255 lines
No EOL
11 KiB
JSON
255 lines
No EOL
11 KiB
JSON
{
|
|
"type": "bundle",
|
|
"id": "bundle--5743f37c-c11c-426d-843b-4d83950d210f",
|
|
"objects": [
|
|
{
|
|
"type": "identity",
|
|
"spec_version": "2.1",
|
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-05-24T06:29:19.000Z",
|
|
"modified": "2016-05-24T06:29:19.000Z",
|
|
"name": "CIRCL",
|
|
"identity_class": "organization"
|
|
},
|
|
{
|
|
"type": "report",
|
|
"spec_version": "2.1",
|
|
"id": "report--5743f37c-c11c-426d-843b-4d83950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-05-24T06:29:19.000Z",
|
|
"modified": "2016-05-24T06:29:19.000Z",
|
|
"name": "OSINT - Targeted Attacks against Banks in the Middle East",
|
|
"published": "2016-05-24T06:51:41Z",
|
|
"object_refs": [
|
|
"observed-data--5743f3a0-432c-4528-af39-6725950d210f",
|
|
"url--5743f3a0-432c-4528-af39-6725950d210f",
|
|
"x-misp-attribute--5743f3b0-3790-41ee-baef-4522950d210f",
|
|
"x-misp-attribute--5743f3cd-7aa0-4fe8-bfe9-4bbf950d210f",
|
|
"indicator--5743f406-6e3c-40d8-988a-6cbe950d210f",
|
|
"indicator--5743f407-9098-4ee5-af45-6cbe950d210f",
|
|
"observed-data--5743f446-ef1c-458e-9750-40cb950d210f",
|
|
"url--5743f446-ef1c-458e-9750-40cb950d210f",
|
|
"observed-data--5743f447-cbe4-4f33-ac7c-40cb950d210f",
|
|
"url--5743f447-cbe4-4f33-ac7c-40cb950d210f",
|
|
"indicator--5743f484-51d0-442c-aba2-4fb8950d210f",
|
|
"indicator--5743f4be-bed8-49d7-8abe-4ff4950d210f"
|
|
],
|
|
"labels": [
|
|
"Threat-Report",
|
|
"misp:tool=\"MISP-STIX-Converter\"",
|
|
"circl:topic=\"finance\"",
|
|
"type:OSINT"
|
|
],
|
|
"object_marking_refs": [
|
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--5743f3a0-432c-4528-af39-6725950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-05-24T06:24:32.000Z",
|
|
"modified": "2016-05-24T06:24:32.000Z",
|
|
"first_observed": "2016-05-24T06:24:32Z",
|
|
"last_observed": "2016-05-24T06:24:32Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--5743f3a0-432c-4528-af39-6725950d210f"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--5743f3a0-432c-4528-af39-6725950d210f",
|
|
"value": "https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html"
|
|
},
|
|
{
|
|
"type": "x-misp-attribute",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-attribute--5743f3b0-3790-41ee-baef-4522950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-05-24T06:24:48.000Z",
|
|
"modified": "2016-05-24T06:24:48.000Z",
|
|
"labels": [
|
|
"misp:type=\"comment\"",
|
|
"misp:category=\"External analysis\""
|
|
],
|
|
"x_misp_category": "External analysis",
|
|
"x_misp_type": "comment",
|
|
"x_misp_value": "In the first week of May 2016, FireEye\u00e2\u20ac\u2122s DTI identified a wave of emails containing malicious attachments being sent to multiple banks in the Middle East region. The threat actors appear to be performing initial reconnaissance against would-be targets, and the attacks caught our attention since they were using unique scripts not commonly seen in crimeware campaigns.\r\n\r\nIn this blog we discuss in detail the tools, tactics, techniques and procedures (TTPs) used in these targeted attacks.\r\nDelivery Method\r\n\r\nThe attackers sent multiple emails containing macro-enabled XLS files to employees working in the banking sector in the Middle East. The themes of the messages used in the attacks are related to IT Infrastructure such as a log of Server Status Report or a list of Cisco Iron Port Appliance details. In one case, the content of the email appeared to be a legitimate email conversation between several employees, even containing contact details of employees from several banks. This email was then forwarded to several people, with the malicious Excel file attached."
|
|
},
|
|
{
|
|
"type": "x-misp-attribute",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-attribute--5743f3cd-7aa0-4fe8-bfe9-4bbf950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-05-24T06:25:17.000Z",
|
|
"modified": "2016-05-24T06:25:17.000Z",
|
|
"labels": [
|
|
"misp:type=\"windows-scheduled-task\"",
|
|
"misp:category=\"Artifacts dropped\"",
|
|
"misp:to_ids=\"True\""
|
|
],
|
|
"x_misp_category": "Artifacts dropped",
|
|
"x_misp_type": "windows-scheduled-task",
|
|
"x_misp_value": "GoogleUpdateTaskMachineUI"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5743f406-6e3c-40d8-988a-6cbe950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-05-24T06:26:14.000Z",
|
|
"modified": "2016-05-24T06:26:14.000Z",
|
|
"pattern": "[file:name = '\\\\%PUBLIC\\\\%\\\\Libraries\\\\update.vbs']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-05-24T06:26:14Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Artifacts dropped"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"filename\"",
|
|
"misp:category=\"Artifacts dropped\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5743f407-9098-4ee5-af45-6cbe950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-05-24T06:26:15.000Z",
|
|
"modified": "2016-05-24T06:26:15.000Z",
|
|
"pattern": "[file:name = '\\\\%PUBLIC\\\\%\\\\Libraries\\\\dns.ps1']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-05-24T06:26:15Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Artifacts dropped"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"filename\"",
|
|
"misp:category=\"Artifacts dropped\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--5743f446-ef1c-458e-9750-40cb950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-05-24T06:27:18.000Z",
|
|
"modified": "2016-05-24T06:27:18.000Z",
|
|
"first_observed": "2016-05-24T06:27:18Z",
|
|
"last_observed": "2016-05-24T06:27:18Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--5743f446-ef1c-458e-9750-40cb950d210f"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--5743f446-ef1c-458e-9750-40cb950d210f",
|
|
"value": "http://go0gIe.com/sysupdate.aspx?req=xxx.wn&m=d"
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--5743f447-cbe4-4f33-ac7c-40cb950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-05-24T06:27:19.000Z",
|
|
"modified": "2016-05-24T06:27:19.000Z",
|
|
"first_observed": "2016-05-24T06:27:19Z",
|
|
"last_observed": "2016-05-24T06:27:19Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--5743f447-cbe4-4f33-ac7c-40cb950d210f"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--5743f447-cbe4-4f33-ac7c-40cb950d210f",
|
|
"value": "http://go0gIe.com/sysupdate.aspx?req=xxx.at&m=d"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5743f484-51d0-442c-aba2-4fb8950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-05-24T06:28:20.000Z",
|
|
"modified": "2016-05-24T06:28:20.000Z",
|
|
"pattern": "[domain-name:value = 'go0gie.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-05-24T06:28:20Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"hostname\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5743f4be-bed8-49d7-8abe-4ff4950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-05-24T06:29:18.000Z",
|
|
"modified": "2016-05-24T06:29:18.000Z",
|
|
"description": "First Stage Download",
|
|
"pattern": "[url:value = 'http://go0gIe.com/sysupdate.aspx']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-05-24T06:29:18Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "marking-definition",
|
|
"spec_version": "2.1",
|
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
|
"created": "2017-01-20T00:00:00.000Z",
|
|
"definition_type": "tlp",
|
|
"name": "TLP:WHITE",
|
|
"definition": {
|
|
"tlp": "white"
|
|
}
|
|
}
|
|
]
|
|
} |