{
"Event": {
"analysis": "2",
"date": "2016-03-10",
"extends_uuid": "",
"info": "OSINT - Shifting Tactics: Tracking changes in years-long espionage campaign against Tibetans",
"publish_timestamp": "1457619152",
"published": true,
"threat_level_id": "2",
"timestamp": "1457618310",
"uuid": "56e177ef-38cc-441b-a398-4f66950d210f",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#ffffff",
"local": "0",
"name": "tlp:white",
"relationship_type": ""
},
{
"colour": "#004646",
"local": "0",
"name": "type:OSINT",
"relationship_type": ""
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1457616909",
"to_ids": false,
"type": "link",
"uuid": "56e1780d-270c-4cc7-ac76-4a92950d210f",
"value": "https://citizenlab.org/2016/03/shifting-tactics/"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1457616926",
"to_ids": false,
"type": "comment",
"uuid": "56e1781e-46c4-4d39-b770-413c950d210f",
"value": "This report describes the latest iteration in a long-running espionage campaign against the Tibetan community. We detail how the attackers continuously adapt their campaigns to their targets, shifting tactics from document-based malware to conventional phishing that draws on \u201cinside\u201d knowledge of community activities. This adaptation appears to track changes in security behaviors within the Tibetan community, which has been promoting a move from sharing attachments via e-mail to using cloud-based file sharing alternatives such as Google Drive.\r\n\r\nWe connect the attack group\u2019s infrastructure and techniques to a group previously identified by Palo Alto Networks, which they named Scarlet Mimic. We provide further context on Scarlet Mimic\u2019s targeting and tactics, and the intended victims of their attack campaigns. In addition, while Scarlet Mimic may be conducting malware attacks using other infrastructure, we analyze how the attackers re-purposed a cluster of their malware Command and Control (C2) infrastructure to mount the recent phishing campaign.\r\n\r\nThis move is only the latest development in the ongoing cat and mouse game between attack groups like Scarlet Mimic and the Tibetan community. The speed and ease with which attackers continue to adapt highlights the challenges faced by Tibetans who are trying to remain safe online."
},
{
"category": "Network activity",
"comment": "Phishing campaign infrastructure",
"deleted": false,
"disable_correlation": false,
"timestamp": "1457616964",
"to_ids": true,
"type": "hostname",
"uuid": "56e17844-e498-42ac-a6ea-4c13950d210f",
"value": "filegoogle.firewall-gateway.com"
},
{
"category": "Network activity",
"comment": "Phishing campaign infrastructure",
"deleted": false,
"disable_correlation": false,
"timestamp": "1457616964",
"to_ids": true,
"type": "hostname",
"uuid": "56e17844-a20c-48a2-939f-4f67950d210f",
"value": "accountgoogle.firewall-gateway.com"
},
{
"category": "Network activity",
"comment": "Phishing campaign infrastructure",
"deleted": false,
"disable_correlation": false,
"timestamp": "1457616964",
"to_ids": true,
"type": "hostname",
"uuid": "56e17844-51dc-4556-a088-46c4950d210f",
"value": "detail43.myfirewall.org"
},
{
"category": "Network activity",
"comment": "Phishing campaign infrastructure",
"deleted": false,
"disable_correlation": false,
"timestamp": "1457616965",
"to_ids": true,
"type": "url",
"uuid": "56e17845-d6f0-429c-b890-4079950d210f",
"value": "http://filegoogle.firewall-gateway.com/servicelogin"
},
{
"category": "Network activity",
"comment": "Phishing campaign infrastructure",
"deleted": false,
"disable_correlation": false,
"timestamp": "1457616965",
"to_ids": true,
"type": "url",
"uuid": "56e17845-8224-4308-a3a6-4702950d210f",
"value": "http://accountgoogle.firewall-gateway.com/serviclogin"
},
{
"category": "Network activity",
"comment": "Phishing campaign infrastructure",
"deleted": false,
"disable_correlation": false,
"timestamp": "1457616965",
"to_ids": true,
"type": "url",
"uuid": "56e17845-8ef0-479b-944d-41b3950d210f",
"value": "http://accountgoogle.firewall-gateway.com/servicclogin"
},
{
"category": "Network activity",
"comment": "Command and Control Servers",
"deleted": false,
"disable_correlation": false,
"timestamp": "1457617123",
"to_ids": true,
"type": "hostname",
"uuid": "56e178e3-cf8c-4f0e-8dc4-4fae950d210f",
"value": "sys.firewall-gateway.net"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1457617482",
"to_ids": true,
"type": "filename|md5",
"uuid": "56e17a4a-dee8-461f-9d0d-4594950d210f",
"value": "uroyh.exe|ea45265fe98b25e719d5a9cc3b412d66"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1457617482",
"to_ids": true,
"type": "filename|md5",
"uuid": "56e17a4a-0678-4fc2-985c-4912950d210f",
"value": "uroyh-unpacked.exe|5c030802ad411fea059cc9cc4c118125"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1457617614",
"to_ids": true,
"type": "filename|md5",
"uuid": "56e17ace-1a58-46e1-ba4a-4f89950d210f",
"value": "Reappraisal_of_India_Tibet_Policy.doc|7735e571d0450e2a31e97e4f8e0f66fa"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1457617614",
"to_ids": true,
"type": "filename|md5",
"uuid": "56e17ace-007c-4f0d-b564-4166950d210f",
"value": "Genuine autonomy or complete independance.doc|7735e571d0450e2a31e97e4f8e0f66fa"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1457617615",
"to_ids": true,
"type": "filename|md5",
"uuid": "56e17acf-a6e0-4daf-97e5-422e950d210f",
"value": "Application for Mentee.doc|7735e571d0450e2a31e97e4f8e0f66fa"
},
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1457617804",
"to_ids": true,
"type": "filename|md5",
"uuid": "56e17b8c-398c-450a-bd76-498b950d210f",
"value": "iph.bat|d2e9412428c3bcf3ec98dba8a78adb7b"
},
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1457617805",
"to_ids": true,
"type": "filename|md5",
"uuid": "56e17b8d-449c-446a-bbcb-4d96950d210f",
"value": "cghnt.exe|1bf438b5744db73eea58379a3b9f30e5"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1457617991",
"to_ids": true,
"type": "filename|md5",
"uuid": "56e17c47-9ca0-4037-afb1-4c8d950d210f",
"value": "20140317144336097.DOC|3b869c8e23d66ad0527882fc79ff7237"
},
{
"category": "Network activity",
"comment": "Command and Control Servers",
"deleted": false,
"disable_correlation": false,
"timestamp": "1457618090",
"to_ids": true,
"type": "hostname",
"uuid": "56e17caa-2740-4d49-8b47-4c56950d210f",
"value": "news.firewall-gateway.com"
},
{
"category": "Payload delivery",
"comment": "Scarlet Mimic Malware Campaign 1",
"deleted": false,
"disable_correlation": false,
"timestamp": "1457618234",
"to_ids": true,
"type": "md5",
"uuid": "56e17d3a-44d4-47f9-aa6d-4722950d210f",
"value": "fef27f432e0ae8218143bc410fda340e"
},
{
"category": "Payload installation",
"comment": "- Xchecked via VT: 1bf438b5744db73eea58379a3b9f30e5",
"deleted": false,
"disable_correlation": false,
"timestamp": "1457618310",
"to_ids": true,
"type": "sha256",
"uuid": "56e17d86-0c10-4c04-b412-4e6a02de0b81",
"value": "df9872d1dc1dbb101bf83c7e7d689d2d6df09966481a365f92cd451ef55f047d"
},
{
"category": "Payload installation",
"comment": "- Xchecked via VT: 1bf438b5744db73eea58379a3b9f30e5",
"deleted": false,
"disable_correlation": false,
"timestamp": "1457618311",
"to_ids": true,
"type": "sha1",
"uuid": "56e17d87-9904-442d-bfe2-4dc902de0b81",
"value": "67762474fb66217bf2594ede3d15abe12ac4d9e7"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1457618311",
"to_ids": false,
"type": "link",
"uuid": "56e17d87-3b08-44c5-9dfb-486202de0b81",
"value": "https://www.virustotal.com/file/df9872d1dc1dbb101bf83c7e7d689d2d6df09966481a365f92cd451ef55f047d/analysis/1453744608/"
},
{
"category": "Payload delivery",
"comment": "Scarlet Mimic Malware Campaign 1 - Xchecked via VT: fef27f432e0ae8218143bc410fda340e",
"deleted": false,
"disable_correlation": false,
"timestamp": "1457618311",
"to_ids": true,
"type": "sha256",
"uuid": "56e17d87-a608-4e4c-bdb2-443502de0b81",
"value": "caf76e19a2681dd000c96d8389afc749e774c083aef09f023d4f42fbc49d4d3d"
},
{
"category": "Payload delivery",
"comment": "Scarlet Mimic Malware Campaign 1 - Xchecked via VT: fef27f432e0ae8218143bc410fda340e",
"deleted": false,
"disable_correlation": false,
"timestamp": "1457618312",
"to_ids": true,
"type": "sha1",
"uuid": "56e17d88-deb8-4f0a-a0cd-4f3902de0b81",
"value": "6d81d2ad1acfd707a2ea35672bdd76948889d16b"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1457618312",
"to_ids": false,
"type": "link",
"uuid": "56e17d88-f460-4120-ad15-4ea802de0b81",
"value": "https://www.virustotal.com/file/caf76e19a2681dd000c96d8389afc749e774c083aef09f023d4f42fbc49d4d3d/analysis/1453903417/"
},
{
"category": "Payload delivery",
"comment": "- Xchecked via VT: 3b869c8e23d66ad0527882fc79ff7237",
"deleted": false,
"disable_correlation": false,
"timestamp": "1457618312",
"to_ids": true,
"type": "sha256",
"uuid": "56e17d88-9390-4464-b901-466f02de0b81",
"value": "cc8936507438fcf8757ff40309c6057aa780c394b158723b7e8fb07e09793344"
},
{
"category": "Payload delivery",
"comment": "- Xchecked via VT: 3b869c8e23d66ad0527882fc79ff7237",
"deleted": false,
"disable_correlation": false,
"timestamp": "1457618313",
"to_ids": true,
"type": "sha1",
"uuid": "56e17d89-f498-448c-bad0-4d4802de0b81",
"value": "a7e90928e96a44b5223053fd0c1b96d9a3a36e01"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1457618313",
"to_ids": false,
"type": "link",
"uuid": "56e17d89-a69c-40a0-9352-45f002de0b81",
"value": "https://www.virustotal.com/file/cc8936507438fcf8757ff40309c6057aa780c394b158723b7e8fb07e09793344/analysis/1398640507/"
},
{
"category": "Payload delivery",
"comment": "- Xchecked via VT: 7735e571d0450e2a31e97e4f8e0f66fa",
"deleted": false,
"disable_correlation": false,
"timestamp": "1457618313",
"to_ids": true,
"type": "sha256",
"uuid": "56e17d89-4d84-4ac6-80a5-47de02de0b81",
"value": "8d98155283c4d8373d2cf2c7b8a79302251a0ce76d227a8a2abdc2a244fc550e"
},
{
"category": "Payload delivery",
"comment": "- Xchecked via VT: 7735e571d0450e2a31e97e4f8e0f66fa",
"deleted": false,
"disable_correlation": false,
"timestamp": "1457618314",
"to_ids": true,
"type": "sha1",
"uuid": "56e17d8a-0c60-4f56-87bf-448f02de0b81",
"value": "e2126ebc4910ea0308a150466f70534854ec201d"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1457618314",
"to_ids": false,
"type": "link",
"uuid": "56e17d8a-d9c0-4638-9158-4de502de0b81",
"value": "https://www.virustotal.com/file/8d98155283c4d8373d2cf2c7b8a79302251a0ce76d227a8a2abdc2a244fc550e/analysis/1437647138/"
},
{
"category": "Payload delivery",
"comment": "- Xchecked via VT: ea45265fe98b25e719d5a9cc3b412d66",
"deleted": false,
"disable_correlation": false,
"timestamp": "1457618314",
"to_ids": true,
"type": "sha256",
"uuid": "56e17d8a-4294-4c3e-80c9-48d102de0b81",
"value": "3d9bd26f5bd5401efa17690357f40054a3d7b438ce8c91367dbf469f0d9bd520"
},
{
"category": "Payload delivery",
"comment": "- Xchecked via VT: ea45265fe98b25e719d5a9cc3b412d66",
"deleted": false,
"disable_correlation": false,
"timestamp": "1457618314",
"to_ids": true,
"type": "sha1",
"uuid": "56e17d8a-414c-4f93-8496-40c002de0b81",
"value": "95cecef175012f145df2e0f8255fe92f55f10414"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1457618315",
"to_ids": false,
"type": "link",
"uuid": "56e17d8b-231c-4363-8006-4b5202de0b81",
"value": "https://www.virustotal.com/file/3d9bd26f5bd5401efa17690357f40054a3d7b438ce8c91367dbf469f0d9bd520/analysis/1453744600/"
}
]
}
} |