misp-circl-feed/feeds/circl/misp/58638245-8b08-4bb0-8bed-fcb802de0b81.json

326 lines
No EOL
15 KiB
JSON

{
"type": "bundle",
"id": "bundle--58638245-8b08-4bb0-8bed-fcb802de0b81",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-17T15:23:13.000Z",
"modified": "2017-01-17T15:23:13.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--58638245-8b08-4bb0-8bed-fcb802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-17T15:23:13.000Z",
"modified": "2017-01-17T15:23:13.000Z",
"name": "OSINT - Switcher: Android joins the \u00e2\u20ac\u02dcattack-the-router\u00e2\u20ac\u2122 club",
"published": "2017-01-17T15:24:59Z",
"object_refs": [
"observed-data--58638259-c9e8-4088-b086-4b7102de0b81",
"url--58638259-c9e8-4088-b086-4b7102de0b81",
"x-misp-attribute--58638269-40bc-445a-bf3a-410d02de0b81",
"indicator--586382be-6074-4438-ae9f-405702de0b81",
"indicator--586382da-f680-423e-9749-486402de0b81",
"x-misp-attribute--5863831c-49b8-4b71-90df-fcb902de0b81",
"x-misp-attribute--5863831c-03e0-42fe-9f79-fcb902de0b81",
"indicator--58638363-3d7c-4aca-a0b0-fcbd02de0b81",
"indicator--58638364-4f10-4a03-aa8a-fcbd02de0b81",
"indicator--58638364-b520-492b-8fbb-fcbd02de0b81",
"indicator--586383c5-b9c4-40a5-9cff-415902de0b81",
"indicator--586383c6-8d48-4538-b730-485b02de0b81",
"observed-data--586383c6-307c-499d-be91-4c4502de0b81",
"url--586383c6-307c-499d-be91-4c4502de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"enisa:nefarious-activity-abuse=\"DNS-poisoning-or-DNS-spoofing-or-DNS-Manipulations\"",
"osint:source-type=\"blog-post\"",
"ms-caro-malware:malware-platform=\"AndroidOS\"",
"enisa:nefarious-activity-abuse=\"infected-trusted-mobile-apps\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58638259-c9e8-4088-b086-4b7102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-28T09:14:01.000Z",
"modified": "2016-12-28T09:14:01.000Z",
"first_observed": "2016-12-28T09:14:01Z",
"last_observed": "2016-12-28T09:14:01Z",
"number_observed": 1,
"object_refs": [
"url--58638259-c9e8-4088-b086-4b7102de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58638259-c9e8-4088-b086-4b7102de0b81",
"value": "https://securelist.com/blog/mobile/76969/switcher-android-joins-the-attack-the-router-club/"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--58638269-40bc-445a-bf3a-410d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-28T09:14:17.000Z",
"modified": "2016-12-28T09:14:17.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "comment",
"x_misp_value": "Recently, in our never-ending quest to protect the world from malware, we found a misbehaving Android trojan. Although malware targeting the Android OS stopped being a novelty quite some time ago, this trojan is quite unique. Instead of attacking a user, it attacks the Wi-Fi network the user is connected to, or, to be precise, the wireless router that serves the network. The trojan, dubbed Trojan.AndroidOS.Switcher, performs a brute-force password guessing attack on the router\u00e2\u20ac\u2122s admin web interface. If the attack succeeds, the malware changes the addresses of the DNS servers in the router\u00e2\u20ac\u2122s settings, thereby rerouting all DNS queries from devices in the attacked Wi-Fi network to the servers of the cybercriminals (such an attack is also known as DNS-hijacking). So, let us explain in detail how Switcher performs its brute-force attacks, gets into the routers and undertakes its DNS-hijack."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--586382be-6074-4438-ae9f-405702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-28T09:15:42.000Z",
"modified": "2016-12-28T09:15:42.000Z",
"description": "; package name \u00e2\u20ac\u201c com.baidu.com",
"pattern": "[file:hashes.MD5 = 'acdb7bfebf04affd227c93c97df536cf']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-28T09:15:42Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--586382da-f680-423e-9749-486402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-28T09:16:10.000Z",
"modified": "2016-12-28T09:16:10.000Z",
"description": "package name \u00e2\u20ac\u201c com.snda.wifi",
"pattern": "[file:hashes.MD5 = '64490fbecefa3fcdacd41995887fe510']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-28T09:16:10Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5863831c-49b8-4b71-90df-fcb902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-17T15:22:09.000Z",
"modified": "2017-01-17T15:22:09.000Z",
"labels": [
"misp:type=\"mobile-application-id\"",
"misp:category=\"Payload delivery\"",
"enisa:nefarious-activity-abuse=\"mobile-malware\""
],
"x_misp_category": "Payload delivery",
"x_misp_type": "mobile-application-id",
"x_misp_value": "com.baidu.com"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5863831c-03e0-42fe-9f79-fcb902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-17T15:23:13.000Z",
"modified": "2017-01-17T15:23:13.000Z",
"labels": [
"misp:type=\"mobile-application-id\"",
"misp:category=\"Payload delivery\"",
"enisa:nefarious-activity-abuse=\"mobile-malware\""
],
"x_misp_category": "Payload delivery",
"x_misp_type": "mobile-application-id",
"x_misp_value": "com.snda.wifi"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58638363-3d7c-4aca-a0b0-fcbd02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-28T09:18:27.000Z",
"modified": "2016-12-28T09:18:27.000Z",
"description": "We recommend that all users check their DNS settings and search for the following rogue DNS servers:",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '101.200.147.153']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-28T09:18:27Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58638364-4f10-4a03-aa8a-fcbd02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-28T09:18:28.000Z",
"modified": "2016-12-28T09:18:28.000Z",
"description": "We recommend that all users check their DNS settings and search for the following rogue DNS servers:",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '112.33.13.11']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-28T09:18:28Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58638364-b520-492b-8fbb-fcbd02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-28T09:18:28.000Z",
"modified": "2016-12-28T09:18:28.000Z",
"description": "We recommend that all users check their DNS settings and search for the following rogue DNS servers:",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '120.76.249.59']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-28T09:18:28Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--586383c5-b9c4-40a5-9cff-415902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-28T09:20:05.000Z",
"modified": "2016-12-28T09:20:05.000Z",
"description": "; package name \u00e2\u20ac\u201c com.baidu.com - Xchecked via VT: acdb7bfebf04affd227c93c97df536cf",
"pattern": "[file:hashes.SHA256 = 'd3aee0e8fa264a33f77bdd59d95759de8f6d4ed6790726e191e39bcfd7b5e150']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-28T09:20:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--586383c6-8d48-4538-b730-485b02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-28T09:20:06.000Z",
"modified": "2016-12-28T09:20:06.000Z",
"description": "; package name \u00e2\u20ac\u201c com.baidu.com - Xchecked via VT: acdb7bfebf04affd227c93c97df536cf",
"pattern": "[file:hashes.SHA1 = '12c74cd9a54563c087faa057eae6e46b8d9dc0c1']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-28T09:20:06Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--586383c6-307c-499d-be91-4c4502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-28T09:20:06.000Z",
"modified": "2016-12-28T09:20:06.000Z",
"first_observed": "2016-12-28T09:20:06Z",
"last_observed": "2016-12-28T09:20:06Z",
"number_observed": 1,
"object_refs": [
"url--586383c6-307c-499d-be91-4c4502de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--586383c6-307c-499d-be91-4c4502de0b81",
"value": "https://www.virustotal.com/file/d3aee0e8fa264a33f77bdd59d95759de8f6d4ed6790726e191e39bcfd7b5e150/analysis/1482813091/"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}