{
"Event": {
"analysis": "2",
"date": "2016-10-31",
"extends_uuid": "",
"info": "OSINT - PSA: Conference Invite used as a Lure by Operation Lotus Blossom Actors",
"publish_timestamp": "1477941454",
"published": true,
"threat_level_id": "2",
"timestamp": "1477941449",
"uuid": "58179275-f030-4dce-a626-4c9802de0b81",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#ffffff",
"local": "0",
"name": "tlp:white",
"relationship_type": ""
},
{
"colour": "#00223b",
"local": "0",
"name": "osint:source-type=\"blog-post\"",
"relationship_type": ""
},
{
"colour": "#10c500",
"local": "0",
"name": "misp-galaxy:threat-actor=\"Lotus Blossom\"",
"relationship_type": ""
}
],
"Attribute": [
{
"category": "Financial fraud",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1477939870",
"to_ids": false,
"type": "comment",
"uuid": "5817929e-271c-4ba8-9cbc-4acc02de0b81",
"value": "Actors related to the Operation Lotus Blossom campaign continue their attack campaigns in the Asia Pacific region. It appears that these threat actors have begun using Palo Alto Networks' upcoming Cyber Security Summit hosted on November 3, 2016 in Jakarta, Indonesia as a lure to compromise targeted individuals. The payload installed in attacks using this lure is a variant of the Emissary Trojan that we have analyzed in the past, which has direct links to threat actors associated with Operation Lotus Blossom.\r\n\r\nAs our readers and customers in Indonesia are likely recipients of this phishing e-mail, we want to release some key facts to clarify the situation.\r\n\r\nThe malicious email will have an attachment named \u201c[FREE INVITATIONS] CyberSecurity Summit.doc\u201d that if opened will exploit CVE-2012-0158. The legitimate invitation emails from Palo Alto Networks did not carry any attachments.\r\nIn response to this incident, we have halted our email invitations, so please disregard all new emails related to invitations to this conference, as they may be malicious.\r\nIndividuals wishing to attend the conference should register on our official CYBERSECURITY SUMMIT \u2013 JAKARTA website."
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1477939906",
"to_ids": false,
"type": "link",
"uuid": "581792c2-2d30-4403-8c99-68fc02de0b81",
"value": "http://researchcenter.paloaltonetworks.com/2016/10/unit42-psa-conference-invite-used-lure-operation-lotus-blossom-actors/"
},
{
"category": "Payload delivery",
"comment": "Delivery Document",
"deleted": false,
"disable_correlation": false,
"timestamp": "1477939965",
"to_ids": true,
"type": "sha256",
"uuid": "581792fd-75f0-4464-a327-405602de0b81",
"value": "61de3df463f94f8583934edb227b174c7e4473b89bd110a6f6ba44fad8c41943"
},
{
"category": "Payload delivery",
"comment": "Emissary Loader",
"deleted": false,
"disable_correlation": false,
"timestamp": "1477939965",
"to_ids": true,
"type": "sha256",
"uuid": "581792fd-2920-4f99-9a62-4ad902de0b81",
"value": "aefa519feab9c8741af98ae2ddc287c404117e208cecd6479ee427f682814286"
},
{
"category": "Network activity",
"comment": "C2 server",
"deleted": false,
"disable_correlation": false,
"timestamp": "1477939966",
"to_ids": true,
"type": "ip-dst",
"uuid": "581792fe-c394-45b7-8619-4c5102de0b81",
"value": "103.249.31.49"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1477940016",
"to_ids": true,
"type": "email-attachment",
"uuid": "58179330-e5b0-4884-a984-44f602de0b81",
"value": "[FREE INVITATIONS] CyberSecurity Summit.doc"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1477940104",
"to_ids": true,
"type": "filename",
"uuid": "58179388-3ee4-4ed7-b686-664702de0b81",
"value": "%APPDATA%\\Programs\\Dsdcmsoon.dll"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1477940104",
"to_ids": true,
"type": "filename",
"uuid": "58179388-dbbc-4176-ad81-664702de0b81",
"value": "%APPDATA%\\Programs\\DCMOS3124.DAT"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1477940105",
"to_ids": true,
"type": "filename",
"uuid": "58179389-d75c-4be4-b0d1-664702de0b81",
"value": "%APPDATA%\\Programs\\CVNX044.DAT"
},
{
"category": "Payload delivery",
"comment": "Emissary Loader - Xchecked via VT: aefa519feab9c8741af98ae2ddc287c404117e208cecd6479ee427f682814286",
"deleted": false,
"disable_correlation": false,
"timestamp": "1477940399",
"to_ids": true,
"type": "sha1",
"uuid": "581794af-6c90-40a6-98a6-68fc02de0b81",
"value": "93352181787450e9147ef40124ebde818a361947"
},
{
"category": "Payload delivery",
"comment": "Emissary Loader - Xchecked via VT: aefa519feab9c8741af98ae2ddc287c404117e208cecd6479ee427f682814286",
"deleted": false,
"disable_correlation": false,
"timestamp": "1477940399",
"to_ids": true,
"type": "md5",
"uuid": "581794af-9e54-48e9-8b3a-68fc02de0b81",
"value": "9c06ac2eabd50ebfdd988df3b1a633fe"
},
{
"category": "External analysis",
"comment": "Emissary Loader - Xchecked via VT: aefa519feab9c8741af98ae2ddc287c404117e208cecd6479ee427f682814286",
"deleted": false,
"disable_correlation": false,
"timestamp": "1477940400",
"to_ids": false,
"type": "link",
"uuid": "581794b0-afdc-4251-bf01-68fc02de0b81",
"value": "https://www.virustotal.com/file/aefa519feab9c8741af98ae2ddc287c404117e208cecd6479ee427f682814286/analysis/1477934763/"
},
{
"category": "Payload delivery",
"comment": "Delivery Document - Xchecked via VT: 61de3df463f94f8583934edb227b174c7e4473b89bd110a6f6ba44fad8c41943",
"deleted": false,
"disable_correlation": false,
"timestamp": "1477940400",
"to_ids": true,
"type": "sha1",
"uuid": "581794b0-4840-46aa-a35a-68fc02de0b81",
"value": "6f2688d24c67b766c4e3fc5de08e3f2137b71fad"
},
{
"category": "Payload delivery",
"comment": "Delivery Document - Xchecked via VT: 61de3df463f94f8583934edb227b174c7e4473b89bd110a6f6ba44fad8c41943",
"deleted": false,
"disable_correlation": false,
"timestamp": "1477940401",
"to_ids": true,
"type": "md5",
"uuid": "581794b1-f328-47eb-9020-68fc02de0b81",
"value": "20c96609d10b2d497031e1e42970913a"
},
{
"category": "External analysis",
"comment": "Delivery Document - Xchecked via VT: 61de3df463f94f8583934edb227b174c7e4473b89bd110a6f6ba44fad8c41943",
"deleted": false,
"disable_correlation": false,
"timestamp": "1477940401",
"to_ids": false,
"type": "link",
"uuid": "581794b1-2df8-4426-8302-68fc02de0b81",
"value": "https://www.virustotal.com/file/61de3df463f94f8583934edb227b174c7e4473b89bd110a6f6ba44fad8c41943/analysis/1476950396/"
}
]
}
} |