adulau/misp-circl-feed
1
0
Fork 0
Code Issues 1 Pull requests Projects 1 Releases Packages Wiki Activity Actions
misp-circl-feed/feeds/circl/misp/5b1ace23-25c0-4c98-b257-9cc8950d210f.json

428 lines
No EOL
15 KiB
JSON
Raw Blame History

{
"Event": {
"analysis": "2",
"date": "2018-06-08",
"extends_uuid": "",
"info": "OSINT - InvisiMole: surprisingly equipped spyware, undercover since 2013",
"publish_timestamp": "1528487226",
"published": true,
"threat_level_id": "3",
"timestamp": "1528487219",
"uuid": "5b1ace23-25c0-4c98-b257-9cc8950d210f",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#ffffff",
"name": "tlp:white"
},
{
"colour": "#00223b",
"name": "osint:source-type=\"blog-post\""
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1528483381",
"to_ids": false,
"type": "link",
"uuid": "5b1ace35-e620-4825-bf2e-5ae9950d210f",
"value": "https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1528483403",
"to_ids": false,
"type": "text",
"uuid": "5b1ace4b-5578-4230-9fb5-9cd4950d210f",
"value": "This is the modus operandi of the two malicious components of InvisiMole. They turn the affected computer into a video camera, letting the attackers see and hear what\u00e2\u20ac\u2122s going on in the victim\u00e2\u20ac\u2122s office or wherever their device may be. Uninvited, InvisiMole\u00e2\u20ac\u2122s operators access the system, closely monitoring the victim\u00e2\u20ac\u2122s activities and stealing the victim\u00e2\u20ac\u2122s secrets.\r\n\r\nOur telemetry indicates that the malicious actors behind this malware have been active at least since 2013, yet the cyber-espionage tool was never analyzed nor detected until discovered by ESET products on compromised computers in Ukraine and Russia.\r\n\r\nThe campaign is highly targeted \u00e2\u20ac\u201c no wonder the malware has a low infection ratio, with only a few dozen computers being affected.\r\n\r\nInvisiMole has a modular architecture, starting its journey with a wrapper DLL, and performing its activities using two other modules that are embedded in its resources. Both of the modules are feature-rich backdoors, which together give it the ability to gather as much information about the target as possible.\r\n\r\nExtra measures are taken to avoid attracting the attention of the compromised user, enabling the malware to reside on the system for a longer period of time. How the spyware was spread to the infected machines is yet to be determined by further investigation. All infection vectors are possible, including installation facilitated by physical access to the machine."
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1528483424",
"to_ids": true,
"type": "hostname",
"uuid": "5b1ace60-d590-4f99-969f-bb64950d210f",
"value": "activationstate.sytes.net"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1528483425",
"to_ids": true,
"type": "hostname",
"uuid": "5b1ace61-0534-458d-8af8-bb64950d210f",
"value": "advstatecheck.sytes.net"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1528483425",
"to_ids": true,
"type": "hostname",
"uuid": "5b1ace61-7f54-4349-9100-bb64950d210f",
"value": "akamai.sytes.net"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1528483426",
"to_ids": true,
"type": "hostname",
"uuid": "5b1ace62-fbc8-4b2f-9d24-bb64950d210f",
"value": "statbfnl.sytes.net"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1528483426",
"to_ids": true,
"type": "hostname",
"uuid": "5b1ace62-41ac-4fbe-a887-bb64950d210f",
"value": "updchecking.sytes.net"
},
{
"category": "Network activity",
"comment": "2013-2014 - InvisiMole\u00e2\u20ac\u2122s C&C servers IP addresses",
"deleted": false,
"disable_correlation": false,
"timestamp": "1528483602",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b1acf12-34bc-4413-8203-5ae9950d210f",
"value": "46.165.231.85"
},
{
"category": "Network activity",
"comment": "2013-2014 - InvisiMole\u00e2\u20ac\u2122s C&C servers IP addresses",
"deleted": false,
"disable_correlation": false,
"timestamp": "1528483602",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b1acf12-bfbc-48ec-8748-5ae9950d210f",
"value": "213.239.220.41"
},
{
"category": "Network activity",
"comment": "2014-2017 - InvisiMole\u00e2\u20ac\u2122s C&C servers IP addresses",
"deleted": false,
"disable_correlation": false,
"timestamp": "1528483603",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b1acf13-cd78-4d22-816e-5ae9950d210f",
"value": "46.165.241.129"
},
{
"category": "Network activity",
"comment": "2014-2016 - InvisiMole\u00e2\u20ac\u2122s C&C servers IP addresses",
"deleted": false,
"disable_correlation": false,
"timestamp": "1528483603",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b1acf13-3228-47ae-b2cb-5ae9950d210f",
"value": "46.165.241.153"
},
{
"category": "Network activity",
"comment": "2014-2018 - InvisiMole\u00e2\u20ac\u2122s C&C servers IP addresses",
"deleted": false,
"disable_correlation": false,
"timestamp": "1528483604",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b1acf14-f6ec-49b6-b202-5ae9950d210f",
"value": "78.46.35.74"
},
{
"category": "Network activity",
"comment": "2016-2016 - InvisiMole\u00e2\u20ac\u2122s C&C servers IP addresses",
"deleted": false,
"disable_correlation": false,
"timestamp": "1528483604",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b1acf14-bc4c-45e7-906e-5ae9950d210f",
"value": "95.215.111.109"
},
{
"category": "Network activity",
"comment": "2016-2018 - InvisiMole\u00e2\u20ac\u2122s C&C servers IP addresses",
"deleted": false,
"disable_correlation": false,
"timestamp": "1528483604",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b1acf14-bbec-4f33-a31d-5ae9950d210f",
"value": "185.118.66.163"
},
{
"category": "Network activity",
"comment": "2017-2017 - InvisiMole\u00e2\u20ac\u2122s C&C servers IP addresses",
"deleted": false,
"disable_correlation": false,
"timestamp": "1528483605",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b1acf15-9950-483f-893b-5ae9950d210f",
"value": "185.118.67.233"
},
{
"category": "Network activity",
"comment": "2017-2018 - InvisiMole\u00e2\u20ac\u2122s C&C servers IP addresses",
"deleted": false,
"disable_correlation": false,
"timestamp": "1528483605",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b1acf15-66f4-46e8-9ce5-5ae9950d210f",
"value": "185.156.173.92"
},
{
"category": "Network activity",
"comment": "2018-2018 - InvisiMole\u00e2\u20ac\u2122s C&C servers IP addresses",
"deleted": false,
"disable_correlation": false,
"timestamp": "1528483606",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b1acf16-63b4-4024-8118-5ae9950d210f",
"value": "46.165.230.241"
},
{
"category": "Network activity",
"comment": "2018-2018 - InvisiMole\u00e2\u20ac\u2122s C&C servers IP addresses",
"deleted": false,
"disable_correlation": false,
"timestamp": "1528483606",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b1acf16-fbd4-46f0-b85b-5ae9950d210f",
"value": "194.187.249.157"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1528483638",
"to_ids": true,
"type": "sha1",
"uuid": "5b1acf36-10e0-40dd-ada5-9ddc950d210f",
"value": "5ee6e0410052029eafa10d1669ae3aa04b508bf9"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1528483638",
"to_ids": true,
"type": "sha1",
"uuid": "5b1acf36-ed10-4d47-9ae7-9ddc950d210f",
"value": "2fcc87ab226f4a1cc713b13a12421468c82cd586"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1528483639",
"to_ids": true,
"type": "sha1",
"uuid": "5b1acf37-64fc-4c56-bd2b-9ddc950d210f",
"value": "b6ba65a48ffeb800c29822265190b8eaea3935b1"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1528483639",
"to_ids": true,
"type": "sha1",
"uuid": "5b1acf37-41fc-46e9-b18d-9ddc950d210f",
"value": "c8c4b6bcb4b583ba69663ec3aed8e1e01f310f9f"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1528483640",
"to_ids": true,
"type": "sha1",
"uuid": "5b1acf38-9420-4075-9b47-9ddc950d210f",
"value": "a5a20bc333f22fd89c34a532680173cbcd287ff8"
},
{
"category": "Antivirus detection",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1528483655",
"to_ids": false,
"type": "text",
"uuid": "5b1acf47-9ebc-4f6a-a1ea-43fb950d210f",
"value": "Win32/InvisiMole.A"
},
{
"category": "Antivirus detection",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1528483655",
"to_ids": false,
"type": "text",
"uuid": "5b1acf47-5f08-4e3d-b95e-4aec950d210f",
"value": "Win32/InvisiMole.B"
},
{
"category": "Antivirus detection",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1528483655",
"to_ids": false,
"type": "text",
"uuid": "5b1acf47-d580-4fe4-ac23-4400950d210f",
"value": "Win32/InvisiMole.C"
},
{
"category": "Antivirus detection",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1528483655",
"to_ids": false,
"type": "text",
"uuid": "5b1acf47-5300-45e2-996e-4c66950d210f",
"value": "Win32/InvisiMole.D"
},
{
"category": "Antivirus detection",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1528483655",
"to_ids": false,
"type": "text",
"uuid": "5b1acf47-e278-4e65-af1f-4458950d210f",
"value": "Win64/InvisiMole.B"
},
{
"category": "Antivirus detection",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1528483655",
"to_ids": false,
"type": "text",
"uuid": "5b1acf47-75d8-4232-913a-40aa950d210f",
"value": "Win64/InvisiMole.C"
},
{
"category": "Antivirus detection",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1528483655",
"to_ids": false,
"type": "text",
"uuid": "5b1acf47-ed18-489a-9699-460b950d210f",
"value": "Win64/InvisiMole.D"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1528483713",
"to_ids": true,
"type": "filename",
"uuid": "5b1acf81-6b60-4689-99aa-4184950d210f",
"value": "%APPDATA%\\Microsoft\\Internet Explorer\\Cache\\AMB6HER8\\"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1528483713",
"to_ids": true,
"type": "filename",
"uuid": "5b1acf81-d6c4-452a-a6ad-45bb950d210f",
"value": "%APPDATA%\\Microsoft\\Internet Explorer\\Cache\\MX0ROSB1\\"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1528483713",
"to_ids": true,
"type": "filename",
"uuid": "5b1acf81-d07c-4190-932b-46e9950d210f",
"value": "%APPDATA%\\Microsoft\\Internet Explorer\\Cache\\index0.dat"
}
],
"Object": [
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "11",
"timestamp": "1528483790",
"uuid": "e26da548-11e0-4052-9746-f7814d8e11b9",
"ObjectReference": [
{
"comment": "",
"object_uuid": "e26da548-11e0-4052-9746-f7814d8e11b9",
"referenced_uuid": "d2836a0a-7b84-44c6-91b9-af25d4d73791",
"relationship_type": "analysed-with",
"timestamp": "1528483789",
"uuid": "5b1acfcd-8978-4030-a422-bb7002de0b81"
}
],
"Attribute": []
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "2",
"timestamp": "1528483788",
"uuid": "d2836a0a-7b84-44c6-91b9-af25d4d73791",
"Attribute": []
}
]
}
}
Reference in a new issue View git blame Copy permalink