misp-circl-feed/feeds/circl/misp/59120865-27e0-4e6d-9b74-4a9f950d210f.json

390 lines
No EOL
15 KiB
JSON

{
"Event": {
"analysis": "2",
"date": "2017-05-09",
"extends_uuid": "",
"info": "OSINT - EPS Processing Zero-Days Exploited by Multiple Threat Actors",
"publish_timestamp": "1494354449",
"published": true,
"threat_level_id": "3",
"timestamp": "1494354378",
"uuid": "59120865-27e0-4e6d-9b74-4a9f950d210f",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#ffffff",
"local": false,
"name": "tlp:white",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:tool=\"GAMEFISH\"",
"relationship_type": ""
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1494354378",
"to_ids": false,
"type": "link",
"uuid": "59120872-11dc-4982-8a6c-4c95950d210f",
"value": "https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html",
"Tag": [
{
"colour": "#00223b",
"local": false,
"name": "osint:source-type=\"blog-post\"",
"relationship_type": ""
}
]
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1494354378",
"to_ids": false,
"type": "text",
"uuid": "59120885-4620-48a4-a028-4080950d210f",
"value": "In 2015, FireEye published details about two attacks exploiting vulnerabilities in Encapsulated PostScript (EPS) of Microsoft Office. One was a zero-day and one was patched weeks before the attack launched.\r\n\r\nRecently, FireEye identified three new zero-day vulnerabilities in Microsoft Office products that are being exploited in the wild.\r\n\r\nAt the end of March 2017, we detected another malicious document leveraging an unknown vulnerability in EPS and a recently patched vulnerability in Windows Graphics Device Interface (GDI) to drop malware. Following the April 2017 Patch Tuesday, in which Microsoft disabled EPS, FireEye detected a second unknown vulnerability in EPS.\r\n\r\nFireEye believes that two actors \u00e2\u20ac\u201c Turla and an unknown financially motivated actor \u00e2\u20ac\u201c were using the first EPS zero-day (CVE-2017-0261), and APT28 was using the second EPS zero-day (CVE-2017-0262) along with a new Escalation of Privilege (EOP) zero-day (CVE-2017-0263). Turla and APT28 are Russian cyber espionage groups that have used these zero-days against European diplomatic and military entities. The unidentified financial group targeted regional and global banks with offices in the Middle East. The following is a description of the EPS zero-days, associated malware, and the new EOP zero-day. Each EPS zero-day is accompanied by an EOP exploit, with the EOP being required to escape the sandbox that executes the FLTLDR.EXE instance used for EPS processing.\r\n\r\nThe malicious documents have been used to deliver three different payloads. CVE-2017-0261 was used to deliver SHIRIME (Turla) and NETWIRE (unknown financially motivated actor), and CVE-2017-0262 was used to deliver GAMEFISH (APT28). CVE-2017-0263 is used to escalate privileges during the delivery of the GAMEFISH payload.\r\n\r\nFireEye email and network products detected the malicious documents.\r\n\r\nFireEye has been coordinating with the Microsoft Security Response Center (MSRC) for the responsible disclosure of this information. Microsoft advises all customers to follow the guidance in security advisory ADV170005 as a defense-in-depth measure against EPS filter vulnerabilities.",
"Tag": [
{
"colour": "#00223b",
"local": false,
"name": "osint:source-type=\"blog-post\"",
"relationship_type": ""
}
]
},
{
"category": "Payload delivery",
"comment": "Confirmation_letter.docx.bin (NETWIRE) \t 84.200.2.12",
"deleted": false,
"disable_correlation": false,
"timestamp": "1494354378",
"to_ids": true,
"type": "md5",
"uuid": "5912092f-9670-4c21-a7cc-4a72950d210f",
"value": "2abe3cc4bff46455a945d56c27e9fb45"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1494354378",
"to_ids": true,
"type": "filename",
"uuid": "5912092f-0350-4ec0-8889-4981950d210f",
"value": "Confirmation_letter.docx.bin"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1494354378",
"to_ids": true,
"type": "ip-dst",
"uuid": "59120930-cf28-472d-87ce-4e33950d210f",
"value": "84.200.2.12"
},
{
"category": "Payload delivery",
"comment": "Confirmation_letter.docx (NETWIRE) \t 138.201.44.30",
"deleted": false,
"disable_correlation": false,
"timestamp": "1494354378",
"to_ids": true,
"type": "md5",
"uuid": "59120931-b868-4c65-a6c4-46f6950d210f",
"value": "e091425d23b8db6082b40d25e938f871"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1494354378",
"to_ids": true,
"type": "filename",
"uuid": "59120932-07d8-4a85-bb43-4a1e950d210f",
"value": "Confirmation_letter.docx"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1494354378",
"to_ids": true,
"type": "ip-dst",
"uuid": "59120933-240c-4b71-a453-4b08950d210f",
"value": "138.201.44.30"
},
{
"category": "Payload delivery",
"comment": "Confirmation_letter_ACM.docx (NETWIRE) \t 185.106.122.113",
"deleted": false,
"disable_correlation": false,
"timestamp": "1494354378",
"to_ids": true,
"type": "md5",
"uuid": "59120934-89c8-4690-891f-4c10950d210f",
"value": "006bdb19b6936329bffd4054e270dc6a"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1494354378",
"to_ids": true,
"type": "filename",
"uuid": "59120934-d538-482c-b474-419c950d210f",
"value": "Confirmation_letter_ACM.docx"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1494354378",
"to_ids": true,
"type": "ip-dst",
"uuid": "59120935-0118-43c3-ba70-4d42950d210f",
"value": "185.106.122.113"
},
{
"category": "Payload delivery",
"comment": "st07383.en17.docx (SHIRIME) \t tnsc.webredirect.org",
"deleted": false,
"disable_correlation": false,
"timestamp": "1494354378",
"to_ids": true,
"type": "md5",
"uuid": "59120936-b704-4115-b3e5-4ab1950d210f",
"value": "15660631e31c1172ba5a299a90938c02"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1494354378",
"to_ids": true,
"type": "filename",
"uuid": "59120936-92fc-46d2-9c9c-4e97950d210f",
"value": "st07383.en17.docx"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1494354378",
"to_ids": true,
"type": "hostname",
"uuid": "59120936-9164-47fd-96c3-4280950d210f",
"value": "tnsc.webredirect.org"
},
{
"category": "Payload delivery",
"comment": "Trump's_Attack_on_Syria_English.docx (GAMEFISH) \t wmdmediacodecs.com",
"deleted": false,
"disable_correlation": false,
"timestamp": "1494354378",
"to_ids": true,
"type": "md5",
"uuid": "59120937-db24-41aa-be2c-48aa950d210f",
"value": "f8e92d8b5488ea76c40601c8f1a08790"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1494354378",
"to_ids": true,
"type": "filename",
"uuid": "59120937-b208-448d-bc97-450e950d210f",
"value": "Trump's_Attack_on_Syria_English.docx"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1494354378",
"to_ids": true,
"type": "domain",
"uuid": "59120938-2cbc-4597-adaf-4f96950d210f",
"value": "wmdmediacodecs.com"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1494354378",
"to_ids": false,
"type": "vulnerability",
"uuid": "5912097c-fc58-4e8e-bb3d-41d3950d210f",
"value": "CVE-2017-0261"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1494354378",
"to_ids": false,
"type": "vulnerability",
"uuid": "5912097c-f01c-4ed1-a5d2-4ab0950d210f",
"value": "CVE-2017-0262"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1494354378",
"to_ids": false,
"type": "vulnerability",
"uuid": "5912097c-b424-49ac-a062-4926950d210f",
"value": "CVE-2017-0263"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1494354378",
"to_ids": false,
"type": "vulnerability",
"uuid": "5912097c-a1f8-45be-921c-465c950d210f",
"value": "CVE-2017-0001"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1494354378",
"to_ids": false,
"type": "vulnerability",
"uuid": "5912097c-7794-40c9-8c31-42a0950d210f",
"value": "CVE-2016-7255"
},
{
"category": "Payload delivery",
"comment": "Trump's_Attack_on_Syria_English.docx (GAMEFISH) \t wmdmediacodecs.com - Xchecked via VT: f8e92d8b5488ea76c40601c8f1a08790",
"deleted": false,
"disable_correlation": false,
"timestamp": "1494354387",
"to_ids": true,
"type": "sha256",
"uuid": "591209d3-4180-4edf-8d5d-4f2902de0b81",
"value": "91acb0d56771af0196e34ac95194b3d0bf3200bc5f6208caf3a91286958876f9"
},
{
"category": "Payload delivery",
"comment": "Trump's_Attack_on_Syria_English.docx (GAMEFISH) \t wmdmediacodecs.com - Xchecked via VT: f8e92d8b5488ea76c40601c8f1a08790",
"deleted": false,
"disable_correlation": false,
"timestamp": "1494354388",
"to_ids": true,
"type": "sha1",
"uuid": "591209d4-70f8-4afa-9a5f-4b9502de0b81",
"value": "d5235d136cfcadbef431eea7253d80bde414db9d"
},
{
"category": "External analysis",
"comment": "Trump's_Attack_on_Syria_English.docx (GAMEFISH) \t wmdmediacodecs.com - Xchecked via VT: f8e92d8b5488ea76c40601c8f1a08790",
"deleted": false,
"disable_correlation": false,
"timestamp": "1494354389",
"to_ids": false,
"type": "link",
"uuid": "591209d5-2d24-404e-8039-423502de0b81",
"value": "https://www.virustotal.com/file/91acb0d56771af0196e34ac95194b3d0bf3200bc5f6208caf3a91286958876f9/analysis/1494351849/"
},
{
"category": "Payload delivery",
"comment": "Confirmation_letter_ACM.docx (NETWIRE) \t 185.106.122.113 - Xchecked via VT: 006bdb19b6936329bffd4054e270dc6a",
"deleted": false,
"disable_correlation": false,
"timestamp": "1494354390",
"to_ids": true,
"type": "sha256",
"uuid": "591209d6-a5f4-4877-b157-418b02de0b81",
"value": "ef783cc3c4e1e0649b4629f3396cff4c0e0e0e67c07cacb8a9ae7c0cfa16bf0c"
},
{
"category": "Payload delivery",
"comment": "Confirmation_letter_ACM.docx (NETWIRE) \t 185.106.122.113 - Xchecked via VT: 006bdb19b6936329bffd4054e270dc6a",
"deleted": false,
"disable_correlation": false,
"timestamp": "1494354391",
"to_ids": true,
"type": "sha1",
"uuid": "591209d7-08a0-488a-877c-435d02de0b81",
"value": "b266bee50d80269f6e70f2cace7c38f393da9513"
},
{
"category": "External analysis",
"comment": "Confirmation_letter_ACM.docx (NETWIRE) \t 185.106.122.113 - Xchecked via VT: 006bdb19b6936329bffd4054e270dc6a",
"deleted": false,
"disable_correlation": false,
"timestamp": "1494354391",
"to_ids": false,
"type": "link",
"uuid": "591209d7-f754-48df-ba71-401f02de0b81",
"value": "https://www.virustotal.com/file/ef783cc3c4e1e0649b4629f3396cff4c0e0e0e67c07cacb8a9ae7c0cfa16bf0c/analysis/1494352684/"
},
{
"category": "Payload delivery",
"comment": "Confirmation_letter.docx.bin (NETWIRE) \t 84.200.2.12 - Xchecked via VT: 2abe3cc4bff46455a945d56c27e9fb45",
"deleted": false,
"disable_correlation": false,
"timestamp": "1494354392",
"to_ids": true,
"type": "sha256",
"uuid": "591209d8-1834-4dbc-87ce-418002de0b81",
"value": "6785e29698444243677300db6a0c519909ae9e620d575e76d9be4862b33ed490"
},
{
"category": "Payload delivery",
"comment": "Confirmation_letter.docx.bin (NETWIRE) \t 84.200.2.12 - Xchecked via VT: 2abe3cc4bff46455a945d56c27e9fb45",
"deleted": false,
"disable_correlation": false,
"timestamp": "1494354393",
"to_ids": true,
"type": "sha1",
"uuid": "591209d9-d360-453b-b6a7-4fcc02de0b81",
"value": "0bd354d1eea9e4864f4c17e6c22bfdb81d88ddee"
},
{
"category": "External analysis",
"comment": "Confirmation_letter.docx.bin (NETWIRE) \t 84.200.2.12 - Xchecked via VT: 2abe3cc4bff46455a945d56c27e9fb45",
"deleted": false,
"disable_correlation": false,
"timestamp": "1494354394",
"to_ids": false,
"type": "link",
"uuid": "591209da-a29c-46c2-aeac-421e02de0b81",
"value": "https://www.virustotal.com/file/6785e29698444243677300db6a0c519909ae9e620d575e76d9be4862b33ed490/analysis/1494351848/"
}
]
}
}