476 lines
No EOL
16 KiB
JSON
476 lines
No EOL
16 KiB
JSON
{
|
|
"Event": {
|
|
"analysis": "1",
|
|
"date": "2023-03-22",
|
|
"extends_uuid": "",
|
|
"info": "OSINT - Bad magic: new APT found in the area of Russo-Ukrainian conflict",
|
|
"publish_timestamp": "1679481891",
|
|
"published": true,
|
|
"threat_level_id": "3",
|
|
"timestamp": "1679481690",
|
|
"uuid": "f3eda2d3-840b-46ba-ac74-50b68a58b0fe",
|
|
"Orgc": {
|
|
"name": "CIRCL",
|
|
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
|
|
},
|
|
"Tag": [
|
|
{
|
|
"colour": "#004646",
|
|
"name": "type:OSINT"
|
|
},
|
|
{
|
|
"colour": "#0071c3",
|
|
"name": "osint:lifetime=\"perpetual\""
|
|
},
|
|
{
|
|
"colour": "#0087e8",
|
|
"name": "osint:certainty=\"50\""
|
|
},
|
|
{
|
|
"colour": "#ffffff",
|
|
"name": "tlp:white"
|
|
},
|
|
{
|
|
"colour": "#ffffff",
|
|
"name": "tlp:clear"
|
|
},
|
|
{
|
|
"colour": "#a80032",
|
|
"name": "collaborative-intelligence:request=\"context\""
|
|
},
|
|
{
|
|
"colour": "#0026eb",
|
|
"name": "estimative-language:confidence-in-analytic-judgment=\"moderate\""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"name": "misp-galaxy:country=\"ukraine\""
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Distribution servers",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1679479043",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "3f7f43d2-3f5b-4889-bce9-1e7db7e98b8c",
|
|
"value": "webservice-srv.online"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Distribution servers",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1679479043",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "f53a9fc1-30de-49ad-aecc-cd126e75420e",
|
|
"value": "webservice-srv1.online"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Distribution servers",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1679479043",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "7670fb0e-124a-4f63-a2db-7bd9b0a20955",
|
|
"value": "185.166.217.184"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Lure archives",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"first_seen": "2021-09-22T00:00:00+00:00",
|
|
"last_seen": "2023-03-22T00:00:00+00:00",
|
|
"timestamp": "1679481527",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "c364b5a4-6a58-48d4-ae44-acae539c5ec2",
|
|
"value": "0a95a985e6be0918fdb4bfabf0847b5a"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Lure archives",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"first_seen": "2022-04-28T00:00:00+00:00",
|
|
"last_seen": "2023-03-22T00:00:00+00:00",
|
|
"timestamp": "1679481579",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "f4d9620e-8f7c-485c-baaa-8f4e29767337",
|
|
"value": "ecb7af5771f4fe36a3065dc4d5516d84"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Lure archives",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"first_seen": "2022-06-06T00:00:00+00:00",
|
|
"last_seen": "2023-03-22T00:00:00+00:00",
|
|
"timestamp": "1679481603",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "0262e716-cf69-4575-9242-2ad91defd641",
|
|
"value": "765f45198cb8039079a28289eab761c5"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Lure archives",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"first_seen": "2022-08-05T00:00:00+00:00",
|
|
"last_seen": "2023-03-22T00:00:00+00:00",
|
|
"timestamp": "1679481627",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "63e75a16-29eb-4779-b201-045152b4c3ea",
|
|
"value": "ebaf3c6818bfc619ca2876abd6979f6d"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Lure archives",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"first_seen": "2022-08-12T00:00:00+00:00",
|
|
"last_seen": "2023-03-22T00:00:00+00:00",
|
|
"timestamp": "1679481665",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "2c3bed63-f9a6-4958-8101-578fbcba16fa",
|
|
"value": "1032986517836a8b1f87db954722a33f"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Lure archives",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"first_seen": "2022-09-23T00:00:00+00:00",
|
|
"last_seen": "2023-03-22T00:00:00+00:00",
|
|
"timestamp": "1679481690",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "abd928f6-cb7f-4df9-8d8a-c2e0cbb34734",
|
|
"value": "1de44e8da621cdeb62825d367693c75e"
|
|
}
|
|
],
|
|
"Object": [
|
|
{
|
|
"comment": "CommonMagic network communication module",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"first_seen": "2022-10-20T00:00:00+00:00",
|
|
"last_seen": "2023-03-22T00:00:00+00:00",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "24",
|
|
"timestamp": "1679480373",
|
|
"uuid": "dadef232-712d-40c1-98bf-a6bdd6090b3c",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1679480373",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "c05bade1-e39d-442a-a373-32a872eaa910",
|
|
"value": "7c0e5627fd25c40374bc22035d3fadd8"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "filename",
|
|
"timestamp": "1679480373",
|
|
"to_ids": true,
|
|
"type": "filename",
|
|
"uuid": "864979c3-0ddb-4e76-a36b-378e634f6330",
|
|
"value": "Overall.exe"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"first_seen": "2022-10-20T00:00:00+00:00",
|
|
"last_seen": "2023-03-22T00:00:00+00:00",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "24",
|
|
"timestamp": "1679480596",
|
|
"uuid": "891b078e-61b9-4e73-a255-c33d4056a9ff",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "CommonMagic cryptography module",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1679480596",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "06c8dd6f-28aa-4638-b385-dcaa21c3ba22",
|
|
"value": "9e19fe5c3cf3e81f347dd78cf3c2e0c2"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "CommonMagic cryptography module",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "filename",
|
|
"timestamp": "1679480596",
|
|
"to_ids": false,
|
|
"type": "filename",
|
|
"uuid": "4c4f260a-08bf-4357-871b-d909e0a9a2c4",
|
|
"value": "Clean.exe"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"first_seen": "2022-10-20T00:00:00+00:00",
|
|
"last_seen": "2023-03-22T00:00:00+00:00",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "24",
|
|
"timestamp": "1679480540",
|
|
"uuid": "75ba0f15-99c8-405f-985d-c1c29b93b69e",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "CommonMagic loader",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1679480540",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "d039f294-7a41-4f11-96da-58c7e91b8448",
|
|
"value": "ce8d77af445e3a7c7e56a6ea53af8c0d"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "CommonMagic loader",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "filename",
|
|
"timestamp": "1679480540",
|
|
"to_ids": false,
|
|
"type": "filename",
|
|
"uuid": "3cf82e24-1783-40cf-b4f6-b7127730cd5f",
|
|
"value": "All.exe"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "24",
|
|
"timestamp": "1679479220",
|
|
"uuid": "82597eec-ca83-44ef-9891-0001c9b8b859",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "PowerMagic backdoor",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1679479220",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5f9407af-d730-4d7a-b49f-bcfd2fc7604d",
|
|
"value": "1fe3a2502e330432f3cf37ca7acbffac"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"first_seen": "2023-03-21T00:00:00+00:00",
|
|
"last_seen": "2023-03-21T00:00:00+00:00",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "24",
|
|
"timestamp": "1679480430",
|
|
"uuid": "fa31ec03-99c9-4591-aa13-8ef7d9b54735",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "PowerMagic loader",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1679480430",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "2c137c6f-27aa-4890-83a1-fccb4f2d9b02",
|
|
"value": "8c2f5e7432f1e6ad22002991772d589b"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "PowerMagic loader",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "filename",
|
|
"timestamp": "1679480430",
|
|
"to_ids": true,
|
|
"type": "filename",
|
|
"uuid": "db336699-756c-49cd-81b7-b58d5947b11f",
|
|
"value": "manutil.vbs"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "24",
|
|
"timestamp": "1679479275",
|
|
"uuid": "53fcdd8e-d471-4a5a-979a-b568bd92315e",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "PowerMagic dropper",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1679479275",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "8bc136ad-f36c-41d1-9a64-3c9431956d18",
|
|
"value": "bec44b3194c78f6e858b1768c071c5db"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "PowerMagic dropper",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "filename",
|
|
"timestamp": "1679479275",
|
|
"to_ids": true,
|
|
"type": "filename",
|
|
"uuid": "44a823e5-1ec2-4fc1-a12b-77ae7035c7cf",
|
|
"value": "service_pack.dat"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "PowerMagic installer",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"first_seen": "2022-09-23T00:00:00+00:00",
|
|
"last_seen": "2023-03-22T00:00:00+00:00",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "24",
|
|
"timestamp": "1679480479",
|
|
"uuid": "ee838d3f-f333-4347-9bc2-4bc3dc7bec16",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1679480479",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "663e7cb1-5df9-4b1a-9578-81c4ce94c5fb",
|
|
"value": "fee3db5db8817e82b1af4cedafd2f346"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "filename",
|
|
"timestamp": "1679480479",
|
|
"to_ids": true,
|
|
"type": "filename",
|
|
"uuid": "65e4339c-33fa-41fb-827f-f22248aad017",
|
|
"value": "attachment.msi"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "Metadata used to generate an executive level report",
|
|
"meta-category": "misc",
|
|
"name": "report",
|
|
"template_uuid": "70a68471-df22-4e3f-aa1a-5a3be19f82df",
|
|
"template_version": "7",
|
|
"timestamp": "1679479592",
|
|
"uuid": "18623db4-3137-4d12-9c7f-6611ecc9bba3",
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "link",
|
|
"timestamp": "1679479592",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "b4470f51-5001-41db-9c75-a0253285d620",
|
|
"value": "https://securelist.com/bad-magic-apt/109087/"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "summary",
|
|
"timestamp": "1679479592",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "1223eb19-ea81-4e8b-86ba-b532d31c6afd",
|
|
"value": "Since the start of the Russo-Ukrainian conflict, Kaspersky researchers and the international community at large have identified a significant number of cyberattacks executed in a political and geopolitical context. We previously published an overview of cyber activities and the threat landscape related to the conflict between Russia and Ukraine and continue to monitor new threats in these regions.\r\n\r\nIn October 2022, we identified an active infection of government, agriculture and transportation organizations located in the Donetsk, Lugansk, and Crimea regions. Although the initial vector of compromise is unclear, the details of the next stage imply the use of spear phishing or similar methods. The victims navigated to a URL pointing to a ZIP archive hosted on a malicious web server."
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "type",
|
|
"timestamp": "1679479592",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "176b4d82-2fe3-46f5-81f6-b4c64442e447",
|
|
"value": "Blog"
|
|
}
|
|
]
|
|
}
|
|
]
|
|
}
|
|
} |