154 lines
No EOL
6 KiB
JSON
154 lines
No EOL
6 KiB
JSON
{
|
|
"Event": {
|
|
"analysis": "2",
|
|
"date": "2017-01-13",
|
|
"extends_uuid": "",
|
|
"info": "OSINT - Targeted Threat Leads to Keylogger via Fake Silverlight Update",
|
|
"publish_timestamp": "1484305746",
|
|
"published": true,
|
|
"threat_level_id": "3",
|
|
"timestamp": "1484303923",
|
|
"uuid": "5878acc1-7fdc-4ec3-9e09-47d4950d210f",
|
|
"Orgc": {
|
|
"name": "CIRCL",
|
|
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
|
|
},
|
|
"Tag": [
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": false,
|
|
"name": "tlp:white",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#00223b",
|
|
"local": false,
|
|
"name": "osint:source-type=\"blog-post\"",
|
|
"relationship_type": ""
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1484303571",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5878acd3-6ea0-4be2-bd6b-4f98950d210f",
|
|
"value": "Proofpoint researchers recently discovered a small email-based campaign attacking a major financial services provider. This attack was notable for a few reasons:\r\n\r\nThe attack was very narrow in scope - a small number of malicious emails appear to have been sent to users in a single organization\r\nThe emails included a Microsoft Word attachment that used an embedded object rather than macros to avoid detection; the embedded object was also highly obfuscated\r\nThe payload was an unidentified keylogger hardcoded to send logs from infected computers to two Gmail addresses.\r\nWhile the use of embedded objects instead of macros is not new, malicious macros remain the vector of choice for most threat actors at this time. However, we expect that this technique will become more popular in 2017."
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1484303586",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "5878ace2-c9f4-4ce1-8144-4205950d210f",
|
|
"value": "https://www.proofpoint.com/us/threat-insight/post/targeted-threat-leads-to-keylogger-via-fake-silverlight-update"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Attachment",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1484303648",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5878ad20-f5ac-4cf2-86b5-4789950d210f",
|
|
"value": "8b7845f5487847085753f940dbbd65c7e75e6be48918fcf9f0d98df169607003"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Hosted keylogger (since removed)",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1484303649",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "5878ad21-0fac-4ec7-b459-498f950d210f",
|
|
"value": "https://a.pomf.cat/sfkpiff.exe"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Keylogger",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1484303649",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5878ad21-e778-422e-8df3-4c26950d210f",
|
|
"value": "9a0b0832ac47b48475901269a0eb67f6287a2da64ec9a5cc8faf351ecd91d0e3"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Attachment - Xchecked via VT: 8b7845f5487847085753f940dbbd65c7e75e6be48918fcf9f0d98df169607003",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1484303924",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "5878ae34-0a14-4916-9491-4ba202de0b81",
|
|
"value": "22a88634423a79c649babda7391a500edd9b4ffb"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Attachment - Xchecked via VT: 8b7845f5487847085753f940dbbd65c7e75e6be48918fcf9f0d98df169607003",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1484303924",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5878ae34-07f4-4f6e-a97a-49ca02de0b81",
|
|
"value": "42f587b277f02445b526e3887893c2c5"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "Attachment - Xchecked via VT: 8b7845f5487847085753f940dbbd65c7e75e6be48918fcf9f0d98df169607003",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1484303925",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "5878ae35-6f78-4c76-a330-4b8c02de0b81",
|
|
"value": "https://www.virustotal.com/file/8b7845f5487847085753f940dbbd65c7e75e6be48918fcf9f0d98df169607003/analysis/1483629467/"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Keylogger - Xchecked via VT: 9a0b0832ac47b48475901269a0eb67f6287a2da64ec9a5cc8faf351ecd91d0e3",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1484303926",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "5878ae36-ca8c-4616-95f6-4a9202de0b81",
|
|
"value": "74b120c7e54f635b85e01ed744ef87d018e316f6"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Keylogger - Xchecked via VT: 9a0b0832ac47b48475901269a0eb67f6287a2da64ec9a5cc8faf351ecd91d0e3",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1484303926",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5878ae36-59a4-46f6-afa2-4ddc02de0b81",
|
|
"value": "f7b81cff17ea72ccc0031669d7575493"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "Keylogger - Xchecked via VT: 9a0b0832ac47b48475901269a0eb67f6287a2da64ec9a5cc8faf351ecd91d0e3",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1484303927",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "5878ae37-b5c8-419d-80fc-4da102de0b81",
|
|
"value": "https://www.virustotal.com/file/9a0b0832ac47b48475901269a0eb67f6287a2da64ec9a5cc8faf351ecd91d0e3/analysis/1483629543/"
|
|
}
|
|
]
|
|
}
|
|
} |