misp-circl-feed/feeds/circl/misp/758d96ed-9dd4-4009-9270-65f2c3dd30cc.json

529 lines
No EOL
22 KiB
JSON

{
"type": "bundle",
"id": "bundle--758d96ed-9dd4-4009-9270-65f2c3dd30cc",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-10-24T09:23:30.000Z",
"modified": "2022-10-24T09:23:30.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--758d96ed-9dd4-4009-9270-65f2c3dd30cc",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-10-24T09:23:30.000Z",
"modified": "2022-10-24T09:23:30.000Z",
"name": "Buzzing in the Background: BumbleBee, a New Modular Backdoor Evolved From BookWorm",
"published": "2022-10-24T09:24:17Z",
"object_refs": [
"indicator--35a4ef92-4ae2-4a9b-b23e-d03024f278a1",
"indicator--5823caf2-1ab2-4c0d-a24e-de7edd58b23e",
"indicator--d56163b8-3f70-494a-8c03-b5cd66da7aca",
"indicator--dba0f86f-314c-4aac-b08c-5b4d47e2a1da",
"indicator--903429af-87ca-4865-ab0a-da4febe313e9",
"indicator--01769315-d698-45fe-8388-4853f1f7a30d",
"indicator--c9e05448-4911-489a-a310-2f6bd3b0c8f5",
"indicator--5cb19648-900a-4363-ac92-f0dcef307ef1",
"indicator--39fff771-4832-4181-abf2-1aadd9a9d815",
"indicator--f25b964c-9158-436e-8f77-86e949f4c5ac",
"indicator--6516e8c0-eb91-45f4-9436-cdce2e06e1ab",
"indicator--79256a9e-de15-47c7-a361-eb7281617e36",
"indicator--11ac46b5-49f4-44cc-9eb4-edf82ec428da",
"indicator--2f9eb12e-0e85-4498-aee6-e01f9855fe79",
"x-misp-object--a68b22f1-a68b-4866-b711-3e20fd9914b2",
"indicator--807f2024-9752-456a-be70-284533077af6",
"indicator--01ffa6b4-4c4a-4e4d-848c-2e8834970353",
"indicator--788f4f53-7c1e-4528-9315-17e4af67cae6"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"misp-galaxy:mitre-attack-pattern=\"Hijack Execution Flow - T1574\"",
"misp-galaxy:mitre-attack-pattern=\"Indicator Removal on Host - T1070\"",
"misp-galaxy:mitre-attack-pattern=\"Process Injection - T1055\"",
"misp-galaxy:mitre-attack-pattern=\"Execution Guardrails - T1480\"",
"misp-galaxy:mitre-attack-pattern=\"Boot or Logon Autostart Execution - T1547\"",
"misp-galaxy:mitre-attack-pattern=\"Boot or Logon Initialization Scripts - T1037\"",
"misp-galaxy:mitre-attack-pattern=\"Create or Modify System Process - T1543\"",
"misp-galaxy:mitre-attack-pattern=\"Keylogging - T1056.001\"",
"misp-galaxy:mitre-attack-pattern=\"Input Capture - T1417\"",
"misp-galaxy:mitre-attack-pattern=\"Input Capture - T1056\"",
"misp-galaxy:mitre-attack-pattern=\"Gather Victim Host Information - T1592\"",
"misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"",
"misp-galaxy:mitre-attack-pattern=\"Bypass User Access Control - T1548.002\"",
"misp-galaxy:mitre-attack-pattern=\"Proxy - T1090\"",
"misp-galaxy:mitre-attack-pattern=\"Symmetric Cryptography - T1573.001\"",
"misp-galaxy:mitre-attack-pattern=\"Malware - T1587.001\"",
"misp-galaxy:malpedia=\"BumbleBee\"",
"type:OSINT",
"osint:lifetime=\"perpetual\"",
"osint:certainty=\"50\"",
"misp-galaxy:tool=\"BumbleBee\"",
"ecsirt:intrusions=\"backdoor\"",
"veris:action:malware:variety=\"Backdoor\"",
"ms-caro-malware:malware-type=\"Backdoor\"",
"ms-caro-malware-full:malware-type=\"Backdoor\"",
"misp-galaxy:malpedia=\"Bookworm\"",
"misp-galaxy:tool=\"Bookworm\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--35a4ef92-4ae2-4a9b-b23e-d03024f278a1",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-09-09T13:14:25.000Z",
"modified": "2022-09-09T13:14:25.000Z",
"description": "Backdoor.Win32.BUMBLEB.ZTIC - ore",
"pattern": "[file:hashes.SHA256 = 'eeca34fba68754e05e7307de61708e4ce74441754fcc6ae762148edf9e8e2ca0']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-09-09T13:14:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5823caf2-1ab2-4c0d-a24e-de7edd58b23e",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-09-09T13:14:34.000Z",
"modified": "2022-09-09T13:14:34.000Z",
"description": "Backdoor.Win32.BUMBLEB.ZTIC - bin",
"pattern": "[file:hashes.SHA256 = '6690b7ace461b60b7a72613c202d70f4684c8cdc5afbb4267c67b5fe5dbf828e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-09-09T13:14:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--d56163b8-3f70-494a-8c03-b5cd66da7aca",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-09-09T13:14:41.000Z",
"modified": "2022-09-09T13:14:41.000Z",
"description": "Backdoor.Win32.BUMBLEB.ZTIC - bin",
"pattern": "[file:hashes.SHA256 = '4ecde81a476f1e4622d192fe2f120f7c5c3ec58bf118b791d5532f3ff61c09ee']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-09-09T13:14:41Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--dba0f86f-314c-4aac-b08c-5b4d47e2a1da",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-09-09T13:14:49.000Z",
"modified": "2022-09-09T13:14:49.000Z",
"description": "Backdoor.Win32.BUMBLEB.ZTIC - bin",
"pattern": "[file:hashes.SHA256 = '8ab8bb836b074e170c129b7f0523d256930fd1f8cf126ca1875b450fdb6c4c05']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-09-09T13:14:49Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--903429af-87ca-4865-ab0a-da4febe313e9",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-09-09T13:14:53.000Z",
"modified": "2022-09-09T13:14:53.000Z",
"description": "Backdoor.Win32.BUMBLEB.ZTIC - ore",
"pattern": "[file:hashes.SHA256 = '515cb31b2c89df83ea6d54d5c0c3e4fe9a024319d9bd8fd76ad351860bd67ea3']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-09-09T13:14:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--01769315-d698-45fe-8388-4853f1f7a30d",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-09-09T13:14:59.000Z",
"modified": "2022-09-09T13:14:59.000Z",
"description": "Backdoor.Win32.BUMBLEB.ZTIC - bin",
"pattern": "[file:hashes.SHA256 = '8e340746339614ca105a1873dad471188b24421648d080e37d52b87f4ced5e6d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-09-09T13:14:59Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--c9e05448-4911-489a-a310-2f6bd3b0c8f5",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-09-09T13:23:25.000Z",
"modified": "2022-09-09T13:23:25.000Z",
"description": "C&C",
"pattern": "[url:value = 'http://www.synolo.ns01.biz:80/update']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-09-09T13:23:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cb19648-900a-4363-ac92-f0dcef307ef1",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-09-09T13:23:25.000Z",
"modified": "2022-09-09T13:23:25.000Z",
"description": "C&C",
"pattern": "[url:value = 'http://118.163.105.130:80/update']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-09-09T13:23:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--39fff771-4832-4181-abf2-1aadd9a9d815",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-09-12T06:21:17.000Z",
"modified": "2022-09-12T06:21:17.000Z",
"pattern": "[file:name = 'launcher.dll']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-09-12T06:21:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--f25b964c-9158-436e-8f77-86e949f4c5ac",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-09-12T06:21:17.000Z",
"modified": "2022-09-12T06:21:17.000Z",
"pattern": "[file:name = 'kernel.dll']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-09-12T06:21:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--6516e8c0-eb91-45f4-9436-cdce2e06e1ab",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-09-12T06:21:17.000Z",
"modified": "2022-09-12T06:21:17.000Z",
"pattern": "[file:name = 'installer.dll']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-09-12T06:21:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--79256a9e-de15-47c7-a361-eb7281617e36",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-09-12T06:21:17.000Z",
"modified": "2022-09-12T06:21:17.000Z",
"pattern": "[file:name = 'keylog.dll']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-09-12T06:21:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--11ac46b5-49f4-44cc-9eb4-edf82ec428da",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-09-12T06:21:17.000Z",
"modified": "2022-09-12T06:21:17.000Z",
"pattern": "[file:name = 'loader.dll']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-09-12T06:21:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--2f9eb12e-0e85-4498-aee6-e01f9855fe79",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-09-12T06:21:17.000Z",
"modified": "2022-09-12T06:21:17.000Z",
"pattern": "[file:name = 'slaver.dll']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-09-12T06:21:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--a68b22f1-a68b-4866-b711-3e20fd9914b2",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-09-09T07:28:51.000Z",
"modified": "2022-09-09T07:28:51.000Z",
"labels": [
"misp:name=\"report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "link",
"object_relation": "link",
"value": "https://www.trendmicro.com/en_us/research/22/i/buzzing-in-the-background-bumblebee-a-new-modular-backdoor-evolv.html",
"category": "External analysis",
"uuid": "56256c65-96f3-4ffc-b9d2-b2cd01e49cdc"
},
{
"type": "text",
"object_relation": "summary",
"value": "\"In March 2021, we investigated a backdoor with a unique modular architecture. Its type of modular framework made our static analysis more challenging because it required us to first rebuild its structure or use dynamic analysis to understand its functionality and behavior.\"",
"category": "Other",
"uuid": "72c873ac-5a7e-4cde-a97f-7d6a1fe8d4e9"
},
{
"type": "text",
"object_relation": "type",
"value": "Report",
"category": "Other",
"uuid": "72b488f3-fd16-46c6-a46e-787709228af3"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--807f2024-9752-456a-be70-284533077af6",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-09-09T11:50:49.000Z",
"modified": "2022-09-09T11:50:49.000Z",
"description": " Trojan.Win32.MULTICOM.ZTIC",
"pattern": "[file:hashes.SHA256 = 'f8809c6c56d2a0f8a08fe181614e6d9488eeb6983f044f2e6a8fa6a617ef2475' AND file:name = 'slaver.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-09-09T11:50:49Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--01ffa6b4-4c4a-4e4d-848c-2e8834970353",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-09-09T11:56:32.000Z",
"modified": "2022-09-09T11:56:32.000Z",
"description": "Trojan.Win32.REGLOAD.ZTI",
"pattern": "[file:hashes.SHA256 = '3fc6c5df4a04d555d5cbf2ca53bed7769b5595fc6143a2599097cb6193ef8810' AND file:name = 'XecureIO_v20.dll']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-09-09T11:56:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--788f4f53-7c1e-4528-9315-17e4af67cae6",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2022-09-09T11:56:55.000Z",
"modified": "2022-09-09T11:56:55.000Z",
"description": "Trojan.Win32.REGLOAD.ZTI",
"pattern": "[file:hashes.SHA256 = 'ea5db8d658f42acad38106cbc46eea5944607eb709fb00f8adb501d4779fbea0' AND file:name = 'XecureIO_v20.dll']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-09-09T11:56:55Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}