adulau/misp-circl-feed
1
0
Fork 0
Code Issues Pull requests Projects 1 Releases Packages Wiki Activity Actions
misp-circl-feed/feeds/circl/stix-2.1/8506c95a-f2da-48c2-a1e0-339db58b1ba7.json

266 lines
No EOL
15 KiB
JSON
Raw Blame History

{
"type": "bundle",
"id": "bundle--8506c95a-f2da-48c2-a1e0-339db58b1ba7",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-12-13T20:36:31.000Z",
"modified": "2024-12-13T20:36:31.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--8506c95a-f2da-48c2-a1e0-339db58b1ba7",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-12-13T20:36:31.000Z",
"modified": "2024-12-13T20:36:31.000Z",
"name": "spearphishing campaign targeted at least 20 Autonomous System (AS) owners",
"published": "2024-12-13T20:37:10Z",
"object_refs": [
"indicator--15eb78ff-9062-470d-b8e9-6d78f3e084a8",
"indicator--dcb4259c-e99d-4fac-8993-a88cb9a1c3f8",
"indicator--3a250caf-3c24-4068-9aa2-fdffb63556b1",
"indicator--a9f82f7b-d466-4b3b-a829-2e22cc4f0610",
"indicator--e58246d2-3b4e-4089-84d7-5321b9fafa08",
"indicator--f0d5b558-8292-464c-b46d-29c770cbd889",
"x-misp-object--e89baf1b-dabe-4443-9cff-d6433ecdd7eb",
"note--5ef57360-9774-4a10-9dcd-a0aa994bf5fe"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"type:OSINT",
"osint:lifetime=\"perpetual\"",
"osint:certainty=\"50\"",
"tlp:clear",
"misp-galaxy:sector=\"Telecoms\"",
"misp-galaxy:mitre-attack-pattern=\"Spearphishing Attachment - T1566.001\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--15eb78ff-9062-470d-b8e9-6d78f3e084a8",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-12-13T20:29:35.000Z",
"modified": "2024-12-13T20:29:35.000Z",
"description": "Detailed explanation of as relationships and the impact of bgp flapping on upstream networks.rar",
"pattern": "[file:hashes.SHA256 = '4ec4b396bfa932756c90833e781f95c07b15108526a9c218efb35526ad956535']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-12-13T20:29:35Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--dcb4259c-e99d-4fac-8993-a88cb9a1c3f8",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-12-13T20:30:03.000Z",
"modified": "2024-12-13T20:30:03.000Z",
"description": "Detailed explanation of as relationships and the impact of bgp flapping on upstream networks.lnk",
"pattern": "[file:hashes.SHA256 = '12031213e31dca91eddc9d4a16d2e2c18da9fb355ee98dc4acbbaa16e35faec3']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-12-13T20:30:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--3a250caf-3c24-4068-9aa2-fdffb63556b1",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-12-13T20:30:37.000Z",
"modified": "2024-12-13T20:30:37.000Z",
"description": "Adobe PDF Extractor.exe)",
"pattern": "[file:hashes.SHA256 = 'afc971f687303d0b3f3699883aa428f885d0a3fc20576953a28d31844328ccda']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-12-13T20:30:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--a9f82f7b-d466-4b3b-a829-2e22cc4f0610",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-12-13T20:30:50.000Z",
"modified": "2024-12-13T20:30:50.000Z",
"pattern": "[domain-name:value = 'swisscoms.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-12-13T20:30:50Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--e58246d2-3b4e-4089-84d7-5321b9fafa08",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-12-13T20:31:22.000Z",
"modified": "2024-12-13T20:31:22.000Z",
"description": "C2 domain: onnetmais[.]org (behind Cloudflare CDN)",
"pattern": "[domain-name:value = 'onnetmais.org']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-12-13T20:31:22Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--f0d5b558-8292-464c-b46d-29c770cbd889",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-12-13T20:31:40.000Z",
"modified": "2024-12-13T20:31:40.000Z",
"description": "Backend C2 IP address: 47.251.162[.]130",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '47.251.162.130']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-12-13T20:31:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--e89baf1b-dabe-4443-9cff-d6433ecdd7eb",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-12-13T20:29:04.000Z",
"modified": "2024-12-13T20:29:04.000Z",
"labels": [
"misp:name=\"microblog\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "type",
"value": "fediverse",
"category": "Other",
"uuid": "8b88db1e-7291-42d7-808f-19d9d5159838"
},
{
"type": "text",
"object_relation": "post",
"value": "Between December 11 and 12, 2024, a spearphishing campaign targeted at least 20 Autonomous System (AS) owners, predominantly Internet Service Providers (ISPs), and purported to come from the Network Operations Center (NOC) of a prominent European ISP.\r\n\r\nAll of the observed targeted entities peer with the spoofed ISP and phishing emails were sent to contact addresses present in the AS's WHOIS records, indicative of a highly deliberate targeting effort.\r\n\r\nEach spearphishing email was personalized to the target based on their Autonomous System Number (ASN) and purported to relate to a detected BGP (Border Gateway Protocol) flapping session within the target\u2019s network.\r\n\r\nThe email contained a password protected RAR archive named \u201cDetailed Explanation of AS Relationships and the Impact of BGP Flapping on Upstream Networks.rar\u201d. The RAR contains a Microsoft Shortcut (LNK) file which executes a Portable Executable (PE) file contained in a hidden folder named \u201c_MACOSX\u201d.\r\n\r\nFollowing execution, the target is shown a decoy document related to BGP Flapping, and the executable file uses indirect syscalls to load shellcode into memory before it deletes itself from disk.\r\n\r\nWe are raising early awareness of this campaign given the coordinated effort to target network infrastructure administration personnel across a broad range of AS owners.\r\n\r\nIOCs for this campaign:\r\n\r\n4ec4b396bfa932756c90833e781f95c07b15108526a9c218efb35526ad956535 (Detailed explanation of as relationships and the impact of bgp flapping on upstream networks.rar)\r\n\r\n12031213e31dca91eddc9d4a16d2e2c18da9fb355ee98dc4acbbaa16e35faec3 (Detailed explanation of as relationships and the impact of bgp flapping on upstream networks.lnk)\r\n\r\nafc971f687303d0b3f3699883aa428f885d0a3fc20576953a28d31844328ccda (Adobe PDF Extractor.exe)\r\n\r\nActor-controlled sender domain:\r\nswisscoms[.]com\r\n\r\nC2 domain: onnetmais[.]org (behind Cloudflare CDN)\r\nBackend C2 IP address: 47.251.162[.]130",
"category": "Other",
"uuid": "333928ae-3187-43c4-900c-26ea650cc011"
},
{
"type": "link",
"object_relation": "link",
"value": "https://infosec.exchange/@threatinsight/113641860084873613",
"category": "External analysis",
"uuid": "ef77cddf-c4f9-4699-b2d5-db376cbbb8e7"
},
{
"type": "text",
"object_relation": "state",
"value": "Informative",
"category": "Other",
"uuid": "da813c69-48d4-4682-aa87-9ccd3fd6ebf0"
},
{
"type": "text",
"object_relation": "verified-username",
"value": "Unknown",
"category": "Other",
"uuid": "a78540d4-4a10-4ed9-bc9b-25b605e3cd4f"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "microblog"
},
{
"type": "note",
"spec_version": "2.1",
"id": "note--5ef57360-9774-4a10-9dcd-a0aa994bf5fe",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-12-13T20:35:52.000Z",
"modified": "2024-12-13T20:35:52.000Z",
"abstract": "Fediverse report",
"content": "Between December 11 and 12, 2024, a spearphishing campaign targeted at least 20 Autonomous System (AS) owners, predominantly Internet Service Providers (ISPs), and purported to come from the Network Operations Center (NOC) of a prominent European ISP.\r\n\r\nAll of the observed targeted entities peer with the spoofed ISP and phishing emails were sent to contact addresses present in the AS's WHOIS records, indicative of a highly deliberate targeting effort.\r\n\r\nEach spearphishing email was personalized to the target based on their Autonomous System Number (ASN) and purported to relate to a detected BGP (Border Gateway Protocol) flapping session within the target\u2019s network.\r\n\r\nThe email contained a password protected RAR archive named \u201cDetailed Explanation of AS Relationships and the Impact of BGP Flapping on Upstream Networks.rar\u201d. The RAR contains a Microsoft Shortcut (LNK) file which executes a Portable Executable (PE) file contained in a hidden folder named \u201c_MACOSX\u201d.\r\n\r\nFollowing execution, the target is shown a decoy document related to BGP Flapping, and the executable file uses indirect syscalls to load shellcode into memory before it deletes itself from disk.\r\n\r\nWe are raising early awareness of this campaign given the coordinated effort to target network infrastructure administration personnel across a broad range of AS owners.\r\n\r\nIOCs for this campaign:\r\n\r\n4ec4b396bfa932756c90833e781f95c07b15108526a9c218efb35526ad956535 (Detailed explanation of as relationships and the impact of bgp flapping on upstream networks.rar)\r\n\r\n12031213e31dca91eddc9d4a16d2e2c18da9fb355ee98dc4acbbaa16e35faec3 (Detailed explanation of as relationships and the impact of bgp flapping on upstream networks.lnk)\r\n\r\nafc971f687303d0b3f3699883aa428f885d0a3fc20576953a28d31844328ccda (Adobe PDF Extractor.exe)\r\n\r\nActor-controlled sender domain:\r\nswisscoms[.]com\r\n\r\nC2 domain: onnetmais[.]org (behind Cloudflare CDN)\r\nBackend C2 IP address: 47.251.162[.]130",
"object_refs": [
"report--8506c95a-f2da-48c2-a1e0-339db58b1ba7"
]
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}
Reference in a new issue View git blame Copy permalink