misp-circl-feed/feeds/circl/misp/5a69e332-f944-46f8-b172-637202de0b81.json

210 lines
No EOL
7 KiB
JSON

{
"Event": {
"analysis": "2",
"date": "2018-01-25",
"extends_uuid": "",
"info": "OSINT - Masuta : Satori Creators\u00e2\u20ac\u2122 Second Botnet Weaponizes A New Router Exploit.",
"publish_timestamp": "1518771128",
"published": true,
"threat_level_id": "3",
"timestamp": "1516935657",
"uuid": "5a69e332-f944-46f8-b172-637202de0b81",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#ffffff",
"local": "0",
"name": "tlp:white",
"relationship_type": ""
},
{
"colour": "#670080",
"local": "0",
"name": "ms-caro-malware:malware-platform=\"Linux\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": "0",
"name": "misp-galaxy:threat-actor=\"Nexus Zeta\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": "0",
"name": "misp-galaxy:tool=\"Masuta\"",
"relationship_type": ""
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1516888894",
"to_ids": false,
"type": "link",
"uuid": "5a69e33e-c4d8-40e4-95d5-4ea302de0b81",
"value": "https://blog.newskysecurity.com/masuta-satori-creators-second-botnet-weaponizes-a-new-router-exploit-2ddc51cc52a7"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1516888919",
"to_ids": false,
"type": "text",
"uuid": "5a69e357-429c-4316-8060-4ae502de0b81",
"value": "Since the inception of the Mirai code leak, many botnets have been seen in the IoT threat landscape. While some of them are clearly Mirai carbon copies, others have added new attack methods, often taking the route of exploits to perform an attack. We analyzed two variants of an IoT botnet named \u00e2\u20ac\u0153Masuta\u00e2\u20ac\u009d where we observed the involvement of a well-known IoT threat actor and discovered a router exploit being weaponized for the first time in a botnet campaign."
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1516890222",
"to_ids": true,
"type": "url",
"uuid": "5a69e86e-d27c-403a-b897-4c5f02de0b81",
"value": "http://purenetworks.com/HNAP1/GetDeviceSettings"
},
{
"category": "External analysis",
"comment": "Hacking the D-Link DIR-890L - Hence in simple words, whatever code is written after GetDeviceSettings will be executed.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1516890265",
"to_ids": false,
"type": "link",
"uuid": "5a69e899-1048-4d87-b715-47f002de0b81",
"value": "http://www.devttys0.com/2015/04/hacking-the-d-link-dir-890l/"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1516890585",
"to_ids": false,
"type": "link",
"uuid": "5a69e9d9-f204-4cfc-8b59-492e02de0b81",
"value": "https://www.exploit-db.com/exploits/38722/"
},
{
"category": "External analysis",
"comment": "(UPnP) HNAP Exploit Loader | By; LiGhT",
"deleted": false,
"disable_correlation": false,
"timestamp": "1516890618",
"to_ids": false,
"type": "link",
"uuid": "5a69e9fa-c15c-4663-af99-4d0d02de0b81",
"value": "https://pastebin.com/WhGBivrU"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1516890935",
"to_ids": true,
"type": "pattern-in-memory",
"uuid": "5a69eb37-ae04-447b-a4ef-401402de0b81",
"value": "/bin/busybox MASUTA"
}
],
"Object": [
{
"comment": "",
"deleted": false,
"description": "Whois records information for a domain name.",
"meta-category": "network",
"name": "whois",
"template_uuid": "429faea1-34ff-47af-8a00-7c62d3be5a6a",
"template_version": "7",
"timestamp": "1516888989",
"uuid": "5a69e390-b5f0-42c1-a638-446502de0b81",
"Attribute": [
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "domain",
"timestamp": "1516888976",
"to_ids": true,
"type": "domain",
"uuid": "5a69e390-ee44-4042-a56d-4d4302de0b81",
"value": "nexusiotsolutions.net"
},
{
"category": "Attribution",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "registrant-email",
"timestamp": "1516888988",
"to_ids": true,
"type": "whois-registrant-email",
"uuid": "5a69e391-c430-4537-99fc-4f9e02de0b81",
"value": "nexuszeta1337@gmail.com"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Passive DNS records as expressed in draft-dulaunoy-dnsop-passive-dns-cof-01",
"meta-category": "network",
"name": "passive-dns",
"template_uuid": "b77b7b1c-66ab-4a41-8da4-83810f6d2d6c",
"template_version": "2",
"timestamp": "1516889028",
"uuid": "5a69e3c4-c604-4e3a-b1ed-4b1a02de0b81",
"Attribute": [
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "rrtype",
"timestamp": "1516889028",
"to_ids": false,
"type": "text",
"uuid": "5a69e3c4-df00-4ebd-8214-4f0102de0b81",
"value": "A"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "rrname",
"timestamp": "1516889029",
"to_ids": false,
"type": "text",
"uuid": "5a69e3c5-6274-4308-99bf-488e02de0b81",
"value": "93.174.93.63"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "rdata",
"timestamp": "1516889030",
"to_ids": false,
"type": "text",
"uuid": "5a69e3c6-1d74-4d92-b433-4a1e02de0b81",
"value": "n.cf0.pw"
}
]
}
]
}
}