misp-circl-feed/feeds/circl/misp/5981907c-ee6c-4ed5-bc87-40af02de0b81.json


{
"Event": {
"analysis": "2",
"date": "2017-08-02",
"extends_uuid": "",
"info": "OSINT - Real News, Fake Flash: Mac OS X Users Targeted",
"publish_timestamp": "1501663708",
"published": true,
"threat_level_id": "3",
"timestamp": "1501663696",
"uuid": "5981907c-ee6c-4ed5-bc87-40af02de0b81",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#ffffff",
"local": "0",
"name": "tlp:white",
"relationship_type": ""
},
{
"colour": "#6a0084",
"local": "0",
"name": "ms-caro-malware:malware-platform=\"MacOS_X\"",
"relationship_type": ""
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1501663696",
"to_ids": false,
"type": "link",
"uuid": "598190a8-00ec-4767-b912-418602de0b81",
"value": "https://www.volexity.com/blog/2017/07/24/real-news-fake-flash-mac-os-x-users-targeted/",
"Tag": [
{
"colour": "#00223b",
"local": "0",
"name": "osint:source-type=\"blog-post\"",
"relationship_type": ""
}
]
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1501663696",
"to_ids": false,
"type": "text",
"uuid": "598190b8-24d0-4da9-84d0-48ac02de0b81",
"value": "Volexity recently identified a breach to the website of a well regarded media outlet in the country of Georgia. As part of this breach, the media organization\u2019s website was being leveraged as a component of a malware campaign targeting select visitors. The news organization provides reporting on its website in English, Georgian, and Russian. However, only the Georgian language portion of the website was impacted and used in an effort to distribute malware. The targets were then further narrowed to those that were running the Mac OS X operating system, had not previously visited the website, and had specific browser versions. The attackers accomplished much of this with JavaScript they placed on the media organization\u2019s website.",
"Tag": [
{
"colour": "#00223b",
"local": "0",
"name": "osint:source-type=\"blog-post\"",
"relationship_type": ""
}
]
},
{
"category": "Payload delivery",
"comment": "GetFlashPlayer.zip - ZIP file containing the OSX/Leverage.A GetFlashPlayer.app application/directory.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1501663696",
"to_ids": true,
"type": "md5",
"uuid": "59819106-c5cc-4df8-ab93-4ac502de0b81",
"value": "6597ffd7d1d241b1bf776bc7e1e3f840"
},
{
"category": "Payload delivery",
"comment": "GetFlashPlayer.zip - ZIP file containing the OSX/Leverage.A GetFlashPlayer.app application/directory.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1501663696",
"to_ids": true,
"type": "sha1",
"uuid": "59819106-f024-4177-9670-400902de0b81",
"value": "2810d554b2e9e14551cef7293e5240b058fb78c3"
},
{
"category": "Payload delivery",
"comment": "GetFlashPlayer - Signed OSX/Leverage.A binary masquerading as a legitimate file from Adobe",
"deleted": false,
"disable_correlation": false,
"timestamp": "1501663696",
"to_ids": true,
"type": "md5",
"uuid": "59819106-ac44-4f4d-b1c5-425602de0b81",
"value": "28064805242b3aa9c138061d6c18e7f5"
},
{
"category": "Payload delivery",
"comment": "GetFlashPlayer - Signed OSX/Leverage.A binary masquerading as a legitimate file from Adobe",
"deleted": false,
"disable_correlation": false,
"timestamp": "1501663696",
"to_ids": true,
"type": "sha1",
"uuid": "59819106-7e30-446e-bcae-44e902de0b81",
"value": "2441e2e9f68b4110218e1fcdc2cfce864b96e2da"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1501663696",
"to_ids": true,
"type": "hostname",
"uuid": "5981912b-da70-4840-bfe2-483402de0b81",
"value": "updatesec.webredirect.org"
},
{
"category": "Network activity",
"comment": "updatesec.webredirect[.]org",
"deleted": false,
"disable_correlation": false,
"timestamp": "1501663696",
"to_ids": true,
"type": "ip-dst",
"uuid": "5981912b-e808-49bf-8f5a-4bac02de0b81",
"value": "45.77.53.146"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1501663696",
"to_ids": true,
"type": "hostname",
"uuid": "5981912b-7ea8-4a36-b091-445102de0b81",
"value": "downloadarchives.servehttp.com"
},
{
"category": "Network activity",
"comment": "downloadarchives.servehttp[.]com",
"deleted": false,
"disable_correlation": false,
"timestamp": "1501663696",
"to_ids": true,
"type": "ip-dst",
"uuid": "5981912b-cb3c-4848-b644-4fd802de0b81",
"value": "213.200.14.138"
},
{
"category": "Network activity",
"comment": "Volexity was also able to find ties between the updatesec.webredirect[.]org exploitation and malware delivery server and the IP address 176.9.192.223. Volexity believes this IP is likely used for similar purposes and is directly related with the threat activity described in this blog.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1501663696",
"to_ids": true,
"type": "ip-dst",
"uuid": "59819159-0430-4878-bc81-4ed502de0b81",
"value": "176.9.192.223"
},
{
"category": "Network activity",
"comment": "In a final interesting twist, while writing this blog, Volexity noted that the IP address for the hostname updatesec.webredirect[.]org was updated to resolve to the Lithuanian IP address 185.28.22.22. This IP address does not appear to be responding on port 80, so no content would be served to visitors. However, it should be noted that this IP address is listed as a command and control server in the Stantinko report that was just released by ESET last week. Volexity is not aware of any ties between this threat activity and those behind Stantinko.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1501663696",
"to_ids": true,
"type": "ip-dst",
"uuid": "5981918a-06a8-4acb-ab14-402102de0b81",
"value": "185.28.22.22"
},
{
"category": "Payload delivery",
"comment": "GetFlashPlayer - Signed OSX/Leverage.A binary masquerading as a legitimate file from Adobe - Xchecked via VT: 2441e2e9f68b4110218e1fcdc2cfce864b96e2da",
"deleted": false,
"disable_correlation": false,
"timestamp": "1501663696",
"to_ids": true,
"type": "sha256",
"uuid": "598191d0-f6b8-44ba-b774-448f02de0b81",
"value": "58509ec67ce9a271bf4a1ec3cad3a37bb666c1df4cc90f16db7038982b57dcf1"
},
{
"category": "External analysis",
"comment": "GetFlashPlayer - Signed OSX/Leverage.A binary masquerading as a legitimate file from Adobe - Xchecked via VT: 2441e2e9f68b4110218e1fcdc2cfce864b96e2da",
"deleted": false,
"disable_correlation": false,
"timestamp": "1501663696",
"to_ids": false,
"type": "link",
"uuid": "598191d0-1f28-4cd2-96d9-479402de0b81",
"value": "https://www.virustotal.com/file/58509ec67ce9a271bf4a1ec3cad3a37bb666c1df4cc90f16db7038982b57dcf1/analysis/1501618896/"
}
]
}
}