114 lines
No EOL
5.3 KiB
JSON
114 lines
No EOL
5.3 KiB
JSON
{
|
|
"Event": {
|
|
"analysis": "2",
|
|
"date": "2016-09-29",
|
|
"extends_uuid": "",
|
|
"info": "OSINT - TeamXRat: Brazilian cybercrime meets ransomware",
|
|
"publish_timestamp": "1477291752",
|
|
"published": true,
|
|
"threat_level_id": "3",
|
|
"timestamp": "1477291239",
|
|
"uuid": "580dabb4-0938-48b7-abf9-4e37950d210f",
|
|
"Orgc": {
|
|
"name": "CIRCL",
|
|
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
|
|
},
|
|
"Tag": [
|
|
{
|
|
"colour": "#006c6c",
|
|
"name": "ecsirt:malicious-code=\"ransomware\""
|
|
},
|
|
{
|
|
"colour": "#420053",
|
|
"name": "ms-caro-malware:malware-type=\"Ransom\""
|
|
},
|
|
{
|
|
"colour": "#2c4f00",
|
|
"name": "malware_classification:malware-category=\"Ransomware\""
|
|
},
|
|
{
|
|
"colour": "#ffffff",
|
|
"name": "tlp:white"
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1477291026",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "580dac12-2cec-4e51-9a4e-4731950d210f",
|
|
"value": "https://securelist.com/blog/research/76153/teamxrat-brazilian-cybercrime-meets-ransomware/"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1477291042",
|
|
"to_ids": false,
|
|
"type": "comment",
|
|
"uuid": "580dac22-98c0-478c-ae59-4118950d210f",
|
|
"value": "Brazilian cybercriminals are notorious for their ability to develop banking trojans but now they have started to focus their efforts in new areas, including ransomware. We discovered a new variant of a Brazilian-made ransomware, Trojan-Ransom.Win32.Xpan, that is being used to infect local companies and hospitals, directly affecting innocent people, encrypting their files using the extension \u00e2\u20ac\u0153.___xratteamLucked\u00e2\u20ac\u009d and asking to pay the ransom.\r\n\r\nThe Kaspersky Anti-Ransom team decrypted the Xpan Trojan, allowing them to rescue the files of a Hospital in Brazil that had fallen victim to this Ransomware family.\r\n\r\nActually, this is not the first ransomware to come out of Brazil. In the past, we investigated TorLocker and its flawed encryption, which was created and negotiated worldwide by a Brazilian cybercriminal. We also saw a lot of copycats use HiddenTear in local attacks. Trojan Ransom Xpan was created by an organized gang, which used targeted attacks via RDP that abused weak passwords and wrong implementations.\r\n\r\nIn this post, we\u00e2\u20ac\u2122ll explain this new Ransomware family and how Brazilian coders are creating new ransomware from scratch."
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1477291070",
|
|
"to_ids": false,
|
|
"type": "pattern-in-memory",
|
|
"uuid": "580dac3e-98f0-4f78-a6a9-4f5d950d210f",
|
|
"value": ".___xratteamLucked"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1477291135",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "580dac7f-93d8-46f4-bbcb-4371950d210f",
|
|
"value": "34260178f9e3b2e769accdee56dac793"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "The ransom texts used by the group are written in Portuguese from Brazil. The messages do not inform how much the victim has to pay to retrieve their files, nor the payment method required (which is usually Bitcoins). Instead, they instruct the victim to send an email to one of the anonymous email services Mail2Tor or Email.tg.",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1477291239",
|
|
"to_ids": true,
|
|
"type": "email-src",
|
|
"uuid": "580dace7-1508-4f27-8e8a-4dc9950d210f",
|
|
"value": "corporacaoxrat@mail2tor.com"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "The ransom texts used by the group are written in Portuguese from Brazil. The messages do not inform how much the victim has to pay to retrieve their files, nor the payment method required (which is usually Bitcoins). Instead, they instruct the victim to send an email to one of the anonymous email services Mail2Tor or Email.tg.",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1477291239",
|
|
"to_ids": true,
|
|
"type": "email-src",
|
|
"uuid": "580dace7-d574-4770-af0f-4171950d210f",
|
|
"value": "xratteam@mail2tor.com"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "The ransom texts used by the group are written in Portuguese from Brazil. The messages do not inform how much the victim has to pay to retrieve their files, nor the payment method required (which is usually Bitcoins). Instead, they instruct the victim to send an email to one of the anonymous email services Mail2Tor or Email.tg.",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1477291240",
|
|
"to_ids": true,
|
|
"type": "email-src",
|
|
"uuid": "580dace8-ac34-4aaa-b094-4344950d210f",
|
|
"value": "xratteam@email.tg"
|
|
}
|
|
]
|
|
}
|
|
} |