496 lines
No EOL
21 KiB
JSON
496 lines
No EOL
21 KiB
JSON
{
|
|
"type": "bundle",
|
|
"id": "bundle--f3eda2d3-840b-46ba-ac74-50b68a58b0fe",
|
|
"objects": [
|
|
{
|
|
"type": "identity",
|
|
"spec_version": "2.1",
|
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-03-22T10:41:30.000Z",
|
|
"modified": "2023-03-22T10:41:30.000Z",
|
|
"name": "CIRCL",
|
|
"identity_class": "organization"
|
|
},
|
|
{
|
|
"type": "report",
|
|
"spec_version": "2.1",
|
|
"id": "report--f3eda2d3-840b-46ba-ac74-50b68a58b0fe",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-03-22T10:41:30.000Z",
|
|
"modified": "2023-03-22T10:41:30.000Z",
|
|
"name": "OSINT - Bad magic: new APT found in the area of Russo-Ukrainian conflict",
|
|
"published": "2023-03-22T10:44:51Z",
|
|
"object_refs": [
|
|
"indicator--3f7f43d2-3f5b-4889-bce9-1e7db7e98b8c",
|
|
"indicator--f53a9fc1-30de-49ad-aecc-cd126e75420e",
|
|
"indicator--7670fb0e-124a-4f63-a2db-7bd9b0a20955",
|
|
"indicator--c364b5a4-6a58-48d4-ae44-acae539c5ec2",
|
|
"indicator--f4d9620e-8f7c-485c-baaa-8f4e29767337",
|
|
"indicator--0262e716-cf69-4575-9242-2ad91defd641",
|
|
"indicator--63e75a16-29eb-4779-b201-045152b4c3ea",
|
|
"indicator--2c3bed63-f9a6-4958-8101-578fbcba16fa",
|
|
"indicator--abd928f6-cb7f-4df9-8d8a-c2e0cbb34734",
|
|
"indicator--dadef232-712d-40c1-98bf-a6bdd6090b3c",
|
|
"indicator--891b078e-61b9-4e73-a255-c33d4056a9ff",
|
|
"indicator--75ba0f15-99c8-405f-985d-c1c29b93b69e",
|
|
"indicator--82597eec-ca83-44ef-9891-0001c9b8b859",
|
|
"indicator--fa31ec03-99c9-4591-aa13-8ef7d9b54735",
|
|
"indicator--53fcdd8e-d471-4a5a-979a-b568bd92315e",
|
|
"indicator--ee838d3f-f333-4347-9bc2-4bc3dc7bec16",
|
|
"x-misp-object--18623db4-3137-4d12-9c7f-6611ecc9bba3"
|
|
],
|
|
"labels": [
|
|
"Threat-Report",
|
|
"misp:tool=\"MISP-STIX-Converter\"",
|
|
"type:OSINT",
|
|
"osint:lifetime=\"perpetual\"",
|
|
"osint:certainty=\"50\"",
|
|
"tlp:clear",
|
|
"collaborative-intelligence:request=\"context\"",
|
|
"estimative-language:confidence-in-analytic-judgment=\"moderate\"",
|
|
"misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\"",
|
|
"misp-galaxy:country=\"ukraine\""
|
|
],
|
|
"object_marking_refs": [
|
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--3f7f43d2-3f5b-4889-bce9-1e7db7e98b8c",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-03-22T09:57:23.000Z",
|
|
"modified": "2023-03-22T09:57:23.000Z",
|
|
"description": "Distribution servers",
|
|
"pattern": "[domain-name:value = 'webservice-srv.online']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2023-03-22T09:57:23Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--f53a9fc1-30de-49ad-aecc-cd126e75420e",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-03-22T09:57:23.000Z",
|
|
"modified": "2023-03-22T09:57:23.000Z",
|
|
"description": "Distribution servers",
|
|
"pattern": "[domain-name:value = 'webservice-srv1.online']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2023-03-22T09:57:23Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--7670fb0e-124a-4f63-a2db-7bd9b0a20955",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-03-22T09:57:23.000Z",
|
|
"modified": "2023-03-22T09:57:23.000Z",
|
|
"description": "Distribution servers",
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.166.217.184']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2023-03-22T09:57:23Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"ip-dst\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--c364b5a4-6a58-48d4-ae44-acae539c5ec2",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-03-22T10:38:47.000Z",
|
|
"modified": "2023-03-22T10:38:47.000Z",
|
|
"description": "Lure archives",
|
|
"pattern": "[file:hashes.MD5 = '0a95a985e6be0918fdb4bfabf0847b5a']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2021-09-22T00:00:00Z",
|
|
"valid_until": "2023-03-22T00:00:00Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--f4d9620e-8f7c-485c-baaa-8f4e29767337",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-03-22T10:39:39.000Z",
|
|
"modified": "2023-03-22T10:39:39.000Z",
|
|
"description": "Lure archives",
|
|
"pattern": "[file:hashes.MD5 = 'ecb7af5771f4fe36a3065dc4d5516d84']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2022-04-28T00:00:00Z",
|
|
"valid_until": "2023-03-22T00:00:00Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--0262e716-cf69-4575-9242-2ad91defd641",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-03-22T10:40:03.000Z",
|
|
"modified": "2023-03-22T10:40:03.000Z",
|
|
"description": "Lure archives",
|
|
"pattern": "[file:hashes.MD5 = '765f45198cb8039079a28289eab761c5']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2022-06-06T00:00:00Z",
|
|
"valid_until": "2023-03-22T00:00:00Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--63e75a16-29eb-4779-b201-045152b4c3ea",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-03-22T10:40:27.000Z",
|
|
"modified": "2023-03-22T10:40:27.000Z",
|
|
"description": "Lure archives",
|
|
"pattern": "[file:hashes.MD5 = 'ebaf3c6818bfc619ca2876abd6979f6d']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2022-08-05T00:00:00Z",
|
|
"valid_until": "2023-03-22T00:00:00Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--2c3bed63-f9a6-4958-8101-578fbcba16fa",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-03-22T10:41:05.000Z",
|
|
"modified": "2023-03-22T10:41:05.000Z",
|
|
"description": "Lure archives",
|
|
"pattern": "[file:hashes.MD5 = '1032986517836a8b1f87db954722a33f']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2022-08-12T00:00:00Z",
|
|
"valid_until": "2023-03-22T00:00:00Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--abd928f6-cb7f-4df9-8d8a-c2e0cbb34734",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-03-22T10:41:30.000Z",
|
|
"modified": "2023-03-22T10:41:30.000Z",
|
|
"description": "Lure archives",
|
|
"pattern": "[file:hashes.MD5 = '1de44e8da621cdeb62825d367693c75e']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2022-09-23T00:00:00Z",
|
|
"valid_until": "2023-03-22T00:00:00Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--dadef232-712d-40c1-98bf-a6bdd6090b3c",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-03-22T10:19:33.000Z",
|
|
"modified": "2023-03-22T10:19:33.000Z",
|
|
"description": "CommonMagic network communication module",
|
|
"pattern": "[file:hashes.MD5 = '7c0e5627fd25c40374bc22035d3fadd8' AND file:name = 'Overall.exe']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2022-10-20T00:00:00Z",
|
|
"valid_until": "2023-03-22T00:00:00Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--891b078e-61b9-4e73-a255-c33d4056a9ff",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-03-22T10:23:16.000Z",
|
|
"modified": "2023-03-22T10:23:16.000Z",
|
|
"pattern": "[file:hashes.MD5 = '9e19fe5c3cf3e81f347dd78cf3c2e0c2' AND file:name = 'Clean.exe']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2022-10-20T00:00:00Z",
|
|
"valid_until": "2023-03-22T00:00:00Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--75ba0f15-99c8-405f-985d-c1c29b93b69e",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-03-22T10:22:20.000Z",
|
|
"modified": "2023-03-22T10:22:20.000Z",
|
|
"pattern": "[file:hashes.MD5 = 'ce8d77af445e3a7c7e56a6ea53af8c0d' AND file:name = 'All.exe']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2022-10-20T00:00:00Z",
|
|
"valid_until": "2023-03-22T00:00:00Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--82597eec-ca83-44ef-9891-0001c9b8b859",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-03-22T10:00:20.000Z",
|
|
"modified": "2023-03-22T10:00:20.000Z",
|
|
"pattern": "[file:hashes.MD5 = '1fe3a2502e330432f3cf37ca7acbffac']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2023-03-22T10:00:20Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--fa31ec03-99c9-4591-aa13-8ef7d9b54735",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-03-22T10:20:30.000Z",
|
|
"modified": "2023-03-22T10:20:30.000Z",
|
|
"pattern": "[file:hashes.MD5 = '8c2f5e7432f1e6ad22002991772d589b' AND file:name = 'manutil.vbs']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2023-03-21T00:00:00Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--53fcdd8e-d471-4a5a-979a-b568bd92315e",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-03-22T10:01:15.000Z",
|
|
"modified": "2023-03-22T10:01:15.000Z",
|
|
"pattern": "[file:hashes.MD5 = 'bec44b3194c78f6e858b1768c071c5db' AND file:name = 'service_pack.dat']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2023-03-22T10:01:15Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--ee838d3f-f333-4347-9bc2-4bc3dc7bec16",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-03-22T10:21:19.000Z",
|
|
"modified": "2023-03-22T10:21:19.000Z",
|
|
"description": "PowerMagic installer",
|
|
"pattern": "[file:hashes.MD5 = 'fee3db5db8817e82b1af4cedafd2f346' AND file:name = 'attachment.msi']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2022-09-23T00:00:00Z",
|
|
"valid_until": "2023-03-22T00:00:00Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--18623db4-3137-4d12-9c7f-6611ecc9bba3",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-03-22T10:06:32.000Z",
|
|
"modified": "2023-03-22T10:06:32.000Z",
|
|
"labels": [
|
|
"misp:name=\"report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "link",
|
|
"object_relation": "link",
|
|
"value": "https://securelist.com/bad-magic-apt/109087/",
|
|
"category": "External analysis",
|
|
"uuid": "b4470f51-5001-41db-9c75-a0253285d620"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "summary",
|
|
"value": "Since the start of the Russo-Ukrainian conflict, Kaspersky researchers and the international community at large have identified a significant number of cyberattacks executed in a political and geopolitical context. We previously published an overview of cyber activities and the threat landscape related to the conflict between Russia and Ukraine and continue to monitor new threats in these regions.\r\n\r\nIn October 2022, we identified an active infection of government, agriculture and transportation organizations located in the Donetsk, Lugansk, and Crimea regions. Although the initial vector of compromise is unclear, the details of the next stage imply the use of spear phishing or similar methods. The victims navigated to a URL pointing to a ZIP archive hosted on a malicious web server.",
|
|
"category": "Other",
|
|
"uuid": "1223eb19-ea81-4e8b-86ba-b532d31c6afd"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "type",
|
|
"value": "Blog",
|
|
"category": "Other",
|
|
"uuid": "176b4d82-2fe3-46f5-81f6-b4c64442e447"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "report"
|
|
},
|
|
{
|
|
"type": "marking-definition",
|
|
"spec_version": "2.1",
|
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
|
"created": "2017-01-20T00:00:00.000Z",
|
|
"definition_type": "tlp",
|
|
"name": "TLP:WHITE",
|
|
"definition": {
|
|
"tlp": "white"
|
|
}
|
|
}
|
|
]
|
|
} |