misp-circl-feed/feeds/circl/misp/586ccbb7-3b08-4fdb-a034-4a8b950d210f.json

{
"Event": {
"analysis": "2",
"date": "2016-07-26",
"extends_uuid": "",
"info": "OSINT - Threat Actors Using Legitimate PayPal Accounts To Distribute Chthonic Banking Trojan",
"publish_timestamp": "1483525561",
"published": true,
"threat_level_id": "3",
"timestamp": "1483525555",
"uuid": "586ccbb7-3b08-4fdb-a034-4a8b950d210f",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#ffffff",
"local": "0",
"name": "tlp:white",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": "0",
"name": "misp-galaxy:tool=\"Chthonic\"",
"relationship_type": ""
},
{
"colour": "#00223b",
"local": "0",
"name": "osint:source-type=\"blog-post\"",
"relationship_type": ""
},
{
"colour": "#075200",
"local": "0",
"name": "admiralty-scale:source-reliability=\"b\"",
"relationship_type": ""
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1483525077",
"to_ids": false,
"type": "comment",
"uuid": "586ccbd5-0478-4d13-bcce-43c1950d210f",
"value": "While many email providers, clients, and anti-spam engines have become adept at detecting spam, malicious messages sent via high-profile, legitimate providers are much harder to catch. Threat actors continue to look for new ways to bypass these engines and, in the latest example of innovative approaches to malware distribution, have managed to co-opt PayPal services in a small campaign.\r\n\r\nProofpoint analysts recently noticed an interesting abuse of legitimate service in order to deliver malicious content. Specifically, we observed emails with the subject \u201cYou\u2019ve got a money request\u201d that came from PayPal. The sender does not appear to be faked: instead, the spam is generated by registering with PayPal (or using stolen accounts) and then using the portal to \u201crequest money.\u201d We are not sure how much of this process was automated and how much manual, but the email volume was low."
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1483525109",
"to_ids": false,
"type": "link",
"uuid": "586ccbf5-f54c-4456-b041-475b950d210f",
"value": "https://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate-paypal-accounts-to-distribute-chthonic-banking-trojan"
},
{
"category": "Payload delivery",
"comment": "Chthonic 2nd Stage (AZORult)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1483525254",
"to_ids": true,
"type": "sha256",
"uuid": "586ccc86-8444-4cb1-9cb2-4172950d210f",
"value": "10d159b0ddb92e9f4b395e90f9cfaa554622c4e77f66f7da176783777db5526a"
},
{
"category": "Network activity",
"comment": "AZORult C&C",
"deleted": false,
"disable_correlation": false,
"timestamp": "1483525280",
"to_ids": true,
"type": "url",
"uuid": "586ccca0-1a7c-4d38-a541-4cdf950d210f",
"value": "91.215.154.202/AZORult/gate.php"
},
{
"category": "Network activity",
"comment": "Chthonic 2nd Stage hosting",
"deleted": false,
"disable_correlation": false,
"timestamp": "1483525305",
"to_ids": true,
"type": "url",
"uuid": "586cccb9-bf7c-4b6b-97f2-41da950d210f",
"value": "http://www.viscot.com/system/helper/bzr.exe"
},
{
"category": "Network activity",
"comment": "Chthonic C&C",
"deleted": false,
"disable_correlation": false,
"timestamp": "1483525321",
"to_ids": true,
"type": "domain",
"uuid": "586cccc9-c97c-4291-be73-4956950d210f",
"value": "kingstonevikte.com"
},
{
"category": "Payload delivery",
"comment": "flash.exe",
"deleted": false,
"disable_correlation": false,
"timestamp": "1483525338",
"to_ids": true,
"type": "sha256",
"uuid": "586cccda-f028-4aef-b394-4eb4950d210f",
"value": "0d2def167ecf39a69a7e949c88bb2096cfd76f7d4bf72f1b0fe27a9da686c141"
},
{
"category": "Network activity",
"comment": "flash.exe payload hosting (presumably the URL fetched by the .js downloader)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1483525360",
"to_ids": true,
"type": "url",
"uuid": "586cccf0-fdc0-4761-b125-4e99950d210f",
"value": "http://wasingo.info/2/flash.exe"
},
{
"category": "Payload delivery",
"comment": "paypalTransactionDetails.jpeg.js",
"deleted": false,
"disable_correlation": false,
"timestamp": "1483525379",
"to_ids": true,
"type": "sha256",
"uuid": "586ccd03-db28-4afc-afb0-4b86950d210f",
"value": "865d2e9cbf5d88ae8b483f0f5e2397449298651381f66c55b7afd4b750eb4da4"
},
{
"category": "Network activity",
"comment": "URL after the goo.gl redirect (hosting the js)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1483525400",
"to_ids": true,
"type": "url",
"uuid": "586ccd18-bd60-4870-af14-423b950d210f",
"value": "http://katyaflash.com/pp.php"
},
{
"category": "Network activity",
"comment": "URL in the email message",
"deleted": false,
"disable_correlation": false,
"timestamp": "1483525423",
"to_ids": true,
"type": "url",
"uuid": "586ccd2f-3a24-4a6d-8585-4bc1950d210f",
"value": "http://goo.gl/G7z1aS?paypal-nonauthtransaction.jpg"
},
{
"category": "Payload delivery",
"comment": "Chthonic 2nd Stage (AZORult) - Xchecked via VT: 10d159b0ddb92e9f4b395e90f9cfaa554622c4e77f66f7da176783777db5526a",
"deleted": false,
"disable_correlation": false,
"timestamp": "1483525455",
"to_ids": true,
"type": "sha1",
"uuid": "586ccd4f-af68-4426-b9f6-4dbd02de0b81",
"value": "c887916b08543cb3e3f112add117a9dfa790b9ee"
},
{
"category": "Payload delivery",
"comment": "Chthonic 2nd Stage (AZORult) - Xchecked via VT: 10d159b0ddb92e9f4b395e90f9cfaa554622c4e77f66f7da176783777db5526a",
"deleted": false,
"disable_correlation": false,
"timestamp": "1483525455",
"to_ids": true,
"type": "md5",
"uuid": "586ccd4f-0104-4bb0-86e9-45fe02de0b81",
"value": "d7c19ba47401f69aafed551138ad7e7c"
},
{
"category": "External analysis",
"comment": "Chthonic 2nd Stage (AZORult) - Xchecked via VT: 10d159b0ddb92e9f4b395e90f9cfaa554622c4e77f66f7da176783777db5526a",
"deleted": false,
"disable_correlation": false,
"timestamp": "1483525456",
"to_ids": false,
"type": "link",
"uuid": "586ccd50-9fd8-4b0a-acd3-4b6d02de0b81",
"value": "https://www.virustotal.com/file/10d159b0ddb92e9f4b395e90f9cfaa554622c4e77f66f7da176783777db5526a/analysis/1476464665/"
},
{
"category": "Payload delivery",
"comment": "flash.exe - Xchecked via VT: 0d2def167ecf39a69a7e949c88bb2096cfd76f7d4bf72f1b0fe27a9da686c141",
"deleted": false,
"disable_correlation": false,
"timestamp": "1483525457",
"to_ids": true,
"type": "sha1",
"uuid": "586ccd51-847c-452f-be60-48a202de0b81",
"value": "47bff3e98e086f821fff1721a8a4b2674102a2ff"
},
{
"category": "Payload delivery",
"comment": "flash.exe - Xchecked via VT: 0d2def167ecf39a69a7e949c88bb2096cfd76f7d4bf72f1b0fe27a9da686c141",
"deleted": false,
"disable_correlation": false,
"timestamp": "1483525457",
"to_ids": true,
"type": "md5",
"uuid": "586ccd51-357c-44b1-adcc-4b4e02de0b81",
"value": "c136a0702442b8b02fbad5ed7e6203d7"
},
{
"category": "External analysis",
"comment": "flash.exe - Xchecked via VT: 0d2def167ecf39a69a7e949c88bb2096cfd76f7d4bf72f1b0fe27a9da686c141",
"deleted": false,
"disable_correlation": false,
"timestamp": "1483525458",
"to_ids": false,
"type": "link",
"uuid": "586ccd52-ad44-487c-8b58-428e02de0b81",
"value": "https://www.virustotal.com/file/0d2def167ecf39a69a7e949c88bb2096cfd76f7d4bf72f1b0fe27a9da686c141/analysis/1470300877/"
},
{
"category": "Payload delivery",
"comment": "paypalTransactionDetails.jpeg.js - Xchecked via VT: 865d2e9cbf5d88ae8b483f0f5e2397449298651381f66c55b7afd4b750eb4da4",
"deleted": false,
"disable_correlation": false,
"timestamp": "1483525459",
"to_ids": true,
"type": "sha1",
"uuid": "586ccd53-4f1c-418a-881a-4efc02de0b81",
"value": "c53fca1e1fee6f0be377837f258ae671a7604677"
},
{
"category": "Payload delivery",
"comment": "paypalTransactionDetails.jpeg.js - Xchecked via VT: 865d2e9cbf5d88ae8b483f0f5e2397449298651381f66c55b7afd4b750eb4da4",
"deleted": false,
"disable_correlation": false,
"timestamp": "1483525459",
"to_ids": true,
"type": "md5",
"uuid": "586ccd53-ad1c-4728-8817-41ed02de0b81",
"value": "04f75d12660b13d972ac4c8cbf143de9"
},
{
"category": "External analysis",
"comment": "paypalTransactionDetails.jpeg.js - Xchecked via VT: 865d2e9cbf5d88ae8b483f0f5e2397449298651381f66c55b7afd4b750eb4da4",
"deleted": false,
"disable_correlation": false,
"timestamp": "1483525460",
"to_ids": false,
"type": "link",
"uuid": "586ccd54-4b88-4996-b19d-49c702de0b81",
"value": "https://www.virustotal.com/file/865d2e9cbf5d88ae8b483f0f5e2397449298651381f66c55b7afd4b750eb4da4/analysis/1476581905/"
}
]
}
}