misp-circl-feed/feeds/circl/stix-2.1/636cabbd-4bde-4fb2-bc6b-6b2c05fafcd5.json

280 lines
No EOL
16 KiB
JSON

{
"type": "bundle",
"id": "bundle--636cabbd-4bde-4fb2-bc6b-6b2c05fafcd5",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-07-24T13:19:01.000Z",
"modified": "2024-07-24T13:19:01.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--636cabbd-4bde-4fb2-bc6b-6b2c05fafcd5",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-07-24T13:19:01.000Z",
"modified": "2024-07-24T13:19:01.000Z",
"name": "OSINT - RDGAs: The Next Chapter in Domain Generation Algorithms",
"published": "2024-07-24T16:01:37Z",
"object_refs": [
"indicator--0894b4f6-7a29-4bfa-9ad7-251ea49131c1",
"indicator--171dd00a-c539-44c8-8aba-548b6d5cf522",
"indicator--f1110fb8-5ca5-4402-b8bf-15aeb4b15c8c",
"indicator--ea557bab-91b5-46e4-8bc4-69220dad491f",
"indicator--f730c5ae-9131-4b52-9a43-07ba48929cad",
"indicator--fbfd7b15-4943-4039-b4e5-c9bed2c00d20",
"indicator--df812c0a-5280-4247-9fe2-1cd09d060be5",
"indicator--58b85abd-78cc-4671-a80b-8712acd0564b",
"x-misp-object--aed9d622-6409-4fb6-b012-436228a3d0b1"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"type:OSINT",
"osint:lifetime=\"perpetual\"",
"osint:certainty=\"50\"",
"tlp:clear",
"misp-galaxy:nice-framework-skills=\"Skill in performing network data analysis - S0688\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--0894b4f6-7a29-4bfa-9ad7-251ea49131c1",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-07-24T09:33:48.000Z",
"modified": "2024-07-24T09:33:48.000Z",
"pattern": "[domain-name:value = '6rnd9mitqt1rz82.top' AND domain-name:value = '7r7suw52ls00i20.top' AND domain-name:value = '9w9ohb5vky5p3dz.top' AND domain-name:value = 'bjbntaxmh09r09e.top' AND domain-name:value = 'qcj4pirltkpqrcu.top']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-07-24T09:33:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"domain-ip\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--171dd00a-c539-44c8-8aba-548b6d5cf522",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-07-24T09:34:53.000Z",
"modified": "2024-07-24T09:34:53.000Z",
"pattern": "[domain-name:value = 'h87e1mbm0u5f85.xyz' AND domain-name:value = 'n8j1nau3os4otr.xyz' AND domain-name:value = 'xnnxr1jquyupjc.xyz' AND domain-name:value = 'xqajkr8fbrdryp0.xyz' AND domain-name:value = 'xryqcgcb2upb28k.xyz']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-07-24T09:34:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"domain-ip\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--f1110fb8-5ca5-4402-b8bf-15aeb4b15c8c",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-07-24T09:35:27.000Z",
"modified": "2024-07-24T09:35:27.000Z",
"pattern": "[domain-name:value = 'arriveplanetsnow.buzz' AND domain-name:value = 'coatthinkverb.buzz' AND domain-name:value = 'debtgenepub.live' AND domain-name:value = 'poemtrainsurprise.top' AND domain-name:value = 'quarterneighbourforward.xyz']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-07-24T09:35:27Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"domain-ip\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--ea557bab-91b5-46e4-8bc4-69220dad491f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-07-24T09:36:01.000Z",
"modified": "2024-07-24T09:36:01.000Z",
"pattern": "[domain-name:value = 'castrocountyjail.org' AND domain-name:value = 'killeencityjail.org' AND domain-name:value = 'lasalleparishjail.org' AND domain-name:value = 'miamidadecountyjail.org' AND domain-name:value = 'northcentralregionaljail.org']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-07-24T09:36:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"domain-ip\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--f730c5ae-9131-4b52-9a43-07ba48929cad",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-07-24T09:37:06.000Z",
"modified": "2024-07-24T09:37:06.000Z",
"pattern": "[domain-name:value = 'arenadiploma.com' AND domain-name:value = 'area-diploman24.com' AND domain-name:value = 'area-diplomans24.com' AND domain-name:value = 'area-diploms24.com' AND domain-name:value = 'area-diplomy24.com' AND domain-name:value = 'areas-diplom.com' AND domain-name:value = 'areas-diplom24.com' AND domain-name:value = 'areas-diplomy24.com' AND domain-name:value = 'arena-diplomsy24.com' AND domain-name:value = 'arena-diplomy24.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-07-24T09:37:06Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"domain-ip\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--fbfd7b15-4943-4039-b4e5-c9bed2c00d20",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-07-24T09:37:40.000Z",
"modified": "2024-07-24T09:37:40.000Z",
"pattern": "[domain-name:value = 'chopprousite.ru' AND domain-name:value = 'patiennerrhe.com' AND domain-name:value = 'thougolograrly.ru' AND domain-name:value = 'dintretonid.com' AND domain-name:value = 'dintretrewor.com' AND domain-name:value = 'dintrolletone.com' AND domain-name:value = 'dintromparsup.com' AND domain-name:value = 'direnrolpar.ru' AND domain-name:value = 'hadhecrecled.com' AND domain-name:value = 'hadrecrolof.ru' AND domain-name:value = 'hadsparmirat.com' AND domain-name:value = 'hanparolhar.com' AND domain-name:value = 'rofromandfor.ru' AND domain-name:value = 'rowrorofrat.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-07-24T09:37:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"domain-ip\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--df812c0a-5280-4247-9fe2-1cd09d060be5",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-07-24T09:38:33.000Z",
"modified": "2024-07-24T09:38:33.000Z",
"pattern": "[domain-name:value = 'assisted-living-11607.bond' AND domain-name:value = 'online-jobs-42681.bond' AND domain-name:value = 'perfumes-76753.bond' AND domain-name:value = 'security-surveillance-cameras-42345.bond' AND domain-name:value = 'yoga-classes-35904.bond' AND domain-name:value = 'ai-courses-12139.bond' AND domain-name:value = 'ai-courses-13069.bond' AND domain-name:value = 'ai-courses-14729.bond' AND domain-name:value = 'ai-courses-16651.bond' AND domain-name:value = 'ai-courses-17621.bond' AND domain-name:value = 'app-software-development-training-52686.bond' AND domain-name:value = 'app-software-development-training-54449.bond' AND domain-name:value = 'app-software-development-training-55554.bond' AND domain-name:value = 'app-software-development-training-57549.bond' AND domain-name:value = 'ai-courses-2024-pe.bond' AND domain-name:value = 'ai-courses-2024-pk.bond' AND domain-name:value = 'ai-courses-2024sa.bond' AND domain-name:value = 'ai-courses2023-in.bond' AND domain-name:value = 'ai-courses2023in.bond' AND domain-name:value = 'ai-courses2024in.bond' AND domain-name:value = 'app-software-development-italy.bond' AND domain-name:value = 'app-software-development-training-usa.bond' AND domain-name:value = 'online-degrees-16099.bond' AND domain-name:value = 'portable-air-conditioner-12322.bond' AND domain-name:value = 'river-cruises-13890.bond' AND domain-name:value = 'roofing-services-10175.bond' AND domain-name:value = 'travel-insurance-43494.bond' AND domain-name:value = 'usa-online-degree-29o.bond' AND domain-name:value = 'bra-portable-air-conditioner-9o.bond' AND domain-name:value = 'uk-river-cruises-8n.bond' AND domain-name:value = 'rsa-roofing-services-8n.bond' AND domain-name:value = 'col-travel-insurance-3n.bond' AND domain-name:value = 'welding-machines-10120.bond' AND domain-name:value = 'welding-machines-35450.bond' AND domain-name:value = 'welding-machines-56397.bond' AND domain-name:value = 'welding-machines-76813.bond' AND domain-name:value = 'welding-machines-99146.bond']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-07-24T09:38:33Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"domain-ip\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58b85abd-78cc-4671-a80b-8712acd0564b",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-07-24T09:39:01.000Z",
"modified": "2024-07-24T09:39:01.000Z",
"pattern": "[domain-name:value = 'tires-book-robust.bond' AND domain-name:value = 'laser-skin-treatment-19799.bond' AND domain-name:value = 'pool-repair-35063.bond' AND domain-name:value = 'apartments-for-rent-72254.bond' AND domain-name:value = 'hemophilia-treatment-41433.bond']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-07-24T09:39:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"domain-ip\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--aed9d622-6409-4fb6-b012-436228a3d0b1",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-07-24T09:39:52.000Z",
"modified": "2024-07-24T09:39:52.000Z",
"labels": [
"misp:name=\"report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "link",
"object_relation": "link",
"value": "https://blogs.infoblox.com/threat-intelligence/rdgas-the-next-chapter-in-domain-generation-algorithms/",
"category": "External analysis",
"uuid": "41667fe2-4456-4354-9068-379072c9b7f7"
},
{
"type": "text",
"object_relation": "summary",
"value": "This trailblazing report explores a burgeoning technique that threat actors are using to covertly transform the DNS threat landscape with millions of new domains. You\u2019ll learn how traditional malware-based domain generation algorithms (DGAs) have evolved into registered DGAs (RDGAs) that can be used for malware, phishing, spam, scams, gambling, traffic distribution systems (TDS), virtual private networks (VPNs), and more. We\u2019ll unveil a new RDGA threat actor named Revolver Rabbit who\u2019s associated with XLoader malware. We\u2019ll also reveal how the notorious Hancitor malware used an RDGA to generate its C2 domains for years while most of the security industry remained oblivious to their methods. This blog discusses some of the highlights from our full research paper, which is available here.\r\n\r\nFor nearly two decades, threat actors have used domain generation algorithms (DGAs) to distribute malware. In recent years, threat actors have been employing a technique we call registered domain generation algorithms (RDGAs), in which the actor uses an algorithm to register many domain names at one time. RDGAs are considerably harder to detect and defend against than traditional DGAs, and despite their prevalence on the internet, they have been woefully underreported by the security community. We originally described RDGAs in October 2023 and have published on the topic multiple times since then.",
"category": "Other",
"uuid": "33edb1d2-6fb9-4eac-a967-1b57d3d7a127"
},
{
"type": "text",
"object_relation": "type",
"value": "Blog",
"category": "Other",
"uuid": "781d8f8a-40d2-4b3d-98d3-aa468b490f33"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "report"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}