81", "url--58538dfe-0750-4380-83c4-448802de0b81" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "enisa:nefarious-activity-abuse=\"exploits-exploit-kits\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58538c1d-82a0-4d24-867d-41a202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-16T06:39:25.000Z", "modified": "2016-12-16T06:39:25.000Z", "first_observed": "2016-12-16T06:39:25Z", "last_observed": "2016-12-16T06:39:25Z", "number_observed": 1, "object_refs": [ "url--58538c1d-82a0-4d24-867d-41a202de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58538c1d-82a0-4d24-867d-41a202de0b81", "value": "https://isc.sans.edu/forums/diary/One+if+by+email+and+two+if+by+EK+The+Cerbers+are+coming/21823" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--58538c3f-4960-4980-bab9-4c6b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-16T06:39:59.000Z", "modified": "2016-12-16T06:39:59.000Z", "labels": [ "misp:type=\"comment\"", "misp:category=\"External analysis\"" ], "x_misp_category": "External analysis", "x_misp_type": "comment", "x_misp_value": "As I've discussed before, EKs are merely a method to distribute malware. Criminal groups establish campaigns utilizing EKs to distribute their malware. I often see indicators of campaigns that use Magnitude EK or Rig EK to distribute Cerber ransomware.\r\n\r\nIn my lab environment, I generally don't generate much Magnitude EK. Why? Because Magnitude usually happens through a malvertising campaign, and that's quite difficult to replicate. By the time any particular malvertisement's indicators are known, the criminals have moved to a new malvertisement.\r\n\r\nSince early October 2016, I've typically seen Cerber ransomware from the pseudoDarkleech campaign using Rig EK. PseudoDarkleech currently uses a variant of Rig EK that researcher Kafeine has designated as Rig-V, because it's a \"vip\" version that's evolved from the old Rig EK.\r\n\r\nEITest is another major campaign that utilizes EKs to distribute malware. Although EITest distributes a variety of malware, I'll occasionally see Cerber sent by this campaign." }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58538ce3-601c-4716-bb6f-417b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-16T06:42:43.000Z", "modified": "2016-12-16T06:42:43.000Z", "description": "Rig-V from the EITest campaign", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '195.133.49.182']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-16T06:42:43Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58538ce4-7814-4334-8180-418102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-16T06:42:44.000Z", "modified": "2016-12-16T06:42:44.000Z", "description": "Rig-V from the EITest campaign", "pattern": "[domain-name:value = 'hit.thincoachmd.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-16T06:42:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58538ce4-7bec-4498-b89a-445302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-16T06:42:44.000Z", "modified": "2016-12-16T06:42:44.000Z", "description": "Rig-V from the pseudoDarkleech campaign", "pattern": "[domain-name:value = 'new.slimcoachmd.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-16T06:42:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58538ce5-3240-4327-bcc6-4e1a02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-16T06:42:45.000Z", "modified": "2016-12-16T06:42:45.000Z", "description": "1.11.32.0 to 1.11.32.31 (1.11.32.0/27) UDP port 6892 - Cerber post-infection UDP traffic", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '1.11.32.0']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-16T06:42:45Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58538ce6-3e80-4e94-8ab8-46fe02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-16T06:42:46.000Z", "modified": "2016-12-16T06:42:46.000Z", "description": "1.11.32.0 to 1.11.32.31 (1.11.32.0/27) UDP port 6892 - Cerber post-infection UDP traffic", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '55.15.15.0']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-16T06:42:46Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58538ce8-2d7c-49ca-89ae-48bd02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-16T06:42:48.000Z", "modified": "2016-12-16T06:42:48.000Z", "description": "194.165.16.0/23) UDP port 6892 - Cerber post-infection UDP traffic", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '194.165.16.0']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-16T06:42:48Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58538cea-d9f0-4ef3-8d22-453e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-16T06:42:50.000Z", "modified": "2016-12-16T06:42:50.000Z", "description": "attempted HTTP connections by Cerber from pseudoDarkleech campaign", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.45.192.155']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-16T06:42:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58538cea-4fe0-4dca-b42e-450802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-16T06:42:50.000Z", "modified": "2016-12-16T06:42:50.000Z", "pattern": "[domain-name:value = 'ftoxmpdipwobp4qy.19dmua.top']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-16T06:42:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58538ceb-a834-43a4-aa47-4a9802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-16T06:42:51.000Z", "modified": "2016-12-16T06:42:51.000Z", "description": "attempted HTTP connections by Cerber from EITest campaign", "pattern": "[domain-name:value = 'ffoqr3ug7m726zou.19dmua.top']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-16T06:42:51Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58538d21-bb20-4511-b10a-4a7402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-16T06:43:45.000Z", "modified": "2016-12-16T06:43:45.000Z", "description": "Rig-V Flash exploit seen on 2016-12-15", "pattern": "[file:hashes.SHA256 = 'df65f65dc15cfa999f07869b587c74c645da66129c009db5d8b8c2c29ae4fadf']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-16T06:43:45Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58538d8d-0888-4b53-a42a-4a4102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-16T06:45:33.000Z", "modified": "2016-12-16T06:45:33.000Z", "description": "C:\\Users\\[username]\\AppData\\Local\\Temp\\rad8AA1F.tmp.exe", "pattern": "[file:hashes.SHA256 = '4e877be5523d5ab453342695fef1d03adb854d215bde2cff647421bd3d583060']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-16T06:45:33Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58538da1-7b68-45ed-abb7-436b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-16T06:45:53.000Z", "modified": "2016-12-16T06:45:53.000Z", "description": "C:\\Users\\[username]\\AppData\\Local\\Temp\\rad8DE79.tmp.exe", "pattern": "[file:hashes.SHA256 = '0e395c547547a79bd29280ea7f918a0559058a58ffc789940ceb4caf7a708610']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-16T06:45:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58538dae-a6d8-4f69-bc5c-4fa502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-16T06:46:06.000Z", "modified": "2016-12-16T06:46:06.000Z", "first_observed": "2016-12-16T06:46:06Z", "last_observed": "2016-12-16T06:46:06Z", "number_observed": 1, "object_refs": [ "url--58538dae-a6d8-4f69-bc5c-4fa502de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58538dae-a6d8-4f69-bc5c-4fa502de0b81", "value": "http://www.malware-traffic-analysis.net/2016/12/16/index.html" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58538dfd-53a0-4703-ad4e-4e0e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-16T06:47:25.000Z", "modified": "2016-12-16T06:47:25.000Z", "description": "Rig-V Flash exploit seen on 2016-12-15 - Xchecked via VT: df65f65dc15cfa999f07869b587c74c645da66129c009db5d8b8c2c29ae4fadf", "pattern": "[file:hashes.SHA1 = '9284df1374b35d929f07e010e88b78a8495c0cfd']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-16T06:47:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58538dfe-0c74-4137-aa72-4db102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-16T06:47:26.000Z", "modified": "2016-12-16T06:47:26.000Z", "description": "Rig-V Flash exploit seen on 2016-12-15 - Xchecked via VT: df65f65dc15cfa999f07869b587c74c645da66129c009db5d8b8c2c29ae4fadf", "pattern": "[file:hashes.MD5 = '2b3e5fa9c8932e27531dd26dc92c81f8']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-16T06:47:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58538dfe-0750-4380-83c4-448802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-16T06:47:26.000Z", "modified": "2016-12-16T06:47:26.000Z", "first_observed": "2016-12-16T06:47:26Z", "last_observed": "2016-12-16T06:47:26Z", "number_observed": 1, "object_refs": [ "url--58538dfe-0750-4380-83c4-448802de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58538dfe-0750-4380-83c4-448802de0b81", "value": "https://www.virustotal.com/file/df65f65dc15cfa999f07869b587c74c645da66129c009db5d8b8c2c29ae4fadf/analysis/1481853351/" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }