misp-circl-feed/feeds/circl/misp/581fadbd-7acc-4907-9133-4380950d210f.json


{
"type": "bundle",
"id": "bundle--581fadbd-7acc-4907-9133-4380950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-07T12:16:16.000Z",
"modified": "2016-11-07T12:16:16.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--581fadbd-7acc-4907-9133-4380950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-07T12:16:16.000Z",
"modified": "2016-11-07T12:16:16.000Z",
"name": "OSINT - Veil-Framework Infects Victims of Targeted OWA Phishing Attack",
"published": "2016-11-07T13:21:39Z",
"object_refs": [
"observed-data--581fade0-6a38-4c71-9f7d-4181950d210f",
"url--581fade0-6a38-4c71-9f7d-4181950d210f",
"x-misp-attribute--581fadf7-6d18-437e-88eb-4e59950d210f",
"indicator--581fae16-9808-48dc-877c-4c25950d210f",
"indicator--581fae31-7dec-40ef-9c2b-4d01950d210f",
"indicator--581fae48-89d8-4ae3-a458-49f1950d210f",
"indicator--581faec9-1f8c-4466-8e4b-4ac5950d210f",
"indicator--581faec9-14fc-4e35-b407-4379950d210f",
"indicator--581faeca-18a4-4889-b3da-49d3950d210f",
"observed-data--581faede-172c-4d8e-a6f7-44fe950d210f",
"url--581faede-172c-4d8e-a6f7-44fe950d210f",
"observed-data--58207090-a5d8-44d0-b793-49cf02de0b81",
"url--58207090-a5d8-44d0-b793-49cf02de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"osint:source-type=\"blog-post\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--581fade0-6a38-4c71-9f7d-4181950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-06T22:25:36.000Z",
"modified": "2016-11-06T22:25:36.000Z",
"first_observed": "2016-11-06T22:25:36Z",
"last_observed": "2016-11-06T22:25:36Z",
"number_observed": 1,
"object_refs": [
"url--581fade0-6a38-4c71-9f7d-4181950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--581fade0-6a38-4c71-9f7d-4181950d210f",
"value": "https://www.proofpoint.com/us/threat-insight/post/veil-framework-infects-victims-targeted-owa-phishing-attack"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--581fadf7-6d18-437e-88eb-4e59950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-06T22:25:59.000Z",
"modified": "2016-11-06T22:25:59.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "comment",
"x_misp_value": "Proofpoint researchers recently observed a novel targeted phishing attack that combined Outlook Web Access (OWA) credential phishing with a malicious document download. In May we also observed an Office 365 credential phishing attack leading to iSpy Keylogger [1], but the combination of OWA with this infection chain takes a different approach. While it is not clear whether the primary goal of the attack was delivering the malicious payload or capturing the targets' OWA credentials, this attack uses an OWA phish to additionally push a malicious document with a Veil-Framework payload capable of downloading further malware."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--581fae16-9808-48dc-877c-4c25950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-06T22:26:30.000Z",
"modified": "2016-11-06T22:26:30.000Z",
"pattern": "[file:name = 'ViolationReport.xls' AND file:hashes.SHA256 = 'ef9f15bcb18f34a47406ebdbb470a721a1f2ae90d8da7277c6dbcedf38969215']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-06T22:26:30Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename|sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--581fae31-7dec-40ef-9c2b-4d01950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-06T22:26:57.000Z",
"modified": "2016-11-06T22:26:57.000Z",
"description": "Phishing link",
"pattern": "[url:value = 'http://www2.sendsecuremail.com/bellevue/index.php?id=6153']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-06T22:26:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--581fae48-89d8-4ae3-a458-49f1950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-06T22:27:20.000Z",
"modified": "2016-11-06T22:27:20.000Z",
"description": "Redirection to download of Excel file",
"pattern": "[url:value = 'http://www2.sendsecuremail.com/bellevue/ViolationReport.xls']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-06T22:27:20Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--581faec9-1f8c-4466-8e4b-4ac5950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-06T22:29:29.000Z",
"modified": "2016-11-06T22:29:29.000Z",
"description": "ViolationReport.xls",
"pattern": "[file:hashes.MD5 = 'bce71fda40b33921de7cbec44b64f3e3']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-06T22:29:29Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--581faec9-14fc-4e35-b407-4379950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-06T22:29:29.000Z",
"modified": "2016-11-06T22:29:29.000Z",
"description": "ViolationReport.xls",
"pattern": "[file:hashes.SHA1 = '1794d5756f1ea13fea2735b4485f0a8bd3faef4e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-06T22:29:29Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--581faeca-18a4-4889-b3da-49d3950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-06T22:29:30.000Z",
"modified": "2016-11-06T22:29:30.000Z",
"description": "ViolationReport.xls",
"pattern": "[file:hashes.SHA256 = 'ef9f15bcb18f34a47406ebdbb470a721a1f2ae90d8da7277c6dbcedf38969215']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-06T22:29:30Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--581faede-172c-4d8e-a6f7-44fe950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-06T22:29:50.000Z",
"modified": "2016-11-06T22:29:50.000Z",
"first_observed": "2016-11-06T22:29:50Z",
"last_observed": "2016-11-06T22:29:50Z",
"number_observed": 1,
"object_refs": [
"url--581faede-172c-4d8e-a6f7-44fe950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--581faede-172c-4d8e-a6f7-44fe950d210f",
"value": "https://www.virustotal.com/cs/file/ef9f15bcb18f34a47406ebdbb470a721a1f2ae90d8da7277c6dbcedf38969215/analysis/"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58207090-a5d8-44d0-b793-49cf02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-07T12:16:16.000Z",
"modified": "2016-11-07T12:16:16.000Z",
"first_observed": "2016-11-07T12:16:16Z",
"last_observed": "2016-11-07T12:16:16Z",
"number_observed": 1,
"object_refs": [
"url--58207090-a5d8-44d0-b793-49cf02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58207090-a5d8-44d0-b793-49cf02de0b81",
"value": "https://www.virustotal.com/file/ef9f15bcb18f34a47406ebdbb470a721a1f2ae90d8da7277c6dbcedf38969215/analysis/1477917993/"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}