adulau/misp-circl-feed
1
0
Fork 0
Code Issues Pull requests Projects 1 Releases Packages Wiki Activity Actions
misp-circl-feed/feeds/circl/stix-2.1/3594b211-1c7c-4e20-8c85-62564c2e7267.json

456 lines
No EOL
19 KiB
JSON
Raw Blame History

{
"type": "bundle",
"id": "bundle--3594b211-1c7c-4e20-8c85-62564c2e7267",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-08-23T12:20:50.000Z",
"modified": "2024-08-23T12:20:50.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--3594b211-1c7c-4e20-8c85-62564c2e7267",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-08-23T12:20:50.000Z",
"modified": "2024-08-23T12:20:50.000Z",
"name": "OSINT - NGate Android malware relays NFC traffic to steal cash",
"published": "2024-08-23T12:24:48Z",
"object_refs": [
"indicator--c778b40f-401f-477c-acc0-1ac6326f4828",
"x-misp-object--b664e0c0-e94c-4811-813b-591ab0fa6230",
"indicator--670685e7-856e-457a-ab8b-5d50b99c951d",
"indicator--8a1c1eaf-fb1f-4192-bfb3-e39ccdcb15b3",
"indicator--2a96d936-8d8e-4833-a84c-995747fcea47",
"indicator--f7ef3692-2d4f-4e0f-80c0-cc96e626c3a9",
"x-misp-object--6b219eb5-41e8-469a-8cc5-3ecb54a84332",
"x-misp-object--56c8a4e9-c52a-4377-8def-71524d6b8715",
"x-misp-object--77a91913-41d6-40e8-9cbc-0e989dc54ee6",
"x-misp-object--6db83e7d-e8b9-4af7-b066-9eeeda3c916c",
"x-misp-object--a7e7a430-0053-4575-b02a-887781f3d366",
"x-misp-object--27848d85-df48-41a8-9b49-487e5dead30e"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"misp-galaxy:sector=\"Finance\"",
"misp-galaxy:sector=\"Retail\"",
"misp-galaxy:mitre-attack-pattern=\"Phishing - T1660\"",
"type:OSINT",
"osint:lifetime=\"perpetual\"",
"osint:certainty=\"50\"",
"tlp:clear"
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--c778b40f-401f-477c-acc0-1ac6326f4828",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-08-23T12:09:46.000Z",
"modified": "2024-08-23T12:09:46.000Z",
"description": "NGate C&C server.",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '172.187.98.211']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-08-23T12:09:46Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--b664e0c0-e94c-4811-813b-591ab0fa6230",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-08-23T12:07:26.000Z",
"modified": "2024-08-23T12:07:26.000Z",
"labels": [
"misp:name=\"report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "link",
"object_relation": "link",
"value": "https://www.welivesecurity.com/en/eset-research/ngate-android-malware-relays-nfc-traffic-to-steal-cash/",
"category": "External analysis",
"uuid": "404f429d-75fe-45c5-a62f-d025e478fe8b"
},
{
"type": "text",
"object_relation": "summary",
"value": "Android malware discovered by ESET Research relays NFC data from victims\u2019 payment cards, via victims\u2019 mobile phones, to the device of a perpetrator waiting at an ATM",
"category": "Other",
"uuid": "390e6769-ecd7-4a0e-9dfa-5e095f8f1735"
},
{
"type": "text",
"object_relation": "title",
"value": "NGate Android malware relays NFC traffic to steal cash",
"category": "Other",
"uuid": "cc82d712-5537-4376-a7b1-9391a174d286"
},
{
"type": "text",
"object_relation": "type",
"value": "Blog",
"category": "Other",
"uuid": "e434a86a-c69b-4506-bc04-c1e04c66e284"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--670685e7-856e-457a-ab8b-5d50b99c951d",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-08-23T12:08:54.000Z",
"modified": "2024-08-23T12:08:54.000Z",
"description": "NGate distribution website.",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '91.222.136.153') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'raiffeisen-cz.eu')]",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-08-23T12:08:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--8a1c1eaf-fb1f-4192-bfb3-e39ccdcb15b3",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-08-23T12:09:17.000Z",
"modified": "2024-08-23T12:09:17.000Z",
"description": "Phishing website.",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '104.21.7.213') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'client.nfcpay.workers.dev')]",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-08-23T12:09:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--2a96d936-8d8e-4833-a84c-995747fcea47",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-08-23T12:10:06.000Z",
"modified": "2024-08-23T12:10:06.000Z",
"description": "NGate distribution website.",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.104.45.51') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'app.mobil-csob-cz.eu')]",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-08-23T12:10:06Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--f7ef3692-2d4f-4e0f-80c0-cc96e626c3a9",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-08-23T12:10:45.000Z",
"modified": "2024-08-23T12:10:45.000Z",
"description": "NGate C&C server.",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.181.165.124') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'nfc.cryptomaker.info')]",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-08-23T12:10:45Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--6b219eb5-41e8-469a-8cc5-3ecb54a84332",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-08-23T12:13:09.000Z",
"modified": "2024-08-23T12:13:09.000Z",
"labels": [
"misp:name=\"attack-step\"",
"misp:meta-category=\"misc\"",
"misp-galaxy:mitre-attack-pattern=\"Phishing - T1660\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "description",
"value": "NGate has been distributed using dedicated websites impersonating legitimate services.",
"category": "Other",
"uuid": "a0e43ef8-1ed3-46d7-9742-a751e6f1d736"
},
{
"type": "boolean",
"object_relation": "key-step",
"value": "1",
"category": "Other",
"uuid": "2a5ae6e7-da1b-4f94-8e4e-3ff43cb675e0"
},
{
"type": "boolean",
"object_relation": "succesful",
"value": "1",
"category": "Other",
"uuid": "74a75b4d-d19d-42d2-b230-61e85138eb58"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "attack-step"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--56c8a4e9-c52a-4377-8def-71524d6b8715",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-08-23T12:14:44.000Z",
"modified": "2024-08-23T12:14:44.000Z",
"labels": [
"misp:name=\"attack-step\"",
"misp:meta-category=\"misc\"",
"misp-galaxy:mitre-attack-pattern=\"GUI Input Capture - T1417.002\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "description",
"value": "NGate tries to obtain victims\u2019 sensitive information via a phishing WebView pretending to be a banking service.",
"category": "Other",
"uuid": "4f6963ef-3bb5-4bdb-b40d-6178126bcc06"
},
{
"type": "boolean",
"object_relation": "key-step",
"value": "1",
"category": "Other",
"uuid": "7c4f878d-1b89-47bb-a7f0-b1c868133688"
},
{
"type": "boolean",
"object_relation": "succesful",
"value": "1",
"category": "Other",
"uuid": "fed9ae65-503d-45c2-80df-d43e39285885"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "attack-step"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--77a91913-41d6-40e8-9cbc-0e989dc54ee6",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-08-23T12:15:53.000Z",
"modified": "2024-08-23T12:15:53.000Z",
"labels": [
"misp:name=\"attack-step\"",
"misp:meta-category=\"misc\"",
"misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1426\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "description",
"value": "NGate can extract information about the device including device model, Android version, and information about NFC.",
"category": "Other",
"uuid": "da979af4-c499-4610-b1af-7820f3dc628f"
},
{
"type": "boolean",
"object_relation": "key-step",
"value": "1",
"category": "Other",
"uuid": "888930cd-782c-4bd9-99c4-2239c6cab3a6"
},
{
"type": "boolean",
"object_relation": "succesful",
"value": "1",
"category": "Other",
"uuid": "e871cb13-a5d9-4fd5-9f00-288297b6e8f2"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "attack-step"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--6db83e7d-e8b9-4af7-b066-9eeeda3c916c",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-08-23T12:17:08.000Z",
"modified": "2024-08-23T12:17:08.000Z",
"labels": [
"misp:name=\"attack-step\"",
"misp:meta-category=\"misc\"",
"misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1437.001\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "description",
"value": "NGate uses a JavaScript interface to send and execute commands to compromised devices.",
"category": "Other",
"uuid": "ca52e318-d16a-49be-b6e2-b7613b6d2a5a"
},
{
"type": "boolean",
"object_relation": "key-step",
"value": "1",
"category": "Other",
"uuid": "b0889480-3b42-4c97-85c3-67f8856d8025"
},
{
"type": "boolean",
"object_relation": "succesful",
"value": "1",
"category": "Other",
"uuid": "efe0764c-6c26-4c54-af83-8da6d778e745"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "attack-step"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--a7e7a430-0053-4575-b02a-887781f3d366",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-08-23T12:18:36.000Z",
"modified": "2024-08-23T12:18:36.000Z",
"labels": [
"misp:name=\"attack-step\"",
"misp:meta-category=\"misc\"",
"misp-galaxy:mitre-attack-pattern=\"Non-Standard Port - T1509\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "description",
"value": "NGate uses port 5566 to communicate with its server to exfiltrate NFC traffic.",
"category": "Other",
"uuid": "7e3569d4-82a3-43c3-a442-49ac998f5f98"
},
{
"type": "boolean",
"object_relation": "key-step",
"value": "1",
"category": "Other",
"uuid": "40a6d4dd-fd27-44a0-9b0f-852e35675301"
},
{
"type": "boolean",
"object_relation": "succesful",
"value": "1",
"category": "Other",
"uuid": "0b72b277-4b84-49bb-81f4-c2e10bf29447"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "attack-step"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--27848d85-df48-41a8-9b49-487e5dead30e",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-08-23T12:20:00.000Z",
"modified": "2024-08-23T12:20:00.000Z",
"labels": [
"misp:name=\"attack-step\"",
"misp:meta-category=\"misc\"",
"misp-galaxy:mitre-attack-pattern=\"Out of Band Data - T1644\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "description",
"value": "NGate can exfiltrate NFC traffic.",
"category": "Other",
"uuid": "ea267d0d-3ec9-48a2-ae63-1fd63f2ee08e"
},
{
"type": "boolean",
"object_relation": "key-step",
"value": "1",
"category": "Other",
"uuid": "f82b6eaa-3c80-4c8c-a6dd-beb307454d60"
},
{
"type": "boolean",
"object_relation": "succesful",
"value": "1",
"category": "Other",
"uuid": "53c9d6b4-1417-4d01-bb55-fec10c3009c4"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "attack-step"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}
Reference in a new issue View git blame Copy permalink