adulau/misp-circl-feed
1
0
Fork 0
Code Issues 1 Pull requests Projects 1 Releases Packages Wiki Activity Actions
misp-circl-feed/feeds/circl/misp/584003cf-ec58-48c8-933e-4172950d210f.json

510 lines
No EOL
18 KiB
JSON
Raw Blame History

{
"Event": {
"analysis": "2",
"date": "2016-12-01",
"extends_uuid": "",
"info": "OSINT - New SmsSecurity Variant Roots Phones, Abuses Accessibility Features and TeamViewer",
"publish_timestamp": "1480590692",
"published": true,
"threat_level_id": "3",
"timestamp": "1480590587",
"uuid": "584003cf-ec58-48c8-933e-4172950d210f",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#ffffff",
"name": "tlp:white"
},
{
"colour": "#37ab00",
"name": "enisa:nefarious-activity-abuse=\"mobile-malware\""
},
{
"colour": "#6edb00",
"name": "circl:topic=\"finance\""
},
{
"colour": "#001cad",
"name": "estimative-language:likelihood-probability=\"very-likely\""
}
],
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1480590373",
"to_ids": false,
"type": "comment",
"uuid": "58400425-0490-4bb9-80ec-4454950d210f",
"value": "In January of 2016, we found various \u00e2\u20ac\u0153SmsSecurity\u00e2\u20ac\u009d mobile apps that claimed to be from various banks. These apps supposedly generated one-time passwords (OTPs) that account holders could use to log into the bank; instead they turned out to be malicious apps that stole any password sent via SMS messages. These apps were also capable of receiving commands from a remote attacker, allowing them to take control of a user\u00e2\u20ac\u2122s device.\r\n\r\nSince then, we\u00e2\u20ac\u2122ve found some new variants of this attack that add new malicious capabilities. These capabilities include: anti-analysis measures, automatic rooting, language detection, and remote access via TeamViewer. In addition, SmsSecurity now cleverly uses the accessibility features of Android to help carry out its routines in a stealthy manner, without interaction from the user. We detect these malicious apps as ANDROIDOS_FAKEBANK.OPSA."
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1480590390",
"to_ids": false,
"type": "link",
"uuid": "58400436-13f4-4c54-a3fd-d943950d210f",
"value": "http://blog.trendmicro.com/trendlabs-security-intelligence/new-smssecurity-variant-roots-phones-abuses-accessibility-features-teamviewer"
},
{
"category": "Payload delivery",
"comment": "ANDROIDOS_FAKEBANK.OPSA",
"deleted": false,
"disable_correlation": false,
"timestamp": "1480590420",
"to_ids": true,
"type": "sha1",
"uuid": "58400454-171c-4465-99be-b82a950d210f",
"value": "323bf07667bf9d65055f80a15a90508e99e05632"
},
{
"category": "Payload delivery",
"comment": "ANDROIDOS_FAKEBANK.OPSA",
"deleted": false,
"disable_correlation": false,
"timestamp": "1480590420",
"to_ids": true,
"type": "sha1",
"uuid": "58400454-b7a0-49df-890f-b82a950d210f",
"value": "d84353986ee05ac61308063271ade3f8f2876ef9"
},
{
"category": "Payload delivery",
"comment": "ANDROIDOS_FAKEBANK.OPSA",
"deleted": false,
"disable_correlation": false,
"timestamp": "1480590420",
"to_ids": true,
"type": "sha1",
"uuid": "58400454-b8d8-4f88-8f62-b82a950d210f",
"value": "8d0dfd97194f8aef5a15f16e2d410af1f3dcfeae"
},
{
"category": "Network activity",
"comment": "The following command-and-control (C&C) servers were used by variants",
"deleted": false,
"disable_correlation": false,
"timestamp": "1480590447",
"to_ids": true,
"type": "url",
"uuid": "5840046f-4aa8-4a52-ad8b-4249950d210f",
"value": "http://clubk-ginza.net/css/3.php"
},
{
"category": "Network activity",
"comment": "The following command-and-control (C&C) servers were used by variants",
"deleted": false,
"disable_correlation": false,
"timestamp": "1480590447",
"to_ids": true,
"type": "url",
"uuid": "5840046f-a8c0-41dd-83c4-4624950d210f",
"value": "http://edda-mally.at/css/3.php"
},
{
"category": "Network activity",
"comment": "The following command-and-control (C&C) servers were used by variants",
"deleted": false,
"disable_correlation": false,
"timestamp": "1480590447",
"to_ids": true,
"type": "url",
"uuid": "5840046f-d7ec-4fda-88d0-4874950d210f",
"value": "http://gruposoluciomatica.com.br/os3/inc/main.php"
},
{
"category": "Network activity",
"comment": "The following command-and-control (C&C) servers were used by variants",
"deleted": false,
"disable_correlation": false,
"timestamp": "1480590447",
"to_ids": true,
"type": "url",
"uuid": "5840046f-c7f0-4ce6-9afe-41e9950d210f",
"value": "http://izmirsatranckursu.net/includes/main.php"
},
{
"category": "Network activity",
"comment": "The following command-and-control (C&C) servers were used by variants",
"deleted": false,
"disable_correlation": false,
"timestamp": "1480590448",
"to_ids": true,
"type": "url",
"uuid": "58400470-d4b0-48fd-b9ac-4c67950d210f",
"value": "http://jbrianwashman.com/images/photo26962/main.php"
},
{
"category": "Network activity",
"comment": "The following command-and-control (C&C) servers were used by variants",
"deleted": false,
"disable_correlation": false,
"timestamp": "1480590448",
"to_ids": true,
"type": "url",
"uuid": "58400470-6ad8-424f-94dc-4d60950d210f",
"value": "http://losbalonazos.com/wp-admin/3.php"
},
{
"category": "Network activity",
"comment": "The following command-and-control (C&C) servers were used by variants",
"deleted": false,
"disable_correlation": false,
"timestamp": "1480590448",
"to_ids": true,
"type": "url",
"uuid": "58400470-7a78-4a71-a237-4b31950d210f",
"value": "http://moseybook.com/blog/wp-includes/main.php"
},
{
"category": "Network activity",
"comment": "The following command-and-control (C&C) servers were used by variants",
"deleted": false,
"disable_correlation": false,
"timestamp": "1480590448",
"to_ids": true,
"type": "url",
"uuid": "58400470-a5ac-49fc-84f5-4a4b950d210f",
"value": "http://naritamemorial.com/analog/3.php"
},
{
"category": "Network activity",
"comment": "The following command-and-control (C&C) servers were used by variants",
"deleted": false,
"disable_correlation": false,
"timestamp": "1480590449",
"to_ids": true,
"type": "url",
"uuid": "58400471-870c-4b6c-bf7e-4015950d210f",
"value": "http://pplweb.pplmotorhomes.com/includes/main.php"
},
{
"category": "Network activity",
"comment": "The following command-and-control (C&C) servers were used by variants",
"deleted": false,
"disable_correlation": false,
"timestamp": "1480590449",
"to_ids": true,
"type": "url",
"uuid": "58400471-28ac-4d9f-8281-4b52950d210f",
"value": "http://sedalbi.com/img/main.php"
},
{
"category": "Network activity",
"comment": "The following command-and-control (C&C) servers were used by variants",
"deleted": false,
"disable_correlation": false,
"timestamp": "1480590449",
"to_ids": true,
"type": "url",
"uuid": "58400471-90f4-42ea-ad64-4cca950d210f",
"value": "http://szaivert-numis.at/standardbilder/dll/3.php"
},
{
"category": "Network activity",
"comment": "The following command-and-control (C&C) servers were used by variants",
"deleted": false,
"disable_correlation": false,
"timestamp": "1480590449",
"to_ids": true,
"type": "url",
"uuid": "58400471-7f5c-4863-be26-44d2950d210f",
"value": "http://www.ircvenezia.it/free/main.php"
},
{
"category": "Network activity",
"comment": "The following command-and-control (C&C) servers were used by variants",
"deleted": false,
"disable_correlation": false,
"timestamp": "1480590450",
"to_ids": true,
"type": "url",
"uuid": "58400472-36dc-4b9e-abba-4cc2950d210f",
"value": "http://www.oguhtell.ch/cart/3.php"
},
{
"category": "Network activity",
"comment": "The following command-and-control (C&C) servers were used by variants",
"deleted": false,
"disable_correlation": false,
"timestamp": "1480590450",
"to_ids": true,
"type": "url",
"uuid": "58400472-bcc4-4701-aa67-4f13950d210f",
"value": "http://www.santamariagorettimestre.it/img/main.php"
},
{
"category": "Network activity",
"comment": "The following command-and-control (C&C) servers were used by variants",
"deleted": false,
"disable_correlation": false,
"timestamp": "1480590450",
"to_ids": true,
"type": "url",
"uuid": "58400472-46c0-440d-aeb7-4704950d210f",
"value": "http://www.vanca.com/media/3.php"
},
{
"category": "Targeting data",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1480590490",
"to_ids": false,
"type": "target-org",
"uuid": "5840049a-e6b4-4da7-a071-4666950d210f",
"value": "Aargauische Kantonalbank"
},
{
"category": "Targeting data",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1480590491",
"to_ids": false,
"type": "target-org",
"uuid": "5840049b-b858-4d3b-8819-472e950d210f",
"value": "Bank Austria"
},
{
"category": "Targeting data",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1480590491",
"to_ids": false,
"type": "target-org",
"uuid": "5840049b-1fc4-4e76-9646-46c6950d210f",
"value": "Banque Cantonale de Fribourg"
},
{
"category": "Targeting data",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1480590491",
"to_ids": false,
"type": "target-org",
"uuid": "5840049b-de64-49e2-bc68-44f1950d210f",
"value": "BKB Bank"
},
{
"category": "Targeting data",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1480590491",
"to_ids": false,
"type": "target-org",
"uuid": "5840049b-23ec-4710-abf4-4839950d210f",
"value": "Credit Suisse"
},
{
"category": "Targeting data",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1480590492",
"to_ids": false,
"type": "target-org",
"uuid": "5840049c-dc4c-4899-ac27-4188950d210f",
"value": "Glarner Kantonalbank"
},
{
"category": "Targeting data",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1480590492",
"to_ids": false,
"type": "target-org",
"uuid": "5840049c-71e0-49ab-9a17-4620950d210f",
"value": "Luzerner Kantonalbank"
},
{
"category": "Targeting data",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1480590492",
"to_ids": false,
"type": "target-org",
"uuid": "5840049c-5dac-488e-b24b-457d950d210f",
"value": "Ober Bank"
},
{
"category": "Targeting data",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1480590492",
"to_ids": false,
"type": "target-org",
"uuid": "5840049c-7e84-45a0-b8ce-44e0950d210f",
"value": "Obwaldner Kantonalbank"
},
{
"category": "Targeting data",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1480590492",
"to_ids": false,
"type": "target-org",
"uuid": "5840049c-7538-414b-b391-46e2950d210f",
"value": "Raiffeisen Bank"
},
{
"category": "Targeting data",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1480590493",
"to_ids": false,
"type": "target-org",
"uuid": "5840049d-5230-4978-9ca6-47f7950d210f",
"value": "Schaffhauser Kantonalbank"
},
{
"category": "Targeting data",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1480590493",
"to_ids": false,
"type": "target-org",
"uuid": "5840049d-6af8-4467-b9f8-4644950d210f",
"value": "Sparkasse"
},
{
"category": "Targeting data",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1480590493",
"to_ids": false,
"type": "target-org",
"uuid": "5840049d-da18-4052-93ad-41bb950d210f",
"value": "Volksbank"
},
{
"category": "Targeting data",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1480590493",
"to_ids": false,
"type": "target-org",
"uuid": "5840049d-43b8-4505-9f90-49c1950d210f",
"value": "Z\u00c3\u00bcrcher Kantonalbank"
},
{
"category": "Payload delivery",
"comment": "ANDROIDOS_FAKEBANK.OPSA - Xchecked via VT: 8d0dfd97194f8aef5a15f16e2d410af1f3dcfeae",
"deleted": false,
"disable_correlation": false,
"timestamp": "1480590588",
"to_ids": true,
"type": "sha256",
"uuid": "584004fc-10f8-4b8e-9b38-b82a02de0b81",
"value": "448d0cb7c84f79233908d9387c81551f50f5288597dd71432c641c7c29683186"
},
{
"category": "Payload delivery",
"comment": "ANDROIDOS_FAKEBANK.OPSA - Xchecked via VT: 8d0dfd97194f8aef5a15f16e2d410af1f3dcfeae",
"deleted": false,
"disable_correlation": false,
"timestamp": "1480590588",
"to_ids": true,
"type": "md5",
"uuid": "584004fc-6104-4404-9c1e-b82a02de0b81",
"value": "032f7b1e11010a0d9abb6bcfd805e31a"
},
{
"category": "External analysis",
"comment": "ANDROIDOS_FAKEBANK.OPSA - Xchecked via VT: 8d0dfd97194f8aef5a15f16e2d410af1f3dcfeae",
"deleted": false,
"disable_correlation": false,
"timestamp": "1480590588",
"to_ids": false,
"type": "link",
"uuid": "584004fc-4cbc-4e76-8ada-b82a02de0b81",
"value": "https://www.virustotal.com/file/448d0cb7c84f79233908d9387c81551f50f5288597dd71432c641c7c29683186/analysis/1471948127/"
},
{
"category": "Payload delivery",
"comment": "ANDROIDOS_FAKEBANK.OPSA - Xchecked via VT: d84353986ee05ac61308063271ade3f8f2876ef9",
"deleted": false,
"disable_correlation": false,
"timestamp": "1480590588",
"to_ids": true,
"type": "sha256",
"uuid": "584004fc-34b8-4fb4-954a-b82a02de0b81",
"value": "839727158d3a3a6c342a154d07bfd70ad342d82a65c672163cc287213e72da80"
},
{
"category": "Payload delivery",
"comment": "ANDROIDOS_FAKEBANK.OPSA - Xchecked via VT: d84353986ee05ac61308063271ade3f8f2876ef9",
"deleted": false,
"disable_correlation": false,
"timestamp": "1480590589",
"to_ids": true,
"type": "md5",
"uuid": "584004fd-b944-4e04-b745-b82a02de0b81",
"value": "eea6183fa2dda392976d318b7123bf36"
},
{
"category": "External analysis",
"comment": "ANDROIDOS_FAKEBANK.OPSA - Xchecked via VT: d84353986ee05ac61308063271ade3f8f2876ef9",
"deleted": false,
"disable_correlation": false,
"timestamp": "1480590589",
"to_ids": false,
"type": "link",
"uuid": "584004fd-77dc-4fa8-9503-b82a02de0b81",
"value": "https://www.virustotal.com/file/839727158d3a3a6c342a154d07bfd70ad342d82a65c672163cc287213e72da80/analysis/1473457620/"
},
{
"category": "Payload delivery",
"comment": "ANDROIDOS_FAKEBANK.OPSA - Xchecked via VT: 323bf07667bf9d65055f80a15a90508e99e05632",
"deleted": false,
"disable_correlation": false,
"timestamp": "1480590589",
"to_ids": true,
"type": "sha256",
"uuid": "584004fd-5b30-4ca5-a993-b82a02de0b81",
"value": "3b34615ab4dfbe984ec3ac6c8a266cd25b7d78b1a1db14a9d37c10c1a84007e5"
},
{
"category": "Payload delivery",
"comment": "ANDROIDOS_FAKEBANK.OPSA - Xchecked via VT: 323bf07667bf9d65055f80a15a90508e99e05632",
"deleted": false,
"disable_correlation": false,
"timestamp": "1480590589",
"to_ids": true,
"type": "md5",
"uuid": "584004fd-4e08-4c7c-bb7e-b82a02de0b81",
"value": "c89dd35061a5500a0e9db4b1d5ad1326"
},
{
"category": "External analysis",
"comment": "ANDROIDOS_FAKEBANK.OPSA - Xchecked via VT: 323bf07667bf9d65055f80a15a90508e99e05632",
"deleted": false,
"disable_correlation": false,
"timestamp": "1480590590",
"to_ids": false,
"type": "link",
"uuid": "584004fe-0ab4-4dd9-8b6f-b82a02de0b81",
"value": "https://www.virustotal.com/file/3b34615ab4dfbe984ec3ac6c8a266cd25b7d78b1a1db14a9d37c10c1a84007e5/analysis/1473459659/"
}
]
}
}
Reference in a new issue View git blame Copy permalink