339 lines
No EOL
16 KiB
JSON
339 lines
No EOL
16 KiB
JSON
{
|
|
"type": "bundle",
|
|
"id": "bundle--5c9a14a9-fdb0-4cc9-bd13-4cbf950d210f",
|
|
"objects": [
|
|
{
|
|
"type": "identity",
|
|
"spec_version": "2.1",
|
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-03-27T11:07:59.000Z",
|
|
"modified": "2019-03-27T11:07:59.000Z",
|
|
"name": "CIRCL",
|
|
"identity_class": "organization"
|
|
},
|
|
{
|
|
"type": "report",
|
|
"spec_version": "2.1",
|
|
"id": "report--5c9a14a9-fdb0-4cc9-bd13-4cbf950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-03-27T11:07:59.000Z",
|
|
"modified": "2019-03-27T11:07:59.000Z",
|
|
"name": "OSINT - Operation ShadowHammer",
|
|
"published": "2019-03-27T11:08:21Z",
|
|
"object_refs": [
|
|
"observed-data--5c9a14e7-fc60-4b49-ac81-44ae950d210f",
|
|
"url--5c9a14e7-fc60-4b49-ac81-44ae950d210f",
|
|
"x-misp-attribute--5c9a2d32-3adc-4bf9-9f82-4fee950d210f",
|
|
"indicator--5c9a33f9-2020-4101-928d-479e950d210f",
|
|
"indicator--5c9a33f9-88fc-48a0-a359-4453950d210f",
|
|
"indicator--5c9a3465-9d28-4850-b023-4764950d210f",
|
|
"indicator--5c9a3465-66cc-416c-a6fd-4ca0950d210f",
|
|
"indicator--5c9a3465-d084-4aaf-8fea-42ac950d210f",
|
|
"indicator--5c9a3465-934c-4151-a89c-4162950d210f",
|
|
"indicator--5c9a3526-754c-4934-8909-4a25950d210f",
|
|
"indicator--537ea655-a98c-4e82-be08-82c443bb1cf5",
|
|
"x-misp-object--d2b9c7e0-17ac-4a21-8d16-a5c22bc59962",
|
|
"relationship--0c831c1c-1360-4135-af3c-9e5fb16488b1"
|
|
],
|
|
"labels": [
|
|
"Threat-Report",
|
|
"misp:tool=\"MISP-STIX-Converter\"",
|
|
"type:OSINT",
|
|
"osint:lifetime=\"perpetual\"",
|
|
"osint:certainty=\"50\"",
|
|
"osint:source-type=\"blog-post\"",
|
|
"misp-galaxy:threat-actor=\"Operation ShadowHammer\""
|
|
],
|
|
"object_marking_refs": [
|
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--5c9a14e7-fc60-4b49-ac81-44ae950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-03-26T13:46:40.000Z",
|
|
"modified": "2019-03-26T13:46:40.000Z",
|
|
"first_observed": "2019-03-26T13:46:40Z",
|
|
"last_observed": "2019-03-26T13:46:40Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--5c9a14e7-fc60-4b49-ac81-44ae950d210f"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\"",
|
|
"osint:source-type=\"blog-post\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--5c9a14e7-fc60-4b49-ac81-44ae950d210f",
|
|
"value": "https://securelist.com/operation-shadowhammer/89992/"
|
|
},
|
|
{
|
|
"type": "x-misp-attribute",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-attribute--5c9a2d32-3adc-4bf9-9f82-4fee950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-03-26T13:46:39.000Z",
|
|
"modified": "2019-03-26T13:46:39.000Z",
|
|
"labels": [
|
|
"misp:type=\"text\"",
|
|
"misp:category=\"External analysis\"",
|
|
"osint:source-type=\"blog-post\""
|
|
],
|
|
"x_misp_category": "External analysis",
|
|
"x_misp_type": "text",
|
|
"x_misp_value": "Earlier today, Motherboard published a story by Kim Zetter on Operation ShadowHammer, a newly discovered supply chain attack that leveraged ASUS Live Update software.\r\n\r\nWhile the investigation is still in progress and full results and technical paper will be published during SAS 2019 conference in Singapore, we would like to share some important details about the attack.\r\n\r\nIn January 2019, we discovered a sophisticated supply chain attack involving the ASUS Live Update Utility. The attack took place between June and November 2018 and according to our telemetry, it affected a large number of users.\r\n\r\nASUS Live Update is an utility that is pre-installed on most ASUS computers and is used to automatically update certain components such as BIOS, UEFI, drivers and applications. According to Gartner, ASUS is the world\u00e2\u20ac\u2122s 5th-largest PC vendor by 2017 unit sales. This makes it an extremely attractive target for APT groups that might want to take advantage of their userbase.\r\n\r\nBased on our statistics, over 57,000 Kaspersky users have downloaded and installed the backdoored version of ASUS Live Update at some point in time. We are not able to calculate the total count of affected users based only on our data; however, we estimate that the real scale of the problem is much bigger and is possibly affecting over a million users worldwide.\r\n\r\nThe goal of the attack was to surgically target an unknown pool of users, which were identified by their network adapters\u00e2\u20ac\u2122 MAC addresses. To achieve this, the attackers had hardcoded a list of MAC addresses in the trojanized samples and this list was used to identify the actual intended targets of this massive operation. We were able to extract more than 600 unique MAC addresses from over 200 samples used in this attack. Of course, there might be other samples out there with different MAC addresses in their list."
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5c9a33f9-2020-4101-928d-479e950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-03-26T14:15:21.000Z",
|
|
"modified": "2019-03-26T14:15:21.000Z",
|
|
"pattern": "[domain-name:value = 'asushotfix.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-03-26T14:15:21Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5c9a33f9-88fc-48a0-a359-4453950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-03-26T14:15:21.000Z",
|
|
"modified": "2019-03-26T14:15:21.000Z",
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '141.105.71.116']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-03-26T14:15:21Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"ip-dst\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5c9a3465-9d28-4850-b023-4764950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-03-26T14:17:09.000Z",
|
|
"modified": "2019-03-26T14:17:09.000Z",
|
|
"description": "Some of the URLs used to distribute the compromised packages",
|
|
"pattern": "[url:value = 'http://liveupdate01.asus.com/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/Liveupdate_Test_VER365.zip']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-03-26T14:17:09Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5c9a3465-66cc-416c-a6fd-4ca0950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-03-26T14:17:09.000Z",
|
|
"modified": "2019-03-26T14:17:09.000Z",
|
|
"description": "Some of the URLs used to distribute the compromised packages",
|
|
"pattern": "[url:value = 'https://liveupdate01s.asus.com/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/Liveupdate_Test_VER362.zip']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-03-26T14:17:09Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5c9a3465-d084-4aaf-8fea-42ac950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-03-26T14:17:09.000Z",
|
|
"modified": "2019-03-26T14:17:09.000Z",
|
|
"description": "Some of the URLs used to distribute the compromised packages",
|
|
"pattern": "[url:value = 'https://liveupdate01s.asus.com/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/Liveupdate_Test_VER360.zip']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-03-26T14:17:09Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5c9a3465-934c-4151-a89c-4162950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-03-26T14:17:09.000Z",
|
|
"modified": "2019-03-26T14:17:09.000Z",
|
|
"description": "Some of the URLs used to distribute the compromised packages",
|
|
"pattern": "[url:value = 'https://liveupdate01s.asus.com/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/Liveupdate_Test_VER359.zip']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-03-26T14:17:09Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5c9a3526-754c-4934-8909-4a25950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-03-26T14:20:22.000Z",
|
|
"modified": "2019-03-26T14:20:22.000Z",
|
|
"pattern": "[file:hashes.MD5 = 'aa15eb28292321b586c27d8401703494' AND file:hashes.SHA256 = 'bebb16193e4b80f4bc053e4fa818aa4e2832885392469cd5b8ace5cec7e4ca19' AND file:name = 'Liveupdate_Test_VER365.zip' AND file:name_enc = 'Adobe-Standard-Encoding' AND file:x_misp_state = 'Malicious']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-03-26T14:20:22Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--537ea655-a98c-4e82-be08-82c443bb1cf5",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-03-27T11:07:50.000Z",
|
|
"modified": "2019-03-27T11:07:50.000Z",
|
|
"pattern": "[file:hashes.MD5 = 'aa15eb28292321b586c27d8401703494' AND file:hashes.SHA1 = '69c08086c164e58a6d0398b0ffdcb957930b4cf2' AND file:hashes.SHA256 = 'bebb16193e4b80f4bc053e4fa818aa4e2832885392469cd5b8ace5cec7e4ca19']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-03-27T11:07:50Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--d2b9c7e0-17ac-4a21-8d16-a5c22bc59962",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-03-27T11:07:50.000Z",
|
|
"modified": "2019-03-27T11:07:50.000Z",
|
|
"labels": [
|
|
"misp:name=\"virustotal-report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "datetime",
|
|
"object_relation": "last-submission",
|
|
"value": "2019-03-27T08:56:52",
|
|
"category": "Other",
|
|
"uuid": "87e5433a-a1ed-4904-8270-06888e4ae806"
|
|
},
|
|
{
|
|
"type": "link",
|
|
"object_relation": "permalink",
|
|
"value": "https://www.virustotal.com/file/bebb16193e4b80f4bc053e4fa818aa4e2832885392469cd5b8ace5cec7e4ca19/analysis/1553677012/",
|
|
"category": "Payload delivery",
|
|
"uuid": "72c6e7c9-8c37-4da4-9e25-c46786a7b4c4"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "detection-ratio",
|
|
"value": "34/63",
|
|
"category": "Payload delivery",
|
|
"uuid": "d024a395-7683-4662-b1ea-2bcb72aca5bc"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "virustotal-report"
|
|
},
|
|
{
|
|
"type": "relationship",
|
|
"spec_version": "2.1",
|
|
"id": "relationship--0c831c1c-1360-4135-af3c-9e5fb16488b1",
|
|
"created": "2019-03-27T11:07:50.000Z",
|
|
"modified": "2019-03-27T11:07:50.000Z",
|
|
"relationship_type": "analysed-with",
|
|
"source_ref": "indicator--537ea655-a98c-4e82-be08-82c443bb1cf5",
|
|
"target_ref": "x-misp-object--d2b9c7e0-17ac-4a21-8d16-a5c22bc59962"
|
|
},
|
|
{
|
|
"type": "marking-definition",
|
|
"spec_version": "2.1",
|
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
|
"created": "2017-01-20T00:00:00.000Z",
|
|
"definition_type": "tlp",
|
|
"name": "TLP:WHITE",
|
|
"definition": {
|
|
"tlp": "white"
|
|
}
|
|
}
|
|
]
|
|
} |