{
|
|
"Event": {
|
|
"analysis": "2",
|
|
"date": "2017-04-28",
|
|
"extends_uuid": "",
|
|
"info": "OSINT - Similarities Between Carbanak and FIN7 Malware Suggest Actors Are Closely Related",
|
|
"publish_timestamp": "1493360094",
|
|
"published": true,
|
|
"threat_level_id": "3",
|
|
"timestamp": "1493360090",
|
|
"uuid": "5902dd26-4a34-4d46-be1f-45f8950d210f",
|
|
"Orgc": {
|
|
"name": "CIRCL",
|
|
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
|
|
},
|
|
"Tag": [
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": false,
|
|
"name": "tlp:white",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#007c97",
|
|
"local": false,
|
|
"name": "veris:actor:motive=\"Financial\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#6bd600",
|
|
"local": false,
|
|
"name": "circl:topic=\"finance\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#12e400",
|
|
"local": false,
|
|
"name": "misp-galaxy:threat-actor=\"Anunak\"",
|
|
"relationship_type": ""
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1493360021",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "5902dd5b-bf98-4955-823f-4667950d210f",
|
|
"value": "https://blog.cyber4sight.com/2017/04/similarities-between-carbanak-and-fin7-malware-suggest-actors-are-closely-related/",
|
|
"Tag": [
|
|
{
|
|
"colour": "#00223b",
|
|
"local": false,
|
|
"name": "osint:source-type=\"blog-post\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#001cad",
|
|
"local": false,
|
|
"name": "estimative-language:likelihood-probability=\"very-likely\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#14ff00",
|
|
"local": false,
|
|
"name": "admiralty-scale:information-credibility=\"6\"",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1493360021",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5902dd6b-c95c-466f-af0b-4c20950d210f",
|
|
"value": "Several days ago, researchers at FireEye attributed a recent phishing campaign to FIN7, a campaign in which cybercriminals delivered malicious Microsoft Office documents to users, deploying both Cobalt Strike and a VBS-based backdoor on infected workstations. This report contained a sentence of particular interest to Cyber4Sight: \u201cFIN7 is referred to by many vendors as \u2018Carbanak Group,\u2019 although we do not equate all usage of the Carbanak backdoor with FIN7.\u201d In their previous report on this threat actor group, FireEye stopped short of making this direct connection, stating instead that \u201cThe use of the CARBANAK malware in FIN7 operations also provides limited evidence that these campaigns are linked to previously observed CARBANAK operations leading to fraudulent banking transactions, ATM compromise, and other monetization schemes.\u201d\r\n\r\nWe\u2019ve ultimately concluded that this nuanced change in language is probably not a coincidence: during our investigation, we determined that the malware used in this most recent FIN7 campaign is a modified version of the malware used in Operation Grand Mars, a Carbanak-attributed campaign with similar TTPs identified by Trustwave researchers in January 2017.\r\n\r\nBased on these technical similarities, we believe that Carbanak and FIN7 are likely the same actor or very closely associated actors.",
|
|
"Tag": [
|
|
{
|
|
"colour": "#00223b",
|
|
"local": false,
|
|
"name": "osint:source-type=\"blog-post\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#001cad",
|
|
"local": false,
|
|
"name": "estimative-language:likelihood-probability=\"very-likely\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#14ff00",
|
|
"local": false,
|
|
"name": "admiralty-scale:information-credibility=\"6\"",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "C2 Domains and IP Addresses",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1493360061",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "5902ddbd-5898-4c0e-86a5-4aa9950d210f",
|
|
"value": "http://31.148.219.141:80/cd"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "C2 Domains and IP Addresses",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1493360061",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "5902ddbd-272c-404e-be85-4045950d210f",
|
|
"value": "http://31.148.219.141:443/cd"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "C2 Domains and IP Addresses",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1493360061",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "5902ddbd-f1f8-4510-8b29-42f4950d210f",
|
|
"value": "http://31.148.219.141:8080/cd"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "C2 Domains and IP Addresses",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1493360062",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "5902ddbe-daa8-48fe-a224-4cf4950d210f",
|
|
"value": "http://204.155.31.174:80/cd"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "C2 Domains and IP Addresses",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1493360062",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "5902ddbe-4890-463a-b36a-41f6950d210f",
|
|
"value": "http://204.155.31.174:443/cd"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "C2 Domains and IP Addresses",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1493360063",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "5902ddbf-0ef8-4d7a-9852-4bdd950d210f",
|
|
"value": "http://204.155.31.174:8080/cd"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "C2 Domains and IP Addresses",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1493360063",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "5902ddbf-da7c-4d95-be0c-4523950d210f",
|
|
"value": "http://198.100.119.7:443/cd"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "C2 Domains and IP Addresses",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1493360063",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "5902ddbf-5174-4d2c-ade3-400f950d210f",
|
|
"value": "http://198.100.119.7:80/cd"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "C2 Domains and IP Addresses",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1493360064",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "5902ddc0-3d28-4eb9-bed0-4f61950d210f",
|
|
"value": "http://198.100.119.7:8080/cd"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "C2 Domains and IP Addresses",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1493360064",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "5902ddc0-c7b4-4b3b-beec-4225950d210f",
|
|
"value": "http://204.155.31.167:80/cd"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "C2 Domains and IP Addresses",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1493360065",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "5902ddc1-07ec-4193-b7f0-4367950d210f",
|
|
"value": "http://204.155.31.167:443/cd"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "C2 Domains and IP Addresses",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1493360065",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "5902ddc1-a004-4a5b-95c2-481a950d210f",
|
|
"value": "http://204.155.31.167:8080/cd"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "C2 Domains and IP Addresses",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1493360065",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5902ddc1-51e0-4def-b819-4ae2950d210f",
|
|
"value": "31.148.219.141"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "C2 Domains and IP Addresses",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1493360066",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5902ddc2-5f98-494b-9f58-4875950d210f",
|
|
"value": "204.155.31.174"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "C2 Domains and IP Addresses",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1493360066",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5902ddc2-a364-4c0d-af03-4d61950d210f",
|
|
"value": "198.100.119.7"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "C2 Domains and IP Addresses",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1493360067",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5902ddc3-4778-4cd8-9dcd-4ebc950d210f",
|
|
"value": "204.155.31.167"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "C2 Domains and IP Addresses",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1493360067",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5902ddc3-1184-44af-aeb9-4717950d210f",
|
|
"value": "198.100.119.6"
|
|
}
|
|
]
|
|
}
|
|
} |