{ "type": "bundle", "id": "bundle--589718fa-353c-411d-bbee-4c1902de0b81", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-05T12:26:57.000Z", "modified": "2017-02-05T12:26:57.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--589718fa-353c-411d-bbee-4c1902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-05T12:26:57.000Z", "modified": "2017-02-05T12:26:57.000Z", "name": "OSINT - Doctor Web detects several thousand infected Linux devices Linux.Proxy.10", "published": "2017-02-05T12:27:55Z", "object_refs": [ "observed-data--5897193a-54a0-422f-986b-4e9502de0b81", "url--5897193a-54a0-422f-986b-4e9502de0b81", "x-misp-attribute--5897195c-7044-4bdb-816b-41d302de0b81", "indicator--58971973-6c14-41ab-9aea-442602de0b81", "x-misp-attribute--58971997-7c34-4fb7-b0c9-4f5302de0b81", "indicator--589719db-cab0-4eb4-afd3-418602de0b81", "indicator--589719dc-7264-434a-a1a1-4c9202de0b81", "observed-data--589719dd-7200-4dbc-9b08-478202de0b81", "url--589719dd-7200-4dbc-9b08-478202de0b81" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "estimative-language:likelihood-probability=\"very-likely\"", "ms-caro-malware:malware-platform=\"Linux\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5897193a-54a0-422f-986b-4e9502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-05T12:26:28.000Z", "modified": "2017-02-05T12:26:28.000Z", "first_observed": "2017-02-05T12:26:28Z", "last_observed": "2017-02-05T12:26:28Z", "number_observed": 1, "object_refs": [ "url--5897193a-54a0-422f-986b-4e9502de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"", 
"admiralty-scale:source-reliability=\"b\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5897193a-54a0-422f-986b-4e9502de0b81", "value": "http://news.drweb.com/news/?i=11115&lng=en" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5897195c-7044-4bdb-816b-41d302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-05T12:25:31.000Z", "modified": "2017-02-05T12:25:31.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ], "x_misp_category": "External analysis", "x_misp_type": "text", "x_misp_value": "Back at the end of last year, Doctor Web security researchers noted the growing number of malicious programs for Linux. And at the end of January, they detected several thousand Linux devices infected with a new Trojan.\r\n\r\nThe Trojan, used by cybercriminals to infect numerous Linux network devices, has been named Linux.Proxy.10. As the name of this malicious program suggests, it is designed to run a SOCKS5 proxy server on the infected device on the basis of the freeware source code of the Satanic Socks Server. Cybercriminals use this Trojan to ensure that they remain anonymous online.\r\n\r\nTo distribute Linux.Proxy.10, cybercriminals log in to the vulnerable devices via the SSH protocol, and at the same time the list of devices, as well as the logins and passwords that go with them, are stored on their server. The list looks like this: \u00abIP address:login:password\u00bb. It is notable that users with such account details are usually created by other Linux Trojans. In other words, Linux.Proxy.10 infiltrates computers and devices that either have standard settings or are already infected with Linux malware." 
}, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58971973-6c14-41ab-9aea-442602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-05T12:25:45.000Z", "modified": "2017-02-05T12:25:45.000Z", "description": "Linux.Proxy.10", "pattern": "[file:hashes.SHA1 = 'f23c4e3dd93bc54ec67dc97023c0b1251a6ca784']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-05T12:25:45Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"", "ms-caro-malware:malware-platform=\"Linux\"" ] }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--58971997-7c34-4fb7-b0c9-4f5302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-05T12:24:55.000Z", "modified": "2017-02-05T12:24:55.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"External analysis\"" ], "x_misp_category": "External analysis", "x_misp_comment": "Port for access to proxy server is saved in the Trojan\u2019s body during its compilation. 
Examined samples use the following ports:", "x_misp_type": "text", "x_misp_value": "18902\r\n27891\r\n28910\r\n33922\r\n37912\r\n39012\r\n48944\r\n49082\r\n49098\r\n56494\r\n61092\r\n61301" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--589719db-cab0-4eb4-afd3-418602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-05T12:26:57.000Z", "modified": "2017-02-05T12:26:57.000Z", "description": "Linux.Proxy.10 - Xchecked via VT: f23c4e3dd93bc54ec67dc97023c0b1251a6ca784", "pattern": "[file:hashes.SHA256 = 'b15c7445dc66cb1fe24a8f372c2a380e4969b66ae6a7f44a4bce265a6254f80e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-05T12:26:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"", "ms-caro-malware:malware-platform=\"Linux\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--589719dc-7264-434a-a1a1-4c9202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-05T12:26:49.000Z", "modified": "2017-02-05T12:26:49.000Z", "description": "Linux.Proxy.10 - Xchecked via VT: f23c4e3dd93bc54ec67dc97023c0b1251a6ca784", "pattern": "[file:hashes.MD5 = 'feb78d1ba686d5c151c3305cf5bc9675']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-05T12:26:49Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"", "ms-caro-malware:malware-platform=\"Linux\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--589719dd-7200-4dbc-9b08-478202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-05T12:26:05.000Z", "modified": "2017-02-05T12:26:05.000Z", "first_observed": 
"2017-02-05T12:26:05Z", "last_observed": "2017-02-05T12:26:05Z", "number_observed": 1, "object_refs": [ "url--589719dd-7200-4dbc-9b08-478202de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--589719dd-7200-4dbc-9b08-478202de0b81", "value": "https://www.virustotal.com/file/b15c7445dc66cb1fe24a8f372c2a380e4969b66ae6a7f44a4bce265a6254f80e/analysis/1486083549/" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }