{ "type": "bundle", "id": "bundle--58d4c745-a110-4623-a9e6-497d950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-24T07:19:58.000Z", "modified": "2017-03-24T07:19:58.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--58d4c745-a110-4623-a9e6-497d950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-24T07:19:58.000Z", "modified": "2017-03-24T07:19:58.000Z", "name": "OSINT - New targeted attack against Saudi Arabia Government", "published": "2017-03-24T07:20:29Z", "object_refs": [ "observed-data--58d4c76a-f634-4a57-bcb3-464a950d210f", "url--58d4c76a-f634-4a57-bcb3-464a950d210f", "x-misp-attribute--58d4c781-4518-4271-a552-4672950d210f", "indicator--58d4c7ca-4c18-44f8-b75d-43e1950d210f", "indicator--58d4c7cb-575c-4396-8757-4020950d210f", "indicator--58d4c7f4-6c64-41ca-bfa2-4314950d210f", "indicator--58d4c7f5-678c-453a-9648-483f950d210f", "indicator--58d4c826-ab38-491e-85d1-48f2950d210f", "indicator--58d4c827-9264-4eeb-8d3c-4aef950d210f", "indicator--58d4c834-23b4-4f6a-b87f-4729950d210f", "indicator--58d4c835-5d98-4a80-9386-4ab1950d210f", "indicator--58d4c8a7-306c-405e-aa6b-4e4102de0b81", "observed-data--58d4c8a8-bf0c-4c05-9288-491a02de0b81", "url--58d4c8a8-bf0c-4c05-9288-491a02de0b81", "indicator--58d4c8a9-905c-4628-b347-4f3502de0b81", "observed-data--58d4c8aa-f6e0-4953-b357-43a102de0b81", "url--58d4c8aa-f6e0-4953-b357-43a102de0b81" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "osint:source-type=\"blog-post\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58d4c76a-f634-4a57-bcb3-464a950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-24T07:19:58.000Z", "modified": "2017-03-24T07:19:58.000Z", "first_observed": "2017-03-24T07:19:58Z", "last_observed": "2017-03-24T07:19:58Z", "number_observed": 1, "object_refs": [ "url--58d4c76a-f634-4a57-bcb3-464a950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"", "estimative-language:likelihood-probability=\"almost-certain\"", "admiralty-scale:source-reliability=\"b\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58d4c76a-f634-4a57-bcb3-464a950d210f", "value": "https://blog.malwarebytes.com/cybercrime/social-engineering-cybercrime/2017/03/new-targeted-attack-saudi-arabia-government/" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--58d4c781-4518-4271-a552-4672950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-24T07:19:58.000Z", "modified": "2017-03-24T07:19:58.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"", "estimative-language:likelihood-probability=\"almost-certain\"", "admiralty-scale:source-reliability=\"b\"" ], "x_misp_category": "External analysis", "x_misp_type": "text", "x_misp_value": "A new spear phishing campaign is targeting Saudi Arabia governmental organizations. The attack originates from a phishing email containing a Word document in Arabic language. If the victim opens it up, it will not only infect their system but send the same phishing document to other contacts via their Outlook inbox.\r\n\r\nWe know that at least about a dozen Saudi agencies were targeted. As with most email-borne attacks, this one leverages social engineering to execute malicious code via a Macro." }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58d4c7ca-4c18-44f8-b75d-43e1950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-24T07:19:58.000Z", "modified": "2017-03-24T07:19:58.000Z", "description": "C2 - potentialy compromised", "pattern": "[url:value = 'mail.spa.gov.sa/ews/exchange/exchange.asmx']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-24T07:19:58Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"", "adversary:infrastructure-status=\"compromised\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58d4c7cb-575c-4396-8757-4020950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-24T07:19:58.000Z", "modified": "2017-03-24T07:19:58.000Z", "description": "C2 - potentialy compromised", "pattern": "[url:value = 'webmail.ecra/ews/exchange/exchange.asmx']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-24T07:19:58Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"", "adversary:infrastructure-status=\"compromised\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58d4c7f4-6c64-41ca-bfa2-4314950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-24T07:19:58.000Z", "modified": "2017-03-24T07:19:58.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '62.149.118.67']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-24T07:19:58Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"", "adversary:infrastructure-status=\"compromised\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58d4c7f5-678c-453a-9648-483f950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-24T07:19:58.000Z", "modified": "2017-03-24T07:19:58.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '85.194.112.9']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-24T07:19:58Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"", "adversary:infrastructure-status=\"compromised\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58d4c826-ab38-491e-85d1-48f2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-24T07:19:58.000Z", "modified": "2017-03-24T07:19:58.000Z", "description": "Binary payload", "pattern": "[file:hashes.MD5 = '4ed42233962a89deaa89fd7b989db081']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-24T07:19:58Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58d4c827-9264-4eeb-8d3c-4aef950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-24T07:19:58.000Z", "modified": "2017-03-24T07:19:58.000Z", "description": "Binary payload", "pattern": "[file:hashes.SHA256 = 'a96c57c35df18ac20d83b08a88e502071bd0033add0914b951adbd1639b0b873']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-24T07:19:58Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58d4c834-23b4-4f6a-b87f-4729950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-24T07:19:58.000Z", "modified": "2017-03-24T07:19:58.000Z", "description": "Word dropper", "pattern": "[file:hashes.MD5 = '3cd5fa46507657f723719b7809d2d1f9']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-24T07:19:58Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58d4c835-5d98-4a80-9386-4ab1950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-24T07:19:58.000Z", "modified": "2017-03-24T07:19:58.000Z", "description": "Word dropper", "pattern": "[file:hashes.SHA256 = 'a6dbc36c472b3ba70a98efd0db35e75c340086be15d3c3ab4e39033604d0bcf9']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-24T07:19:58Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58d4c8a7-306c-405e-aa6b-4e4102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-24T07:20:07.000Z", "modified": "2017-03-24T07:20:07.000Z", "description": "Word dropper - Xchecked via VT: a6dbc36c472b3ba70a98efd0db35e75c340086be15d3c3ab4e39033604d0bcf9", "pattern": "[file:hashes.SHA1 = '34ddc14b9a04eba98c3aa1cb27033e12ec847e03']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-24T07:20:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58d4c8a8-bf0c-4c05-9288-491a02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-24T07:20:08.000Z", "modified": "2017-03-24T07:20:08.000Z", "first_observed": "2017-03-24T07:20:08Z", "last_observed": "2017-03-24T07:20:08Z", "number_observed": 1, "object_refs": [ "url--58d4c8a8-bf0c-4c05-9288-491a02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58d4c8a8-bf0c-4c05-9288-491a02de0b81", "value": "https://www.virustotal.com/file/a6dbc36c472b3ba70a98efd0db35e75c340086be15d3c3ab4e39033604d0bcf9/analysis/1490338453/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58d4c8a9-905c-4628-b347-4f3502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-24T07:20:09.000Z", "modified": "2017-03-24T07:20:09.000Z", "description": "Binary payload - Xchecked via VT: a96c57c35df18ac20d83b08a88e502071bd0033add0914b951adbd1639b0b873", "pattern": "[file:hashes.SHA1 = 'cf731ee0af5c19231ff51af589f7434c0367d508']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-24T07:20:09Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58d4c8aa-f6e0-4953-b357-43a102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-24T07:20:10.000Z", "modified": "2017-03-24T07:20:10.000Z", "first_observed": "2017-03-24T07:20:10Z", "last_observed": "2017-03-24T07:20:10Z", "number_observed": 1, "object_refs": [ "url--58d4c8aa-f6e0-4953-b357-43a102de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58d4c8aa-f6e0-4953-b357-43a102de0b81", "value": "https://www.virustotal.com/file/a96c57c35df18ac20d83b08a88e502071bd0033add0914b951adbd1639b0b873/analysis/1490319480/" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }