misp-circl-feed/feeds/circl/misp/571fd18a-efc4-4099-93f5-447502de0b81.json

143 lines
No EOL
5.7 KiB
JSON

{
"Event": {
"analysis": "2",
"date": "2016-04-26",
"extends_uuid": "",
"info": "OSINT - Macro Malware Employs Advanced Obfuscation to Avoid Detection",
"publish_timestamp": "1461705018",
"published": true,
"threat_level_id": "3",
"timestamp": "1461705011",
"uuid": "571fd18a-efc4-4099-93f5-447502de0b81",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#ffffff",
"local": false,
"name": "tlp:white",
"relationship_type": ""
},
{
"colour": "#004646",
"local": false,
"name": "type:OSINT",
"relationship_type": ""
}
],
"Attribute": [
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461703176",
"to_ids": true,
"type": "md5",
"uuid": "571fd208-f4c8-4446-8c29-47e602de0b81",
"value": "d80c15fd4ee1b10512d81bde32daaf30"
},
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461703176",
"to_ids": true,
"type": "md5",
"uuid": "571fd208-4444-4bed-b668-429802de0b81",
"value": "c1787d80ad7beb46646d5c20cdd7eff2"
},
{
"category": "Payload installation",
"comment": "- Xchecked via VT: c1787d80ad7beb46646d5c20cdd7eff2",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461703369",
"to_ids": true,
"type": "sha256",
"uuid": "571fd2c9-4488-4aef-8c95-47cb02de0b81",
"value": "25f7bf9246534c7aad3b728c0bad60dd62e31d9bd7695de8ac0ec7ec0270f104"
},
{
"category": "Payload installation",
"comment": "- Xchecked via VT: c1787d80ad7beb46646d5c20cdd7eff2",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461703369",
"to_ids": true,
"type": "sha1",
"uuid": "571fd2c9-e9b4-40a6-9903-4c0602de0b81",
"value": "c779587e7280121be0725fbecef2e449607f5833"
},
{
"category": "External analysis",
"comment": "- Xchecked via VT: c1787d80ad7beb46646d5c20cdd7eff2",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461703370",
"to_ids": false,
"type": "link",
"uuid": "571fd2ca-8558-4dae-b316-413002de0b81",
"value": "https://www.virustotal.com/file/25f7bf9246534c7aad3b728c0bad60dd62e31d9bd7695de8ac0ec7ec0270f104/analysis/1461421247/"
},
{
"category": "Payload installation",
"comment": "- Xchecked via VT: d80c15fd4ee1b10512d81bde32daaf30",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461703370",
"to_ids": true,
"type": "sha256",
"uuid": "571fd2ca-19cc-4cbe-b5d1-408b02de0b81",
"value": "1fcdc054fbd0ecefbb895502d271c94e4733dbb5dc0a0152d8d4864ce82cd916"
},
{
"category": "Payload installation",
"comment": "- Xchecked via VT: d80c15fd4ee1b10512d81bde32daaf30",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461703371",
"to_ids": true,
"type": "sha1",
"uuid": "571fd2cb-e308-4004-b0b6-465502de0b81",
"value": "2f0219710dd785f94f7970b87c6ec19ba1635fc5"
},
{
"category": "External analysis",
"comment": "- Xchecked via VT: d80c15fd4ee1b10512d81bde32daaf30",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461703371",
"to_ids": false,
"type": "link",
"uuid": "571fd2cb-36dc-4351-abc4-4a9f02de0b81",
"value": "https://www.virustotal.com/file/1fcdc054fbd0ecefbb895502d271c94e4733dbb5dc0a0152d8d4864ce82cd916/analysis/1461421238/"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461703392",
"to_ids": false,
"type": "link",
"uuid": "571fd2e0-8cfc-466c-acc3-489f02de0b81",
"value": "https://blogs.mcafee.com/mcafee-labs/macro-malware-employs-advanced-obfuscation-to-avoid-detection/"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461705011",
"to_ids": false,
"type": "comment",
"uuid": "571fd934-8b5c-441f-bab2-42d702de0b81",
"value": "Attacks by macro malware carrying ransomware are growing, as we have recently reported on Blog Central here and here. Now McAfee Labs researchers have witnessed a new variant of macro malware that employs fudging techniques such as virtual machine awareness, sandbox awareness, and more.\r\n\r\nSince early March we have seen macro malware using high-obfuscation algorithms to protect itself from static and traditional antimalware detection techniques. These algorithms do not change frequently; we noticed updates only over a period of one month. This slow evolution suggests that the actors are able to sustain their binaries with few changes. So far we have seen three obfuscating algorithms deployed in such malware. The version we noticed in mid-April was quite interesting; here is our analysis.\r\n\r\nThis new variant of macro malware not only has high-level obfuscation techniques but also several layers of evasion. In addition to obfuscation, the functions are scattered across the macros. I have converted the obfuscation algorithm to an equivalent Python and the scripts used for evasion techniques into VBA scripts for easy understanding."
}
]
}
}