177 lines
No EOL
6.3 KiB
JSON
177 lines
No EOL
6.3 KiB
JSON
{
|
|
"Event": {
|
|
"analysis": "2",
|
|
"date": "2018-11-26",
|
|
"extends_uuid": "",
|
|
"info": "OSINT - `event-stream` dependency attack steals wallets from users of copay",
|
|
"publish_timestamp": "1543270402",
|
|
"published": true,
|
|
"threat_level_id": "3",
|
|
"timestamp": "1543270394",
|
|
"uuid": "5bfc6891-b838-44fe-bc17-16b702de0b81",
|
|
"Orgc": {
|
|
"name": "CIRCL",
|
|
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
|
|
},
|
|
"Tag": [
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": false,
|
|
"name": "tlp:white",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#00a0a0",
|
|
"local": false,
|
|
"name": "ecsirt:intrusions=\"application-compromise\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0029ff",
|
|
"local": false,
|
|
"name": "estimative-language:confidence-in-analytic-judgment=\"high\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#001fc2",
|
|
"local": false,
|
|
"name": "estimative-language:likelihood-probability=\"almost-certain\"",
|
|
"relationship_type": ""
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1543268515",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "5bfc68a3-19e0-4f70-81d4-48d502de0b81",
|
|
"value": "https://github.com/bitpay/copay/issues/9346#issuecomment-441749542"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "\"HTTP POST traffic on port 8080 to copayapi.host (which currently resolves to 51.38.112.212 and previously resolved to 145.249.104.239) or 111.90.151.134 indicates compromised and exfiltrated wallet private keys.\"",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1543268542",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "5bfc68be-0b50-47a2-a33e-16c502de0b81",
|
|
"value": "copayapi.host"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "\"HTTP POST traffic on port 8080 to copayapi.host (which currently resolves to 51.38.112.212 and previously resolved to 145.249.104.239) or 111.90.151.134 indicates compromised and exfiltrated wallet private keys.\"",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1543268543",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5bfc68bf-51a0-4f93-84ff-16c502de0b81",
|
|
"value": "51.38.112.212"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "\"HTTP POST traffic on port 8080 to copayapi.host (which currently resolves to 51.38.112.212 and previously resolved to 145.249.104.239) or 111.90.151.134 indicates compromised and exfiltrated wallet private keys.\"",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1543268543",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5bfc68bf-4798-421d-b09f-16c502de0b81",
|
|
"value": "145.249.104.239"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "\"HTTP POST traffic on port 8080 to copayapi.host (which currently resolves to 51.38.112.212 and previously resolved to 145.249.104.239) or 111.90.151.134 indicates compromised and exfiltrated wallet private keys.\"",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1543268544",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5bfc68c0-af3c-4165-8243-16c502de0b81",
|
|
"value": "111.90.151.134"
|
|
},
|
|
{
|
|
"category": "Attribution",
|
|
"comment": "copayapi.host's SOA record indicates the domain registrant's email address is \"kvlguuvh@sharklasers.co\" (very likely a throwaway email address).",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1543268846",
|
|
"to_ids": true,
|
|
"type": "dns-soa-email",
|
|
"uuid": "5bfc68ef-2698-4780-b1f5-45c902de0b81",
|
|
"value": "kvlguuvh@sharklasers.co"
|
|
},
|
|
{
|
|
"category": "Social network",
|
|
"comment": "The GitHub account of the event-stream hijacker: https://github.com/right9ctrl (email address right9ctrl@outlook.com)",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1543268635",
|
|
"to_ids": false,
|
|
"type": "github-username",
|
|
"uuid": "5bfc691b-da14-4228-997c-40e802de0b81",
|
|
"value": "right9ctrl"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "The NPM account of the event-stream hijacker: https://www.npmjs.com/~right9ctrlh",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1543268714",
|
|
"to_ids": false,
|
|
"type": "url",
|
|
"uuid": "5bfc696a-2a8c-4e1d-9f1c-4ef902de0b81",
|
|
"value": "https://www.npmjs.com/~right9ctrl"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "The GitHub repo for the malicious flat-map package: https://github.com/hugeglass/flatmap-stream",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1543268733",
|
|
"to_ids": false,
|
|
"type": "url",
|
|
"uuid": "5bfc697d-ab8c-4a6b-9083-453702de0b81",
|
|
"value": "https://github.com/hugeglass/flatmap-stream"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1543268752",
|
|
"to_ids": false,
|
|
"type": "url",
|
|
"uuid": "5bfc6990-28ec-4517-a397-4b8502de0b81",
|
|
"value": "https://www.npmjs.com/~hugeglass"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1543268789",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "5bfc69b5-bd34-40c5-a2da-42e202de0b81",
|
|
"value": "https://github.com/dominictarr/event-stream/issues/116"
|
|
},
|
|
{
|
|
"category": "Attribution",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1543268830",
|
|
"to_ids": false,
|
|
"type": "whois-registrant-email",
|
|
"uuid": "5bfc69de-2090-455c-8b3c-45b102de0b81",
|
|
"value": "right9ctrl@outlook.com"
|
|
}
|
|
]
|
|
}
|
|
} |