diff --git "a/data/processed/backup/enriched_13class_test.jsonl" "b/data/processed/backup/enriched_13class_test.jsonl" new file mode 100644--- /dev/null +++ "b/data/processed/backup/enriched_13class_test.jsonl" 
@@ -0,0 +1,3897 @@ +{"text": "Why Did Chinese Spyware Linger in U.S .", "spans": {}, "info": {"id": "cyner_test_000000", "source": "cyner_test"}} +{"text": "Phones ?", "spans": {}, "info": {"id": "cyner_test_000001", "source": "cyner_test"}} +{"text": "November 16 , 2016 In what 's being chalked up as an apparent mistake , more than 120,000 Android phones sold in the U.S. were shipped with spying code that sent text messages , call logs and other sensitive data to a server in Shanghai .", "spans": {"SYSTEM: Android": [[90, 97]]}, "info": {"id": "cyner_test_000002", "source": "cyner_test"}} +{"text": "The New York Times reported on Nov. 15 that Kryptowire , a mobile enterprise security company , discovered the code on a lower-end smartphone made by BLU Products of Doral , Fla .", "spans": {"ORGANIZATION: New York Times": [[4, 18]], "ORGANIZATION: Kryptowire": [[44, 54]], "ORGANIZATION: BLU": [[150, 153]]}, "info": {"id": "cyner_test_000003", "source": "cyner_test"}} +{"text": "The phones are sold at Best Buy and Amazon.com , among other retail outlets .", "spans": {"ORGANIZATION: Best Buy": [[23, 31]], "ORGANIZATION: Amazon.com": [[36, 46]]}, "info": {"id": "cyner_test_000004", "source": "cyner_test"}} +{"text": "Kryptowire says the code , which it found on a BLU R1 HD devices , transmitted fine-grained location information and allowed for the remote installation of other apps .", "spans": {"ORGANIZATION: Kryptowire": [[0, 10]], "ORGANIZATION: BLU": [[47, 50]]}, "info": {"id": "cyner_test_000005", "source": "cyner_test"}} +{"text": "Text message and call logs were transmitted every 72 hours to the Shanghai server , and once a day for other personally identifiable data , the company says .", "spans": {}, "info": {"id": "cyner_test_000006", "source": "cyner_test"}} +{"text": "It turns out , however , that other security researchers noticed suspicious and faulty code on BLU devices as early as March 2015 , and it has taken nearly that long to remove it from the company 
's devices .", "spans": {"ORGANIZATION: BLU": [[95, 98]]}, "info": {"id": "cyner_test_000007", "source": "cyner_test"}} +{"text": "The finding , in part , shows the risk that can come in opting for less expensive smartphones , whose manufacturers may not diligently fix security vulnerabilities .", "spans": {"VULNERABILITY: security vulnerabilities": [[139, 163]]}, "info": {"id": "cyner_test_000008", "source": "cyner_test"}} +{"text": "It 's also raising eyebrows because of the connection with China , which has frequently sparred with the U.S. over cyber espionage .", "spans": {}, "info": {"id": "cyner_test_000009", "source": "cyner_test"}} +{"text": "BLU Products has now updated its phones to remove the spying code , which most likely would have never been detected by regular users .", "spans": {"ORGANIZATION: BLU": [[0, 3]]}, "info": {"id": "cyner_test_000010", "source": "cyner_test"}} +{"text": "The code never informed phone users that it was collecting that data , a behavior uniformly viewed by many as a serious security concern .", "spans": {}, "info": {"id": "cyner_test_000011", "source": "cyner_test"}} +{"text": "The developer of the code , Shanghai Adups Technology Co. 
, has apologized , contending that the code was intended for another one of its clients who requested better blocking of junk text messages and marketing calls .", "spans": {"ORGANIZATION: Shanghai Adups Technology Co.": [[28, 57]]}, "info": {"id": "cyner_test_000012", "source": "cyner_test"}} +{"text": "Vulnerabilities Reported BLU Products , founded in 2009 , makes lower-end Android-powered smartphones that sell for as little as $ 50 on Amazon .", "spans": {"SYSTEM: Android-powered": [[74, 89]], "ORGANIZATION: Amazon": [[137, 143]]}, "info": {"id": "cyner_test_000013", "source": "cyner_test"}} +{"text": "Like many original equipment manufacturers , it uses software components from other developers .", "spans": {}, "info": {"id": "cyner_test_000014", "source": "cyner_test"}} +{"text": "The company uses a type of software from Adups that 's nicknamed FOTA , short for firmware over-the-air .", "spans": {"ORGANIZATION: Adups": [[41, 46]], "SYSTEM: FOTA": [[65, 69]]}, "info": {"id": "cyner_test_000015", "source": "cyner_test"}} +{"text": "The software manages the delivery of firmware updates over-the-air , the term used for transmission via a mobile network .", "spans": {}, "info": {"id": "cyner_test_000016", "source": "cyner_test"}} +{"text": "Firmware is low-level code deep in an operating system that often has high access privileges , so it 's critical that it 's verified and contains no software vulnerabilities .", "spans": {}, "info": {"id": "cyner_test_000017", "source": "cyner_test"}} +{"text": "Long before Kryptowire 's announcement , Tim Strazzere , a mobile security researcher with RedNaga Security , contacted BLU Products in March 2015 after he found two vulnerabilities that could be traced to Adup 's code .", "spans": {"ORGANIZATION: Kryptowire": [[12, 22]], "ORGANIZATION: RedNaga Security": [[91, 107]], "ORGANIZATION: Adup": [[206, 210]]}, "info": {"id": "cyner_test_000018", "source": "cyner_test"}} +{"text": "Those vulnerabilities could have enabled 
someone to gain broad access to an Android device .", "spans": {"SYSTEM: Android": [[76, 83]]}, "info": {"id": "cyner_test_000019", "source": "cyner_test"}} +{"text": "Strazzere 's colleague , Jon Sawyer , suggested on Twitter that the vulnerabilities might have not been there by mistake , but rather included as intentionally coded backdoors .", "spans": {"ORGANIZATION: Twitter": [[51, 58]]}, "info": {"id": "cyner_test_000020", "source": "cyner_test"}} +{"text": "He posted a tweet to The New York Times report , sarcastically writing , \" If only two people had called this company out for their backdoors several times over the last few years .", "spans": {"ORGANIZATION: New York Times": [[25, 39]]}, "info": {"id": "cyner_test_000021", "source": "cyner_test"}} +{"text": "'' Strazzere 's experience in trying to contact both vendors last year is typical of the frustrations frequently faced by security researchers .", "spans": {}, "info": {"id": "cyner_test_000022", "source": "cyner_test"}} +{"text": "\" I tried reaching out to Adups and never heard back , '' Strazzere tells Information Security Media Group .", "spans": {"ORGANIZATION: Adups": [[26, 31]], "ORGANIZATION: Information Security Media Group": [[74, 106]]}, "info": {"id": "cyner_test_000023", "source": "cyner_test"}} +{"text": "\" BLU said they had no security department when I emailed them .", "spans": {"ORGANIZATION: BLU": [[2, 5]]}, "info": {"id": "cyner_test_000024", "source": "cyner_test"}} +{"text": "'' Strazzere says he also failed to reach MediaTek , a Taiwanese fabless semiconductor manufacturer whose chipsets that powered BLU phones also contained Adups software .", "spans": {"ORGANIZATION: MediaTek": [[42, 50]], "ORGANIZATION: BLU": [[128, 131]], "ORGANIZATION: Adups": [[154, 159]]}, "info": {"id": "cyner_test_000025", "source": "cyner_test"}} +{"text": "To their credit , both Google and Amazon appear to have put pressure on device manufacturers to fix their devices when flaws are found , Strazzere 
says .", "spans": {"ORGANIZATION: Google": [[23, 29]], "ORGANIZATION: Amazon": [[34, 40]]}, "info": {"id": "cyner_test_000026", "source": "cyner_test"}} +{"text": "For Google , Android security issues - even if not in the core operating code - are a reputation threat , and for Amazon , a product quality issue .", "spans": {"ORGANIZATION: Google": [[4, 10]], "ORGANIZATION: Amazon": [[114, 120]]}, "info": {"id": "cyner_test_000027", "source": "cyner_test"}} +{"text": "But devices sold outside of Amazon \" might not have ever seen fixes , '' he says .", "spans": {"ORGANIZATION: Amazon": [[28, 34]]}, "info": {"id": "cyner_test_000028", "source": "cyner_test"}} +{"text": "Officials at BLU could n't be immediately reached for comment .", "spans": {"ORGANIZATION: BLU": [[13, 16]]}, "info": {"id": "cyner_test_000029", "source": "cyner_test"}} +{"text": "Attitude Change The disinterest in the issues appears to have changed with The New York Times report , which lit a fire underneath Adups and BLU .", "spans": {"ORGANIZATION: New York Times": [[79, 93]], "ORGANIZATION: Adups": [[131, 136]], "ORGANIZATION: BLU": [[141, 144]]}, "info": {"id": "cyner_test_000030", "source": "cyner_test"}} +{"text": "Adups addressed the issue in a Nov. 
16 news release , writing that some products made by BLU were updated in June with a version of its FOTA that had actually been intended for other clients who had requested an ability to stop text spam .", "spans": {"ORGANIZATION: Adups": [[0, 5]], "ORGANIZATION: BLU": [[89, 92]], "SYSTEM: FOTA": [[136, 140]]}, "info": {"id": "cyner_test_000031", "source": "cyner_test"}} +{"text": "That version flags messages \" containing certain language associated with junk texts and flags numbers associated with junk calls and not in a user 's contacts , '' the company says .", "spans": {}, "info": {"id": "cyner_test_000032", "source": "cyner_test"}} +{"text": "Manufacturers should be keeping close tabs on what software ends up on their devices .", "spans": {}, "info": {"id": "cyner_test_000033", "source": "cyner_test"}} +{"text": "But it would appear that BLU only took action after Kryptowire notified it along with Google , Adups and Amazon .", "spans": {"ORGANIZATION: BLU": [[25, 28]], "ORGANIZATION: Kryptowire": [[52, 62]], "ORGANIZATION: Google": [[86, 92]], "ORGANIZATION: Adups": [[95, 100]], "ORGANIZATION: Amazon": [[105, 111]]}, "info": {"id": "cyner_test_000034", "source": "cyner_test"}} +{"text": "\" When BLU raised objections , Adups took immediate measures to disable that functionality on BLU phones , '' Adups says .", "spans": {"ORGANIZATION: BLU": [[7, 10], [94, 97]], "ORGANIZATION: Adups": [[31, 36]]}, "info": {"id": "cyner_test_000035", "source": "cyner_test"}} +{"text": "The greater worry is that these situations may sometimes not be simple mistakes .", "spans": {}, "info": {"id": "cyner_test_000036", "source": "cyner_test"}} +{"text": "Security experts have long warned of the ability of advanced adversaries to subvert hardware and software supply chains .", "spans": {}, "info": {"id": "cyner_test_000037", "source": "cyner_test"}} +{"text": "Also , the software vulnerabilities pointed out in the FOTA software by Strazzere in 2015 could have been taken advantage 
of by cybercriminals looking to steal bank account details or execute other frauds .", "spans": {"VULNERABILITY: software vulnerabilities": [[11, 35]], "SYSTEM: FOTA": [[55, 59]]}, "info": {"id": "cyner_test_000038", "source": "cyner_test"}} +{"text": "Strazzere advises that consumers should look at the pedigree of mobile manufacturers and take a close look at their security track record before making a decision on what device to buy .", "spans": {}, "info": {"id": "cyner_test_000039", "source": "cyner_test"}} +{"text": "\" In the end , the consumer needs to vote with their wallet , '' he says .", "spans": {}, "info": {"id": "cyner_test_000040", "source": "cyner_test"}} +{"text": "Skygofree : Following in the footsteps of HackingTeam 16 JAN 2018 At the beginning of October 2017 , we discovered new Android spyware with several features previously unseen in the wild .", "spans": {"MALWARE: Skygofree": [[0, 9]], "ORGANIZATION: HackingTeam": [[42, 53]], "SYSTEM: Android": [[119, 126]]}, "info": {"id": "cyner_test_000041", "source": "cyner_test"}} +{"text": "In the course of further research , we found a number of related samples that point to a long-term development process .", "spans": {}, "info": {"id": "cyner_test_000042", "source": "cyner_test"}} +{"text": "We believe the initial versions of this malware were created at least three years ago – at the end of 2014 .", "spans": {}, "info": {"id": "cyner_test_000043", "source": "cyner_test"}} +{"text": "Since then , the implant ’ s functionality has been improving and remarkable new features implemented , such as the ability to record audio surroundings via the microphone when an infected device is in a specified location ; the stealing of WhatsApp messages via Accessibility Services ; and the ability to connect an infected device to Wi-Fi networks controlled by cybercriminals .", "spans": {"SYSTEM: WhatsApp": [[241, 249]]}, "info": {"id": "cyner_test_000044", "source": "cyner_test"}} +{"text": "We observed many web 
landing pages that mimic the sites of mobile operators and which are used to spread the Android implants .", "spans": {"SYSTEM: Android": [[109, 116]]}, "info": {"id": "cyner_test_000045", "source": "cyner_test"}} +{"text": "These domains have been registered by the attackers since 2015 .", "spans": {}, "info": {"id": "cyner_test_000046", "source": "cyner_test"}} +{"text": "According to our telemetry , that was the year the distribution campaign was at its most active .", "spans": {}, "info": {"id": "cyner_test_000047", "source": "cyner_test"}} +{"text": "The activities continue : the most recently observed domain was registered on October 31 , 2017 .", "spans": {}, "info": {"id": "cyner_test_000048", "source": "cyner_test"}} +{"text": "Based on our KSN statistics , there are several infected individuals , exclusively in Italy .", "spans": {}, "info": {"id": "cyner_test_000049", "source": "cyner_test"}} +{"text": "Moreover , as we dived deeper into the investigation , we discovered several spyware tools for Windows that form an implant for exfiltrating sensitive data on a targeted machine .", "spans": {"SYSTEM: Windows": [[95, 102]]}, "info": {"id": "cyner_test_000050", "source": "cyner_test"}} +{"text": "The version we found was built at the beginning of 2017 , and at the moment we are not sure whether this implant has been used in the wild .", "spans": {}, "info": {"id": "cyner_test_000051", "source": "cyner_test"}} +{"text": "We named the malware Skygofree , because we found the word in one of the domains * .", "spans": {"MALWARE: Skygofree": [[21, 30]]}, "info": {"id": "cyner_test_000052", "source": "cyner_test"}} +{"text": "Malware Features Android According to the observed samples and their signatures , early versions of this Android malware were developed by the end of 2014 and the campaign has remained active ever since .", "spans": {"SYSTEM: Android": [[17, 24], [105, 112]]}, "info": {"id": "cyner_test_000053", "source": "cyner_test"}} +{"text": "The code 
and functionality have changed numerous times ; from simple unobfuscated malware at the beginning to sophisticated multi-stage spyware that gives attackers full remote control of the infected device .", "spans": {}, "info": {"id": "cyner_test_000054", "source": "cyner_test"}} +{"text": "We have examined all the detected versions , including the latest one that is signed by a certificate valid from September 14 , 2017 .", "spans": {}, "info": {"id": "cyner_test_000055", "source": "cyner_test"}} +{"text": "The implant provides the ability to grab a lot of exfiltrated data , like call records , text messages , geolocation , surrounding audio , calendar events , and other memory information stored on the device .", "spans": {}, "info": {"id": "cyner_test_000056", "source": "cyner_test"}} +{"text": "After manual launch , it shows a fake welcome notification to the user : Dear Customer , we ’ re updating your configuration and it will be ready as soon as possible .", "spans": {}, "info": {"id": "cyner_test_000057", "source": "cyner_test"}} +{"text": "At the same time , it hides an icon and starts background services to hide further actions from the user .", "spans": {}, "info": {"id": "cyner_test_000058", "source": "cyner_test"}} +{"text": "Service Name Purpose AndroidAlarmManager Uploading last recorded .amr audio AndroidSystemService Audio recording AndroidSystemQueues Location tracking with movement detection ClearSystems GSM tracking ( CID , LAC , PSC ) ClipService Clipboard stealing AndroidFileManager Uploading all exfiltrated data AndroidPush XMPP С & C protocol ( url.plus:5223 ) RegistrationService Registration on C & C via HTTP ( url.plus/app/pro/ ) Interestingly , a self-protection feature was implemented in almost every service", "spans": {"SYSTEM: GSM": [[188, 191]]}, "info": {"id": "cyner_test_000059", "source": "cyner_test"}} +{"text": ".", "spans": {}, "info": {"id": "cyner_test_000060", "source": "cyner_test"}} +{"text": "Since in Android 8.0 ( SDK API 26 
) the system is able to kill idle services , this code raises a fake update notification to prevent it : Cybercriminals have the ability to control the implant via HTTP , XMPP , binary SMS and FirebaseCloudMessaging ( or GoogleCloudMessaging in older versions ) protocols .", "spans": {"SYSTEM: Android 8.0": [[9, 20]]}, "info": {"id": "cyner_test_000061", "source": "cyner_test"}} +{"text": "Such a diversity of protocols gives the attackers more flexible control .", "spans": {}, "info": {"id": "cyner_test_000062", "source": "cyner_test"}} +{"text": "In the latest implant versions there are 48 different commands .", "spans": {}, "info": {"id": "cyner_test_000063", "source": "cyner_test"}} +{"text": "You can find a full list with short descriptions in the Appendix .", "spans": {}, "info": {"id": "cyner_test_000064", "source": "cyner_test"}} +{"text": "Here are some of the most notable : ‘ geofence ’ – this command adds a specified location to the implant ’ s internal database and when it matches a device ’ s current location the malware triggers and begins to record surrounding audio .", "spans": {}, "info": {"id": "cyner_test_000065", "source": "cyner_test"}} +{"text": "” social ” – this command that starts the ‘ AndroidMDMSupport ’ service – this allows the files of any other installed application to be grabbed .", "spans": {}, "info": {"id": "cyner_test_000066", "source": "cyner_test"}} +{"text": "The service name makes it clear that by applications the attackers mean MDM solutions that are business-specific tools .", "spans": {}, "info": {"id": "cyner_test_000067", "source": "cyner_test"}} +{"text": "The operator can specify a path with the database of any targeted application and server-side PHP script name for uploading .", "spans": {}, "info": {"id": "cyner_test_000068", "source": "cyner_test"}} +{"text": "Several hardcoded applications targeted by the MDM-grabbing command ‘ wifi ’ – this command creates a new Wi-Fi connection with specified configurations from 
the command and enable Wi-Fi if it is disabled .", "spans": {}, "info": {"id": "cyner_test_000069", "source": "cyner_test"}} +{"text": "So , when a device connects to the established network , this process will be in silent and automatic mode .", "spans": {}, "info": {"id": "cyner_test_000070", "source": "cyner_test"}} +{"text": "This command is used to connect the victim to a Wi-Fi network controlled by the cybercriminals to perform traffic sniffing and man-in-the-middle ( MitM ) attacks .", "spans": {}, "info": {"id": "cyner_test_000071", "source": "cyner_test"}} +{"text": "addWifiConfig method code fragments ‘ camera ’ – this command records a video/capture a photo using the front-facing camera when someone next unlocks the device .", "spans": {}, "info": {"id": "cyner_test_000072", "source": "cyner_test"}} +{"text": "Some versions of the Skygofree feature the self-protection ability exclusively for Huawei devices .", "spans": {"MALWARE: Skygofree": [[21, 30]], "ORGANIZATION: Huawei": [[83, 89]]}, "info": {"id": "cyner_test_000073", "source": "cyner_test"}} +{"text": "There is a ‘ protected apps ’ list in this brand ’ s smartphones , related to a battery-saving concept .", "spans": {}, "info": {"id": "cyner_test_000074", "source": "cyner_test"}} +{"text": "Apps not selected as protected apps stop working once the screen is off and await re-activation , so the implant is able to determine that it is running on a Huawei device and add itself to this list .", "spans": {"ORGANIZATION: Huawei": [[158, 164]]}, "info": {"id": "cyner_test_000075", "source": "cyner_test"}} +{"text": "Due to this feature , it is clear that the developers paid special attention to the work of the implant on Huawei devices .", "spans": {"ORGANIZATION: Huawei": [[107, 113]]}, "info": {"id": "cyner_test_000076", "source": "cyner_test"}} +{"text": "Also , we found a debug version of the implant ( 70a937b2504b3ad6c623581424c7e53d ) that contains interesting constants , including the version of 
the spyware .", "spans": {}, "info": {"id": "cyner_test_000077", "source": "cyner_test"}} +{"text": "Debug BuildConfig with the version After a deep analysis of all discovered versions of Skygofree , we made an approximate timeline of the implant ’ s evolution .", "spans": {"MALWARE: Skygofree": [[87, 96]]}, "info": {"id": "cyner_test_000078", "source": "cyner_test"}} +{"text": "Mobile implant evolution timeline However , some facts indicate that the APK samples from stage two can also be used separately as the first step of the infection .", "spans": {}, "info": {"id": "cyner_test_000079", "source": "cyner_test"}} +{"text": "Below is a list of the payloads used by the Skygofree implant in the second and third stages .", "spans": {"MALWARE: Skygofree": [[44, 53]]}, "info": {"id": "cyner_test_000080", "source": "cyner_test"}} +{"text": "Reverse shell payload The reverse shell module is an external ELF file compiled by the attackers to run on Android .", "spans": {"SYSTEM: Android": [[107, 114]]}, "info": {"id": "cyner_test_000081", "source": "cyner_test"}} +{"text": "The choice of a particular payload is determined by the implant ’ s version , and it can be downloaded from the command and control ( C & C ) server soon after the implant starts , or after a specific command .", "spans": {}, "info": {"id": "cyner_test_000082", "source": "cyner_test"}} +{"text": "In the most recent case , the choice of the payload zip file depends on the device process architecture .", "spans": {}, "info": {"id": "cyner_test_000083", "source": "cyner_test"}} +{"text": "For now , we observe only one payload version for following the ARM CPUs : arm64-v8a , armeabi , armeabi-v7a .", "spans": {"SYSTEM: ARM": [[64, 67]], "SYSTEM: arm64-v8a": [[75, 84]], "SYSTEM: armeabi": [[87, 94]], "SYSTEM: armeabi-v7a": [[97, 108]]}, "info": {"id": "cyner_test_000084", "source": "cyner_test"}} +{"text": "Note that in almost all cases , this payload file , contained in zip archives , is named ‘ setting ’ 
or ‘ setting.o ’ .", "spans": {}, "info": {"id": "cyner_test_000085", "source": "cyner_test"}} +{"text": "The main purpose of this module is providing reverse shell features on the device by connecting with the C & C server ’ s socket .", "spans": {}, "info": {"id": "cyner_test_000086", "source": "cyner_test"}} +{"text": "Reverse shell payload The payload is started by the main module with a specified host and port as a parameter that is hardcoded to ‘ 54.67.109.199 ’ and ‘ 30010 ’ in some versions : Alternatively , they could be hardcoded directly into the payload code : We also observed variants that were equipped with similar reverse shell payloads directly in the main APK /lib/ path .", "spans": {}, "info": {"id": "cyner_test_000087", "source": "cyner_test"}} +{"text": "Equipped reverse shell payload with specific string After an in-depth look , we found that some versions of the reverse shell payload code share similarities with PRISM – a stealth reverse shell backdoor that is available on Github .", "spans": {"MALWARE: PRISM": [[163, 168]], "ORGANIZATION: Github": [[225, 231]]}, "info": {"id": "cyner_test_000088", "source": "cyner_test"}} +{"text": "Reverse shell payload from update_dev.zip Exploit payload At the same time , we found an important payload binary that is trying to exploit several known vulnerabilities and escalate privileges .", "spans": {}, "info": {"id": "cyner_test_000089", "source": "cyner_test"}} +{"text": "According to several timestamps , this payload is used by implant versions created since 2016 .", "spans": {}, "info": {"id": "cyner_test_000090", "source": "cyner_test"}} +{"text": "It can also be downloaded by a specific command .", "spans": {}, "info": {"id": "cyner_test_000091", "source": "cyner_test"}} +{"text": "The exploit payload contains following file components : Component name Description run_root_shell/arrs_put_user.o/arrs_put_user/poc Exploit ELF db Sqlite3 tool ELF device.db Sqlite3 database with supported devices and 
their constants needed for privilege escalation ‘ device.db ’ is a database used by the exploit .", "spans": {}, "info": {"id": "cyner_test_000092", "source": "cyner_test"}} +{"text": "It contains two tables – ‘ supported_devices ’ and ‘ device_address ’ .", "spans": {}, "info": {"id": "cyner_test_000093", "source": "cyner_test"}} +{"text": "The first table contains 205 devices with some Linux properties ; the second contains the specific memory addresses associated with them that are needed for successful exploitation .", "spans": {"SYSTEM: Linux": [[47, 52]]}, "info": {"id": "cyner_test_000094", "source": "cyner_test"}} +{"text": "You can find a full list of targeted models in the Appendix .", "spans": {}, "info": {"id": "cyner_test_000095", "source": "cyner_test"}} +{"text": "Fragment of the database with targeted devices and specific memory addresses If the infected device is not listed in this database , the exploit tries to discover these addresses programmatically .", "spans": {}, "info": {"id": "cyner_test_000096", "source": "cyner_test"}} +{"text": "After downloading and unpacking , the main module executes the exploit binary file .", "spans": {}, "info": {"id": "cyner_test_000097", "source": "cyner_test"}} +{"text": "Once executed , the module attempts to get root privileges on the device by exploiting the following vulnerabilities : CVE-2013-2094 CVE-2013-2595 CVE-2013-6282 CVE-2014-3153 ( futex aka TowelRoot ) CVE-2015-3636 Exploitation process After an in-depth look , we found that the exploit payload code shares several similarities with the public project android-rooting-tools .", "spans": {"VULNERABILITY: CVE-2013-2094": [[119, 132]], "VULNERABILITY: CVE-2013-2595": [[133, 146]], "VULNERABILITY: CVE-2013-6282": [[147, 160]], "VULNERABILITY: CVE-2014-3153": [[161, 174]], "VULNERABILITY: futex": [[177, 182]], "VULNERABILITY: TowelRoot": [[187, 196]], "VULNERABILITY: CVE-2015-3636": [[199, 212]]}, "info": {"id": "cyner_test_000098", "source": 
"cyner_test"}} +{"text": "Decompiled exploit function code fragment run_with_mmap function from the android-rooting-tools project As can be seen from the comparison , there are similar strings and also a unique comment in Italian , so it looks like the attackers created this exploit payload based on android-rooting-tools project source code .", "spans": {"SYSTEM: android-rooting-tools": [[74, 95], [275, 296]]}, "info": {"id": "cyner_test_000099", "source": "cyner_test"}} +{"text": "Busybox payload Busybox is public software that provides several Linux tools in a single ELF file .", "spans": {}, "info": {"id": "cyner_test_000100", "source": "cyner_test"}} +{"text": "In earlier versions , it operated with shell commands like this : Stealing WhatsApp encryption key with Busybox Social payload Actually , this is not a standalone payload file – in all the observed versions its code was compiled with exploit payload in one file ( ‘ poc_perm ’ , ‘ arrs_put_user ’ , ‘ arrs_put_user.o ’ ) .", "spans": {"MALWARE: Busybox Social payload": [[104, 126]]}, "info": {"id": "cyner_test_000101", "source": "cyner_test"}} +{"text": "This is due to the fact that the implant needs to escalate privileges before performing social payload actions .", "spans": {}, "info": {"id": "cyner_test_000102", "source": "cyner_test"}} +{"text": "This payload is also used by the earlier versions of the implant .", "spans": {}, "info": {"id": "cyner_test_000103", "source": "cyner_test"}} +{"text": "It has similar functionality to the ‘ AndroidMDMSupport ’ command from the current versions – stealing data belonging to other installed applications .", "spans": {}, "info": {"id": "cyner_test_000104", "source": "cyner_test"}} +{"text": "The payload will execute shell code to steal data from various applications .", "spans": {}, "info": {"id": "cyner_test_000105", "source": "cyner_test"}} +{"text": "The example below steals Facebook data : All the other hardcoded applications targeted by the payload : 
Package name Name jp.naver.line.android LINE : Free Calls & Messages com.facebook.orca Facebook messenger com.facebook.katana Facebook com.whatsapp WhatsApp com.viber.voip Viber Parser payload Upon receiving a specific command , the implant can download a special payload to grab sensitive information from external applications .", "spans": {"SYSTEM: Facebook": [[25, 33], [230, 238]], "SYSTEM: LINE : Free Calls & Messages": [[144, 172]], "SYSTEM: Facebook messenger": [[191, 209]], "SYSTEM: WhatsApp": [[252, 260]], "SYSTEM: Viber": [[276, 281]]}, "info": {"id": "cyner_test_000106", "source": "cyner_test"}} +{"text": "The case where we observed this involved WhatsApp .", "spans": {"SYSTEM: WhatsApp": [[41, 49]]}, "info": {"id": "cyner_test_000107", "source": "cyner_test"}} +{"text": "In the examined version , it was downloaded from : hxxp : //url [ .", "spans": {}, "info": {"id": "cyner_test_000108", "source": "cyner_test"}} +{"text": "] plus/Updates/tt/parser.apk The payload can be a .dex or .apk file which is a Java-compiled Android executable .", "spans": {"SYSTEM: Android": [[93, 100]]}, "info": {"id": "cyner_test_000109", "source": "cyner_test"}} +{"text": "After downloading , it will be loaded by the main module via DexClassLoader api : As mentioned , we observed a payload that exclusively targets the WhatsApp messenger and it does so in an original way .", "spans": {"SYSTEM: WhatsApp messenger": [[148, 166]]}, "info": {"id": "cyner_test_000110", "source": "cyner_test"}} +{"text": "The payload uses the Android Accessibility Service to get information directly from the displayed elements on the screen , so it waits for the targeted application to be launched and then parses all nodes to find text messages : Note that the implant needs special permission to use the Accessibility Service API , but there is a command that performs a request with a phishing text displayed to the user to obtain such permission .", "spans": {"SYSTEM: Android": [[21, 28]]}, "info": 
{"id": "cyner_test_000111", "source": "cyner_test"}} +{"text": "Windows We have found multiple components that form an entire spyware system for the Windows platform .", "spans": {"SYSTEM: Windows": [[0, 7], [85, 92]]}, "info": {"id": "cyner_test_000112", "source": "cyner_test"}} +{"text": "Name MD5 Purpose msconf.exe 55fb01048b6287eadcbd9a0f86d21adf Main module , reverse shell network.exe f673bb1d519138ced7659484c0b66c5b Sending exfiltrated data system.exe d3baa45ed342fbc5a56d974d36d5f73f Surrounding sound recording by mic update.exe 395f9f87df728134b5e3c1ca4d48e9fa Keylogging wow.exe", "spans": {}, "info": {"id": "cyner_test_000113", "source": "cyner_test"}} +{"text": "16311b16fd48c1c87c6476a455093e7a Screenshot capturing skype_sync2.exe 6bcc3559d7405f25ea403317353d905f Skype call recording to MP3 All modules , except skype_sync2.exe , are written in Python and packed to binary files via the Py2exe tool .", "spans": {"SYSTEM: Skype": [[103, 108]], "SYSTEM: Python": [[185, 191]], "SYSTEM: Py2exe": [[227, 233]]}, "info": {"id": "cyner_test_000114", "source": "cyner_test"}} +{"text": "This sort of conversion allows Python code to be run in a Windows environment without pre-installed Python binaries .", "spans": {"SYSTEM: Python": [[31, 37], [100, 106]], "SYSTEM: Windows": [[58, 65]]}, "info": {"id": "cyner_test_000115", "source": "cyner_test"}} +{"text": "msconf.exe is the main module that provides control of the implant and reverse shell feature .", "spans": {}, "info": {"id": "cyner_test_000116", "source": "cyner_test"}} +{"text": "It opens a socket on the victim ’ s machine and connects with a server-side component of the implant located at 54.67.109.199:6500 .", "spans": {}, "info": {"id": "cyner_test_000117", "source": "cyner_test"}} +{"text": "Before connecting with the socket , it creates a malware environment in ‘ APPDATA/myupd ’ and creates a sqlite3 database there – ‘ myupd_tmp\\\\mng.db ’ : CREATE TABLE MANAGE ( ID INT PRIMARY KEY NOT NULL , Send INT NOT 
NULL , Keylogg INT NOT NULL , Screenshot INT NOT NULL , Audio INT NOT NULL ) ; INSERT INTO MANAGE ( ID , Send , Keylogg , Screenshot , Audio", "spans": {}, "info": {"id": "cyner_test_000118", "source": "cyner_test"}} +{"text": ") VALUES ( 1 , 1 , 1 , 1 , 0 ) Finally , the malware modifies the ‘ Software\\Microsoft\\Windows\\CurrentVersion\\Run ’ registry key to enable autostart of the main module .", "spans": {}, "info": {"id": "cyner_test_000119", "source": "cyner_test"}} +{"text": "The code contains multiple comments in Italian , here is the most noteworthy example : “ Receive commands from the remote server , here you can set the key commands to command the virus ” Here are the available commands : Name Description cd Change current directory to specified quit Close the socket nggexe Execute received command via Python ’ s subprocess.Popen ( ) without outputs ngguploads Upload specified file to the specified URL nggdownloads Download content from the specified URLs and save to specified file nggfilesystem Dump file structure of", "spans": {"SYSTEM: Python": [[338, 344]]}, "info": {"id": "cyner_test_000120", "source": "cyner_test"}} +{"text": "the C : path , save it to the file in json format and zip it nggstart_screen nggstop_screen Enable/disable screenshot module .", "spans": {}, "info": {"id": "cyner_test_000121", "source": "cyner_test"}} +{"text": "When enabled , it makes a screenshot every 25 seconds nggstart_key nggstop_key Enable/disable keylogging module nggstart_rec nggstop_rec Enable/disable surrounding sounds recording module ngg_status Send components status to the C & C socket * any other * Execute received command via Python ’ s subprocess.Popen ( ) , output result will be sent to the C & C socket .", "spans": {"SYSTEM: Python": [[285, 291]]}, "info": {"id": "cyner_test_000122", "source": "cyner_test"}} +{"text": "All modules set hidden attributes to their files : Module Paths Exfiltrated data format msconf.exe % APPDATA % /myupd/gen/ % Y % m % d- 
% H % M % S_filesystem.zip ( file structure dump ) system.exe % APPDATA % /myupd/aud/ % d % m % Y % H % M % S.wav ( surrounding sounds ) update.exe % APPDATA % /myupd_tmp/txt/ % APPDATA % /myupd/txt/ % Y % m", "spans": {}, "info": {"id": "cyner_test_000123", "source": "cyner_test"}} +{"text": "% d- % H % M % S.txt ( keylogging ) wow.exe % APPDATA % /myupd/scr/ % Y % m % d- % H % M % S.jpg ( screenshots ) skype_sync2.exe % APPDATA % /myupd_tmp/skype/ % APPDATA % /myupd/skype/ yyyyMMddHHmmss_in.mp3 yyyyMMddHHmmss_out.mp3 ( skype calls records ) Moreover , we found one module written", "spans": {}, "info": {"id": "cyner_test_000124", "source": "cyner_test"}} +{"text": "in .Net – skype_sync2.exe .", "spans": {"SYSTEM: .Net": [[3, 7]]}, "info": {"id": "cyner_test_000125", "source": "cyner_test"}} +{"text": "The main purpose of this module is to exfiltrate Skype call recordings .", "spans": {"SYSTEM: Skype": [[49, 54]]}, "info": {"id": "cyner_test_000126", "source": "cyner_test"}} +{"text": "Just like the previous modules , it contains multiple strings in Italian .", "spans": {}, "info": {"id": "cyner_test_000127", "source": "cyner_test"}} +{"text": "After launch , it downloads a codec for MP3 encoding directly from the C & C server : http : //54.67.109.199/skype_resource/libmp3lame.dll The skype_sync2.exe module has a compilation timestamp – Feb 06 2017 and the following PDB string : \\\\vmware-host\\Shared Folders\\dati\\Backup\\Projects\\REcodin_2\\REcodin_2\\obj\\x86\\Release\\REcodin_2.pdb network.exe is a", "spans": {}, "info": {"id": "cyner_test_000128", "source": "cyner_test"}} +{"text": "module for submitting all exfiltrated data to the server .", "spans": {}, "info": {"id": "cyner_test_000129", "source": "cyner_test"}} +{"text": "In the observed version of the implant it doesn ’ t have an interface to work with the skype_sync2.exe module .", "spans": {}, "info": {"id": "cyner_test_000130", "source": "cyner_test"}} +{"text": "network.exe submitting to the server 
code snippet Code similarities We found some code similarities between the implant for Windows and other public accessible projects .", "spans": {"SYSTEM: Windows": [[124, 131]]}, "info": {"id": "cyner_test_000131", "source": "cyner_test"}} +{"text": "https : //github.com/El3ct71k/Keylogger/ It appears the developers have copied the functional part of the keylogger module from this project .", "spans": {}, "info": {"id": "cyner_test_000132", "source": "cyner_test"}} +{"text": "update.exe module and Keylogger by ‘ El3ct71k ’ code comparison Xenotix Python Keylogger including specified mutex ‘ mutex_var_xboz ’ .", "spans": {"SYSTEM: Xenotix Python Keylogger": [[64, 88]]}, "info": {"id": "cyner_test_000133", "source": "cyner_test"}} +{"text": "update.exe module and Xenotix Python Keylogger code comparison ‘ addStartup ’ method from msconf.exe module ‘ addStartup ’ method from Xenotix Python Keylogger Distribution We found several landing pages that spread the Android implants .", "spans": {"SYSTEM: Xenotix Python Keylogger": [[22, 46], [135, 159]], "SYSTEM: Android": [[220, 227]]}, "info": {"id": "cyner_test_000134", "source": "cyner_test"}} +{"text": "Malicious URL Referrer Dates http : //217.194.13.133/tre/internet/Configuratore_3.apk http : //217.194.13.133/tre/internet/ 2015-02-04 to present time http : //217.194.13.133/appPro_AC.apk – 2015-07-01 http : //217.194.13.133/190/configurazione/vodafone/smartphone/VODAFONE % 20Configuratore % 20v5_4_2.apk http : //217.194.13.133/190/configurazione/vodafone/smartphone/index.html", "spans": {}, "info": {"id": "cyner_test_000135", "source": "cyner_test"}} +{"text": "2015-01-20 to present time http : //217.194.13.133/190/configurazione/vodafone/smartphone/Vodafone % 20Configuratore.apk http : //217.194.13.133/190/configurazione/vodafone/smartphone/index.html currently active http : //vodafoneinfinity.sytes.net/tim/internet/Configuratore_TIM.apk http : //vodafoneinfinity.sytes.net/tim/internet/ 2015-03-04 http : 
//vodafoneinfinity.sytes.net/190/configurazione/vodafone/smartphone/VODAFONE", "spans": {}, "info": {"id": "cyner_test_000136", "source": "cyner_test"}} +{"text": "% 20Configuratore % 20v5_4_2.apk http : //vodafoneinfinity.sytes.net/190/configurazione/vodafone/smartphone/ 2015-01-14 http : //windupdate.serveftp.com/wind/LTE/WIND % 20Configuratore % 20v5_4_2.apk http : //windupdate.serveftp.com/wind/LTE/ 2015-03-31 http : //119.network/lte/Internet-TIM-4G-LTE.apk http : //119.network/lte/download.html", "spans": {}, "info": {"id": "cyner_test_000137", "source": "cyner_test"}} +{"text": "2015-02-04 2015-07-20 http : //119.network/lte/Configuratore_TIM.apk 2015-07-08 Many of these domains are outdated , but almost all ( except one – appPro_AC.apk ) samples located on the 217.194.13.133 server are still accessible .", "spans": {}, "info": {"id": "cyner_test_000138", "source": "cyner_test"}} +{"text": "All the observed landing pages mimic the mobile operators ’ web pages through their domain name and web page content as well .", "spans": {}, "info": {"id": "cyner_test_000139", "source": "cyner_test"}} +{"text": "Further research of the attacker ’ s infrastructure revealed more related mimicking domains .", "spans": {}, "info": {"id": "cyner_test_000140", "source": "cyner_test"}} +{"text": "Unfortunately , for now we can ’ t say in what environment these landing pages were used in the wild , but according to all the information at our dsiposal , we can assume that they are perfect for exploitation using malicious redirects or man-in-the-middle attacks .", "spans": {}, "info": {"id": "cyner_test_000141", "source": "cyner_test"}} +{"text": "For example , this could be when the victim ’ s device connects to a Wi-Fi access point that is infected or controlled by the attackers .", "spans": {}, "info": {"id": "cyner_test_000142", "source": "cyner_test"}} +{"text": "Artifacts During the research , we found plenty of traces of the developers and those doing the maintaining .", 
"spans": {}, "info": {"id": "cyner_test_000143", "source": "cyner_test"}} +{"text": "As already stated in the ‘ malware features ’ part , there are multiple giveaways in the code .", "spans": {}, "info": {"id": "cyner_test_000144", "source": "cyner_test"}} +{"text": "Here are just some of them : ngglobal – FirebaseCloudMessaging topic name Issuer : CN = negg – from several certificates negg.ddns [ .", "spans": {}, "info": {"id": "cyner_test_000145", "source": "cyner_test"}} +{"text": "] net , negg1.ddns [ .", "spans": {}, "info": {"id": "cyner_test_000146", "source": "cyner_test"}} +{"text": "] net , negg2.ddns [ .", "spans": {}, "info": {"id": "cyner_test_000147", "source": "cyner_test"}} +{"text": "] net – C & C servers NG SuperShell – string from the reverse shell payload ngg – prefix in commands names of the implant for Windows Signature with specific issuer Whois records and IP relationships provide many interesting insights as well .", "spans": {"SYSTEM: Windows": [[126, 133]]}, "info": {"id": "cyner_test_000148", "source": "cyner_test"}} +{"text": "There are a lot of other ‘ Negg ’ mentions in Whois records and references to it .", "spans": {}, "info": {"id": "cyner_test_000149", "source": "cyner_test"}} +{"text": "For example : Conclusions The Skygofree Android implant is one of the most powerful spyware tools that we have ever seen for this platform .", "spans": {"MALWARE: Skygofree": [[30, 39]], "SYSTEM: Android": [[40, 47]]}, "info": {"id": "cyner_test_000150", "source": "cyner_test"}} +{"text": "As a result of the long-term development process , there are multiple , exceptional capabilities : usage of multiple exploits for gaining root privileges , a complex payload structure , never-before-seen surveillance features such as recording surrounding audio in specified locations .", "spans": {}, "info": {"id": "cyner_test_000151", "source": "cyner_test"}} +{"text": "Given the many artifacts we discovered in the malware code , as well as infrastructure 
analysis , we are pretty confident that the developer of the Skygofree implants is an Italian IT company that works on surveillance solutions , just like HackingTeam .", "spans": {"MALWARE: Skygofree": [[148, 157]], "ORGANIZATION: HackingTeam": [[241, 252]]}, "info": {"id": "cyner_test_000152", "source": "cyner_test"}} +{"text": "HenBox : The Chickens Come Home to Roost March 13 , 2018 at 5:00 AM Unit 42 recently discovered a new Android malware family we named “ HenBox ” masquerading as a variety of legitimate Android apps .", "spans": {"MALWARE: HenBox": [[0, 6], [136, 142]], "SYSTEM: Android": [[102, 109], [185, 192]]}, "info": {"id": "cyner_test_000153", "source": "cyner_test"}} +{"text": "We chose the name “ HenBox ” based on metadata found in most of the malicious apps such as package names and signer detail .", "spans": {"MALWARE: HenBox": [[20, 26]]}, "info": {"id": "cyner_test_000154", "source": "cyner_test"}} +{"text": "HenBox masquerades as apps such as VPN and Android system apps and often installs legitimate versions of these apps along with HenBox to trick users into thinking they downloaded the legitimate app .", "spans": {"MALWARE: HenBox": [[0, 6], [127, 133]], "SYSTEM: Android": [[43, 50]]}, "info": {"id": "cyner_test_000155", "source": "cyner_test"}} +{"text": "While some of the legitimate apps HenBox use as decoys can be found on Google Play , HenBox apps themselves have only been found on third-party ( non-Google Play ) app stores .", "spans": {"MALWARE: HenBox": [[34, 40], [85, 91]], "SYSTEM: Google Play": [[71, 82]], "SYSTEM: Play": [[157, 161]]}, "info": {"id": "cyner_test_000156", "source": "cyner_test"}} +{"text": "HenBox appears to primarily target the Uyghurs – a minority Turkic ethnic group that is primarily Muslim and lives mainly in the Xinjiang Uyghur Autonomous Region in North West China .", "spans": {"MALWARE: HenBox": [[0, 6]]}, "info": {"id": "cyner_test_000157", "source": "cyner_test"}} +{"text": "It also targets devices made by 
Chinese manufacturer Xiaomi and those running MIUI , an operating system based on Google Android made by Xiaomi .", "spans": {"ORGANIZATION: Xiaomi": [[53, 59], [137, 143]], "SYSTEM: MIUI": [[78, 82]], "SYSTEM: Google Android": [[114, 128]]}, "info": {"id": "cyner_test_000158", "source": "cyner_test"}} +{"text": "Smartphones are the dominant form of internet access in the region and Xinjiang was recently above the national average of internet users in China .", "spans": {}, "info": {"id": "cyner_test_000159", "source": "cyner_test"}} +{"text": "The result is a large online population who have been the subject of numerous cyber-attacks in the past .", "spans": {}, "info": {"id": "cyner_test_000160", "source": "cyner_test"}} +{"text": "Once installed , HenBox steals information from the devices from a myriad of sources , including many mainstream chat , communication , and social media apps .", "spans": {"MALWARE: HenBox": [[17, 23]]}, "info": {"id": "cyner_test_000161", "source": "cyner_test"}} +{"text": "The stolen information includes personal and device information .", "spans": {}, "info": {"id": "cyner_test_000162", "source": "cyner_test"}} +{"text": "Of note , in addition to tracking the compromised device ’ s location , HenBox also harvests all outgoing phone numbers with an “ 86 ” prefix , which is the country code for the People ’ s Republic of China ( PRC ) .", "spans": {"MALWARE: HenBox": [[72, 78]]}, "info": {"id": "cyner_test_000163", "source": "cyner_test"}} +{"text": "It can also access the phone ’ s cameras and microphone .", "spans": {}, "info": {"id": "cyner_test_000164", "source": "cyner_test"}} +{"text": "HenBox has ties to infrastructure used in targeted attacks with a focus on politics in South East Asia .", "spans": {"MALWARE: HenBox": [[0, 6]]}, "info": {"id": "cyner_test_000165", "source": "cyner_test"}} +{"text": "These attackers have used additional malware families in previous activity dating to at least 2015 that include PlugX , Zupdax , 
9002 , and Poison Ivy .", "spans": {"MALWARE: PlugX": [[112, 117]], "MALWARE: Zupdax": [[120, 126]], "MALWARE: 9002": [[129, 133]], "MALWARE: Poison Ivy": [[140, 150]]}, "info": {"id": "cyner_test_000166", "source": "cyner_test"}} +{"text": "This also aligns with HenBox ’ s timeline , as in total we have identified almost 200 HenBox samples , with the oldest dating to 2015 .", "spans": {"MALWARE: HenBox": [[22, 28], [86, 92]]}, "info": {"id": "cyner_test_000167", "source": "cyner_test"}} +{"text": "Most of the samples we found date from the last half of 2017 , fewer samples date from 2016 , and a handful date back to 2015 .", "spans": {}, "info": {"id": "cyner_test_000168", "source": "cyner_test"}} +{"text": "In 2018 , we have already observed a small but consistent number of samples .", "spans": {}, "info": {"id": "cyner_test_000169", "source": "cyner_test"}} +{"text": "We believe this indicates a fairly sustained campaign that has gained momentum over recent months .", "spans": {}, "info": {"id": "cyner_test_000170", "source": "cyner_test"}} +{"text": "HenBox Enters the Uyghur App Store In May 2016 , a HenBox app was downloaded from uyghurapps [ .", "spans": {"MALWARE: HenBox": [[0, 6], [51, 57]], "SYSTEM: Uyghur App Store": [[18, 34]]}, "info": {"id": "cyner_test_000171", "source": "cyner_test"}} +{"text": "] net .", "spans": {}, "info": {"id": "cyner_test_000172", "source": "cyner_test"}} +{"text": "Specifically , the app was an Android Package ( APK ) file that will be discussed in more detail shortly .", "spans": {"SYSTEM: Android Package": [[30, 45]]}, "info": {"id": "cyner_test_000173", "source": "cyner_test"}} +{"text": "The domain name , language of the site and app content hosted suggest this site is a third-party app store for whom the intended users are the Uyghurs .", "spans": {}, "info": {"id": "cyner_test_000174", "source": "cyner_test"}} +{"text": "Such app stores are so-called because they are not officially supported by Android , nor are they 
provided by Google , unlike the Play Store .", "spans": {"SYSTEM: Android": [[75, 82]], "ORGANIZATION: Google": [[110, 116]], "SYSTEM: Play Store": [[130, 140]]}, "info": {"id": "cyner_test_000175", "source": "cyner_test"}} +{"text": "Third-party app stores are ubiquitous in China for a number of reasons including : evermore powerful Chinese Original Equipment Manufacturers ( OEM ) , a lack of an official Chinese Google Play app store , and a growing smartphone market .", "spans": {"ORGANIZATION: Chinese Original Equipment Manufacturers ( OEM )": [[101, 149]], "SYSTEM: Google Play": [[182, 193]]}, "info": {"id": "cyner_test_000176", "source": "cyner_test"}} +{"text": "The HenBox app downloaded in May 2016 was masquerading as the DroidVPN app .", "spans": {"MALWARE: HenBox": [[4, 10]]}, "info": {"id": "cyner_test_000177", "source": "cyner_test"}} +{"text": "At the time of writing , the content served at the given URL on uyghurapps [ .", "spans": {}, "info": {"id": "cyner_test_000178", "source": "cyner_test"}} +{"text": "] net , is now a legitimate version of the DroidVPN app , and looks as shown in Figure 1 below .", "spans": {}, "info": {"id": "cyner_test_000179", "source": "cyner_test"}} +{"text": "henbox_2 Figure 1 Uyghurapps [ .", "spans": {}, "info": {"id": "cyner_test_000180", "source": "cyner_test"}} +{"text": "] net app store showing the current DroidVPN app Virtual Private Network ( VPN ) tools allow connections to remote private networks , increasing the security and privacy of the user ’ s communications .", "spans": {}, "info": {"id": "cyner_test_000181", "source": "cyner_test"}} +{"text": "According to the DroidVPN app description , it “ helps bypass regional internet restrictions , web filtering and firewalls by tunneling traffic over ICMP. 
” Some features may require devices to be rooted to function and according to some 3rd party app stores , unconditional rooting is required , which has additional security implications for the device .", "spans": {}, "info": {"id": "cyner_test_000182", "source": "cyner_test"}} +{"text": "We have not been able to ascertain how the DroidVPN app on the uyghurapps [ .", "spans": {}, "info": {"id": "cyner_test_000183", "source": "cyner_test"}} +{"text": "] net app store was replaced with the malicious HenBox app ; however , some indicators point to the server running an outdated version of Apache Web Server on a Windows 32-Bit operating system .", "spans": {"MALWARE: HenBox": [[48, 54]], "SYSTEM: Windows": [[161, 168]]}, "info": {"id": "cyner_test_000184", "source": "cyner_test"}} +{"text": "In light of this , we believe an attack against unpatched vulnerabilities is a reasonable conjecture for how the server was compromised .", "spans": {"VULNERABILITY: unpatched vulnerabilities": [[48, 73]]}, "info": {"id": "cyner_test_000185", "source": "cyner_test"}} +{"text": "The HenBox app downloaded in May 2016 , as described in Table 1 below , masquerades as a legitimate version of the DroidVPN app by using the same app name “ DroidVPN ” and the same iconography used when displaying the app in Android ’ s launcher view , as highlighted in Figure 2 below Table 1 .", "spans": {"SYSTEM: DroidVPN": [[157, 165]], "SYSTEM: Android": [[225, 232]]}, "info": {"id": "cyner_test_000186", "source": "cyner_test"}} +{"text": "APK SHA256 Size ( bytes ) First Seen App Package name App name 0589bed1e3b3d6234c30061be3be1cc6685d786ab3a892a8d4dae8e2d7ed92f7 2,740,860 May 2016 com.android.henbox DroidVPN Table 1 Details of the HenBox DroidVPN app on the uyghurapps [ .", "spans": {"SYSTEM: DroidVPN": [[166, 174], [205, 213]], "MALWARE: HenBox": [[198, 204]]}, "info": {"id": "cyner_test_000187", "source": "cyner_test"}} +{"text": "] net app store henbox_3 Figure 2 HenBox app installed , purporting to 
be DroidVPN Depending on the language setting on the device , and for this particular variant of HenBox , the installed HenBox app may have the name “ Backup ” but uses the same DroidVPN logo .", "spans": {"MALWARE: HenBox": [[34, 40], [168, 174], [191, 197]]}, "info": {"id": "cyner_test_000188", "source": "cyner_test"}} +{"text": "Other variants use other names and logos , as described later .", "spans": {}, "info": {"id": "cyner_test_000189", "source": "cyner_test"}} +{"text": "Given the DroidVPN look and feel being used by this variant of HenBox , it ’ s highly likely the uyghurapps [ .", "spans": {"MALWARE: HenBox": [[63, 69]]}, "info": {"id": "cyner_test_000190", "source": "cyner_test"}} +{"text": "] net page for DroidVPN remained identical when serving either HenBox or DroidVPN apps , just that the legitimate APK file had been replaced with HenBox for an unknown period of time .", "spans": {"MALWARE: HenBox": [[63, 69]]}, "info": {"id": "cyner_test_000191", "source": "cyner_test"}} +{"text": "In addition to the look and feel of DroidVPN , this HenBox variant also contained a legitimate DroidVPN app within its APK package as an asset , which could be compared to a resource item within a Windows Portable Executable ( PE ) file .", "spans": {"MALWARE: HenBox": [[52, 58]], "SYSTEM: Windows Portable Executable": [[197, 224]]}, "info": {"id": "cyner_test_000192", "source": "cyner_test"}} +{"text": "Once the HenBox app is installed and launched , it launches an install process for the embedded app as a decoy to other malicious behaviors occurring in the background , and to satisfy the victim with the app they were requesting , assuming they requested to download a particular app , such as DroidVPN .", "spans": {"MALWARE: HenBox": [[9, 15]], "SYSTEM: DroidVPN": [[295, 303]]}, "info": {"id": "cyner_test_000193", "source": "cyner_test"}} +{"text": "The version of the legitimate DroidVPN embedded inside this HenBox variant is the same version of DroidVPN available for 
download from uyghurapps [ .", "spans": {"MALWARE: HenBox": [[60, 66]]}, "info": {"id": "cyner_test_000194", "source": "cyner_test"}} +{"text": "] net , at the time of writing .", "spans": {}, "info": {"id": "cyner_test_000195", "source": "cyner_test"}} +{"text": "It ’ s worth noting , newer versions of the DroidVPN app are available on Google Play , as well as in some other third-party app stores , which could indicate uyghurapps [ .", "spans": {"SYSTEM: DroidVPN": [[44, 52]], "SYSTEM: Google Play": [[74, 85]]}, "info": {"id": "cyner_test_000196", "source": "cyner_test"}} +{"text": "] net is not awfully well maintained or updated to the latest apps available .", "spans": {}, "info": {"id": "cyner_test_000197", "source": "cyner_test"}} +{"text": "At the time of writing , to our knowledge no other third-party app stores , nor the official Google Play store , were or are hosting this malicious HenBox variant masquerading as DroidVPN .", "spans": {"SYSTEM: Google Play": [[93, 104]], "MALWARE: HenBox": [[148, 154]]}, "info": {"id": "cyner_test_000198", "source": "cyner_test"}} +{"text": "The Right App at the Right Time The malicious HenBox and embedded DroidVPN app combination is one instance of the type of legitimate apps the attackers choose to mimic to compromise their victims .", "spans": {"MALWARE: HenBox": [[46, 52]]}, "info": {"id": "cyner_test_000199", "source": "cyner_test"}} +{"text": "These threat actors frequently offer malicious apps purporting to be legitimate apps that are broadly used or important to a targeted population .", "spans": {}, "info": {"id": "cyner_test_000200", "source": "cyner_test"}} +{"text": "It ’ s worth noting however , about one-third of the HenBox apps contained embedded APK objects that did not refer to legitimate apps .", "spans": {"MALWARE: HenBox": [[53, 59]]}, "info": {"id": "cyner_test_000201", "source": "cyner_test"}} +{"text": "Some were only 3 bytes long , containing strings such as “ ddd ” and “ 333 ” , or were otherwise 
corrupted .", "spans": {}, "info": {"id": "cyner_test_000202", "source": "cyner_test"}} +{"text": "Beyond the previously mentioned DroidVPN example , other viable embedded apps we found include apps currently available on Google Play , as well as many third-party app stores .", "spans": {"SYSTEM: Google Play": [[123, 134]]}, "info": {"id": "cyner_test_000203", "source": "cyner_test"}} +{"text": "Table 2 below lists some of these apps with their respective metadata .", "spans": {}, "info": {"id": "cyner_test_000204", "source": "cyner_test"}} +{"text": "Sample 1 marks the first HenBox sample we saw embedding a legitimate app within its assets to be dropped and installed on the victim device as a decoy .", "spans": {"MALWARE: HenBox": [[25, 31]]}, "info": {"id": "cyner_test_000205", "source": "cyner_test"}} +{"text": "The legitimate app in question was a Uyghur language keyboard app targeted at native speakers of the Uyghur language and their smartphones .", "spans": {}, "info": {"id": "cyner_test_000206", "source": "cyner_test"}} +{"text": "Sample 2 , has the package name cn.android.setting masquerading as Android ’ s Settings app , which has a similar package name ( com.android.settings ) .", "spans": {"SYSTEM: Settings app": [[79, 91]]}, "info": {"id": "cyner_test_000207", "source": "cyner_test"}} +{"text": "This variant of HenBox also used the common green Android figure as the app logo and was named 设置 ( “ Backup ” in English ) .", "spans": {"MALWARE: HenBox": [[16, 22]], "SYSTEM: Android": [[50, 57]]}, "info": {"id": "cyner_test_000208", "source": "cyner_test"}} +{"text": "This variant ’ s app name , along with many others , is written in Chinese and describes the app as a backup tool .", "spans": {}, "info": {"id": "cyner_test_000209", "source": "cyner_test"}} +{"text": "Please see the IOCs section for all app and package name combinations .", "spans": {}, "info": {"id": "cyner_test_000210", "source": "cyner_test"}} +{"text": "Interestingly , the embedded app 
in sample 2 is not a version of the Android Settings app but instead the “ Amaq Agency ” app , which reports on ISIS related news .", "spans": {"SYSTEM: Android Settings": [[69, 85]], "SYSTEM: Amaq Agency": [[108, 119]]}, "info": {"id": "cyner_test_000211", "source": "cyner_test"}} +{"text": "Reports indicate fake versions of the Amaq app exist , likely in order to spy on those that use it .", "spans": {"SYSTEM: Amaq": [[38, 42]]}, "info": {"id": "cyner_test_000212", "source": "cyner_test"}} +{"text": "A month after observing sample 2 , we obtained another which used the same package name as sample 2 ( cn.android.setting ) .", "spans": {}, "info": {"id": "cyner_test_000213", "source": "cyner_test"}} +{"text": "However , this time the app name for both HenBox and the embedded app were identical : Islamawazi .", "spans": {"MALWARE: HenBox": [[42, 48]], "SYSTEM: Islamawazi": [[87, 97]]}, "info": {"id": "cyner_test_000214", "source": "cyner_test"}} +{"text": "Islamawazi is also known as the Turkistan Islamic Party or “ TIP ” .", "spans": {"SYSTEM: Islamawazi": [[0, 10]], "ORGANIZATION: Turkistan Islamic Party": [[32, 55]]}, "info": {"id": "cyner_test_000215", "source": "cyner_test"}} +{"text": "This organization was formerly known as the East Turkestan Islamic Party and is purported to be an Islamic extremist separatist organization founded by Uyghur jihadists .", "spans": {"ORGANIZATION: East Turkestan Islamic Party": [[44, 72]]}, "info": {"id": "cyner_test_000216", "source": "cyner_test"}} +{"text": "The embedded app appears to be a media player .", "spans": {}, "info": {"id": "cyner_test_000217", "source": "cyner_test"}} +{"text": "These examples , together with the HenBox app placed on a very specific third-party app store , point clearly to at least some of the intended targets of these malicious apps being Uyghurs , specifically those with interest in or association with terrorist groups .", "spans": {"MALWARE: HenBox": [[35, 41]]}, "info": {"id": 
"cyner_test_000218", "source": "cyner_test"}} +{"text": "These threat actors appear to be choosing the right apps – those that could be popular with locals in the region , at the right time – while tensions grow in this region of China , to ensure a good victim install-base .", "spans": {}, "info": {"id": "cyner_test_000219", "source": "cyner_test"}} +{"text": "HenBox Roosts HenBox has evolved over the past three years , and of the almost two hundred HenBox apps in AutoFocus , the vast majority contain several native libraries as well as other components in order to achieve their objective .", "spans": {"MALWARE: HenBox": [[0, 6], [14, 20], [91, 97]]}, "info": {"id": "cyner_test_000220", "source": "cyner_test"}} +{"text": "Most components are obfuscated in some way , whether it be simple XOR with a single-byte key , or through the use of ZIP or Zlib compression wrapped with RC4 encryption .", "spans": {"SYSTEM: ZIP": [[117, 120]], "SYSTEM: Zlib": [[124, 128]]}, "info": {"id": "cyner_test_000221", "source": "cyner_test"}} +{"text": "These components are responsible for a myriad of functions including handling decryption , network communications , gaining super-user privileges , monitoring system logs , loading additional Dalvik code files , tracking the device location and more .", "spans": {}, "info": {"id": "cyner_test_000222", "source": "cyner_test"}} +{"text": "The remainder of this section describes at a high-level what HenBox is capable of , and how it operates .", "spans": {}, "info": {"id": "cyner_test_000223", "source": "cyner_test"}} +{"text": "The description is based on analysis of the sample described in Table 3 below , which was of interest given its C2 domain mefound [ .", "spans": {}, "info": {"id": "cyner_test_000224", "source": "cyner_test"}} +{"text": "] com overlaps with PlugX , Zupdax , and Poison Ivy malware families discussed in more detail later .", "spans": {"MALWARE: PlugX": [[20, 25]], "MALWARE: Zupdax": [[28, 34]], "MALWARE: Poison Ivy": 
[[41, 51]]}, "info": {"id": "cyner_test_000225", "source": "cyner_test"}} +{"text": "SHA256 Package Name App Name a6c7351b09a733a1b3ff8a0901c5bde fdc3b566bfcedcdf5a338c3a97c9f249b com.android.henbox 备份 ( Backup ) Table 3 HenBox variant used in description Once this variant of HenBox is installed on the victim ’ s device , the app can be executed in two different ways : One method for executing HenBox is for the victim to launch the malicious app ( named “ Backup ” , in", "spans": {"MALWARE: HenBox": [[136, 142], [192, 198], [312, 318]]}, "info": {"id": "cyner_test_000226", "source": "cyner_test"}} +{"text": "this instance ) from the launcher view on their device , as shown in Figure 3 below .", "spans": {}, "info": {"id": "cyner_test_000227", "source": "cyner_test"}} +{"text": "This runs code in the onCreate ( ) method of the app ’ s MainActivity class , which in effect is the program ’ s entry point .", "spans": {}, "info": {"id": "cyner_test_000228", "source": "cyner_test"}} +{"text": "This process is defined in the app ’ s AndroidManifest.xml config file , as shown in the following snippet .", "spans": {}, "info": {"id": "cyner_test_000229", "source": "cyner_test"}} +{"text": "Doing so executes code checking if the device is manufactured by Xiaomi , or if Xiaomi ’ s fork of Android is running on the device .", "spans": {"ORGANIZATION: Xiaomi": [[65, 71]], "ORGANIZATION: Xiaomi ’ s": [[80, 90]], "SYSTEM: Android": [[99, 106]]}, "info": {"id": "cyner_test_000230", "source": "cyner_test"}} +{"text": "Under these conditions , the app continues executing and the intent of targeting Xiaomi devices and users could be inferred , however poorly written code results in execution in more environments than perhaps intended ; further checks are made to ascertain whether the app is running on an emulator , perhaps to evade researcher analysis environments .", "spans": {"ORGANIZATION: Xiaomi": [[81, 87]]}, "info": {"id": "cyner_test_000231", "source": "cyner_test"}} +{"text": 
"Assuming these checks pass , one of the main ELF libraries is loaded that orchestrates other components and provides functionality to the app ’ s Dalvik code through the Java Native Interface ( JNI ) .", "spans": {}, "info": {"id": "cyner_test_000232", "source": "cyner_test"}} +{"text": "HenBox checks whether this execution is its first by using Android ’ s shared preferences feature to persist XML key-value pair data .", "spans": {"MALWARE: HenBox": [[0, 6]], "SYSTEM: Android": [[59, 66]]}, "info": {"id": "cyner_test_000233", "source": "cyner_test"}} +{"text": "If it is the first execution , and if the app ’ s path does not contain “ /system/app ” ( i.e .", "spans": {}, "info": {"id": "cyner_test_000234", "source": "cyner_test"}} +{"text": "HenBox is not running as a system app ) , another ELF library is loaded to aid with executing super-user commands .", "spans": {"MALWARE: HenBox": [[0, 6]]}, "info": {"id": "cyner_test_000235", "source": "cyner_test"}} +{"text": "The second method uses intents , broadcasts , and receivers to execute HenBox code .", "spans": {}, "info": {"id": "cyner_test_000236", "source": "cyner_test"}} +{"text": "Providing the app has registered an intent to process particular events from the system , and one of said events occurs , HenBox is effectively brought to life through external stimulus from another app on the system broadcasting a request , or the system itself broadcasting a particular event has occurred .", "spans": {}, "info": {"id": "cyner_test_000237", "source": "cyner_test"}} +{"text": "These intents are typically defined statically in the app ’ s AndroidManifest.xml config file ; some HenBox variants register further intents from their code at run-time .", "spans": {"MALWARE: HenBox": [[101, 107]]}, "info": {"id": "cyner_test_000238", "source": "cyner_test"}} +{"text": "Once a matching intent is triggered , the respective Receiver code will be executed , leading to other HenBox behaviors being launched , which are described 
later .", "spans": {}, "info": {"id": "cyner_test_000239", "source": "cyner_test"}} +{"text": "Table 4 below lists the intents that are statically registered in this HenBox variant ’ s AndroidManifest.xml config file , together with a description of what that intent does , and when it would be used .", "spans": {"MALWARE: HenBox": [[71, 77]]}, "info": {"id": "cyner_test_000240", "source": "cyner_test"}} +{"text": "Depending on the intent triggered , one of two Receivers would be called , in this instance they are called Boot or Time but the name is somewhat immaterial .", "spans": {}, "info": {"id": "cyner_test_000241", "source": "cyner_test"}} +{"text": "Receiver Intent Name Description BootReceiver android.intent.action.BOOT_COMPLETED System notification that the device has finished booting .", "spans": {}, "info": {"id": "cyner_test_000242", "source": "cyner_test"}} +{"text": "android.intent.action.restart A legacy intent used to indicate a system restart .", "spans": {}, "info": {"id": "cyner_test_000243", "source": "cyner_test"}} +{"text": "android.intent.action.SIM_STATE_CHANGED System notification that the SIM card has changed or been removed .", "spans": {}, "info": {"id": "cyner_test_000244", "source": "cyner_test"}} +{"text": "android.intent.action.PACKAGE_INSTALL System notification that the download and eventual installation of an app package is happening ( this is deprecated ) android.intent.action.PACKAGE_ADDED System notification that a new app package has been installed on the device , including the name of said package .", "spans": {}, "info": {"id": "cyner_test_000245", "source": "cyner_test"}} +{"text": "com.xiaomi.smarthome.receive_alarm Received notifications from Xiaomi ’ s smart home IoT devices .", "spans": {"ORGANIZATION: Xiaomi": [[63, 69]]}, "info": {"id": "cyner_test_000246", "source": "cyner_test"}} +{"text": "TimeReceiver android.intent.action.ACTION_TIME_CHANGED System notification that the time was set .", "spans": {}, "info": {"id": 
"cyner_test_000247", "source": "cyner_test"}} +{"text": "android.intent.action.CONNECTIVITY_CHANGE System notification that a change in network connectivity has occurred , either lost or established .", "spans": {}, "info": {"id": "cyner_test_000248", "source": "cyner_test"}} +{"text": "Since Android version 7 ( Nougat ) this information is gathered using other means , perhaps inferring the devices used by potential victim run older versions of Android .", "spans": {"SYSTEM: Android": [[6, 13], [161, 168]], "SYSTEM: Nougat": [[26, 32]]}, "info": {"id": "cyner_test_000249", "source": "cyner_test"}} +{"text": "Table 4 HenBox variant 's Intents and Receivers Most of the intents registered in the AndroidManifest.xml file , or loaded during run-time , are commonly found in malicious Android apps .", "spans": {"MALWARE: HenBox": [[8, 14]], "SYSTEM: Android": [[173, 180]]}, "info": {"id": "cyner_test_000250", "source": "cyner_test"}} +{"text": "What ’ s more interesting , and much less common , is the inclusion of the com.xiaomi.smarthome.receive_alarm intent filter .", "spans": {}, "info": {"id": "cyner_test_000251", "source": "cyner_test"}} +{"text": "Xiaomi , a privately owned Chinese electronics and software company , is the 5th largest smart phone manufacturer in the world and also manufactures IoT devices for the home .", "spans": {"ORGANIZATION: Xiaomi": [[0, 6]]}, "info": {"id": "cyner_test_000252", "source": "cyner_test"}} +{"text": "Most devices can be controlled by Xiaomi ’ s “ MiHome ” Android app , which is available on Google Play with between 1,000,000 and 5,000,000 downloads .", "spans": {"ORGANIZATION: Xiaomi": [[34, 40]], "SYSTEM: MiHome": [[47, 53]], "SYSTEM: Android": [[56, 63]], "SYSTEM: Google Play": [[92, 103]]}, "info": {"id": "cyner_test_000253", "source": "cyner_test"}} +{"text": "Given the nature of connected devices in smart homes , it ’ s highly likely many of these devices , and indeed the controller app itself , communicate with one another 
sending status notifications , alerts and so on .", "spans": {}, "info": {"id": "cyner_test_000254", "source": "cyner_test"}} +{"text": "Such notifications would be received by the MiHome app or any other , such as HenBox , so long as they register their intent to do so .", "spans": {"SYSTEM: MiHome": [[44, 50]], "MALWARE: HenBox": [[78, 84]]}, "info": {"id": "cyner_test_000255", "source": "cyner_test"}} +{"text": "This could essentially allow for external devices to act as a trigger to execute the malicious HenBox code , or perhaps afford additional data HenBox can collect and exfiltrate .", "spans": {"MALWARE: HenBox": [[95, 101], [143, 149]]}, "info": {"id": "cyner_test_000256", "source": "cyner_test"}} +{"text": "Either method to load HenBox ultimately results in an instance of a service being launched .", "spans": {"MALWARE: HenBox": [[22, 28]]}, "info": {"id": "cyner_test_000257", "source": "cyner_test"}} +{"text": "This service hides the app from plain sight and loads another ELF library to gather environmental information about the device , such as running processes and apps , and details about device hardware , primarily through parsing system logs and querying running processes .", "spans": {}, "info": {"id": "cyner_test_000258", "source": "cyner_test"}} +{"text": "The service continues by loading an ELF , created by Baidu , which is capable of tracking the device location before setting up a monitor to harvest phone numbers associated with outgoing calls for those numbers with a country code “ +86 ” prefix , which relates to the People ’ s Republic of China .", "spans": {"ORGANIZATION: Baidu": [[53, 58]]}, "info": {"id": "cyner_test_000259", "source": "cyner_test"}} +{"text": "Further assets are decrypted and deployed , including another Dalvik DEX code file , which has various capabilities including registering itself as the incoming SMS handler for the device to intercept SMS messages , loading another ELF library that includes a version of BusyBox - a 
package containing various stripped-down Unix tools useful for administering such systems – and , interestingly , is capable of turning off the sound played when the device ’ s cameras take pictures .", "spans": {"SYSTEM: BusyBox": [[271, 278]]}, "info": {"id": "cyner_test_000260", "source": "cyner_test"}} +{"text": "The Android permissions requested by HenBox , as defined in the apps ’ AndroidManifest.xml files , range from accessing location and network settings to messages , call , and contact data .", "spans": {"SYSTEM: Android": [[4, 11]], "MALWARE: HenBox": [[37, 43]]}, "info": {"id": "cyner_test_000261", "source": "cyner_test"}} +{"text": "HenBox can also access sensors such as the device camera ( s ) and the microphone .", "spans": {"MALWARE: HenBox": [[0, 6]]}, "info": {"id": "cyner_test_000262", "source": "cyner_test"}} +{"text": "Beyond the Android app itself , other components such as the aforementioned ELF libraries have additional data-stealing capabilities .", "spans": {"SYSTEM: Android": [[11, 18]]}, "info": {"id": "cyner_test_000263", "source": "cyner_test"}} +{"text": "One ELF library , libloc4d.so , handles amongst other things the loading of the app-decoded ELF library file “ sux ” , as well as handling connectivity to the C2 .", "spans": {}, "info": {"id": "cyner_test_000264", "source": "cyner_test"}} +{"text": "The sux library appears to be a customized super user ( su ) tool that includes code from the com.koushikdutta.superuser app and carries the equivalent of a super user ( su ) binary in order to run privileged commands on the system .", "spans": {}, "info": {"id": "cyner_test_000265", "source": "cyner_test"}} +{"text": "The primary goal of sux appears to be steal messages and other data from popular messaging and social media apps specified within the HenBox sample .", "spans": {"MALWARE: HenBox": [[134, 140]]}, "info": {"id": "cyner_test_000266", "source": "cyner_test"}} +{"text": "A similar tool , with the same filename , has been 
discussed in previous research but the SpyDealer malware appears unrelated to HenBox .", "spans": {"MALWARE: SpyDealer": [[90, 99]], "MALWARE: HenBox": [[129, 135]]}, "info": {"id": "cyner_test_000267", "source": "cyner_test"}} +{"text": "More likely , this is a case of common attack tools being re-used between different threat actor groups .", "spans": {}, "info": {"id": "cyner_test_000268", "source": "cyner_test"}} +{"text": "This particular HenBox variant , as listed in Table 3 above , harvests data from two popular messaging and social media apps : Voxer Walkie Talkie Messenger ( com.rebelvox.voxer ) and Tencent ’ s WeChat ( com.tencent.mm ) .", "spans": {"MALWARE: HenBox": [[16, 22]], "SYSTEM: Voxer": [[127, 132]], "SYSTEM: Walkie Talkie": [[133, 146]], "SYSTEM: Messenger": [[147, 156]], "ORGANIZATION: Tencent": [[184, 191]], "SYSTEM: WeChat": [[196, 202]]}, "info": {"id": "cyner_test_000269", "source": "cyner_test"}} +{"text": "These types of apps tend to store their data in databases and , as an example , HenBox accesses Voxer ’ s database from the file “ /data/data/com.rebelvox.voxer/databases/rv.db ” .", "spans": {"MALWARE: HenBox": [[80, 86]]}, "info": {"id": "cyner_test_000270", "source": "cyner_test"}} +{"text": "Once opened , HenBox runs the following query to gather message information .", "spans": {"MALWARE: HenBox": [[14, 20]]}, "info": {"id": "cyner_test_000271", "source": "cyner_test"}} +{"text": "Not long after this variant was public , newer variants of HenBox were seen , and some had significant increases in the number of targeted apps .", "spans": {"MALWARE: HenBox": [[59, 65]]}, "info": {"id": "cyner_test_000272", "source": "cyner_test"}} +{"text": "Table 5 describes the latest variant seen in AutoFocus .", "spans": {}, "info": {"id": "cyner_test_000273", "source": "cyner_test"}} +{"text": "SHA256 Package Name App Name First Seen 07994c9f2eeeede199dd6b4e760fce3 71f03f3cc4307e6551c18d2fbd024a24f com.android.henbox 备份 ( Backup ) January 3rd 
2018 Table 6 contains an updated list of targeted apps from which this newer variant of HenBox is capable of harvesting data .", "spans": {"MALWARE: HenBox": [[239, 245]]}, "info": {"id": "cyner_test_000274", "source": "cyner_test"}} +{"text": "Interestingly , the two communication apps described above as being targeted by the HenBox variant listed in Table 3 do not appear in this updated list .", "spans": {}, "info": {"id": "cyner_test_000275", "source": "cyner_test"}} +{"text": "Package Name App Name com.whatsapp WhatsApp Messenger com.pugna.magiccall n/a org.telegram.messenger Telegram com.facebook.katana Facebook com.twitter.android Twitter jp.naver.line.android LINE : Free Calls & Messages com.instanza.cocovoice Coco com.beetalk BeeTalk com.gtomato.talkbox TalkBox Voice Messenger - PTT com.viber.voip Viber Messenger com.immomo.momo MOMO陌陌 com.facebook.orca Messenger – Text and Video Chat for Free com.skype.rover", "spans": {"SYSTEM: WhatsApp": [[35, 43]], "SYSTEM: Messenger": [[44, 53], [300, 309], [337, 346], [388, 397]], "SYSTEM: Telegram": [[101, 109]], "SYSTEM: Facebook": [[130, 138]], "SYSTEM: Twitter": [[159, 166]], "SYSTEM: LINE": [[189, 193]], "SYSTEM: BeeTalk": [[258, 265]], "SYSTEM: TalkBox": [[286, 293]], "SYSTEM: Viber": [[331, 336]], "SYSTEM: MOMO陌陌": [[363, 369]]}, "info": {"id": "cyner_test_000276", "source": "cyner_test"}} +{"text": "Skype ; 3rd party stores only Most of these apps are well established and available on Google Play , however , com.skype.rover appears to be available only on third-party app stores .", "spans": {"SYSTEM: Skype": [[0, 5]], "SYSTEM: Google Play": [[87, 98]]}, "info": {"id": "cyner_test_000277", "source": "cyner_test"}} +{"text": "The same is likely to be the case for com.pugna.magiccall but this is unknown currently .", "spans": {}, "info": {"id": "cyner_test_000278", "source": "cyner_test"}} +{"text": "It ’ s clear to see that the capabilities of HenBox are very comprehensive , both in terms of an Android app with 
its native libraries and given the amount of data it can glean from a victim .", "spans": {"MALWARE: HenBox": [[45, 51]], "SYSTEM: Android": [[97, 104]]}, "info": {"id": "cyner_test_000279", "source": "cyner_test"}} +{"text": "Such data includes contact and location information , phone and message activity , the ability to record from the microphone , camera , and other sensors as well as the capability to access data from many popular messaging and social media apps .", "spans": {}, "info": {"id": "cyner_test_000280", "source": "cyner_test"}} +{"text": "Infrastructure While investigating HenBox we discovered infrastructure ties to other malware families associated with targeted attacks against Windows users – notable overlaps included PlugX , Zupdax , 9002 , and Poison Ivy .", "spans": {"MALWARE: HenBox": [[35, 41]], "SYSTEM: Windows": [[143, 150]], "MALWARE: PlugX": [[185, 190]], "MALWARE: Zupdax": [[193, 199]], "MALWARE: 9002": [[202, 206]], "MALWARE: Poison Ivy": [[213, 223]]}, "info": {"id": "cyner_test_000281", "source": "cyner_test"}} +{"text": "The overall image of these ties is below in Figure 5 and paints a picture of an adversary with at least 5 malware families in their toolbox dating back to at least 2015 .", "spans": {}, "info": {"id": "cyner_test_000282", "source": "cyner_test"}} +{"text": "The overlap between the HenBox and 9002 malware families Unit 42 has seen involves three shared C2s between several samples ; the first IP below is used for more than half of the HenBox samples we have seen to date : 47.90.81 [ .", "spans": {"MALWARE: HenBox": [[24, 30], [179, 185]], "MALWARE: 9002": [[35, 39]]}, "info": {"id": "cyner_test_000283", "source": "cyner_test"}} +{"text": "] 23 222.139.212 [ .", "spans": {}, "info": {"id": "cyner_test_000284", "source": "cyner_test"}} +{"text": "] 16 lala513.gicp [ .", "spans": {}, "info": {"id": "cyner_test_000285", "source": "cyner_test"}} +{"text": "] net The overlaps between the Henbox , PlugX , Zupdax , and Poison 
Ivy malware families involves a web of shared C2s and IP resolutions centered around the below : 59.188.196 [ .", "spans": {"MALWARE: Henbox": [[31, 37]], "MALWARE: PlugX": [[40, 45]], "MALWARE: Zupdax": [[48, 54]], "MALWARE: Poison Ivy": [[61, 71]]}, "info": {"id": "cyner_test_000286", "source": "cyner_test"}} +{"text": "] 172 cdncool [ .", "spans": {}, "info": {"id": "cyner_test_000287", "source": "cyner_test"}} +{"text": "] com ( and third-levels of this domain ) www3.mefound [ .", "spans": {}, "info": {"id": "cyner_test_000288", "source": "cyner_test"}} +{"text": "] com www5.zyns [ .", "spans": {}, "info": {"id": "cyner_test_000289", "source": "cyner_test"}} +{"text": "] com w3.changeip [ .", "spans": {}, "info": {"id": "cyner_test_000290", "source": "cyner_test"}} +{"text": "] org Ties to previous activity The registrant of cdncool [ .", "spans": {}, "info": {"id": "cyner_test_000291", "source": "cyner_test"}} +{"text": "] com also registered six other domains .", "spans": {}, "info": {"id": "cyner_test_000292", "source": "cyner_test"}} +{"text": "To date , Unit 42 has seen four of the seven ( the first three in the list below , along with cdncool [ .", "spans": {}, "info": {"id": "cyner_test_000293", "source": "cyner_test"}} +{"text": "] com ) used in malicious activity and it is reasonable to assume the remaining three are or were intended to serve the same purpose .", "spans": {}, "info": {"id": "cyner_test_000294", "source": "cyner_test"}} +{"text": "tcpdo [ .", "spans": {}, "info": {"id": "cyner_test_000295", "source": "cyner_test"}} +{"text": "] net adminsysteminfo [ .", "spans": {}, "info": {"id": "cyner_test_000296", "source": "cyner_test"}} +{"text": "] com md5c [ .", "spans": {}, "info": {"id": "cyner_test_000297", "source": "cyner_test"}} +{"text": "] net linkdatax [ .", "spans": {}, "info": {"id": "cyner_test_000298", "source": "cyner_test"}} +{"text": "] com csip6 [ .", "spans": {}, "info": {"id": "cyner_test_000299", "source": "cyner_test"}} 
+{"text": "] biz adminloader [ .", "spans": {}, "info": {"id": "cyner_test_000300", "source": "cyner_test"}} +{"text": "] com Unit 42 published a blog in July 2016 about 9002 malware being delivered using a combination of shortened links and a file hosted on Google Drive .", "spans": {"MALWARE: 9002": [[50, 54]]}, "info": {"id": "cyner_test_000301", "source": "cyner_test"}} +{"text": "The spear phishing emails had Myanmar political-themed lures and , if the 9002 C2 server responded , the Trojan sent system specific information along with the string “ jackhex ” .", "spans": {"MALWARE: 9002": [[74, 78]]}, "info": {"id": "cyner_test_000302", "source": "cyner_test"}} +{"text": "“ jackhex ” has also been part of a C2 for what is likely related Poison Ivy activity detailed below , along with additional infrastructure ties .", "spans": {"MALWARE: Poison Ivy": [[66, 76]]}, "info": {"id": "cyner_test_000303", "source": "cyner_test"}} +{"text": "The C2 for the aforementioned 9002 sample was logitechwkgame [ .", "spans": {"MALWARE: 9002": [[30, 34]]}, "info": {"id": "cyner_test_000304", "source": "cyner_test"}} +{"text": "] com , which resolved to the IP address 222.239.91 [ .", "spans": {}, "info": {"id": "cyner_test_000305", "source": "cyner_test"}} +{"text": "] 30 .", "spans": {}, "info": {"id": "cyner_test_000306", "source": "cyner_test"}} +{"text": "At the same time , the domain admin.nslookupdns [ .", "spans": {}, "info": {"id": "cyner_test_000307", "source": "cyner_test"}} +{"text": "] com also resolved to the same IP address , suggesting that these two domains are associated with the same threat actors .", "spans": {}, "info": {"id": "cyner_test_000308", "source": "cyner_test"}} +{"text": "In addition , admin.nslookupdns [ .", "spans": {}, "info": {"id": "cyner_test_000309", "source": "cyner_test"}} +{"text": "] com was a C2 for Poison Ivy samples associated with attacks on Myanmar and other Asian countries discussed in a blog published by Arbor Networks in April 2016 
.", "spans": {"MALWARE: Poison Ivy": [[19, 29]], "ORGANIZATION: Arbor Networks": [[132, 146]]}, "info": {"id": "cyner_test_000310", "source": "cyner_test"}} +{"text": "Another tie between the activity is the C2 jackhex.md5c [ .", "spans": {}, "info": {"id": "cyner_test_000311", "source": "cyner_test"}} +{"text": "] net , which was also used as a Poison Ivy C2 in the Arbor Networks blog .", "spans": {"MALWARE: Poison Ivy": [[33, 43]], "ORGANIZATION: Arbor Networks": [[54, 68]]}, "info": {"id": "cyner_test_000312", "source": "cyner_test"}} +{"text": "“ jackhex ” is not a common word or phrase and , as noted above , was also seen in the beacon activity with the previously discussed 9002 sample .", "spans": {"MALWARE: 9002": [[133, 137]]}, "info": {"id": "cyner_test_000313", "source": "cyner_test"}} +{"text": "Finally , since publishing the 9002 blog , Unit 42 has also seen the aforementioned 9002 C2 used as a Poison Ivy C2 with a Myanmar political-themed lure .", "spans": {"MALWARE: 9002": [[31, 35], [84, 88]], "MALWARE: Poison Ivy": [[102, 112]]}, "info": {"id": "cyner_test_000314", "source": "cyner_test"}} +{"text": "In our 9002 blog we noted some additional infrastructure used either as C2s for related Poison Ivy samples , or domain registrant overlap with those C2 domains .", "spans": {"MALWARE: 9002": [[7, 11]], "MALWARE: Poison Ivy": [[88, 98]]}, "info": {"id": "cyner_test_000315", "source": "cyner_test"}} +{"text": "When we published that blog Unit 42 hadn ’ t seen any of the three registrants overlap domains used in malicious activity .", "spans": {}, "info": {"id": "cyner_test_000316", "source": "cyner_test"}} +{"text": "Since then , we have seen Poison Ivy samples using third-levels of querlyurl [ .", "spans": {"MALWARE: Poison Ivy": [[26, 36]]}, "info": {"id": "cyner_test_000317", "source": "cyner_test"}} +{"text": "] com , lending further credence the remaining two domains , gooledriveservice [ .", "spans": {}, "info": {"id": "cyner_test_000318", "source": 
"cyner_test"}} +{"text": "] com and appupdatemoremagic [ .", "spans": {}, "info": {"id": "cyner_test_000319", "source": "cyner_test"}} +{"text": "] com are or were intended for malicious use .", "spans": {}, "info": {"id": "cyner_test_000320", "source": "cyner_test"}} +{"text": "While we do not have complete targeting , information associated with these Poison Ivy samples , several of the decoy files were in Chinese and appear to be part of a 2016 campaign targeting organizations in Taiwan with political-themed lures .", "spans": {"MALWARE: Poison Ivy": [[76, 86]]}, "info": {"id": "cyner_test_000321", "source": "cyner_test"}} +{"text": "Conclusion Typically masquerading as legitimate Android system apps , and sometimes embedding legitimate apps within them , the primary goal of the malicious HenBox appears to be to spy on those who install them .", "spans": {"MALWARE: Android": [[48, 55]], "MALWARE: HenBox": [[158, 164]]}, "info": {"id": "cyner_test_000322", "source": "cyner_test"}} +{"text": "Using similar traits , such as copycat iconography and app or package names , victims are likely socially engineered into installing the malicious apps , especially when available on so-called third-party ( i.e .", "spans": {}, "info": {"id": "cyner_test_000323", "source": "cyner_test"}} +{"text": "non-Google Play ) app stores which often have fewer security and vetting procedures for the apps they host .", "spans": {"SYSTEM: Play": [[11, 15]]}, "info": {"id": "cyner_test_000324", "source": "cyner_test"}} +{"text": "It ’ s possible , as with other Android malware , that some apps may also be available on forums , file-sharing sites or even sent to victims as email attachments , and we were only able to determine the delivery mechanism for a handful of the apps we have been able to find .", "spans": {"SYSTEM: Android": [[32, 39]]}, "info": {"id": "cyner_test_000325", "source": "cyner_test"}} +{"text": "The hosting locations seen for some HenBox samples , together with the 
nature of some embedded apps including : those targeted at extremist groups , those who use VPN or other privacy-enabling apps , and those who speak the Uyghur language , highlights the victim profile the threat actors were seeking to attack .", "spans": {"MALWARE: HenBox": [[36, 42]]}, "info": {"id": "cyner_test_000326", "source": "cyner_test"}} +{"text": "The targets and capabilities of HenBox , in addition to the ties to previous activity using four different Windows malware families with political-themed lures against several different South East Asian countries , indicates this activity likely represents an at least three-year-old espionage campaign .", "spans": {"MALWARE: HenBox": [[32, 38]]}, "info": {"id": "cyner_test_000327", "source": "cyner_test"}} +{"text": "THURSDAY , OCTOBER 11 , 2018 GPlayed Trojan - .Net playing with Google Market Introduction In a world where everything is always connected , and mobile devices are involved in individuals ' day-to-day lives more and more often , malicious actors are seeing increased opportunities to attack these devices .", "spans": {"MALWARE: GPlayed": [[29, 36]], "ORGANIZATION: Google": [[64, 70]]}, "info": {"id": "cyner_test_000328", "source": "cyner_test"}} +{"text": "Cisco Talos has identified the latest attempt to penetrate mobile devices — a new Android trojan that we have dubbed \" GPlayed .", "spans": {"ORGANIZATION: Cisco Talos": [[0, 11]], "SYSTEM: Android": [[82, 89]], "MALWARE: GPlayed": [[119, 126]]}, "info": {"id": "cyner_test_000329", "source": "cyner_test"}} +{"text": "'' This is a trojan with many built-in capabilities .", "spans": {}, "info": {"id": "cyner_test_000330", "source": "cyner_test"}} +{"text": "At the same time , it 's extremely flexible , making it a very effective tool for malicious actors .", "spans": {}, "info": {"id": "cyner_test_000331", "source": "cyner_test"}} +{"text": "The sample we analyzed uses an icon very similar to Google Apps , with the label \" Google Play Marketplace 
'' to disguise itself .", "spans": {"SYSTEM: Google Apps": [[52, 63]], "SYSTEM: Google Play Marketplace": [[83, 106]]}, "info": {"id": "cyner_test_000332", "source": "cyner_test"}} +{"text": "The malicious application is on the left-hand side .", "spans": {}, "info": {"id": "cyner_test_000333", "source": "cyner_test"}} +{"text": "What makes this malware extremely powerful is the capability to adapt after it 's deployed .", "spans": {}, "info": {"id": "cyner_test_000334", "source": "cyner_test"}} +{"text": "In order to achieve this adaptability , the operator has the capability to remotely load plugins , inject scripts and even compile new .NET code that can be executed .", "spans": {"SYSTEM: .NET": [[135, 139]]}, "info": {"id": "cyner_test_000335", "source": "cyner_test"}} +{"text": "Our analysis indicates that this trojan is in its testing stage but given its potential , every mobile user should be aware of GPlayed .", "spans": {"MALWARE: GPlayed": [[127, 134]]}, "info": {"id": "cyner_test_000336", "source": "cyner_test"}} +{"text": "Mobile developers have recently begun eschewing traditional app stores and instead want to deliver their software directly through their own means .", "spans": {}, "info": {"id": "cyner_test_000337", "source": "cyner_test"}} +{"text": "But GPlayed is an example of where this can go wrong , especially if a mobile user is not aware of how to distinguish a fake app versus a real one .", "spans": {"MALWARE: GPlayed": [[4, 11]]}, "info": {"id": "cyner_test_000338", "source": "cyner_test"}} +{"text": "Trojan architecture and capabilities This malware is written in .NET using the Xamarin environment for mobile applications .", "spans": {"SYSTEM: .NET": [[64, 68]], "SYSTEM: Xamarin": [[79, 86]]}, "info": {"id": "cyner_test_000339", "source": "cyner_test"}} +{"text": "The main DLL is called \" Reznov.DLL .", "spans": {}, "info": {"id": "cyner_test_000340", "source": "cyner_test"}} +{"text": "'' This DLL contains one root class called \" 
eClient , '' which is the core of the trojan .", "spans": {}, "info": {"id": "cyner_test_000341", "source": "cyner_test"}} +{"text": "The imports reveal the use of a second DLL called \" eCommon.dll .", "spans": {}, "info": {"id": "cyner_test_000342", "source": "cyner_test"}} +{"text": "'' We determined that the \" eCommon '' file contains support code and structures that are platform independent .", "spans": {}, "info": {"id": "cyner_test_000343", "source": "cyner_test"}} +{"text": "The main DLL also contains eClient subclasses that implement some of the native capabilities .", "spans": {}, "info": {"id": "cyner_test_000344", "source": "cyner_test"}} +{"text": "The package certificate is issued under the package name , which also resembles the name of the main DLL name .", "spans": {}, "info": {"id": "cyner_test_000345", "source": "cyner_test"}} +{"text": "Certificate information The Android package is named \" verReznov.Coampany .", "spans": {"SYSTEM: Android": [[28, 35]]}, "info": {"id": "cyner_test_000346", "source": "cyner_test"}} +{"text": "'' The application uses the label \" Installer '' and its name is \" android.app.Application .", "spans": {}, "info": {"id": "cyner_test_000347", "source": "cyner_test"}} +{"text": "'' Package permissions The trojan declares numerous permissions in the manifest , from which we should highlight the BIND_DEVICE_ADMIN , which provides nearly full control of the device to the trojan .", "spans": {}, "info": {"id": "cyner_test_000348", "source": "cyner_test"}} +{"text": "This trojan is highly evolved in its design .", "spans": {}, "info": {"id": "cyner_test_000349", "source": "cyner_test"}} +{"text": "It has modular architecture implemented in the form of plugins , or it can receive new .NET source code , which will be compiled on the device in runtime .", "spans": {"SYSTEM: .NET": [[87, 91]]}, "info": {"id": "cyner_test_000350", "source": "cyner_test"}} +{"text": "Initialization of the compiler object The plugins can be added 
in runtime , or they can be added as a package resource at packaging time .", "spans": {}, "info": {"id": "cyner_test_000351", "source": "cyner_test"}} +{"text": "This means that the authors or the operators can add capabilities without the need to recompile and upgrade the trojan package on the device .", "spans": {}, "info": {"id": "cyner_test_000352", "source": "cyner_test"}} +{"text": "Trojan native capabilities This is a full-fledged trojan with capabilities ranging from those of a banking trojan to a full spying trojan .", "spans": {}, "info": {"id": "cyner_test_000353", "source": "cyner_test"}} +{"text": "This means that the malware can do anything from harvest the user 's banking credentials , to monitoring the device 's location .", "spans": {}, "info": {"id": "cyner_test_000354", "source": "cyner_test"}} +{"text": "There are several indicators ( see section \" trojan activity '' below ) that it is in its last stages of development , but it has the potential to be a serious threat .", "spans": {}, "info": {"id": "cyner_test_000355", "source": "cyner_test"}} +{"text": "Trojan details Upon boot , the trojan will start by populating a shared preferences file with the configuration it has on its internal structures .", "spans": {}, "info": {"id": "cyner_test_000356", "source": "cyner_test"}} +{"text": "Afterward , it will start several timers to execute different tasks .", "spans": {}, "info": {"id": "cyner_test_000357", "source": "cyner_test"}} +{"text": "The first timer will be fired on the configured interval ( 20 seconds in this case ) , pinging the command and control ( C2 ) server .", "spans": {}, "info": {"id": "cyner_test_000358", "source": "cyner_test"}} +{"text": "The response can either be a simple \" OK , '' or can be a request to perform some action on the device .", "spans": {}, "info": {"id": "cyner_test_000359", "source": "cyner_test"}} +{"text": "The second timer will run every five seconds and it will try to enable the WiFi if it 's disabled 
.", "spans": {}, "info": {"id": "cyner_test_000360", "source": "cyner_test"}} +{"text": "The third timer will fire every 10 seconds and will attempt to register the device into the C2 and register wake-up locks on the system to control the device 's status .", "spans": {}, "info": {"id": "cyner_test_000361", "source": "cyner_test"}} +{"text": "During the trojan registration stage , the trojan exfiltrates private information such as the phone 's model , IMEI , phone number and country .", "spans": {}, "info": {"id": "cyner_test_000362", "source": "cyner_test"}} +{"text": "It will also report the version of Android that the phone is running and any additional capabilities .", "spans": {"SYSTEM: Android": [[35, 42]]}, "info": {"id": "cyner_test_000363", "source": "cyner_test"}} +{"text": "Device registration This is the last of the three main timers that are created .", "spans": {}, "info": {"id": "cyner_test_000364", "source": "cyner_test"}} +{"text": "The trojan will register the SMS handler , which will forward the contents and the sender of all of the SMS messages on the phone to the C2 .", "spans": {}, "info": {"id": "cyner_test_000365", "source": "cyner_test"}} +{"text": "The final step in the trojan 's initialization is the escalation and maintenance of privileges in the device .", "spans": {}, "info": {"id": "cyner_test_000366", "source": "cyner_test"}} +{"text": "This is done both by requesting admin privileges on the device and asking the user to allow the application to access the device 's settings .", "spans": {}, "info": {"id": "cyner_test_000367", "source": "cyner_test"}} +{"text": "Privilege escalation requests The screens asking for the user 's approval wo n't close unless the user approves the privilege escalation .", "spans": {}, "info": {"id": "cyner_test_000368", "source": "cyner_test"}} +{"text": "If the user closes the windows , they will appear again due to the timer configuration .", "spans": {}, "info": {"id": "cyner_test_000369", "source": 
"cyner_test"}} +{"text": "After the installation of the trojan , it will wait randomly between three and five minutes to activate one of the native capabilities — these are implemented on the eClient subclass called \" GoogleCC .", "spans": {}, "info": {"id": "cyner_test_000370", "source": "cyner_test"}} +{"text": "'' This class will open a WebView with a Google-themed page asking for payment in order to use the Google services .", "spans": {"ORGANIZATION: Google-themed": [[41, 54]], "ORGANIZATION: Google": [[99, 105]]}, "info": {"id": "cyner_test_000371", "source": "cyner_test"}} +{"text": "This will take the user through several steps until it collects all the necessary credit card information , which will be checked online and exfiltrated to the C2 .", "spans": {}, "info": {"id": "cyner_test_000372", "source": "cyner_test"}} +{"text": "During this process , an amount of money , configured by the malicious operator , is requested to the user .", "spans": {}, "info": {"id": "cyner_test_000373", "source": "cyner_test"}} +{"text": "Steps to request the user 's credit card information In our sample configuration , the request for the views above can not be canceled or removed from the screen — behaving just like a screen lock that wo n't be disabled without providing credit card information .", "spans": {}, "info": {"id": "cyner_test_000374", "source": "cyner_test"}} +{"text": "All communication with the C2 is done over HTTP .", "spans": {}, "info": {"id": "cyner_test_000375", "source": "cyner_test"}} +{"text": "It will use either a standard web request or it will write data into a web socket if the first method fails .", "spans": {}, "info": {"id": "cyner_test_000376", "source": "cyner_test"}} +{"text": "The C2 can also use WebSocket as a backup communication channel .", "spans": {}, "info": {"id": "cyner_test_000377", "source": "cyner_test"}} +{"text": "Before sending any data to the C2 using the trojan attempts to disguise its data , the data is serialized using 
JSON , which is then encoded in Base64 .", "spans": {}, "info": {"id": "cyner_test_000378", "source": "cyner_test"}} +{"text": "However , the trojan replaces the '= ' by 'AAAZZZXXX ' , the '+ ' by '| ' and the '/ ' by ' .", "spans": {}, "info": {"id": "cyner_test_000379", "source": "cyner_test"}} +{"text": "' to disguise the Base64 .", "spans": {}, "info": {"id": "cyner_test_000380", "source": "cyner_test"}} +{"text": "Request encoding process The HTTP requests follow the format below , while on the WebSocket only the query data is written .", "spans": {}, "info": {"id": "cyner_test_000381", "source": "cyner_test"}} +{"text": "?", "spans": {}, "info": {"id": "cyner_test_000382", "source": "cyner_test"}} +{"text": "q= - : As is common with trojans , the communication is always initiated by the trojan on the device to the C2 .", "spans": {}, "info": {"id": "cyner_test_000383", "source": "cyner_test"}} +{"text": "The request codes are actually replies to the C2 action requests , which are actually called \" responses .", "spans": {}, "info": {"id": "cyner_test_000384", "source": "cyner_test"}} +{"text": "'' There are 27 response codes that the C2 can use to make requests to the trojan , which pretty much match what 's listed in the capabilities section .", "spans": {}, "info": {"id": "cyner_test_000385", "source": "cyner_test"}} +{"text": "Error Registration Ok Empty SendSMS RequestGoogleCC Wipe OpenBrowser SendUSSD RequestSMSList RequestAppList RequestLocation ShowNotification SetLockPassword LockNow MuteSound LoadScript LoadPlugin ServerChange StartApp CallPhone SetPingTimer SMSBroadcast RequestContacts AddInject RemoveInject Evaluate Another feature of this trojan is the ability to register injects , which are JavaScript snippets of code .", "spans": {}, "info": {"id": "cyner_test_000386", "source": "cyner_test"}} +{"text": "These will be executed in a WebView object created by the trojan .", "spans": {}, "info": {"id": "cyner_test_000387", "source": "cyner_test"}} 
+{"text": "This gives the operators the capability to trick the user into accessing any site while stealing the user 's cookies or forging form fields , like account numbers or phone numbers .", "spans": {}, "info": {"id": "cyner_test_000388", "source": "cyner_test"}} +{"text": "Trojan activity At the time of the writing of this post , all URLs ( see IOC section ) found on the sample were inactive , and it does not seem to be widespread .", "spans": {}, "info": {"id": "cyner_test_000389", "source": "cyner_test"}} +{"text": "There are some indicators that this sample is just a test sample on its final stages of development .", "spans": {}, "info": {"id": "cyner_test_000390", "source": "cyner_test"}} +{"text": "There are several strings and labels still mentioning 'test ' or 'testcc ' — even the URL used for the credit card data exfiltration is named \" testcc.php .", "spans": {}, "info": {"id": "cyner_test_000391", "source": "cyner_test"}} +{"text": "'' Debug information on logcat Another indicator is the amount of debugging information the trojan is still generating — a production-level trojan would keep its logging to a minimum .", "spans": {}, "info": {"id": "cyner_test_000392", "source": "cyner_test"}} +{"text": "The only sample was found on public repositories and almost seemed to indicate a test run to determine the detection ratio of the sample .", "spans": {}, "info": {"id": "cyner_test_000393", "source": "cyner_test"}} +{"text": "We have observed this trojan being submitted to public antivirus testing platforms , once as a package and once for each DLL to determine the detection ratio .", "spans": {}, "info": {"id": "cyner_test_000394", "source": "cyner_test"}} +{"text": "The sample analyzed was targeted at Russian-speaking users , as most of the user interaction pages are written in Russian .", "spans": {}, "info": {"id": "cyner_test_000395", "source": "cyner_test"}} +{"text": "However , given the way the trojan is built , it is highly customizable , 
meaning that adapting it to a different language would be extremely easy .", "spans": {}, "info": {"id": "cyner_test_000396", "source": "cyner_test"}} +{"text": "The wide range of capabilities does n't limit this trojan to a specific malicious activity like a banking trojan or a ransomware .", "spans": {}, "info": {"id": "cyner_test_000397", "source": "cyner_test"}} +{"text": "This makes it impossible to create a target profile .", "spans": {}, "info": {"id": "cyner_test_000398", "source": "cyner_test"}} +{"text": "Conclusion This trojan shows a new path for threats to evolve .", "spans": {}, "info": {"id": "cyner_test_000399", "source": "cyner_test"}} +{"text": "Having the ability to move code from desktops to mobile platforms with no effort , like the eCommon.DLL demonstrates that malicious actors can create hybrid threats faster and with fewer resources involved than ever before .", "spans": {}, "info": {"id": "cyner_test_000400", "source": "cyner_test"}} +{"text": "This trojan 's design and implementation is of an uncommonly high level , making it a dangerous threat .", "spans": {}, "info": {"id": "cyner_test_000401", "source": "cyner_test"}} +{"text": "These kinds of threats will become more common , as more and more companies decide to publish their software directly to consumers .", "spans": {}, "info": {"id": "cyner_test_000402", "source": "cyner_test"}} +{"text": "There have been several recent examples of companies choosing to release their software directly to consumers , bypassing traditional storefronts .", "spans": {}, "info": {"id": "cyner_test_000403", "source": "cyner_test"}} +{"text": "The average user might not have the necessary skills to distinguish legitimate sites from malicious ones .", "spans": {}, "info": {"id": "cyner_test_000404", "source": "cyner_test"}} +{"text": "We 've seen that this has been the case for many years with spear-phishing campaigns on desktop and mobile platforms , so , unfortunately , it does n't seem that this will 
change any time soon .", "spans": {}, "info": {"id": "cyner_test_000405", "source": "cyner_test"}} +{"text": "And this just means attackers will continue to be successful .", "spans": {}, "info": {"id": "cyner_test_000406", "source": "cyner_test"}} +{"text": "Coverage Additional ways our customers can detect and block this threat are listed below .", "spans": {}, "info": {"id": "cyner_test_000407", "source": "cyner_test"}} +{"text": "Advanced Malware Protection ( AMP ) is ideally suited to prevent the execution of the malware used by these threat actors .", "spans": {"SYSTEM: Advanced Malware Protection ( AMP )": [[0, 35]]}, "info": {"id": "cyner_test_000408", "source": "cyner_test"}} +{"text": "Cisco Cloud Web Security ( CWS ) or Web Security Appliance ( WSA ) web scanning prevents access to malicious websites and detects malware used in these attacks .", "spans": {"SYSTEM: Cisco Cloud Web Security ( CWS )": [[0, 32]], "SYSTEM: Web Security Appliance ( WSA )": [[36, 66]]}, "info": {"id": "cyner_test_000409", "source": "cyner_test"}} +{"text": "Email Security can block malicious emails sent by threat actors as part of their campaign .", "spans": {}, "info": {"id": "cyner_test_000410", "source": "cyner_test"}} +{"text": "Network Security appliances such as Next-Generation Firewall ( NGFW ) , Next-Generation Intrusion Prevention System ( NGIPS ) , and Meraki MX can detect malicious activity associated with this threat .", "spans": {"SYSTEM: Next-Generation Firewall ( NGFW )": [[36, 69]], "SYSTEM: Next-Generation Intrusion Prevention System ( NGIPS )": [[72, 125]], "SYSTEM: Meraki MX": [[132, 141]]}, "info": {"id": "cyner_test_000411", "source": "cyner_test"}} +{"text": "AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products .", "spans": {"ORGANIZATION: Cisco": [[80, 85]]}, "info": {"id": "cyner_test_000412", "source": "cyner_test"}} +{"text": "Umbrella , our secure internet gateway ( SIG ) , blocks users from 
connecting to malicious domains , IPs , and URLs , whether users are on or off the corporate network .", "spans": {"SYSTEM: Umbrella": [[0, 8]]}, "info": {"id": "cyner_test_000413", "source": "cyner_test"}} +{"text": "Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org .", "spans": {}, "info": {"id": "cyner_test_000414", "source": "cyner_test"}} +{"text": "Indicators of compromise ( IOC ) URLs hxxp : //5.9.33.226:5416 hxxp : //172.110.10.171:85/testcc.php hxxp : //sub1.tdsworker.ru:5555/3ds/ Hash values Package.apk - A342a16082ea53d101f556b50532651cd3e3fdc7d9e0be3aa136680ad9c6a69f eCommon.dl - 604deb75eedf439766896f05799752de268baf437bf89a7185540627ab4a4bd1", "spans": {}, "info": {"id": "cyner_test_000415", "source": "cyner_test"}} +{"text": "Reznov.dll - 17b8665cdbbb94482ca970a754d11d6e29c46af6390a2d8e8193d8d6a527dec3 Custom activity prefix com.cact.CAct Cerberus - A new banking Trojan from the underworld August 2019 In June 2019 , ThreatFabric analysts found a new Android malware , dubbed “ Cerberus ” , being rented out on underground forums .", "spans": {"MALWARE: Cerberus": [[115, 123], [255, 263]], "ORGANIZATION: ThreatFabric": [[194, 206]], "SYSTEM: Android": [[228, 235]]}, "info": {"id": "cyner_test_000416", "source": "cyner_test"}} +{"text": "Its authors claim that it was used for private operations for two years preceding the start of the rental .", "spans": {}, "info": {"id": "cyner_test_000417", "source": "cyner_test"}} +{"text": "They also state that the code is written from scratch and is not using parts of other existing banking Trojans unlike many other Trojans that are either based completely on the source of another Trojan ( such as the leaked Anubis source code that is now being resold ) or at least borrow parts of other Trojans .", "spans": {"MALWARE: Anubis": [[223, 229]]}, "info": {"id": "cyner_test_000418", "source": "cyner_test"}} +{"text": "After thorough 
analysis we can confirm that Cerberus was indeed not based on the Anubis source code .", "spans": {"MALWARE: Cerberus": [[44, 52]], "MALWARE: Anubis": [[81, 87]]}, "info": {"id": "cyner_test_000419", "source": "cyner_test"}} +{"text": "One peculiar thing about the actor group behind this banking malware is that they have an “ official ” twitter account that they use to post promotional content ( even videos ) about the malware .", "spans": {"ORGANIZATION: twitter": [[103, 110]]}, "info": {"id": "cyner_test_000420", "source": "cyner_test"}} +{"text": "Oddly enough they also use it to make fun of the AV community , sharing detection screenshots from VirusTotal ( thus leaking IoC ) and even engaging in discussions with malware researchers directly The following screenshot shows tweets from their advertisement campaign : That unusual behavior could be explained by the combination of the need for attention and a probable lack of experience .", "spans": {"ORGANIZATION: VirusTotal": [[99, 109]]}, "info": {"id": "cyner_test_000421", "source": "cyner_test"}} +{"text": "What is sure is that the gap in the Android banking malware rental business left open after the rental of the Anubis 2 and RedAlert 2 Trojans ended provides a good opportunity for the actors behind Cerberus to grow their business quickly .", "spans": {"SYSTEM: Android": [[36, 43]], "MALWARE: Anubis 2": [[110, 118]], "MALWARE: RedAlert 2": [[123, 133]], "MALWARE: Cerberus": [[198, 206]]}, "info": {"id": "cyner_test_000422", "source": "cyner_test"}} +{"text": "The Android banking Trojan rental business Rental of banking Trojans is not new .", "spans": {"SYSTEM: Android": [[4, 11]]}, "info": {"id": "cyner_test_000423", "source": "cyner_test"}} +{"text": "It was an existing business model when computer-based banking malware was the only form of banking malware and has shifted to the Android equivalent a few years later .", "spans": {"SYSTEM: Android": [[130, 137]]}, "info": {"id": "cyner_test_000424", "source": 
"cyner_test"}} +{"text": "The life span of Android banking malware is limited to either the will of its author ( s ) to support it or the arrest of those actors .", "spans": {"SYSTEM: Android": [[17, 24]]}, "info": {"id": "cyner_test_000425", "source": "cyner_test"}} +{"text": "This malware-life-cycle has been observed to reoccur every few years , bringing new malware families into light .", "spans": {}, "info": {"id": "cyner_test_000426", "source": "cyner_test"}} +{"text": "Each time a rented malware reaches the end of its life it provides the opportunity for other actors a to take over the malware rental market-share .", "spans": {}, "info": {"id": "cyner_test_000427", "source": "cyner_test"}} +{"text": "As visible on following chart , the lifespan of many well-known rented Android bankers is usually no more than one or two years .", "spans": {"SYSTEM: Android": [[71, 78]]}, "info": {"id": "cyner_test_000428", "source": "cyner_test"}} +{"text": "When the family ceases to exist a new one is already available to fill the void , proving that the demand for such malware is always present and that therefore Cerberus has a good chance to survive .", "spans": {"MALWARE: Cerberus": [[160, 168]]}, "info": {"id": "cyner_test_000429", "source": "cyner_test"}} +{"text": "After the actor behind RedAlert 2 decided to quit the rental business , we observed a surge in Anubis samples in the wild .", "spans": {"MALWARE: RedAlert 2": [[23, 33]], "MALWARE: Anubis": [[95, 101]]}, "info": {"id": "cyner_test_000430", "source": "cyner_test"}} +{"text": "After the Anubis actor was allegedly arrested and the source code was leaked there was also huge increase in the number of Anubis samples found in the wild , but the new actors using Anubis have no support or updates .", "spans": {"MALWARE: Anubis": [[10, 16], [123, 129], [183, 189]]}, "info": {"id": "cyner_test_000431", "source": "cyner_test"}} +{"text": "Due to this Cerberus will come in handy for actors that want to focus on 
performing fraud without having to develop and maintain a botnet and C2 infrastructure .", "spans": {"MALWARE: Cerberus": [[12, 20]]}, "info": {"id": "cyner_test_000432", "source": "cyner_test"}} +{"text": "Analysis of evasion techniques Along with the standard payload and string obfuscation , Cerberus uses a rather interesting technique to prevent analysis of the Trojan .", "spans": {"MALWARE: Cerberus": [[88, 96]]}, "info": {"id": "cyner_test_000433", "source": "cyner_test"}} +{"text": "Using the device accelerometer sensor it implements a simple pedometer that is used to measure movements of the victim .", "spans": {}, "info": {"id": "cyner_test_000434", "source": "cyner_test"}} +{"text": "The idea is simple - if the infected device belongs to a real person , sooner or later this person will move around , increasing the step counter .", "spans": {}, "info": {"id": "cyner_test_000435", "source": "cyner_test"}} +{"text": "The Trojan uses this counter to activate the bot - if aforementioned step counter hits the pre-configured threshold it considers running on the device to be safe .", "spans": {}, "info": {"id": "cyner_test_000436", "source": "cyner_test"}} +{"text": "This simple measure prevents the Trojan from running and being analyzed in dynamic analysis environments ( sandboxes ) and on the test devices of malware analysts .", "spans": {}, "info": {"id": "cyner_test_000437", "source": "cyner_test"}} +{"text": "The code responsible for this verification is shown in the following snippet : How it works When the malware is first started on the device it will begin by hiding its icon from the application drawer .", "spans": {}, "info": {"id": "cyner_test_000438", "source": "cyner_test"}} +{"text": "Then it will ask for the accessibility service privilege as visible in the following screenshot : After the user grants the requested privilege , Cerberus starts to abuse it by granting itself additional permissions , such as permissions needed to send messages and 
make calls , without requiring any user interaction .", "spans": {"MALWARE: Cerberus": [[146, 154]]}, "info": {"id": "cyner_test_000439", "source": "cyner_test"}} +{"text": "It also disables Play Protect ( Google ’ s preinstalled antivirus solution ) to prevent its discovery and deletion in the future .", "spans": {"SYSTEM: Play Protect": [[17, 29]], "ORGANIZATION: Google": [[32, 38]]}, "info": {"id": "cyner_test_000440", "source": "cyner_test"}} +{"text": "After conveniently granting itself additional privileges and securing its persistence on the device , Cerberus registers the infected device in the botnet and waits for commands from the C2 server while also being ready to perform overlay attacks .", "spans": {"MALWARE: Cerberus": [[102, 110]]}, "info": {"id": "cyner_test_000441", "source": "cyner_test"}} +{"text": "The commands supported by the analyzed version of the Cerberus bot are listed below .", "spans": {"MALWARE: Cerberus": [[54, 62]]}, "info": {"id": "cyner_test_000442", "source": "cyner_test"}} +{"text": "As can be seen , the possibilities offered by the bot are pretty common .", "spans": {}, "info": {"id": "cyner_test_000443", "source": "cyner_test"}} +{"text": "Command Description push Shows a push notification .", "spans": {}, "info": {"id": "cyner_test_000444", "source": "cyner_test"}} +{"text": "Clicking on thenotification will result in launching a specified app startApp Starts the specified application getInstallApps Gets the list of installedapplications on the infected device getContacts Gets the contact names and phone numbers from the addressbook on the infected device deleteApplication Triggers the deletion of the specified application forwardCall Enables call forwarding to the specified number sendSms Sends a text message with specified text from the infecteddevice to the specified phone number startInject Triggers the overlay attack against the specified application startUssd", "spans": {}, "info": {"id": "cyner_test_000445", "source": 
"cyner_test"}} +{"text": "Calls the specified USSD code openUrl Opens the specified URL in the WebView getSMS Gets all text messages from the infected device killMe Triggers the kill switch for the bot updateModule Updates the payload module Cerberus features Cerberus malware has the same capabilities as most other Android banking Trojans such as the use of overlay attacks , SMS control and contact list harvesting .", "spans": {"MALWARE: Cerberus": [[216, 224], [234, 242]], "SYSTEM: Android": [[291, 298]]}, "info": {"id": "cyner_test_000446", "source": "cyner_test"}} +{"text": "The Trojan can also leverage keylogging to broaden the attack scope .", "spans": {}, "info": {"id": "cyner_test_000447", "source": "cyner_test"}} +{"text": "Overall , Cerberus has a pretty common feature list and although the malware seems to have been written from scratch there does not seem to be any innovative functionality at this time .", "spans": {"MALWARE: Cerberus": [[10, 18]]}, "info": {"id": "cyner_test_000448", "source": "cyner_test"}} +{"text": "For example , some of the more advanced banking Trojans now offer features such as a back-connect proxy , screen-streaming and even remote control .", "spans": {}, "info": {"id": "cyner_test_000449", "source": "cyner_test"}} +{"text": "Cerberus embeds the following set of features that allows itself to remain under the radar and successfully perform attacks : Overlaying : Dynamic ( Local injects obtained from C2 ) Keylogging SMS harvesting : SMS listing SMS harvesting : SMS forwarding Device info collection Contact list collection Application listing Location collection Overlaying : Targets list update SMS : Sending Calls : USSD request making Calls : Call forwarding Remote actions : App installing Remote actions : App starting Remote actions : App removal Remote actions : Showing arbitrary web pages Remote actions : Screen-locking", "spans": {"MALWARE: Cerberus": [[0, 8]]}, "info": {"id": "cyner_test_000450", "source": "cyner_test"}} 
+{"text": "Notifications : Push notifications C2 Resilience : Auxiliary C2 list Self-protection : Hiding the App icon Self-protection : Preventing removal Self-protection : Emulation-detection Architecture : Modular Overlay attack Most Android banking Trojans use overlay attacks to trick the victim into providing their personal information ( such as but not limited to : credit card information , banking credentials , mail credentials ) and Cerberus is no exception .", "spans": {"MALWARE: Cerberus": [[433, 441]]}, "info": {"id": "cyner_test_000451", "source": "cyner_test"}} +{"text": "In this particular case , the bot abuses the accessibility service privilege to obtain the package name of the foreground application and determine whether or not to show a phishing overlay window , as shown in the following code snippet : Targets Some examples of phishing overlays are shown below .", "spans": {}, "info": {"id": "cyner_test_000452", "source": "cyner_test"}} +{"text": "They exist in two types : the credentials stealers ( first 2 screenshots ) and the credit card grabbers ( last screenshot ) .", "spans": {}, "info": {"id": "cyner_test_000453", "source": "cyner_test"}} +{"text": "The only active target list observed in the wild is available in the appendix and contains a total of 30 unique targets .", "spans": {}, "info": {"id": "cyner_test_000454", "source": "cyner_test"}} +{"text": "It is interesting to observe that the actual target list contains : 7 French banking apps 7 U.S. 
banking apps 1 Japanese banking app 15 non-banking apps This uncommon target list might either be the result of specific customer demand , or due to some actors having partially reused an existing target list .", "spans": {}, "info": {"id": "cyner_test_000455", "source": "cyner_test"}} +{"text": "Conclusion Although not yet mature enough to provide the equivalent of a full-blown set of Android banking malware features ( such as RAT , RAT with ATS ( Automated Transaction Script ) , back-connect proxy , media streaming ) , or providing an exhaustive target list , Cerberus should not be taken lightly .", "spans": {"SYSTEM: Android": [[91, 98]], "MALWARE: Cerberus": [[270, 278]]}, "info": {"id": "cyner_test_000456", "source": "cyner_test"}} +{"text": "Due to the current absence of maintained and supported Android banking Malware-as-a-Service in the underground community , there is a certainly demand for a new service .", "spans": {"MALWARE: Android": [[55, 62]]}, "info": {"id": "cyner_test_000457", "source": "cyner_test"}} +{"text": "Cerberus is already capable to fulfill this demand .", "spans": {"MALWARE: Cerberus": [[0, 8]]}, "info": {"id": "cyner_test_000458", "source": "cyner_test"}} +{"text": "In addition to the feature base it already possesses and the money that can be made from the rental , it could evolve to compete with the mightiest Android banking Trojans .", "spans": {"SYSTEM: Android": [[148, 155]]}, "info": {"id": "cyner_test_000459", "source": "cyner_test"}} +{"text": "Next to the features , we expect the target list to be expanded to contain additional ( banking ) apps in the near future .", "spans": {}, "info": {"id": "cyner_test_000460", "source": "cyner_test"}} +{"text": "Knowledge of the threat landscape and implementation of the right detection tools remains crucial to be able to protect yourself from fraud ; Cerberus is yet a new Trojan active in the wild !", "spans": {"MALWARE: Cerberus": [[142, 150]]}, "info": {"id": "cyner_test_000461", 
"source": "cyner_test"}} +{"text": "Appendix Samples Some of the latest Cerberus samples found in the wild : App name Package name SHA 256 hash Flash Player com.uxlgtsvfdc.zipvwntdy 728a6ea44aab94a2d0ebbccbf0c1b4a93fbd9efa8813c19a88d368d6a46b4f4f Flash Player com.ognbsfhszj.hqpquokjdp fe28aba6a942b6713d7142117afdf70f5e731c56eff8956ecdb40cdc28c7c329", "spans": {"MALWARE: Cerberus": [[36, 44]], "SYSTEM: Flash Player": [[108, 120], [211, 223]]}, "info": {"id": "cyner_test_000462", "source": "cyner_test"}} +{"text": "Flash Player com.mwmnfwt.arhkrgajn ffa5ac3460998e7b9856fc136ebcd112196c3abf24816ccab1fbae11eae4954c Flash Player com.wogdjywtwq.oiofvpzpxyo 6ac7e7ed83b4b57cc4d28f14308d69d062d29a544bbde0856d5697b0fc50cde4 Flash Player com.hvdnaiujzwo.fovzeukzywfr", "spans": {"SYSTEM: Flash Player": [[0, 12], [100, 112], [205, 217]]}, "info": {"id": "cyner_test_000463", "source": "cyner_test"}} +{"text": "cfd77ddc5c1ebb8498c899a68ea75d2616c1c92a0e618113d7c9e5fcc650094b Flash Player com.gzhlubw.pmevdiexmn 3f2ed928789c200e21fd0c2095619a346f75d84f76f1e54a8b3153385850ea63 Target list The actual observed list of mobile apps targeted by Cerberus contains a total of 30 unique applications .", "spans": {"SYSTEM: Flash Player": [[65, 77]], "MALWARE: Cerberus": [[230, 238]]}, "info": {"id": "cyner_test_000464", "source": "cyner_test"}} +{"text": "This list is expected to expand : Package name Application name com.android.vending Play Market com.boursorama.android.clients Boursorama Banque com.caisseepargne.android.mobilebanking Banque com.chase.sig.android Chase Mobile com.clairmail.fth Fifth Third Mobile Banking com.connectivityapps.hotmail Connect for Hotmail com.google.android.gm Gmail com.imo.android.imoim imo free video calls and chat com.infonow.bofa Bank of America", "spans": {"SYSTEM: Play Market": [[84, 95]], "SYSTEM: Banque": [[138, 144], [185, 191]], "SYSTEM: Chase Mobile": [[214, 226]], "SYSTEM: Fifth Third Mobile Banking": [[245, 271]], "SYSTEM: Connect for Hotmail": 
[[301, 320]], "SYSTEM: Gmail": [[343, 348]], "SYSTEM: imo": [[371, 374]], "SYSTEM: Bank of America": [[418, 433]]}, "info": {"id": "cyner_test_000465", "source": "cyner_test"}} +{"text": "Mobile Banking com.IngDirectAndroid ING com.instagram.android Instagram com.konylabs.capitalone Capital One® Mobile com.mail.mobile.android.mail mail.com mail com.microsoft.office.outlook Microsoft Outlook com.snapchat.android Snapchat com.tencent.mm WeChat com.twitter.android Twitter com.ubercab Uber com.usaa.mobile.android.usaa USAA Mobile com.usbank.mobilebanking U.S. Bank - Inspired by customers com.viber.voip Viber com.wf.wellsfargomobile", "spans": {"SYSTEM: Capital One® Mobile": [[96, 115]], "SYSTEM: mail": [[154, 158]], "SYSTEM: Microsoft Outlook": [[188, 205]], "SYSTEM: Snapchat": [[227, 235]], "SYSTEM: WeChat": [[251, 257]], "SYSTEM: Twitter": [[278, 285]], "ORGANIZATION: Uber": [[298, 302]], "SYSTEM: USAA Mobile": [[332, 343]], "SYSTEM: Viber": [[418, 423]]}, "info": {"id": "cyner_test_000466", "source": "cyner_test"}} +{"text": "Wells Fargo Mobile com.whatsapp WhatsApp com.yahoo.mobile.client.android.mail Yahoo Mail – Organized Email fr.banquepopulaire.cyberplus Banque Populaire fr.creditagricole.androidapp Ma Banque jp.co.rakuten_bank.rakutenbank 楽天銀行 -個人のお客様向けアプリ mobi.societegenerale.mobile.lappli L ’ Appli Société Générale net.bnpparibas.mescomptes Mes Comptes BNP Paribas org.telegram.messenger Telegram Triout - Spyware Framework", "spans": {"SYSTEM: Wells Fargo Mobile": [[0, 18]], "SYSTEM: WhatsApp": [[32, 40]], "SYSTEM: Yahoo Mail": [[78, 88]], "SYSTEM: Banque": [[136, 142]], "SYSTEM: Ma Banque": [[182, 191]], "MALWARE: Triout": [[385, 391]]}, "info": {"id": "cyner_test_000467", "source": "cyner_test"}} +{"text": "for Android with Extensive Surveillance Capabilities August 20 , 2018 No operating system is safe from malware , as cyber criminals will always want to steal , spy or tamper with your data .", "spans": {"SYSTEM: Android": [[4, 11]]}, "info": {"id": 
"cyner_test_000468", "source": "cyner_test"}} +{"text": "The proliferation of Android devices – from smartphones to tablets and smart TVs – has opened up new possibilities for malware developers , as all these devices pack microphones , cameras and location-tracking hardware they can turn into the perfect spy tools .", "spans": {"MALWARE: Android": [[21, 28]]}, "info": {"id": "cyner_test_000469", "source": "cyner_test"}} +{"text": "Bitdefender researchers have identified a new Android spyware , dubbed Triout , which appears to act as a framework for building extensive surveillance capabilities into seemingly benign applications .", "spans": {"ORGANIZATION: Bitdefender": [[0, 11]], "SYSTEM: Android": [[46, 53]], "MALWARE: Triout": [[71, 77]]}, "info": {"id": "cyner_test_000470", "source": "cyner_test"}} +{"text": "Found bundled with a repackaged app , the spyware ’ s surveillance capabilities involve hiding its presence on the device , recording phone calls , logging incoming text messages , recoding videos , taking pictures and collecting GPS coordinates , then broadcasting all of that to an attacker-controlled C & C ( command and control ) server .", "spans": {"SYSTEM: GPS": [[230, 233]]}, "info": {"id": "cyner_test_000471", "source": "cyner_test"}} +{"text": "It ’ s interesting that Triout , which is detected by Bitdefender ’ s machine learning algorithms , was first submitted from Russia , and most scans/reports came from Israel .", "spans": {"MALWARE: Triout": [[24, 30]], "ORGANIZATION: Bitdefender": [[54, 65]]}, "info": {"id": "cyner_test_000472", "source": "cyner_test"}} +{"text": "The sample ’ s first appearance seems to be May 15 , 2018 , when it was uploaded to VirusTotal , but it ’ s unclear how the tainted sample is disseminated .", "spans": {"ORGANIZATION: VirusTotal": [[84, 94]]}, "info": {"id": "cyner_test_000473", "source": "cyner_test"}} +{"text": "Third-party marketplaces or some other attacker-controlled domains are likely used to host the sample 
.", "spans": {}, "info": {"id": "cyner_test_000474", "source": "cyner_test"}} +{"text": "A subsequent investigation revealed that the spyware has the following capabilities : Records every phone call ( literally the conversation as a media file ) , then sends it together with the caller id to the C & C ( incall3.php and outcall3.php ) Logs every incoming SMS message ( SMS body and SMS sender ) to C & C ( script3.php ) Has capability to hide self Can send all call logs ( “ content : //call_log/calls ” , info : callname , callnum , calldate , calltype , callduration", "spans": {}, "info": {"id": "cyner_test_000475", "source": "cyner_test"}} +{"text": ") to C & C ( calllog.php ) Whenever the user snaps a picture , either with the front or rear camera , it gets sent to the C & C ( uppc.php , fi npic.php orreqpic.php ) Can send GPS coordinates to C & C ( gps3.php ) The C & C server to which the application seems to be sending collected data appears to be operational , as of this writing , and running since May 2018 .", "spans": {"SYSTEM: GPS": [[177, 180]]}, "info": {"id": "cyner_test_000476", "source": "cyner_test"}} +{"text": "January 23 , 2017 SpyNote RAT posing as Netflix app As users have become more attached to their mobile devices , they want everything on those devices .", "spans": {"MALWARE: SpyNote RAT": [[18, 29]], "SYSTEM: Netflix app": [[40, 51]]}, "info": {"id": "cyner_test_000477", "source": "cyner_test"}} +{"text": "There ’ s an app for just about any facet of one ’ s personal and professional life , from booking travel and managing projects , to buying groceries and binge-watching the latest Netflix series .", "spans": {"ORGANIZATION: Netflix": [[180, 187]]}, "info": {"id": "cyner_test_000478", "source": "cyner_test"}} +{"text": "The iOS and Android apps for Netflix are enormously popular , effectively turning a mobile device into a television with which users can stream full movies and TV programs anytime , anywhere .", "spans": {"SYSTEM: iOS": [[4, 
7]], "SYSTEM: Android": [[12, 19]], "ORGANIZATION: Netflix": [[29, 36]]}, "info": {"id": "cyner_test_000479", "source": "cyner_test"}} +{"text": "But the apps , with their many millions of users , have captured the attention of the bad actors , too , who are exploiting the popularity of Netflix to spread malware .", "spans": {"ORGANIZATION: Netflix": [[142, 149]]}, "info": {"id": "cyner_test_000480", "source": "cyner_test"}} +{"text": "Recently , the ThreatLabZ research team came across a fake Netflix app , which turned out to be a new variant of SpyNote RAT ( Remote Access Trojan ) .", "spans": {"ORGANIZATION: ThreatLabZ": [[15, 25]], "SYSTEM: fake Netflix app": [[54, 70]], "MALWARE: SpyNote RAT": [[113, 124]]}, "info": {"id": "cyner_test_000481", "source": "cyner_test"}} +{"text": "SpyNote RAT is capable of performing a variety of alarming functions that includes : Activating the device ’ s microphone and listening to live conversations Executing commands on the device Copying files from the device to a Command & Control ( C & C ) center Recording screen captures Viewing contacts Reading SMS messages The screenshot below shows part of the sandbox ’ s report on the SpyNote RAT ’ s signature and detected functions : The fake Netflix app we are analyzing in this blog appears to be built using an updated version of SpyNote RAT builder ,", "spans": {"MALWARE: SpyNote RAT": [[0, 11], [390, 401], [540, 551]], "ORGANIZATION: Netflix": [[450, 457]]}, "info": {"id": "cyner_test_000482", "source": "cyner_test"}} +{"text": "which was leaked last year .", "spans": {}, "info": {"id": "cyner_test_000483", "source": "cyner_test"}} +{"text": "Technical details Please note that our research is not about the legitimate Netflix app on Google Play .", "spans": {"SYSTEM: Netflix app": [[76, 87]], "SYSTEM: Google Play": [[91, 102]]}, "info": {"id": "cyner_test_000484", "source": "cyner_test"}} +{"text": "The spyware in this analysis was portraying itself as the Netflix app .", "spans": 
{"SYSTEM: Netflix app": [[58, 69]]}, "info": {"id": "cyner_test_000485", "source": "cyner_test"}} +{"text": "Once installed , it displayed the icon found in the actual Netflix app on Google Play .", "spans": {"SYSTEM: Netflix app": [[59, 70]], "SYSTEM: Google Play": [[74, 85]]}, "info": {"id": "cyner_test_000486", "source": "cyner_test"}} +{"text": "As soon as the user clicks the spyware ’ s icon for the first time , nothing seems to happen and the icon disappears from the home screen .", "spans": {}, "info": {"id": "cyner_test_000487", "source": "cyner_test"}} +{"text": "This is a common trick played by malware developers , making the user think the app may have been removed .", "spans": {}, "info": {"id": "cyner_test_000488", "source": "cyner_test"}} +{"text": "But , behind the scenes , the malware has not been removed ; instead it starts preparing its onslaught of attacks .", "spans": {}, "info": {"id": "cyner_test_000489", "source": "cyner_test"}} +{"text": "For contacting C & C , the spyware was found to be using free DNS services , as shown in the screenshot below : SpyNote RAT uses an unusual trick to make sure that it remains up and running and that the spying does not stop .", "spans": {"MALWARE: SpyNote RAT": [[112, 123]]}, "info": {"id": "cyner_test_000490", "source": "cyner_test"}} +{"text": "It does so using the Services , Broadcast Receivers , and Activities components of the Android platform .", "spans": {"SYSTEM: Android": [[87, 94]]}, "info": {"id": "cyner_test_000491", "source": "cyner_test"}} +{"text": "Services can perform long-running operations in the background and does not need a user interface .", "spans": {}, "info": {"id": "cyner_test_000492", "source": "cyner_test"}} +{"text": "Broadcast Receivers are Android components that can register themselves for particular events .", "spans": {"SYSTEM: Android": [[24, 31]]}, "info": {"id": "cyner_test_000493", "source": "cyner_test"}} +{"text": "Activities are key building blocks , central to an 
app ’ s navigation , for example .", "spans": {}, "info": {"id": "cyner_test_000494", "source": "cyner_test"}} +{"text": "The SpyNote RAT registers a service called AutoStartup and a broadcast receiver named BootComplete .", "spans": {"MALWARE: SpyNote RAT": [[4, 15]]}, "info": {"id": "cyner_test_000495", "source": "cyner_test"}} +{"text": "MainActivity registers BootComplete with a boot event , so that whenever the device is booted , BootComplete gets triggered .", "spans": {}, "info": {"id": "cyner_test_000496", "source": "cyner_test"}} +{"text": "BootComplete starts the AutoStartup service and the AutoStartup service makes sure that MainActivity is always running .", "spans": {}, "info": {"id": "cyner_test_000497", "source": "cyner_test"}} +{"text": "What follows are some of the features exhibited by SpyNote RAT .", "spans": {"MALWARE: SpyNote RAT": [[51, 62]]}, "info": {"id": "cyner_test_000498", "source": "cyner_test"}} +{"text": "Command execution Command execution can create havoc for victim if the malware developer decides to execute commands in the victim ’ s device .", "spans": {}, "info": {"id": "cyner_test_000499", "source": "cyner_test"}} +{"text": "Leveraging this feature , the malware developer can root the device using a range of vulnerabilities , well-known or zero-day .", "spans": {}, "info": {"id": "cyner_test_000500", "source": "cyner_test"}} +{"text": "The following screenshot shows the command execution functionality in action : The paramString parameter shown in the above screenshot can be any command received from C & C .", "spans": {}, "info": {"id": "cyner_test_000501", "source": "cyner_test"}} +{"text": "Screen capture and audio recording SpyNote RAT was able to take screen captures and , using the device ’ s microphone , listen to audio conversations .", "spans": {"MALWARE: SpyNote RAT": [[35, 46]]}, "info": {"id": "cyner_test_000502", "source": "cyner_test"}} +{"text": "This capability was confirmed when the Android permission , called 
android.permission.RECORD_AUDIO , was being requested along with code found in the app .", "spans": {"SYSTEM: Android": [[39, 46]]}, "info": {"id": "cyner_test_000503", "source": "cyner_test"}} +{"text": "SpyNote RAT captured the device ’ s screen activities along with audio using the MediaProjectionCallback functionality ( available with Lollipop , the Android 5.0 release , and later ) and saved the output in a file named \" video.mp4 '' as shown in the following screenshot SMS stealing SpyNote RAT was also observed stealing SMS messages from the affected devices , as shown in screenshot below : Stealing contacts The ability to steal contacts is a favorite feature for spyware developers , as the stolen contacts can be used to further spread the spyware", "spans": {"MALWARE: SpyNote RAT": [[0, 11], [287, 298]], "SYSTEM: Lollipop": [[136, 144]], "SYSTEM: Android 5.0": [[151, 162]]}, "info": {"id": "cyner_test_000504", "source": "cyner_test"}} +{"text": "The following screenshot shows the contacts being stolen and written in a local array , which is then sent to C & C : Uninstalling apps Uninstalling apps is another function favored by developers of Android spyware and malware .", "spans": {"SYSTEM: Android": [[199, 206]]}, "info": {"id": "cyner_test_000506", "source": "cyner_test"}} +{"text": "They tend to target any antivirus protections on the device and uninstall them , which increases the possibility of their malware persisting on the device .", "spans": {}, "info": {"id": "cyner_test_000507", "source": "cyner_test"}} +{"text": "Following screenshot shows this functionality in action : Other functions In addition to the functionalities we ’ ve described , the SpyNote RAT was exhibiting many other behaviors that make it more robust than most off-the-shelf malware .", "spans": {"MALWARE: SpyNote RAT": [[133, 144]]}, "info": {"id": "cyner_test_000508", "source": "cyner_test"}} +{"text": "SpyNote RAT was designed to function only over Wi-Fi , which is the preferable 
mode for Android malware to send files to C & C .", "spans": {"MALWARE: SpyNote RAT": [[0, 11]], "SYSTEM: Android": [[88, 95]]}, "info": {"id": "cyner_test_000509", "source": "cyner_test"}} +{"text": "The screenshot below shows SpyNote RAT scanning for Wi-Fi and enabling it if a known channel is found : Additional features - SpyNote RAT could click photos using the device 's camera , based on commands from C & C .", "spans": {"MALWARE: SpyNote RAT": [[27, 38], [126, 137]]}, "info": {"id": "cyner_test_000510", "source": "cyner_test"}} +{"text": "- There were two interesting sub-classes found inside Main Activity : Receiver and Sender .", "spans": {}, "info": {"id": "cyner_test_000511", "source": "cyner_test"}} +{"text": "Receiver was involved in receiving commands from the Server and the main functionality of Sender was to send all the data collected to the C & C over Wi-Fi .", "spans": {}, "info": {"id": "cyner_test_000512", "source": "cyner_test"}} +{"text": "- SpyNote RAT was also collecting the device ’ s location to identify the exact location of the victim .", "spans": {"MALWARE: SpyNote RAT": [[2, 13]]}, "info": {"id": "cyner_test_000513", "source": "cyner_test"}} +{"text": "SpyNote RAT builder The SpyNote Remote Access Trojan ( RAT ) builder is gaining popularity in the hacking community , so we decided to study its pervasiveness .", "spans": {"MALWARE: SpyNote RAT": [[0, 11]], "MALWARE: SpyNote": [[24, 31]]}, "info": {"id": "cyner_test_000514", "source": "cyner_test"}} +{"text": "What we found were several other fake apps developed using the SpyNote builder , which should come as a warning to Android users .", "spans": {"MALWARE: SpyNote": [[63, 70]], "SYSTEM: Android": [[115, 122]]}, "info": {"id": "cyner_test_000515", "source": "cyner_test"}} +{"text": "Some of the targeted apps were : Whatsapp YouTube Video Downloader Google Update Instagram Hack Wifi AirDroid WifiHacker Facebook Photoshop SkyTV Hotstar Trump Dash PokemonGo With many more to come .", 
"spans": {"SYSTEM: Whatsapp": [[33, 41]], "SYSTEM: YouTube Video Downloader": [[42, 66]], "SYSTEM: Google Update": [[67, 80]], "SYSTEM: Instagram": [[81, 90]], "SYSTEM: Hack Wifi": [[91, 100]], "SYSTEM: AirDroid": [[101, 109]], "SYSTEM: WifiHacker": [[110, 120]], "SYSTEM: Facebook": [[121, 129]], "SYSTEM: Photoshop": [[130, 139]], "SYSTEM: SkyTV": [[140, 145]], "SYSTEM: Hotstar": [[146, 153]], "SYSTEM: Trump Dash": [[154, 164]], "SYSTEM: PokemonGo": [[165, 174]]}, "info": {"id": "cyner_test_000516", "source": "cyner_test"}} +{"text": "Furthermore , we found that in just the first two weeks of 2017 , there have been more than 120 such spyware variants already built using the same SpyNote Trojan builder as SpyNote RAT and roaming in the wild .", "spans": {"MALWARE: SpyNote": [[147, 154]], "MALWARE: SpyNote RAT": [[173, 184]]}, "info": {"id": "cyner_test_000517", "source": "cyner_test"}} +{"text": "A complete list of sample hashes is available here .", "spans": {}, "info": {"id": "cyner_test_000518", "source": "cyner_test"}} +{"text": "Conclusion The days when one needed in-depth coding knowledge to develop malware are long gone .", "spans": {}, "info": {"id": "cyner_test_000519", "source": "cyner_test"}} +{"text": "Nowadays , script kiddies can build a piece of malware that can create real havoc .", "spans": {}, "info": {"id": "cyner_test_000520", "source": "cyner_test"}} +{"text": "Moreover , there are many toolkits like the SpyNote Trojan builder that enable users to build malware with ease and few clicks .", "spans": {"MALWARE: SpyNote": [[44, 51]]}, "info": {"id": "cyner_test_000521", "source": "cyner_test"}} +{"text": "In particular , avoid side-loading apps from third-party app stores and avoid the temptation to play games that are not yet available on Android .", "spans": {"SYSTEM: Android": [[137, 144]]}, "info": {"id": "cyner_test_000522", "source": "cyner_test"}} +{"text": "Yes , we are talking about SuperMarioRun , which was recently launched by Nintendo 
only for iOS users .", "spans": {"SYSTEM: SuperMarioRun": [[27, 40]], "ORGANIZATION: Nintendo": [[74, 82]], "SYSTEM: iOS": [[92, 95]]}, "info": {"id": "cyner_test_000523", "source": "cyner_test"}} +{"text": "Recent blogs by the Zscaler research team explain how some variants of Android malware are exploiting the popularity of this game and tricking Android users into downloading a fake version .", "spans": {"ORGANIZATION: Zscaler": [[20, 27]], "MALWARE: Android": [[71, 78]], "SYSTEM: Android": [[143, 150]]}, "info": {"id": "cyner_test_000524", "source": "cyner_test"}} +{"text": "( Have a look here and here .", "spans": {}, "info": {"id": "cyner_test_000525", "source": "cyner_test"}} +{"text": ") You should also avoid the temptation to play games from sources other than legitimate app stores ; such games are not safe and may bring harm to your reputation and your bank account .", "spans": {}, "info": {"id": "cyner_test_000526", "source": "cyner_test"}} +{"text": "FakeSpy Masquerades as Postal Service Apps Around the World July 1 , 2020 KEY FINDINGS The Cybereason Nocturnus team is investigating a new campaign involving FakeSpy , an Android mobile malware that emerged around October 2017 .", "spans": {"MALWARE: FakeSpy": [[0, 7], [159, 166]], "ORGANIZATION: Cybereason Nocturnus": [[91, 111]], "SYSTEM: Android": [[172, 179]]}, "info": {"id": "cyner_test_000527", "source": "cyner_test"}} +{"text": "FakeSpy is an information stealer used to steal SMS messages , send SMS messages , steal financial data , read account information and contact lists , steal application data , and do much more .", "spans": {"MALWARE: FakeSpy": [[0, 7]]}, "info": {"id": "cyner_test_000528", "source": "cyner_test"}} +{"text": "FakeSpy first targeted South Korean and Japanese speakers .", "spans": {"MALWARE: FakeSpy": [[0, 7]]}, "info": {"id": "cyner_test_000529", "source": "cyner_test"}} +{"text": "However , it has begun to target users all around the world , especially users in countries like 
China , Taiwan , France , Switzerland , Germany , United Kingdom , United States , and others .", "spans": {}, "info": {"id": "cyner_test_000530", "source": "cyner_test"}} +{"text": "FakeSpy masquerades as legitimate postal service apps and transportation services in order to gain the users ' trust .", "spans": {"MALWARE: FakeSpy": [[0, 7]]}, "info": {"id": "cyner_test_000531", "source": "cyner_test"}} +{"text": "Once installed , the application requests permissions so that it may control SMS messages and steal sensitive data on the device , as well as proliferate to other devices in the target device ’ s contact list .", "spans": {}, "info": {"id": "cyner_test_000532", "source": "cyner_test"}} +{"text": "Cybereason 's investigation shows that the threat actor behind the FakeSpy campaign is a Chinese-speaking group dubbed \" Roaming Mantis '' , a group that has led similar campaigns .", "spans": {"ORGANIZATION: Cybereason": [[0, 10]], "MALWARE: FakeSpy": [[67, 74]], "ORGANIZATION: Roaming Mantis": [[121, 135]]}, "info": {"id": "cyner_test_000533", "source": "cyner_test"}} +{"text": "FakeSpy has been in the wild since 2017 ; this latest campaign indicates that it has become more powerful .", "spans": {"MALWARE: FakeSpy": [[0, 7]]}, "info": {"id": "cyner_test_000534", "source": "cyner_test"}} +{"text": "Code improvements , new capabilities , anti-emulation techniques , and new , global targets all suggest that this malware is well-maintained by its authors and continues to evolve .", "spans": {}, "info": {"id": "cyner_test_000535", "source": "cyner_test"}} +{"text": "TABLE OF CONTENTS Key Findings Introduction Threat Analysis Fakespy Code Analysis Dynamic Library Loading Stealing Sensitive Information Anti-Emulator Techniques Under Active Development Who is Behind Fakespy 's Smishing Campaigns ?", "spans": {"MALWARE: Fakespy": [[60, 67], [201, 208]]}, "info": {"id": "cyner_test_000536", "source": "cyner_test"}} +{"text": "Conclusions Cybereason Mobile Detects and 
Stops FakeSpy Indicators of Compromise INTRODUCTION For the past several weeks , Cybereason has been investigating a new version of Android malware dubbed FakeSpy , which was first identified in October 2017 and reported again in October 2018 .", "spans": {"ORGANIZATION: Cybereason Mobile": [[12, 29]], "MALWARE: FakeSpy": [[48, 55], [197, 204]], "ORGANIZATION: Cybereason": [[123, 133]], "SYSTEM: Android": [[174, 181]]}, "info": {"id": "cyner_test_000537", "source": "cyner_test"}} +{"text": "A new campaign is up and running using newly improved , significantly more powerful malware as compared to previous versions .", "spans": {}, "info": {"id": "cyner_test_000538", "source": "cyner_test"}} +{"text": "FakeSpy is under active development and is evolving rapidly ; new versions are released every week with additional evasion techniques and capabilities .", "spans": {"MALWARE: FakeSpy": [[0, 7]]}, "info": {"id": "cyner_test_000539", "source": "cyner_test"}} +{"text": "Our analysis shows that the threat actor behind the FakeSpy malware is a Chinese-speaking group , commonly referred to as \" Roaming Mantis '' , a group that is known to have launched similar campaigns in the past .", "spans": {"MALWARE: FakeSpy": [[52, 59]], "ORGANIZATION: Roaming Mantis": [[124, 138]]}, "info": {"id": "cyner_test_000540", "source": "cyner_test"}} +{"text": "FakeSpy is an information stealer that exfiltrates and sends SMS messages , steals financial and application data , reads account information and contact lists , and more .", "spans": {"MALWARE: FakeSpy": [[0, 7]]}, "info": {"id": "cyner_test_000541", "source": "cyner_test"}} +{"text": "The malware uses smishing , or SMS phishing , to infiltrate target devices , which is a technique that relies on social engineering .", "spans": {}, "info": {"id": "cyner_test_000542", "source": "cyner_test"}} +{"text": "The attackers send fake text messages to lure the victims to click on a malicious link .", "spans": {}, "info": {"id": 
"cyner_test_000543", "source": "cyner_test"}} +{"text": "The link directs them to a malicious web page , which prompts them to download an Android application package ( APK ) .", "spans": {}, "info": {"id": "cyner_test_000544", "source": "cyner_test"}} +{"text": "This most recent FakeSpy campaign appears to target users of postal services around the world .", "spans": {"MALWARE: FakeSpy": [[17, 24]]}, "info": {"id": "cyner_test_000545", "source": "cyner_test"}} +{"text": "New versions of FakeSpy masquerade as government post office apps and transportation services apps .", "spans": {"MALWARE: FakeSpy": [[16, 23]]}, "info": {"id": "cyner_test_000546", "source": "cyner_test"}} +{"text": "Our analysis indicates that the threat actors are no longer limiting their campaigns to East Asian countries , but are targeting additional countries around the world .", "spans": {}, "info": {"id": "cyner_test_000547", "source": "cyner_test"}} +{"text": "THREAT ANALYSIS Infection Vector : Smishing Your Device Thus far , FakeSpy campaigns are characterized by SMS phishing ( a.k.a .", "spans": {"MALWARE: FakeSpy": [[67, 74]]}, "info": {"id": "cyner_test_000548", "source": "cyner_test"}} +{"text": "smishing ) .", "spans": {}, "info": {"id": "cyner_test_000549", "source": "cyner_test"}} +{"text": "These SMS messages masquerade as a message from the local post office and link to the FakeSpy download .", "spans": {"MALWARE: FakeSpy": [[86, 93]]}, "info": {"id": "cyner_test_000550", "source": "cyner_test"}} +{"text": "In a previous campaign reported by JPCERT , mobile users were alerted by phishy messages containing “ delivery updates ” purportedly from Sagawa Express .", "spans": {"ORGANIZATION: JPCERT": [[35, 41]], "ORGANIZATION: Sagawa Express": [[138, 152]]}, "info": {"id": "cyner_test_000551", "source": "cyner_test"}} +{"text": "Fake SMS message luring users to enter a fake website , which contains the malicious APK ( JPCERT report ) .", "spans": {"ORGANIZATION: JPCERT": [[91, 97]]}, 
"info": {"id": "cyner_test_000552", "source": "cyner_test"}} +{"text": "Clicking the SMS link brings the user to a fake website that prompts them to download and install the FakeSpy APK , which is masquerading as a local postal service app .", "spans": {"MALWARE: FakeSpy": [[102, 109]]}, "info": {"id": "cyner_test_000553", "source": "cyner_test"}} +{"text": "Targeting Postal and Transportation Services Companies One of the most significant findings is that new versions of FakeSpy target not only Korean and Japanese speakers , but also almost any postal service company around the world .", "spans": {"MALWARE: FakeSpy": [[116, 123]]}, "info": {"id": "cyner_test_000554", "source": "cyner_test"}} +{"text": "Example of more recent FakeSpy campaigns targeting France .", "spans": {"MALWARE: FakeSpy": [[23, 30]]}, "info": {"id": "cyner_test_000555", "source": "cyner_test"}} +{"text": "New FakeSpy campaign applications leveraging fake postal services apps .", "spans": {"MALWARE: FakeSpy": [[4, 11]]}, "info": {"id": "cyner_test_000556", "source": "cyner_test"}} +{"text": "All recent FakeSpy versions contain the same code with minor changes .", "spans": {"MALWARE: FakeSpy": [[11, 18]]}, "info": {"id": "cyner_test_000557", "source": "cyner_test"}} +{"text": "The FakeSpy malware has been found to masquerade as any of the following companies : United States Postal Service - An independent agency of the executive branch of the United States federal government .", "spans": {"MALWARE: FakeSpy": [[4, 11]], "ORGANIZATION: United States Postal Service": [[85, 113]]}, "info": {"id": "cyner_test_000558", "source": "cyner_test"}} +{"text": "USPS is the most well-known branch of the US government and provides a publicly funded postal service .", "spans": {"ORGANIZATION: USPS": [[0, 4]]}, "info": {"id": "cyner_test_000559", "source": "cyner_test"}} +{"text": "Royal Mail - British postal service and courier company .", "spans": {"ORGANIZATION: Royal Mail": [[0, 10]]}, "info": {"id": 
"cyner_test_000560", "source": "cyner_test"}} +{"text": "For most of its history it operated as a government department or public corporation .", "spans": {}, "info": {"id": "cyner_test_000561", "source": "cyner_test"}} +{"text": "Deutsche Post - Deutsche Post DHL Group , a German multinational package delivery and supply chain management company headquartered in Bonn .", "spans": {"ORGANIZATION: Deutsche Post": [[0, 13]], "ORGANIZATION: DHL Group": [[30, 39]]}, "info": {"id": "cyner_test_000562", "source": "cyner_test"}} +{"text": "La Poste - La Poste is a public limited postal service company in France .", "spans": {"ORGANIZATION: La Poste": [[0, 8]]}, "info": {"id": "cyner_test_000563", "source": "cyner_test"}} +{"text": "Japan Post - A private Japanese post , logistics and courier headquartered in Tokyo .", "spans": {"ORGANIZATION: Japan Post": [[0, 10]]}, "info": {"id": "cyner_test_000564", "source": "cyner_test"}} +{"text": "Yamato Transport - One of Japan 's largest door-to-door delivery service companies , also in Tokyo .", "spans": {"ORGANIZATION: Yamato Transport": [[0, 16]]}, "info": {"id": "cyner_test_000565", "source": "cyner_test"}} +{"text": "Chunghwa Post - The government-owned corporation Chunghwa is the official postal service of Taiwan .", "spans": {"ORGANIZATION: Chunghwa Post": [[0, 13]], "ORGANIZATION: Chunghwa": [[49, 57]]}, "info": {"id": "cyner_test_000566", "source": "cyner_test"}} +{"text": "Swiss Post - The national postal service of Switzerland , a fully state-owned limited company ( AG ) regulated by public law .", "spans": {"ORGANIZATION: Swiss Post": [[0, 10]]}, "info": {"id": "cyner_test_000567", "source": "cyner_test"}} +{"text": "The fake applications are built using WebView , a popular extension of Android ’ s View class that lets the developer show a webpage .", "spans": {"SYSTEM: WebView": [[38, 45]], "SYSTEM: Android": [[71, 78]]}, "info": {"id": "cyner_test_000568", "source": "cyner_test"}} +{"text": "FakeSpy uses this view 
to redirect users to the original post office carrier webpage on launch of the application , continuing the deception .", "spans": {"MALWARE: FakeSpy": [[0, 7]]}, "info": {"id": "cyner_test_000569", "source": "cyner_test"}} +{"text": "This allows the application to appear legitimate , especially given these applications icons and user interface .", "spans": {}, "info": {"id": "cyner_test_000570", "source": "cyner_test"}} +{"text": "New FakeSpy applications masquerading as post office apps .", "spans": {"MALWARE: FakeSpy": [[4, 11]]}, "info": {"id": "cyner_test_000571", "source": "cyner_test"}} +{"text": "FAKESPY CODE ANALYSIS Once the user clicks on the malicious link from the SMS message , the app asks them to approve installation from unknown resources .", "spans": {"MALWARE: FAKESPY": [[0, 7]]}, "info": {"id": "cyner_test_000572", "source": "cyner_test"}} +{"text": "This configuration can be toggled on by going to ‘ Settings ’ - > ‘ Security ’ - > ‘ Unknown Resources ’ .", "spans": {}, "info": {"id": "cyner_test_000573", "source": "cyner_test"}} +{"text": "PackageInstaller shows the app ’ s permission access and asks for the user 's approval , which then installs the application .", "spans": {}, "info": {"id": "cyner_test_000574", "source": "cyner_test"}} +{"text": "This analysis dissects FakeSpy ’ s Chunghwa Post app version , which emerged in April 2020 .", "spans": {"MALWARE: FakeSpy": [[23, 30]]}, "info": {"id": "cyner_test_000575", "source": "cyner_test"}} +{"text": "During the installation , the malware asks for the following permissions : READ_PHONE_STATE - Allows read-only access to the phone state , including the current cellular network information , the status of any ongoing calls , and a list of any PhoneAccounts registered on the device .", "spans": {}, "info": {"id": "cyner_test_000576", "source": "cyner_test"}} +{"text": "READ_SMS - Allows the application to read text messages .", "spans": {}, "info": {"id": "cyner_test_000577", "source": 
"cyner_test"}} +{"text": "RECEIVE_SMS - Allows the application to receive SMS messages .", "spans": {}, "info": {"id": "cyner_test_000578", "source": "cyner_test"}} +{"text": "WRITE_SMS - Allows the application to write to SMS messages stored on the device or SIM card , including y deleting messages .", "spans": {}, "info": {"id": "cyner_test_000579", "source": "cyner_test"}} +{"text": "SEND_SMS - Allows the application to send SMS messages .", "spans": {}, "info": {"id": "cyner_test_000580", "source": "cyner_test"}} +{"text": "INTERNET - Allows the application to open network sockets .", "spans": {}, "info": {"id": "cyner_test_000581", "source": "cyner_test"}} +{"text": "WRITE_EXTERNAL_STORAGE - Allows the application to write to external storage .", "spans": {}, "info": {"id": "cyner_test_000582", "source": "cyner_test"}} +{"text": "READ_EXTERNAL_STORAGE - Allows the application to read from external storage .", "spans": {}, "info": {"id": "cyner_test_000583", "source": "cyner_test"}} +{"text": "RECEIVE_BOOT_COMPLETED - Allows the application to receive a broadcast after the system finishes booting .", "spans": {}, "info": {"id": "cyner_test_000584", "source": "cyner_test"}} +{"text": "GET_TASKS - Allows the application to get information about current or recently run tasks .", "spans": {}, "info": {"id": "cyner_test_000585", "source": "cyner_test"}} +{"text": "( deprecated in API level 21 ) SYSTEM_ALERT_WINDOW - Allows the application to create windows shown on top of all other apps .", "spans": {}, "info": {"id": "cyner_test_000586", "source": "cyner_test"}} +{"text": "WAKE_LOCK - Allows the application to use PowerManager WakeLocks to keep the processor from sleeping or the screen from dimming .", "spans": {}, "info": {"id": "cyner_test_000587", "source": "cyner_test"}} +{"text": "ACCESS_NETWORK_STATE - Allows the application to access information about networks .", "spans": {}, "info": {"id": "cyner_test_000588", "source": "cyner_test"}} +{"text": 
"REQUEST_IGNORE_BATTERY_OPTIMIZATIONS - Whitelists the application to allow it to ignore battery optimizations .", "spans": {}, "info": {"id": "cyner_test_000589", "source": "cyner_test"}} +{"text": "READ_CONTACTS - Allows the application to read the user 's contacts data .", "spans": {}, "info": {"id": "cyner_test_000590", "source": "cyner_test"}} +{"text": "FakeSpy package permissions .", "spans": {"MALWARE: FakeSpy": [[0, 7]]}, "info": {"id": "cyner_test_000591", "source": "cyner_test"}} +{"text": "On opening the app , two pop-up messages appear on screen : Change SMS App : This sets permissions to intercept every SMS received on the device and send a copy of these messages to the C2 server .", "spans": {}, "info": {"id": "cyner_test_000592", "source": "cyner_test"}} +{"text": "Ignore Battery Optimization : This sets permissions to continue to operate at full capacity while the phone 's screen is turned off and the phone locked .", "spans": {}, "info": {"id": "cyner_test_000593", "source": "cyner_test"}} +{"text": "These requests rely on the end user accepting the permission changes and points to the importance of healthy skepticism when giving applications permissions .", "spans": {}, "info": {"id": "cyner_test_000594", "source": "cyner_test"}} +{"text": "FakeSpy Chunghwa Post version installation process and application UI .", "spans": {"MALWARE: FakeSpy": [[0, 7]], "ORGANIZATION: Chunghwa Post": [[8, 21]]}, "info": {"id": "cyner_test_000595", "source": "cyner_test"}} +{"text": "DYNAMIC LIBRARY LOADING Once the application has finished the installation process , the malware starts its real malicious activity .", "spans": {}, "info": {"id": "cyner_test_000596", "source": "cyner_test"}} +{"text": "The malicious application da.hao.pao.bin ( Chunghwa Post ) loads a library file libmsy.so used to execute the packed mycode.jar file .", "spans": {"ORGANIZATION: Chunghwa Post": [[43, 56]]}, "info": {"id": "cyner_test_000597", "source": "cyner_test"}} +{"text": "The 
JAR file is the decrypted version of the file tong.luo , which is located in the assets folder .", "spans": {}, "info": {"id": "cyner_test_000598", "source": "cyner_test"}} +{"text": "Decompiled APK resources .", "spans": {}, "info": {"id": "cyner_test_000599", "source": "cyner_test"}} +{"text": "By comparing the sizes of the encrypted asset file tong.luo vs the decrypted JAR file mycode.jar , it is interesting to note that it is the same file ( almost the same size ) .", "spans": {}, "info": {"id": "cyner_test_000600", "source": "cyner_test"}} +{"text": "Comparing encrypted vs decrypted asset file .", "spans": {}, "info": {"id": "cyner_test_000601", "source": "cyner_test"}} +{"text": "After libmsy.so decrypts the asset file tong.luo , it loads mycode.jar dynamically into FakeSpy ’ s process , as is shown from the output of the “ adb logcat ” command .", "spans": {"MALWARE: FakeSpy": [[88, 95]]}, "info": {"id": "cyner_test_000602", "source": "cyner_test"}} +{"text": "Logcat logs show FakeSpy uses libmsy.so to execute the malicious packed mycode.jar file .", "spans": {"MALWARE: FakeSpy": [[17, 24]]}, "info": {"id": "cyner_test_000603", "source": "cyner_test"}} +{"text": "By analyzing running processes on the infected device , it shows that the malware creates a child process of itself to perform the multi-process ptrace anti-debugging technique .", "spans": {}, "info": {"id": "cyner_test_000604", "source": "cyner_test"}} +{"text": "FakeSpy uses an anti-debugging technique by creating another child process of itself .", "spans": {"MALWARE: FakeSpy": [[0, 7]]}, "info": {"id": "cyner_test_000605", "source": "cyner_test"}} +{"text": "By performing a deep analysis of the malware , we were able to extract the unpacked JAR file mycode.jar and reveal some very interesting code .", "spans": {}, "info": {"id": "cyner_test_000606", "source": "cyner_test"}} +{"text": "STEALING SENSITIVE INFORMATION FakeSpy has multiple built in information stealing capabilities .", "spans": 
{"MALWARE: FakeSpy": [[31, 38]]}, "info": {"id": "cyner_test_000607", "source": "cyner_test"}} +{"text": "The first function is used for contact information stealing : the function upCon steals all contacts in the contact list and their information .", "spans": {}, "info": {"id": "cyner_test_000608", "source": "cyner_test"}} +{"text": "Then , it sends it to the C2 server using the URL that ends with /servlet/ContactUpload .", "spans": {}, "info": {"id": "cyner_test_000609", "source": "cyner_test"}} +{"text": "The stolen data fields are : Mobile - The infected device phone number and contact ’ s phone number Contacts - A headline used for the attacker to distinguish between the type of stolen information he gets Name - Contact ’ s full name ( Display name ) upCon ( upload contact ) function used for stealing contact list information .", "spans": {}, "info": {"id": "cyner_test_000610", "source": "cyner_test"}} +{"text": "For testing purposes we inserted a fake contacts list to our Android Emulator and observed resultant behavior .", "spans": {"SYSTEM: Android": [[61, 68]]}, "info": {"id": "cyner_test_000611", "source": "cyner_test"}} +{"text": "Exfiltrated contact list data sent to the C2 server .", "spans": {}, "info": {"id": "cyner_test_000612", "source": "cyner_test"}} +{"text": "The second stealing function is the onStartCommand , which steals infected device data and additional information .", "spans": {}, "info": {"id": "cyner_test_000613", "source": "cyner_test"}} +{"text": "The stolen data is sent to the C2 server using the URL ending with /servlet/xx .", "spans": {}, "info": {"id": "cyner_test_000614", "source": "cyner_test"}} +{"text": "The stolen data fields are : Mobile - The infected device phone number Machine - The device model ( in our example : Google Pixel 2 ) Sversion - The OS version Bank - Checks if there are any banking-related or cryptocurrency trading apps Provider - The telecommunication provider ( IMSI value in device settings ) npki - 
Checks if the folder named NPKI ( National Public Key Infrastructure ) might contain authentication certificates related to financial transactions onStartCommand function for stealing device information and additional sensitive data .", "spans": {"SYSTEM: Google Pixel 2": [[117, 131]]}, "info": {"id": "cyner_test_000615", "source": "cyner_test"}} +{"text": "Exfiltrated device information and additional sensitive data sent to the C2 server .", "spans": {}, "info": {"id": "cyner_test_000616", "source": "cyner_test"}} +{"text": "FakeSpy asks to be the default SMS app because it uses the function onReceive to intercept incoming SMS messages .", "spans": {"MALWARE: FakeSpy": [[0, 7]]}, "info": {"id": "cyner_test_000617", "source": "cyner_test"}} +{"text": "It saves the messages ’ metadata and content , filters the information by fields , and sends them to the C2 server using the URL /servlet/SendMassage2 .", "spans": {}, "info": {"id": "cyner_test_000618", "source": "cyner_test"}} +{"text": "The fields it collects are : Mobile - The phone number which sent the SMS Content - The message body Sender - The contact name who sent the message Time - The time the message was received onReceive function used to intercept incoming SMS messages .", "spans": {}, "info": {"id": "cyner_test_000619", "source": "cyner_test"}} +{"text": "The malware uses the function sendAll to send messages that spread the malware to other devices .", "spans": {}, "info": {"id": "cyner_test_000620", "source": "cyner_test"}} +{"text": "It sends a smishing message to the entire contact list of the infected device along with the malicious link to the FakeSpy installation page .", "spans": {"MALWARE: FakeSpy": [[115, 122]]}, "info": {"id": "cyner_test_000621", "source": "cyner_test"}} +{"text": "sendAll function used to spread malicious messages to the contact list .", "spans": {}, "info": {"id": "cyner_test_000622", "source": "cyner_test"}} +{"text": "Another interesting feature in FakeSpy ’ s code is 
the collection of the device 's IMEI ( International Mobile Station Equipment Identity ) number and all installed applications using the function upAppinfos .", "spans": {"MALWARE: FakeSpy": [[31, 38]]}, "info": {"id": "cyner_test_000623", "source": "cyner_test"}} +{"text": "It sends all of this data to the C2 server using the URL ending with /servlet/AppInfos .", "spans": {}, "info": {"id": "cyner_test_000624", "source": "cyner_test"}} +{"text": "upAppinfos function used for obtaining the device IMEI and all of its installed applications .", "spans": {}, "info": {"id": "cyner_test_000625", "source": "cyner_test"}} +{"text": "FakeSpy is able to check the network connectivity status by using the function isNetworkAvailable .", "spans": {"MALWARE: FakeSpy": [[0, 7]]}, "info": {"id": "cyner_test_000626", "source": "cyner_test"}} +{"text": "What makes this function more suspicious is the two strings written in Chinese characters : ===状态=== ( ===Status=== ) - Checks whether the device is connected to a network ===类型=== ( ===Type=== ) - Checks whether the device sees available nearby Wifi networks isNetworkAvailable function used for monitoring network connectivity status .", "spans": {}, "info": {"id": "cyner_test_000627", "source": "cyner_test"}} +{"text": "ANTI-EMULATOR TECHNIQUES FakeSpy appears to use multiple techniques to evade detection via the emulator .", "spans": {"MALWARE: FakeSpy": [[25, 32]]}, "info": {"id": "cyner_test_000628", "source": "cyner_test"}} +{"text": "It shows that the malware can detect whether it ’ s running in an emulated environment or a real mobile device , and can change its code pattern accordingly .", "spans": {}, "info": {"id": "cyner_test_000629", "source": "cyner_test"}} +{"text": "The first example of this is in the onStart function , where the malware looks for the string “ Emulator ” and a x86 processor model .", "spans": {}, "info": {"id": "cyner_test_000630", "source": "cyner_test"}} +{"text": "Anti-emulator code .", "spans": 
{}, "info": {"id": "cyner_test_000631", "source": "cyner_test"}} +{"text": "In order to simulate this technique , we took two videos side by side of how FakeSpy ( the Royal Mail sample ) behaves differently on a physical device versus an emulator .", "spans": {"MALWARE: FakeSpy": [[77, 84]], "ORGANIZATION: Royal Mail": [[91, 101]]}, "info": {"id": "cyner_test_000632", "source": "cyner_test"}} +{"text": "FakeSpy behavior on physical device vs emulator ( anti-emulator ) .", "spans": {"MALWARE: FakeSpy": [[0, 7]]}, "info": {"id": "cyner_test_000633", "source": "cyner_test"}} +{"text": "This simulation shows that FakeSpy behaves differently on a physical device versus an emulator .", "spans": {"MALWARE: FakeSpy": [[27, 34]]}, "info": {"id": "cyner_test_000634", "source": "cyner_test"}} +{"text": "When executed the second time by clicking on the app on the physical device , FakeSpy redirects to the app settings .", "spans": {"MALWARE: FakeSpy": [[78, 85]]}, "info": {"id": "cyner_test_000635", "source": "cyner_test"}} +{"text": "In contrast , on the emulator , a toast message is displayed that shows “ Install completed ” , at which point FakeSpy removes its shortcut from the device 's homescreen .", "spans": {"MALWARE: FakeSpy": [[111, 118]]}, "info": {"id": "cyner_test_000636", "source": "cyner_test"}} +{"text": "Another example of FakeSpy ’ s anti-emulation techniques is how it uses the getMachine function , which uses the TelephonyManager class to check for the deviceID , phone number , IMEI , and IMSI .", "spans": {"MALWARE: FakeSpy": [[19, 26]]}, "info": {"id": "cyner_test_000637", "source": "cyner_test"}} +{"text": "Some emulators build their phone number out of the default number created in the emulator software and the port number : 5554. 
getMachine function using anti-emulator technique .", "spans": {}, "info": {"id": "cyner_test_000638", "source": "cyner_test"}} +{"text": "UNDER ACTIVE DEVELOPMENT An analysis of new FakeSpy samples to old ones showed code discrepancies and new features .", "spans": {"MALWARE: FakeSpy": [[44, 51]]}, "info": {"id": "cyner_test_000639", "source": "cyner_test"}} +{"text": "These artifacts indicate that FakeSpy 's campaign is still live and under development .", "spans": {"MALWARE: FakeSpy": [[30, 37]]}, "info": {"id": "cyner_test_000640", "source": "cyner_test"}} +{"text": "The newer version of FakeSpy uses new URL addresses for malicious communication with FakeSpy .", "spans": {"MALWARE: FakeSpy": [[21, 28], [85, 92]]}, "info": {"id": "cyner_test_000641", "source": "cyner_test"}} +{"text": "The function main uses a DES encryption algorithm to encode these addresses .", "spans": {}, "info": {"id": "cyner_test_000642", "source": "cyner_test"}} +{"text": "The examples below show the plaintext key “ TEST ” to decrypt encoded hexadecimal strings ( jUtils.decrypt ( ) ) .", "spans": {}, "info": {"id": "cyner_test_000643", "source": "cyner_test"}} +{"text": "These encoded strings contain the new URL addresses not seen in older versions of FakeSpy .", "spans": {"MALWARE: FakeSpy": [[82, 89]]}, "info": {"id": "cyner_test_000644", "source": "cyner_test"}} +{"text": "Comparing strings from an old FakeSpy sample to a new one .", "spans": {"MALWARE: FakeSpy": [[30, 37]]}, "info": {"id": "cyner_test_000645", "source": "cyner_test"}} +{"text": "WHO IS BEHIND FAKESPY ’ S SMISHING CAMPAIGNS ?", "spans": {"MALWARE: FAKESPY": [[14, 21]]}, "info": {"id": "cyner_test_000646", "source": "cyner_test"}} +{"text": "The Cybereason Nocturnus team suspects that the malware operators and authors are Chinese speakers .", "spans": {"ORGANIZATION: Cybereason Nocturnus": [[4, 24]]}, "info": {"id": "cyner_test_000647", "source": "cyner_test"}} +{"text": "Our findings , along with previous research , 
indicates that the threat actor behind these recent campaigns is likely a Chinese group dubbed “ Roaming Mantis ” .", "spans": {"ORGANIZATION: Roaming Mantis": [[143, 157]]}, "info": {"id": "cyner_test_000648", "source": "cyner_test"}} +{"text": "Roaming Mantis is believed to be a Chinese threat actor group first discovered in April 2018 that has continuously evolved .", "spans": {"ORGANIZATION: Roaming Mantis": [[0, 14]]}, "info": {"id": "cyner_test_000649", "source": "cyner_test"}} +{"text": "In the beginning , this threat group mainly targeted Asian countries .", "spans": {}, "info": {"id": "cyner_test_000650", "source": "cyner_test"}} +{"text": "Now , they are expanding their activity to audiences all around the world .", "spans": {}, "info": {"id": "cyner_test_000651", "source": "cyner_test"}} +{"text": "As part of their activities , they are known for hijacking DNS settings on Japanese routers that redirect users to malicious IP addresses , creating disguised malicious Android apps that appear as popular apps , stealing Apple ID credentials by creating Apple phishing pages , as well as performing web crypto mining on browsers .", "spans": {"SYSTEM: Android": [[169, 176]], "ORGANIZATION: Apple": [[221, 226], [254, 259]]}, "info": {"id": "cyner_test_000652", "source": "cyner_test"}} +{"text": "CONNECTION TO CHINA Chinese server infrastructure : FakeSpy applications send stolen information to C2 domains with .club TLDs and URLs ending with /servlet/ [ C2 Command ] ( mentioned above in the “ Stealing Sensitive Information ” section ) .", "spans": {"MALWARE: FakeSpy": [[52, 59]]}, "info": {"id": "cyner_test_000653", "source": "cyner_test"}} +{"text": "All of these domains are registered to ‘ Li Jun Biao ’ on Bizcn , Inc , a Chinese Internet application service provider .", "spans": {"ORGANIZATION: Bizcn , Inc": [[58, 69]]}, "info": {"id": "cyner_test_000654", "source": "cyner_test"}} +{"text": "Chinese language traces in the code : During the investigation , the 
Cybereason Nocturnus team discovered code artifacts that may indicate Chinese threat actors .", "spans": {"ORGANIZATION: Cybereason Nocturnus": [[69, 89]]}, "info": {"id": "cyner_test_000655", "source": "cyner_test"}} +{"text": "For example , we found several suspicious strings written in the Chinese language in a function called isNetworkAvailable , previously discussed in this blog : An almost identical function is mentioned in an earlier research , that ties FakeSpy and other malware to the Roaming Mantis group .", "spans": {"MALWARE: FakeSpy": [[237, 244]], "ORGANIZATION: Roaming Mantis": [[270, 284]]}, "info": {"id": "cyner_test_000656", "source": "cyner_test"}} +{"text": "Chinese APK names : Some of FakeSpy ’ s APK package names contain anglicized Chinese ( Mandarin ) words that might be related to Chinese songs and lyrics , food , provinces , etc .", "spans": {"MALWARE: FakeSpy": [[28, 35]]}, "info": {"id": "cyner_test_000657", "source": "cyner_test"}} +{"text": "CONCLUSIONS FakeSpy was first seen in October 2017 and until recently mainly targeted East Asian countries .", "spans": {"MALWARE: FakeSpy": [[12, 19]]}, "info": {"id": "cyner_test_000658", "source": "cyner_test"}} +{"text": "Our research shows fresh developments in the malware ’ s code and sophistication , as well as an expansion to target Europe and North America .", "spans": {}, "info": {"id": "cyner_test_000659", "source": "cyner_test"}} +{"text": "This mobile malware masquerades as legitimate , trusted postal service applications so that it can gain the users trust .", "spans": {}, "info": {"id": "cyner_test_000660", "source": "cyner_test"}} +{"text": "Once it has been installed , it requests permissions from the user so that it can steal sensitive data , manipulate SMS messages , and potentially infect contacts of the user .", "spans": {}, "info": {"id": "cyner_test_000661", "source": "cyner_test"}} +{"text": "The malware now targets more countries all over the world by masquerading as 
official post office and transportation services apps .", "spans": {}, "info": {"id": "cyner_test_000662", "source": "cyner_test"}} +{"text": "These apps appear legitimate due to their app logo , UI appearance , and redirects to the carrier webpage -- all luring end users to believe it ’ s the original one .", "spans": {}, "info": {"id": "cyner_test_000663", "source": "cyner_test"}} +{"text": "In this blog , we showed that the threat actor behind the recent FakeSpy campaign is a Chinese-speaking group called “ Roaming Mantis ” known to operate mainly in Asia .", "spans": {"MALWARE: FakeSpy": [[65, 72]], "ORGANIZATION: Roaming Mantis": [[119, 133]]}, "info": {"id": "cyner_test_000664", "source": "cyner_test"}} +{"text": "It is interesting to see that the group has expanded their operation to other regions , such as the United States and Europe .", "spans": {}, "info": {"id": "cyner_test_000665", "source": "cyner_test"}} +{"text": "The malware authors seem to be putting a lot of effort into improving this malware , bundling it with numerous new upgrades that make it more sophisticated , evasive , and well-equipped .", "spans": {}, "info": {"id": "cyner_test_000666", "source": "cyner_test"}} +{"text": "These improvements render FakeSpy one of the most powerful information stealers on the market .", "spans": {"MALWARE: FakeSpy": [[26, 33]]}, "info": {"id": "cyner_test_000667", "source": "cyner_test"}} +{"text": "We anticipate this malware to continue to evolve with additional new features ; the only question now is when we will see the next wave .", "spans": {}, "info": {"id": "cyner_test_000668", "source": "cyner_test"}} +{"text": "First Twitter‑controlled Android botnet discovered Detected by ESET as Android/Twitoor , this malware is unique because of its resilience mechanism .", "spans": {"SYSTEM: Twitter‑controlled": [[6, 24]], "SYSTEM: Android": [[25, 32]], "ORGANIZATION: ESET": [[63, 67]], "MALWARE: Android/Twitoor": [[71, 86]]}, "info": {"id": 
"cyner_test_000669", "source": "cyner_test"}} +{"text": "Instead of being controlled by a traditional command-and-control server , it receives instructions via tweets .", "spans": {}, "info": {"id": "cyner_test_000670", "source": "cyner_test"}} +{"text": "24 Aug 2016 - 02:05PM Android/Twitoor is a backdoor capable of downloading other malware onto an infected device .", "spans": {"MALWARE: Android/Twitoor": [[22, 37]]}, "info": {"id": "cyner_test_000671", "source": "cyner_test"}} +{"text": "It has been active for around one month .", "spans": {}, "info": {"id": "cyner_test_000672", "source": "cyner_test"}} +{"text": "This malicious app , detected by ESET as a variant of Android/Twitoor.A , can ’ t be found on any official Android app store – it probably spreads by SMS or via malicious URLs .", "spans": {"ORGANIZATION: ESET": [[33, 37]], "MALWARE: Android/Twitoor.A": [[54, 71]], "SYSTEM: Android app store": [[107, 124]]}, "info": {"id": "cyner_test_000673", "source": "cyner_test"}} +{"text": "It impersonates a porn player app or MMS application but without having their functionality .", "spans": {}, "info": {"id": "cyner_test_000674", "source": "cyner_test"}} +{"text": "After launching , it hides its presence on the system and checks the defined Twitter account at regular intervals for commands .", "spans": {"SYSTEM: Twitter": [[77, 84]]}, "info": {"id": "cyner_test_000675", "source": "cyner_test"}} +{"text": "Based on received commands , it can either download malicious apps or switch the C & C Twitter account to another one .", "spans": {"SYSTEM: Twitter": [[87, 94]]}, "info": {"id": "cyner_test_000676", "source": "cyner_test"}} +{"text": "“ Using Twitter instead of command-and-control ( C & C ) servers is pretty innovative for an Android botnet. 
” “ Using Twitter instead of command-and-control ( C & C ) servers is pretty innovative for an Android botnet , ” says Lukáš Štefanko , the ESET malware researcher who discovered the malicious app .", "spans": {"SYSTEM: Twitter": [[8, 15]], "SYSTEM: Android": [[93, 100], [204, 211]], "ORGANIZATION: Twitter": [[119, 126]], "ORGANIZATION: ESET": [[249, 253]]}, "info": {"id": "cyner_test_000677", "source": "cyner_test"}} +{"text": "Malware that enslaves devices to form botnets needs to be able to receive updated instructions .", "spans": {}, "info": {"id": "cyner_test_000678", "source": "cyner_test"}} +{"text": "That communication is an Achilles heel for any botnet – it may raise suspicion and , cutting the bots off is always lethal to the botnet ’ s functioning .", "spans": {}, "info": {"id": "cyner_test_000679", "source": "cyner_test"}} +{"text": "Additionally , should the command-and-control ( C & C ) servers get seized by the authorities , it would ultimately lead to disclosing information about the entire botnet .", "spans": {}, "info": {"id": "cyner_test_000680", "source": "cyner_test"}} +{"text": "To make the Twitoor botnet ’ s communication more resilient , botnet designers took various steps like encrypting their messages , using complex topologies of the C & C network – or using innovative means for communication , among them the use of social networks .", "spans": {"MALWARE: Twitoor": [[12, 19]]}, "info": {"id": "cyner_test_000681", "source": "cyner_test"}} +{"text": "“ These communication channels are hard to discover and even harder to block entirely .", "spans": {}, "info": {"id": "cyner_test_000682", "source": "cyner_test"}} +{"text": "On the other hand , it ’ s extremely easy for the crooks to re-direct communications to another freshly created account , ” explains Štefanko .", "spans": {}, "info": {"id": "cyner_test_000683", "source": "cyner_test"}} +{"text": "In the Windows space , Twitter , founded in 2006 , was first used to control botnets as 
early as in 2009 .", "spans": {"SYSTEM: Windows": [[7, 14]], "ORGANIZATION: Twitter": [[23, 30]]}, "info": {"id": "cyner_test_000684", "source": "cyner_test"}} +{"text": "Android bots have also already been found being controlled via other non-traditional means – blogs or some of the many cloud messaging systems like Google ’ s or Baidu ’ s – but Twitoor is the first Twitter-based bot malware , according to Štefanko .", "spans": {"SYSTEM: Android": [[0, 7]], "ORGANIZATION: Google": [[148, 154]], "ORGANIZATION: Baidu": [[162, 167]], "MALWARE: Twitoor": [[178, 185]], "SYSTEM: Twitter-based": [[199, 212]]}, "info": {"id": "cyner_test_000685", "source": "cyner_test"}} +{"text": "“ In the future , we can expect that the bad guys will try to make use of Facebook statuses or deploy LinkedIn and other social networks ” , states ESET ’ s researcher .", "spans": {"SYSTEM: Facebook": [[74, 82]], "SYSTEM: LinkedIn": [[102, 110]], "ORGANIZATION: ESET": [[148, 152]]}, "info": {"id": "cyner_test_000686", "source": "cyner_test"}} +{"text": "Currently , the Twitoor trojan has been downloading several versions of mobile banking malware .", "spans": {"MALWARE: Twitoor": [[16, 23]]}, "info": {"id": "cyner_test_000687", "source": "cyner_test"}} +{"text": "However , the botnet operators can start distributing other malware , including ransomware , at any time warns Štefanko .", "spans": {}, "info": {"id": "cyner_test_000688", "source": "cyner_test"}} +{"text": "“ Twitoor serves as another example of how cybercriminals keep on innovating their business , ” Stefanko continues .", "spans": {"MALWARE: Twitoor": [[2, 9]]}, "info": {"id": "cyner_test_000689", "source": "cyner_test"}} +{"text": "“ The takeaway ?", "spans": {}, "info": {"id": "cyner_test_000690", "source": "cyner_test"}} +{"text": "Internet users should keep on securing their activities with good security solutions for both computers and mobile devices. 
” Hashes : E5212D4416486AF42E7ED1F58A526AEF77BE89BE A9891222232145581FE8D0D483EDB4B18836BCFC AFF9F39A6CA5D68C599B30012D79DA29E2672C6E Insidious Android malware gives up all malicious features but one to gain stealth ESET researchers detect a new way of misusing Accessibility", "spans": {"SYSTEM: Android": [[268, 275]], "ORGANIZATION: ESET": [[340, 344]]}, "info": {"id": "cyner_test_000691", "source": "cyner_test"}} +{"text": "Service , the Achilles ’ heel of Android security 22 May 2020 - 03:00PM ESET researchers have analyzed an extremely dangerous Android app that can perform a host of nefarious actions , notably wiping out the victim ’ s bank account or cryptocurrency wallet and taking over their email or social media accounts .", "spans": {"SYSTEM: Android": [[33, 40], [126, 133]], "ORGANIZATION: ESET": [[72, 76]]}, "info": {"id": "cyner_test_000692", "source": "cyner_test"}} +{"text": "Called “ DEFENSOR ID ” , the banking trojan was available on Google Play at the time of the analysis .", "spans": {"MALWARE: DEFENSOR ID": [[9, 20]], "SYSTEM: Google Play": [[61, 72]]}, "info": {"id": "cyner_test_000693", "source": "cyner_test"}} +{"text": "The app is fitted with standard information-stealing capabilities ; however , this banker is exceptionally insidious in that after installation it requires a single action from the victim – enable Android ’ s Accessibility Service – to fully unleash the app ’ s malicious functionality .", "spans": {"SYSTEM: Android": [[197, 204]]}, "info": {"id": "cyner_test_000694", "source": "cyner_test"}} +{"text": "The DEFENSOR ID app made it onto the heavily guarded Google Play store thanks to its extreme stealth .", "spans": {"MALWARE: DEFENSOR ID": [[4, 15]], "SYSTEM: Google Play store": [[53, 70]]}, "info": {"id": "cyner_test_000695", "source": "cyner_test"}} +{"text": "Its creators reduced the app ’ s malicious surface to the bare minimum by removing all potentially malicious functionalities but one : abusing Accessibility Service 
.", "spans": {}, "info": {"id": "cyner_test_000696", "source": "cyner_test"}} +{"text": "Accessibility Service is long known to be the Achilles ’ heel of the Android operating system .", "spans": {"SYSTEM: Android": [[69, 76]]}, "info": {"id": "cyner_test_000697", "source": "cyner_test"}} +{"text": "Security solutions can detect it in countless combinations with other suspicious permissions and functions , or malicious functionalities – but when faced with no additional functionality nor permission , all failed to trigger any alarm on DEFENSOR ID .", "spans": {"MALWARE: DEFENSOR ID": [[240, 251]]}, "info": {"id": "cyner_test_000698", "source": "cyner_test"}} +{"text": "By “ all ” we mean all security mechanisms guarding the official Android app store ( including the detection engines of the members of the App Defense Alliance ) and all security vendors participating in the VirusTotal program ( see Figure 1 ) .", "spans": {"SYSTEM: Android app store": [[65, 82]], "ORGANIZATION: App Defense Alliance": [[139, 159]], "ORGANIZATION: VirusTotal": [[208, 218]]}, "info": {"id": "cyner_test_000699", "source": "cyner_test"}} +{"text": "DEFENSOR ID was released on Feb 3 , 2020 and last updated to v1.4 on May 6 , 2020 .", "spans": {"MALWARE: DEFENSOR ID": [[0, 11]]}, "info": {"id": "cyner_test_000700", "source": "cyner_test"}} +{"text": "The latest version is analyzed here ; we weren ’ t able to determine if the earlier versions were also malicious .", "spans": {}, "info": {"id": "cyner_test_000701", "source": "cyner_test"}} +{"text": "According to its profile at Google Play ( see Figure 2 ) the app reached a mere 10+ downloads .", "spans": {"SYSTEM: Google Play": [[28, 39]]}, "info": {"id": "cyner_test_000702", "source": "cyner_test"}} +{"text": "We reported it to Google on May 16 , 2020 and since May 19 , 2020 the app has no longer been available on Google Play .", "spans": {"ORGANIZATION: Google": [[18, 24]], "SYSTEM: Google Play": [[106, 117]]}, "info": {"id": 
"cyner_test_000703", "source": "cyner_test"}} +{"text": "The developer name used , GAS Brazil , suggests the criminals behind the app targeted Brazilian users .", "spans": {}, "info": {"id": "cyner_test_000704", "source": "cyner_test"}} +{"text": "Apart from including the country ’ s name , the app ’ s name is probably intended to imply a relationship with the antifraud solution named GAS Tecnologia .", "spans": {"SYSTEM: GAS Tecnologia": [[140, 154]]}, "info": {"id": "cyner_test_000705", "source": "cyner_test"}} +{"text": "That security software is commonly installed on computers in Brazil as several banks require it to log into their online banking .", "spans": {}, "info": {"id": "cyner_test_000706", "source": "cyner_test"}} +{"text": "However , there is also an English version of the DEFENSOR ID app ( see Figure 3 ) besides the Portuguese one , and that app has neither geographical nor language restrictions .", "spans": {"MALWARE: DEFENSOR ID": [[50, 61]]}, "info": {"id": "cyner_test_000707", "source": "cyner_test"}} +{"text": "Playing further off the suggested GAS Tecnologia link , the app promises better security for its users .", "spans": {"SYSTEM: GAS Tecnologia": [[34, 48]]}, "info": {"id": "cyner_test_000708", "source": "cyner_test"}} +{"text": "The description in Portuguese promises more protection for the user ’ s applications , including end-to-end encryption .", "spans": {}, "info": {"id": "cyner_test_000709", "source": "cyner_test"}} +{"text": "Deceptively , the app was listed in the Education section .", "spans": {}, "info": {"id": "cyner_test_000710", "source": "cyner_test"}} +{"text": "Functionality After starting , DEFENSOR ID requests the following permissions : allow modify system settings permit drawing over other apps , and activate accessibility services .", "spans": {"MALWARE: DEFENSOR ID": [[31, 42]]}, "info": {"id": "cyner_test_000711", "source": "cyner_test"}} +{"text": "If an unsuspecting user grants these permissions ( see Figure 4 ) , 
the trojan can read any text displayed in any app the user may launch – and send it to the attackers .", "spans": {}, "info": {"id": "cyner_test_000712", "source": "cyner_test"}} +{"text": "This means the attackers can steal the victim ’ s credentials for logging into apps , SMS and email messages , displayed cryptocurrency private keys , and even software-generated 2FA codes .", "spans": {}, "info": {"id": "cyner_test_000713", "source": "cyner_test"}} +{"text": "The fact the trojan can steal both the victim ’ s credentials and also can control their SMS messages and generated 2FA codes means DEFENSOR ID ’ s operators can bypass two-factor authentication .", "spans": {"MALWARE: DEFENSOR ID": [[132, 143]]}, "info": {"id": "cyner_test_000714", "source": "cyner_test"}} +{"text": "This opens the door to , for example , fully controlling the victim ’ s bank account .", "spans": {}, "info": {"id": "cyner_test_000715", "source": "cyner_test"}} +{"text": "To make sure the trojan survives a device restart , it abuses already activated accessibility services that will launch the trojan right after start .", "spans": {}, "info": {"id": "cyner_test_000716", "source": "cyner_test"}} +{"text": "Our analysis shows the DEFENSOR ID trojan can execute 17 commands received from the attacker-controlled server such as uninstalling an app , launching an app and then performing any click/tap action controlled remotely by the attacker ( see Figure 5 ) .", "spans": {"MALWARE: DEFENSOR ID": [[23, 34]]}, "info": {"id": "cyner_test_000717", "source": "cyner_test"}} +{"text": "In 2018 , we saw similar behavior , but all the click actions were hardcoded and suited only for the app of the attacker ’ s choice .", "spans": {}, "info": {"id": "cyner_test_000718", "source": "cyner_test"}} +{"text": "In this case , the attacker can get the list of all installed apps and then remotely launch the victim ’ s app of their choice to either steal credentials or perform malicious actions ( e.g .", "spans": 
{}, "info": {"id": "cyner_test_000719", "source": "cyner_test"}} +{"text": "send funds via a wire transfer ) .", "spans": {}, "info": {"id": "cyner_test_000720", "source": "cyner_test"}} +{"text": "We believe that this is the reason the DEFENSOR ID trojan requests the user to allow “ Modify system settings ” .", "spans": {"MALWARE: DEFENSOR ID": [[39, 50]]}, "info": {"id": "cyner_test_000721", "source": "cyner_test"}} +{"text": "Subsequently , the malware will change the screen off time-out to 10 minutes .", "spans": {}, "info": {"id": "cyner_test_000722", "source": "cyner_test"}} +{"text": "This means that , unless victims lock their devices via the hardware button , the timer provides plenty of time for the malware to remotely perform malicious , in-app operations .", "spans": {}, "info": {"id": "cyner_test_000723", "source": "cyner_test"}} +{"text": "If the device gets locked , the malware can ’ t unlock it .", "spans": {}, "info": {"id": "cyner_test_000724", "source": "cyner_test"}} +{"text": "Malware data leak When we analyzed the sample , we realized that the malware operators left the remote database with some of the victims ’ data freely accessible , without any authentication .", "spans": {}, "info": {"id": "cyner_test_000725", "source": "cyner_test"}} +{"text": "The database contained the last activity performed on around 60 compromised devices .", "spans": {}, "info": {"id": "cyner_test_000726", "source": "cyner_test"}} +{"text": "We found no other information stolen from the victims to be accessible .", "spans": {}, "info": {"id": "cyner_test_000727", "source": "cyner_test"}} +{"text": "Thanks to this data leak , we were able to confirm that the malware really worked as designed : the attacker had access to the victims ’ entered credentials , displayed or written emails and messages , etc .", "spans": {}, "info": {"id": "cyner_test_000728", "source": "cyner_test"}} +{"text": "Once we reached the non-secured database , we were able to directly observe 
the app ’ s malicious behavior .", "spans": {}, "info": {"id": "cyner_test_000729", "source": "cyner_test"}} +{"text": "To illustrate the level of threat the DEFENSOR ID app posed , we performed three tests .", "spans": {"MALWARE: DEFENSOR ID": [[38, 49]]}, "info": {"id": "cyner_test_000730", "source": "cyner_test"}} +{"text": "First , we launched a banking app and entered the credentials there .", "spans": {}, "info": {"id": "cyner_test_000731", "source": "cyner_test"}} +{"text": "The credentials were immediately available in the leaky database – see Figure 6 .", "spans": {}, "info": {"id": "cyner_test_000732", "source": "cyner_test"}} +{"text": "Figure 6 .", "spans": {}, "info": {"id": "cyner_test_000733", "source": "cyner_test"}} +{"text": "The banking app test : the credentials as entered ( left ) and as available in the database ( right ) Second , we wrote a test message in an email client .", "spans": {}, "info": {"id": "cyner_test_000734", "source": "cyner_test"}} +{"text": "We saw the message uploaded to the attackers ’ server within a second – see Figure 7 .", "spans": {}, "info": {"id": "cyner_test_000735", "source": "cyner_test"}} +{"text": "Figure 7 .", "spans": {}, "info": {"id": "cyner_test_000736", "source": "cyner_test"}} +{"text": "The email message test : the message as written ( left ) and as available in the database ( right ) Third , we documented the trojan retrieving the Google Authenticator 2FA code .", "spans": {"SYSTEM: Google Authenticator": [[148, 168]]}, "info": {"id": "cyner_test_000737", "source": "cyner_test"}} +{"text": "Figure 8 .", "spans": {}, "info": {"id": "cyner_test_000738", "source": "cyner_test"}} +{"text": "The software generated 2FA code as it appeared on the device ’ s display ( left ) and as available in the database ( right ) Along with the malicious DEFENSOR ID app , another malicious app named Defensor Digital was discovered .", "spans": {"MALWARE: Defensor Digital": [[196, 212]]}, "info": {"id": "cyner_test_000739", 
"source": "cyner_test"}} +{"text": "Both apps shared the same C & C server , but we couldn ’ t investigate the latter as it had already been removed from the Google Play store .", "spans": {"SYSTEM: Google Play store": [[122, 139]]}, "info": {"id": "cyner_test_000740", "source": "cyner_test"}} +{"text": "Indicators of Compromise ( IoCs ) Package Name Hash ESET detection name com.secure.protect.world F17AEBC741957AA21CFE7C7D7BAEC0900E863F61 Android/Spy.BanBra.A com.brazil.android.free EA069A5C96DC1DB0715923EB68192FD325F3D3CE Android/Spy.BanBra.A MITRE ATT & CK techniques Tactic ID Name Description Initial Access T1475 Deliver Malicious App", "spans": {"ORGANIZATION: ESET": [[52, 56]], "ORGANIZATION: MITRE": [[245, 250]]}, "info": {"id": "cyner_test_000741", "source": "cyner_test"}} +{"text": "via Authorized App Store Impersonates security app on Google Play .", "spans": {"SYSTEM: App Store": [[15, 24]], "SYSTEM: Google Play": [[54, 65]]}, "info": {"id": "cyner_test_000742", "source": "cyner_test"}} +{"text": "T1444 Masquerade as Legitimate Application Impersonates legitimate GAS Tecnologia application .", "spans": {"SYSTEM: GAS Tecnologia": [[67, 81]]}, "info": {"id": "cyner_test_000743", "source": "cyner_test"}} +{"text": "Discovery T1418 Application Discovery Sends list of installed apps on device .", "spans": {}, "info": {"id": "cyner_test_000744", "source": "cyner_test"}} +{"text": "Impact T1516 Input Injection Can enter text and perform clicks on behalf of user .", "spans": {}, "info": {"id": "cyner_test_000745", "source": "cyner_test"}} +{"text": "Collection T1417 Input Capture Records user input data .", "spans": {}, "info": {"id": "cyner_test_000746", "source": "cyner_test"}} +{"text": "Command and Control T1437 Standard Application Layer Protocol Uses Firebase Cloud Messaging for C & C .", "spans": {}, "info": {"id": "cyner_test_000747", "source": "cyner_test"}} +{"text": "In the case of the infected application not specified in the code , “ Agent Smith ” 
will simply show ads on the activity being loaded .", "spans": {"MALWARE: Agent Smith": [[70, 81]]}, "info": {"id": "cyner2_test_000000", "source": "cyner2_test"}} +{"text": "If the malware obtains device administrator rights , it will be able to lock the screen by itself , expire the password , and resist being uninstalled through normal methods .", "spans": {}, "info": {"id": "cyner2_test_000001", "source": "cyner2_test"}} +{"text": "According to publicly available statistics , as well as confirmation from Google , most of these apps collected a few dozens installations each , with one case reaching over 350 .", "spans": {"ORGANIZATION: Google": [[74, 80]]}, "info": {"id": "cyner2_test_000002", "source": "cyner2_test"}} +{"text": "Offensive security researchers then start experimenting with AV evasion, and the exploit finally ends up in underground exploit builders.", "spans": {"ORGANIZATION: Offensive security researchers": [[0, 30]], "SYSTEM: AV": [[61, 63]], "MALWARE: exploit": [[81, 88]], "THREAT_ACTOR: underground exploit builders.": [[108, 137]]}, "info": {"id": "cyner2_test_000003", "source": "cyner2_test"}} +{"text": "This Trojan, which is still under development and regularly updated, is already capable of multiple malicious behaviors.", "spans": {"MALWARE: Trojan,": [[5, 12]], "MALWARE: multiple malicious behaviors.": [[91, 120]]}, "info": {"id": "cyner2_test_000004", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Win32.Dwn.eusizc Trojan.DownLoader25.49110 BehavesLike.Win32.BadFile.fc W32/Trojan.UQIH-2124 Trojan/Win32.Crypt.C2237672 Trj/GdSda.A Trojan.Crypt W32/DwnLdr.UQF!tr Win32/Trojan.cb1", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000005", "source": "cyner2_test"}} +{"text": "STRING & DATA OBFUSCATION Bread apps have used many innovative and classic techniques to hide strings from analysis engines .", "spans": {}, "info": {"id": "cyner2_test_000006", "source": "cyner2_test"}} +{"text": "A backdoor 
also known as: Trojan.Inject.RA Trojan/W32.Inject.33280.AC AdWare.Win32.PurityScan!O Trojan.Inject.RA Win32.Trojan.WisdomEyes.16070401.9500.9988 W32/MalwareS.BHSK Trojan.Cryect Win32/SillyDl.VHZ Win.Adware.Purityscan-27 Trojan.Inject.RA not-a-virus:AdWare.Win32.PurityScan.jz Trojan.Inject.RA Riskware.Win32.PurityScan.hbehp W32.W.AutoRun.kZzH Win32.Adware.Purityscan.Lpuz Trojan.Inject.RA Trojan.Inject.RA Adware.ClickSpring.338 W32/Risk.PDOJ-3563 Adware/PurityScan.h GrayWare[AdWare]/Win32.PurityScan Trojan.Inject.RA not-a-virus:AdWare.Win32.PurityScan.jz TrojanDownloader:Win32/Taleret.B Adware.PurityScan Trj/CI.A not-a-virus:AdWare.Win32.PurityScan Win32/Trojan.8c4", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000007", "source": "cyner2_test"}} +{"text": "In this case the payload was Kronos, a banking Trojan which was introduced in July of 2014.", "spans": {"MALWARE: payload": [[17, 24]], "MALWARE: Kronos,": [[29, 36]], "MALWARE: banking Trojan": [[39, 53]]}, "info": {"id": "cyner2_test_000008", "source": "cyner2_test"}} +{"text": "This submitter has thousands of other submissions in VirusTotal , however , it is the only one that continues to submit EventBot samples via the VirusTotal API .", "spans": {"MALWARE: EventBot": [[120, 128]]}, "info": {"id": "cyner2_test_000009", "source": "cyner2_test"}} +{"text": "Shodan tells us that more than 5 million devices make their TR-069 service available to the outside world.", "spans": {"ORGANIZATION: Shodan": [[0, 6]], "SYSTEM: devices": [[41, 48]], "SYSTEM: TR-069 service": [[60, 74]]}, "info": {"id": "cyner2_test_000010", "source": "cyner2_test"}} +{"text": "A backdoor also known as: HW32.Packed.9E95 Win32.Trojan.WisdomEyes.16070401.9500.9996 TrojWare.Win32.Kryptik.RS BehavesLike.Win32.Downloader.nh Trojan.Fareit.1 Win32.Trojan.Fareit.A Trojan/Win32.Jorik.R21377 Trojan.Kryptik!6N5GdNWw3hk Trojan-PWS.Win32.Fareit Win32/Trojan.b7a", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": 
"cyner2_test_000011", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9996 TROJ_FSYNA.AS Trojan/Win32.Fareit Trojan.Zusy.D1AACE", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000012", "source": "cyner2_test"}} +{"text": "In 2015, there have already been a variety of new POS malware identified including a new Alina variant, LogPOS, FighterPOS and Punkey.", "spans": {"MALWARE: POS malware": [[50, 61]], "MALWARE: Alina variant, LogPOS, FighterPOS": [[89, 122]], "MALWARE: Punkey.": [[127, 134]]}, "info": {"id": "cyner2_test_000013", "source": "cyner2_test"}} +{"text": "The malware known as TROJ_GATAK has been active since 2012 and uses steganography techniques to hide components in .PNG files.", "spans": {"MALWARE: malware": [[4, 11]]}, "info": {"id": "cyner2_test_000014", "source": "cyner2_test"}} +{"text": "TrickMo uses accessibility services to identify and control some of these screens and make its own choices before giving the user a chance to react .", "spans": {"MALWARE: TrickMo": [[0, 7]]}, "info": {"id": "cyner2_test_000015", "source": "cyner2_test"}} +{"text": "If one these commands is found , then the malware will encode the stolen data with Base64 and upload it to the command and control server .", "spans": {}, "info": {"id": "cyner2_test_000016", "source": "cyner2_test"}} +{"text": "In this specific attack, a malicious Excel document was used to create a PowerShell script, which then used the Domain Name System DNS to communicate with an Internet Command and Control C2 server.", "spans": {"SYSTEM: PowerShell script,": [[73, 91]], "SYSTEM: Domain Name System DNS": [[112, 134]]}, "info": {"id": "cyner2_test_000017", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Injector.16825 Win32.Trojan.WisdomEyes.16070401.9500.9990 Trojan.Cidox!gm TROJ_LATOT.SM Trojan.Win32.Gofot.eci Win32.Trojan-gamethief.Onlinegames.Pgcv TROJ_LATOT.SM TrojanDownloader:Win32/Latot.A 
Trojan.Win32.Gofot.eci Trojan/Win32.Latot.R175617 W32/Onlinegames.QXA!tr Trj/GdSda.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000018", "source": "cyner2_test"}} +{"text": "This post dismantles a sample of this malware to determine whether we need to take Bert the Turtle's advice to duck and cover.", "spans": {"MALWARE: sample": [[23, 29]], "MALWARE: malware": [[38, 45]]}, "info": {"id": "cyner2_test_000019", "source": "cyner2_test"}} +{"text": "Recently, PaloAlto discovered another Windows Trojan we named DualToy which side loads malicious or risky apps to both Android and iOS devices via a USB connection.", "spans": {"ORGANIZATION: PaloAlto": [[10, 18]], "SYSTEM: Windows": [[38, 45]], "MALWARE: Trojan": [[46, 52]], "MALWARE: DualToy": [[62, 69]], "MALWARE: malicious": [[87, 96]], "SYSTEM: risky apps": [[100, 110]], "SYSTEM: Android": [[119, 126]], "SYSTEM: iOS devices": [[131, 142]], "SYSTEM: USB": [[149, 152]]}, "info": {"id": "cyner2_test_000020", "source": "cyner2_test"}} +{"text": "On October 14th, a report was publicly released regarding the Sandworm team.", "spans": {"THREAT_ACTOR: Sandworm team.": [[62, 76]]}, "info": {"id": "cyner2_test_000021", "source": "cyner2_test"}} +{"text": "The owners of the RAA cryptor, however, took a different tack.", "spans": {"THREAT_ACTOR: owners": [[4, 10]], "MALWARE: RAA cryptor,": [[18, 30]]}, "info": {"id": "cyner2_test_000022", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Madi.B Trojan.Win32.Upof!O Trojan.Madi.B Trojan.Madi.B Trojan.Madi TROJ_MADIH.SM Trojan.Madi.B Trojan.Win32.SMSSend.dtabeg Troj.W32.Upof.c!c Trojan.Madi.B TrojWare.Win32.Upof.C Trojan.Madi.B TROJ_MADIH.SM BehavesLike.Win32.Dropper.dc Trojan/Upof.z Trojan/Win32.Unknown TrojanDownloader:Win32/Upof.A Trojan.Win32.A.Upof.279552 Trojan.Madi.B Trojan/Win32.Madi.R30772 Trojan.Upof Trojan.Win32.Upof W32/Upof.C!tr Trj/Madi.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000023", 
"source": "cyner2_test"}} +{"text": "The URL will trigger exploits for arbitrary memory read ( CVE-2012-2825 ) and heap buffer overflow ( CVE-2012-2871 ) vulnerabilities in the default browsers of Android versions 4.0 Ice Cream Sandwich to 4.3 Jelly Bean , allowing another local privilege escalation exploit to execute .", "spans": {"VULNERABILITY: arbitrary memory read ( CVE-2012-2825 )": [[34, 73]], "VULNERABILITY: heap buffer overflow ( CVE-2012-2871 )": [[78, 116]], "SYSTEM: Android versions 4.0 Ice Cream Sandwich": [[160, 199]], "SYSTEM: 4.3 Jelly Bean": [[203, 217]]}, "info": {"id": "cyner2_test_000024", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Win32.Vilsel!O Troj.W32.Patched.lnCt Trojan.Heur.E7F0E9 Win32.Trojan.ImPatch.a TROJ_FLYMUX.SMIB Win.Trojan.Toopu-1 Trojan.Win32.Vilsel.mwo Trojan.Win32.Vilsel.cxoek Trojan.DownLoad1.51956 TROJ_FLYMUX.SMIB Trojan-Dropper.Win32.Ekafod Trojan/Vilsel.aggq Trojan/Win32.Vilsel Trojan.Win32.Vilsel.mwo Trojan.BHORA.04931", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000025", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.VBS Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Win32.Disfa.dtznyx BehavesLike.Win32.AdwareLinkury.fc Trojan:Win32/Skeeyah.A!bit Win32/Trojan.2fe", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000026", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan-Dropper.Win32.Dycler!O Exploit.BypassUAC Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.MulDrop3.61094 Dropper.Dycler.Win32.309 BehavesLike.Win32.Dropper.tz TrojanDropper.Dycler.ca BDS/Dervec.3000832 Trojan[Dropper]/Win32.Dycler Trojan.Heur.EC561A Dropper/Win32.Dycler.C2335962 TrojanDropper.Dycler Win32.Trojan-Dropper.Dycler.dejx Win32/Trojan.4f0", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000027", "source": "cyner2_test"}} +{"text": "The exploit appeared on day three of the Permanent Court of 
Arbitration tribunal, exposing an untold number of interested parties that visited the webpage to potential exploitation.", "spans": {"MALWARE: exploit": [[4, 11]], "ORGANIZATION: the Permanent Court of Arbitration tribunal,": [[37, 81]], "ORGANIZATION: parties": [[122, 129]], "VULNERABILITY: exploitation.": [[168, 181]]}, "info": {"id": "cyner2_test_000028", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32.FamVT.CabisNHc.PE Worm/W32.Cosmu Trojan.Win32.Cosmu!O Trojan.Klaut.AB1 W32/Sural.a Trojan/Cosmu.so HT_COSMU_FI060D75.UVPM Win32.Trojan.Canbis.b Win32/LdPinch.AGZ TROJ_COSMU_0000000.TOMA Win.Trojan.Delf-2305 Win32.Trojan-Dropper.Cosmu.A Trojan.Win32.Cosmu.so Trojan.Win32.MLW.eelav Trojan.Win32.Cosmu.124928 Troj.W32.Cosmu.tnsc Trojan.DownLoader2.61876 Trojan.Cosmu.Win32.696 BehavesLike.Win32.Sural.vt Trojan/Cosmu.aja Trojan.Win32.Cosmu.so Trojan/Win32.Cosmu.R747 Trojan.Cosmu W32/Knase.C Trojan.Cosmu Win32/Canbis.B Virus.Win32.Tailer.a", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000029", "source": "cyner2_test"}} +{"text": "Using DNS for data exfiltration provides several advantages to the attacker.", "spans": {"SYSTEM: DNS": [[6, 9]], "VULNERABILITY: data exfiltration": [[14, 31]], "THREAT_ACTOR: attacker.": [[67, 76]]}, "info": {"id": "cyner2_test_000030", "source": "cyner2_test"}} +{"text": "Figure 3 .", "spans": {}, "info": {"id": "cyner2_test_000032", "source": "cyner2_test"}} +{"text": "Antivirus often detects the associated malware as Banload, a family of Trojans that downloads other malware.", "spans": {"SYSTEM: Antivirus": [[0, 9]], "MALWARE: malware": [[39, 46]], "MALWARE: Banload,": [[50, 58]], "MALWARE: family of Trojans": [[61, 78]], "MALWARE: malware.": [[100, 108]]}, "info": {"id": "cyner2_test_000033", "source": "cyner2_test"}} +{"text": "We found two malicious gaming apps that were published on Google Play and are capable of rooting Android devices.", "spans": {"MALWARE: malicious": [[13, 22]], 
"SYSTEM: gaming apps": [[23, 34]], "SYSTEM: Google Play": [[58, 69]]}, "info": {"id": "cyner2_test_000034", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan/W32.Dimnie.61440 Trojan.Dimnie.Win32.50 Troj.Heur2.JP.lqY.mDK9 Trojan.Mikey.D1266C Trojan.Dimnie Trojan.Win32.Dimnie.he Trojan.Win32.Dimnie.elmtgi BackDoor.Bebloh.184 Trojan.Dimnie.w Trojan/Win32.Dimnie Trojan:Win32/Dimnie.G Trojan.Win32.Dimnie.he Trojan/Win32.Dimnie.C1889767", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000035", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.DL.Delf!Pzeg8X5RT2o W32/Downldr2.BXIW BKDR_ELLIKIC.B Trojan-Downloader.Win32.Delf.hhc Trojan.Win32.Delf.uibf TrojWare.Win32.Ellikic.C Trojan.DownLoader.62800 Trojan.Delf.Win32.7551 BKDR_ELLIKIC.B BehavesLike.Win32.Dropper.jh W32/Downloader.DSRK-7508 Trojan/Delf.jcy TR/Dldr.Delf.hhc.1 Malware_fam.A Spyware[AdWare:not-a-virus]/Win32.Iclick Win32.Troj.Delf.kcloud Trojan.Adware.Symmi.D11E5 Trojan/Win32.AdClicker TrojanDownloader.Delf Trj/CI.A Trojan-Dropper.Delf", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000036", "source": "cyner2_test"}} +{"text": "Spaghetti code makes the program flow hard to read by adding continuous code jumps , hence the name .", "spans": {}, "info": {"id": "cyner2_test_000038", "source": "cyner2_test"}} +{"text": "From this initial message, we uncovered a watering hole website with malicious programs, malicious PowerPoint files, and Android malware, all apparently designed to appeal to members of the opposition.", "spans": {"MALWARE: Android malware,": [[121, 137]]}, "info": {"id": "cyner2_test_000039", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32/PWStealer.AH Backdoor.Botex W32/Mifeng.F TROJ_LEMIR.CS Trojan.PWS.Mifeng!erocD61I7Go Trojan.Win32.PSWMifeng.390156 TrojWare.Win32.PSW.Mifeng.E Trojan.MulDrop.2881 TR/PSW.Mifeng.e.2 TROJ_LEMIR.CS Backdoor/Hupigon.ckcc Win32.PSWTroj.Mifeng.bo.kcloud 
W32/PWStealer.AH Trojan/Win32.Bifrose Trojan-PSW.Win32.Mifeng.e Backdoor.Botex!rem Win32/PSW.Mifeng.E Trojan.PSW.Mifeng.bo Trojan-PWS.Win32.Mifeng.E W32/MIFENG.G!tr Collected.9.BK", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000040", "source": "cyner2_test"}} +{"text": "“ As part of our ongoing efforts to protect users from the Ghost Push family of malware , we ’ ve taken numerous steps to protect our users and improve the security of the Android ecosystem overall. ” We are very encouraged by the statement Google shared with us addressing the issue .", "spans": {"MALWARE: Ghost Push family": [[59, 76]], "SYSTEM: Android": [[172, 179]], "ORGANIZATION: Google": [[241, 247]]}, "info": {"id": "cyner2_test_000041", "source": "cyner2_test"}} +{"text": "] com or hxxp : //apple-icloud [ .", "spans": {}, "info": {"id": "cyner2_test_000042", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Backdoor.Agobot.3.AA Backdoor.Agobot.3.AA Backdoor.Gaobot Backdoor.Agobot.3.AA W32/Agobot.CNB Backdoor.Gaobot Win32/Agobot.3.CQ BKDR_GAOBOT.A Backdoor.Win32.Agobot.aa Trojan.Win32.Agobot.daue Backdoor.Win32.A.Agobot.36864.A[h] Backdoor.Agobot.3.AA Backdoor.Win32.Agobot.3.CQ Backdoor.Agobot.3.AA Trojan.Starter.333 Backdoor.Agobot.Win32.1382 BKDR_GAOBOT.A W32/Agobot.SHCF-4880 Backdoor/SdBot.dtc WORM/AgoBot.AA W32/AgoBot.AA!tr.bdr Trojan[Backdoor]/Win32.Agobot Backdoor.Agobot.3.AA Backdoor.W32.Agobot.aa!c Backdoor:Win32/Gaobot.AA Win32/IRCBot.worm.variant Backdoor.Agobot.3.AA Backdoor.Gaobot Backdoor.Agobot Win32.Backdoor.Agobot.Sxyf Backdoor.Win32.Agobot Backdoor.Agobot.3.AA Backdoor.Win32.Agobot.aa", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000043", "source": "cyner2_test"}} +{"text": "AlarmReceiver - Triggers every three minutes .", "spans": {}, "info": {"id": "cyner2_test_000044", "source": "cyner2_test"}} +{"text": "On May 12, 2015, Unit 42 observed an apparent watering hole attack, also known as a strategic website 
compromise SWC, involving the President of Myanmar's website.", "spans": {"ORGANIZATION: Unit 42": [[17, 24]], "ORGANIZATION: the President of Myanmar's": [[128, 154]]}, "info": {"id": "cyner2_test_000045", "source": "cyner2_test"}} +{"text": "On connecting a smartphone in the USB drive emulation mode to a computer running Windows XP , the system automatically starts the Trojan ( if AutoPlay on the external media is not disabled ) and is infected .", "spans": {"SYSTEM: USB drive": [[34, 43]], "SYSTEM: Windows XP": [[81, 91]]}, "info": {"id": "cyner2_test_000046", "source": "cyner2_test"}} +{"text": "The replacement of a single character renders it nearly indistinguishable from the real Akamai-owned domain.", "spans": {}, "info": {"id": "cyner2_test_000047", "source": "cyner2_test"}} +{"text": "In order to achieve this , mike.jar connects to rootdaemon through various TCP ports that the daemon binds on some extraction routines for supported applications : Port 6202 : WhatsApp extraction service .", "spans": {"SYSTEM: WhatsApp": [[176, 184]]}, "info": {"id": "cyner2_test_000048", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32.HfsAutoB.B699 BehavesLike.Win32.Trojan.th Trojan.Win32.Cryptor TR/Crypt.Xpack.ihifb Trojan.Win32.Z.Crowti.1270272 Backdoor:Win32/Lisuife.A!dha Trojan.Swrort.ED Trj/GdSda.A Win32/Trojan.e6d", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000049", "source": "cyner2_test"}} +{"text": "Exodus is equipped with extensive collection and interception capabilities .", "spans": {"MALWARE: Exodus": [[0, 6]]}, "info": {"id": "cyner2_test_000050", "source": "cyner2_test"}} +{"text": "Android ’ s accessibility services were originally developed by Google for the benefit of users with disabilities .", "spans": {"SYSTEM: Android": [[0, 7]], "ORGANIZATION: Google": [[64, 70]]}, "info": {"id": "cyner2_test_000051", "source": "cyner2_test"}} +{"text": "Then , a request is formed in such a way that an activity that 
installs the application is called , bypassing all security checks .", "spans": {}, "info": {"id": "cyner2_test_000052", "source": "cyner2_test"}} +{"text": "However, a closer look into a sample showed an interesting downloading method which I haven t seen before user R136a1", "spans": {}, "info": {"id": "cyner2_test_000053", "source": "cyner2_test"}} +{"text": "If you answered c' you might be correct! FireEye Labs discovered a new piece of ATM malware 4BDD67FF852C221112337FECD0681EAC that we detect as Backdoor.ATM.Suceful the name comes from a typo made by the malware authors, which targets cardholders and is able to retain debit cards on infected ATMs, disable alarms, or read the debit card tracks.", "spans": {"ORGANIZATION: FireEye Labs": [[41, 53]], "MALWARE: ATM malware": [[80, 91]], "THREAT_ACTOR: malware authors,": [[203, 219]], "ORGANIZATION: cardholders": [[234, 245]], "ORGANIZATION: ATMs,": [[292, 297]]}, "info": {"id": "cyner2_test_000054", "source": "cyner2_test"}} +{"text": "The instance we discovered and analyzed at the time was configured to steal information from customers of UK and Australian banks.", "spans": {"ORGANIZATION: UK": [[106, 108]], "ORGANIZATION: Australian banks.": [[113, 130]]}, "info": {"id": "cyner2_test_000055", "source": "cyner2_test"}} +{"text": "Sensitive environments that process card data will often monitor, restrict, or entirely block the HTTP or FTP traffic often used for exfiltration in other environments.", "spans": {"SYSTEM: Sensitive environments": [[0, 22]], "VULNERABILITY: exfiltration": [[133, 145]], "SYSTEM: environments.": [[155, 168]]}, "info": {"id": "cyner2_test_000056", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Kazy.D780C Win32.Trojan.Zbot.a Win.Spyware.Zbot-1275 Trojan-Spy.Win32.Zbot.ymvi Win32.Trojan.Kazy.Pgcv Trojan.PWS.Panda.655 Constructor.Win32.Zbot TR/Crypt.ZPACK.ieoes Constructor:Win32/Zbot.A Trojan-Spy.Win32.Zbot.ymvi Win32.Trojan-Spy.Zbot.DB Spyware/Win32.Zbot.R68889 
SScope.Trojan.FakeAV.01110 W32/Zbot.YW!tr Win32/Trojan.c5f", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000057", "source": "cyner2_test"}} +{"text": "Researchers has observed recent espionage-related activity by TA473, including yet to be reported instances of TA473 targeting US elected officials and staffers.", "spans": {"ORGANIZATION: Researchers": [[0, 11]], "THREAT_ACTOR: espionage-related": [[32, 49]], "THREAT_ACTOR: TA473,": [[62, 68]], "THREAT_ACTOR: TA473": [[111, 116]], "ORGANIZATION: US elected officials": [[127, 147]], "ORGANIZATION: staffers.": [[152, 161]]}, "info": {"id": "cyner2_test_000058", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Abuse-Worry/W32.WinPassViewer.182272 Win32.Trojan.WisdomEyes.16070401.9500.9975 not-a-virus:PSWTool.Win32.WinPassViewer.bg Tool.PassView.1748 Tool.WinPassViewer.Win32.19 BehavesLike.Win32.BadFile.cc AdWare.Amonetize.anis RiskWare[PSWTool]/Win32.WinPassViewer not-a-virus:PSWTool.Win32.WinPassViewer.bg Win-AppCare/Getpassword.182272", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000059", "source": "cyner2_test"}} +{"text": "Domain fronting provides outbound network connections that are indistinguishable from legitimate requests for popular websites.", "spans": {"SYSTEM: network": [[34, 41]]}, "info": {"id": "cyner2_test_000060", "source": "cyner2_test"}} +{"text": "Charger SHA256 hash : 58eb6c368e129b17559bdeacb3aed4d9a5d3596f774cf5ed3fdcf51775232ba0 Infostealer , Keylogger , and Ransomware in One : Anubis Targets More than 250 Android Applications October 29 , 2021 The Cofense Phishing Defense Center uncovered a phishing campaign that specifically targets users of Android devices that could result in compromise if unsigned Android applications are permitted on the device .", "spans": {"MALWARE: Anubis": [[137, 143]], "SYSTEM: Android": [[166, 173], [306, 313], [366, 373]], "ORGANIZATION: Cofense Phishing Defense Center": [[209, 240]]}, "info": 
{"id": "cyner2_test_000061", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32.DownloaderDll.Worm Trojan-Downloader.Win32.Small!O Trojan/Downloader.Small.gkh Win32.Trojan.WisdomEyes.16070401.9500.9998 W32/Downloader.RQOF-2765 Win32/Filitop.E Win.Downloader.19989-1 Trojan-Downloader.Win32.Small.gkh Trojan.Win32.Small.baasq Trojan.Win32.Downloader.7713 TrojWare.Win32.TrojanDownloader.Small.BW Trojan.DownLoader.37335 Downloader.Small.Win32.7224 W32/Downldr2.AKNJ TrojanDownloader.Small.nin Trojan[Downloader]/Win32.Small Win32.TrojDownloader.Small.kcloud Trojan-Downloader.Win32.Small.gkh Trojan/Win32.Downloader.C81971 TrojanDownloader.Small Trojan.DL.Small!Sm7hHElQfpU W32/Small.GKH!tr.dldr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000062", "source": "cyner2_test"}} +{"text": "This suggests that these attacks were part of a planned operation against specific targets in India.", "spans": {"THREAT_ACTOR: planned operation": [[48, 65]]}, "info": {"id": "cyner2_test_000063", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.PWS.YVX Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.PWS.YVX Trojan.PWS.YVX Trojan.PWS.YVX Trojan.PWS.YVX BehavesLike.Win32.VTFlooder.hc Trojan.PWS.YVX Troj.Pws.Yvx!c Trojan.PWS.YVX Trj/CI.A Trojan-PWS.YVX W32/Kryptik.SHU!tr Win32/Trojan.PWS.3b2", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000064", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Backdoor.Msic Backdoor.Msic Backdoor.Msic Backdoor.Msic Trojan/Delf.de Trojan.Win32.Delf.binhsf W32/Backdoor.FYD Backdoor.Msic BKDR_DELF.DE Backdoor.Win32.Delf.de Backdoor.Delf!QqXK5yDKgAs Backdoor.Msic Backdoor.Win32.Delf.DE Backdoor.Msic BackDoor.GWBoy.91 BKDR_DELF.DE W32/Backdoor.FFNS-0086 Win32.Hack.Delf.de.kcloud HEUR/Fakon.mwf Backdoor.Msic Win32/Delf.DE Backdoor.Win32.Y3KRat W32/Delf.DE!tr.bdr BackDoor.Delf.AV Backdoor.Win32.Delf.au", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": 
"cyner2_test_000065", "source": "cyner2_test"}} +{"text": "After an app is installed , the ad service pays the attacker .", "spans": {}, "info": {"id": "cyner2_test_000066", "source": "cyner2_test"}} +{"text": "Chinese fabless semiconductor company Allwinner is a leading supplier of application processors that are used in many low-cost Android tablets , ARM-based PCs , set-top boxes , and other electronic devices worldwide .", "spans": {"ORGANIZATION: Allwinner": [[38, 47]], "SYSTEM: Android": [[127, 134]], "ORGANIZATION: ARM-based": [[145, 154]]}, "info": {"id": "cyner2_test_000067", "source": "cyner2_test"}} +{"text": "STRONTIUM is Microsoft's code name for this group, following its internal practice of assigning chemical element names to activity groups; other researchers have used code names such as APT28, Sednit, Sofacy and Fancy Bear as labels for a group or groups", "spans": {"THREAT_ACTOR: STRONTIUM": [[0, 9]], "ORGANIZATION: Microsoft's": [[13, 24]], "ORGANIZATION: researchers": [[145, 156]], "THREAT_ACTOR: APT28, Sednit, Sofacy": [[186, 207]], "THREAT_ACTOR: Fancy Bear": [[212, 222]], "THREAT_ACTOR: group": [[239, 244]], "THREAT_ACTOR: groups": [[248, 254]]}, "info": {"id": "cyner2_test_000068", "source": "cyner2_test"}} +{"text": "Stealing and Concealing SMS Messages As some banks still use SMS-based transaction authorization , TrickMo is configured to automatically steal all SMS messages that are stored on the device .", "spans": {"MALWARE: TrickMo": [[99, 106]]}, "info": {"id": "cyner2_test_000069", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Backdoor.Meciv.a Win32.Trojan.WisdomEyes.16070401.9500.9994 Backdoor.Meciv BKDR_MECIV.SME Win.Trojan.Enfal-82 Backdoor.Win32.Meciv.a BKDR_MECIV.SME Trojan[Backdoor]/Win32.Meciv Trojan.Bodegun.3 Backdoor.Win32.Meciv.a TrojanDropper:Win32/Meciv.A Trj/CI.A Win32/Pucedoor.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000070", "source": "cyner2_test"}} +{"text": "A 
backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9982 Win32.Trojan-Ransom.Mole.A Trojan.Win32.Encoder.eqqmxg Worm.Win32.Pushbot.A Trojan.Encoder.11008 BehavesLike.Win32.VTFlooder.cm Trojan-Ransom.FileCoder Behavior:Win32/Pryncimoklyn.A!rsm BScope.Trojan-Ransom.Fury Win32.Trojan.Raas.Auto", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000071", "source": "cyner2_test"}} +{"text": "A backdoor also known as: TR/Dropper.MSIL.252169 Trj/GdSda.A Virus.PSW.ILSpy", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000072", "source": "cyner2_test"}} +{"text": "With this in mind , we thoroughly look forward to working with you on these matters .", "spans": {}, "info": {"id": "cyner2_test_000073", "source": "cyner2_test"}} +{"text": "Several months later and it seems to have evolved again, this time adding cryptocurrency theft to its routines.", "spans": {}, "info": {"id": "cyner2_test_000074", "source": "cyner2_test"}} +{"text": "Symantec Corp, a digital security company, says it has identified a sustained cyber spying campaign, likely state-sponsored, against Indian and Pakistani entities involved in regional security issues.", "spans": {"ORGANIZATION: Symantec Corp,": [[0, 14]], "ORGANIZATION: digital security company,": [[17, 42]], "THREAT_ACTOR: cyber spying campaign,": [[78, 100]], "THREAT_ACTOR: state-sponsored,": [[108, 124]], "THREAT_ACTOR: entities": [[154, 162]]}, "info": {"id": "cyner2_test_000075", "source": "cyner2_test"}} +{"text": "Without context , this method does not reveal much about its intended behavior , and there are no calls made to it anywhere in the DEX .", "spans": {}, "info": {"id": "cyner2_test_000076", "source": "cyner2_test"}} +{"text": "] 6 2020-03-26 http : //rxc.rxcoordinator [ .", "spans": {}, "info": {"id": "cyner2_test_000077", "source": "cyner2_test"}} +{"text": "Office 365 ATP sandbox employs special mechanisms to avoid being detected by similar checks .", "spans": {"SYSTEM: 
Office 365 ATP": [[0, 14]]}, "info": {"id": "cyner2_test_000078", "source": "cyner2_test"}} +{"text": "During the last hours, OSX/Keydnap was distributed on a trusted website, which turned out to be something else", "spans": {"MALWARE: OSX/Keydnap": [[23, 34]]}, "info": {"id": "cyner2_test_000079", "source": "cyner2_test"}} +{"text": "The threat actors used IcedID, delivering the payload using an ISO image on this occasion.", "spans": {"THREAT_ACTOR: The threat actors": [[0, 17]], "MALWARE: IcedID,": [[23, 30]], "MALWARE: payload": [[46, 53]]}, "info": {"id": "cyner2_test_000080", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32.PorakeseDRAG.Trojan TrojanSpy.Crime.B4 Trojan.Keylogger.Win32.35471 Trojan/Spy.Keylogger.zu TSPY_VBMSIL.SMIA Win.Trojan.KillAV-49 Trojan.Win32.Win32.dccnnq Trojan.MSIL.Spy TR/BAS.Samca.11318183 TrojanSpy:MSIL/Crime.B Trojan.Diztakun", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000082", "source": "cyner2_test"}} +{"text": "] cashnow [ .", "spans": {}, "info": {"id": "cyner2_test_000083", "source": "cyner2_test"}} +{"text": "The Android.ZBot Trojan is one of these malicious programs.", "spans": {"MALWARE: Android.ZBot Trojan": [[4, 23]], "MALWARE: malicious programs.": [[40, 59]]}, "info": {"id": "cyner2_test_000084", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Virus.Win32.Dialer.1313 PSW.OnlineGames_r.AC", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000085", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Inject.GK Trojan.Inject.GK TROJ_AUTORUN_000003d.TOMA Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Trojan2.VHK Trojan.Minit TROJ_AUTORUN_000003d.TOMA Win.Worm.Autorun-374 Trojan.Inject.GK Trojan.Win32.Autoruner.rjamm Trojan.Inject.GK Worm.Win32.Autorun.q0 Trojan.Inject.GK Win32.HLLW.Autoruner1.61072 W32/Autorun.worm.q W32/Trojan.TSME-5158 W32/AutoRun.BDJ!tr Trojan.Inject.GK Trojan:Win32/Remdruk.A Worm/Win32.AutoRun.R1836 
W32/Autorun.worm.q BScope.Trojan-Dropper.Injector Virus.Win32.AutoRun.sd Trojan.Inject.GK W32/Autorun.HN.worm", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000086", "source": "cyner2_test"}} +{"text": "Based on data from Trend Micro Mobile App Reputation Service, we detected more than 800 applications embedded the ad library's SDK that have been downloaded millions of times from Google Play.", "spans": {"ORGANIZATION: Trend Micro": [[19, 30]], "SYSTEM: Mobile App Reputation Service,": [[31, 61]], "SYSTEM: 800 applications": [[84, 100]], "SYSTEM: SDK": [[127, 130]], "SYSTEM: Google Play.": [[180, 192]]}, "info": {"id": "cyner2_test_000087", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan-Downloader.Win32.Small!O Backdoor.Xifos.S14134 TROJ_GOVDI.F Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Trojan.SSXY-8201 TROJ_GOVDI.F Trojan-Downloader.Win32.Small.apyd Trojan.Win32.Small.ovxwu Trojan.Win32.A.Downloader.13824.AT Troj.Downloader.W32.Small.apyd!c Trojan.DownLoad2.51103 Downloader.Small.Win32.68519 Trojan.Win32.Spy TrojanDownloader.Small.aidi W32.Malware.Downloader TR/Dldr.Namsoth.B W32/Small.QVC!tr.dldr Trojan[Downloader]/Win32.Small Trojan.Heur.RP.ED2300E Trojan-Downloader.Win32.Small.apyd TrojanDownloader:Win32/Namsoth.B Downloader/Win32.Small.C65448 Trojan.Downloader.Small TScope.Malware-Cryptor.SB Win32.Trojan-downloader.Small.Ebhl Trojan.DL.Small!PqMADy2OaN0", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000088", "source": "cyner2_test"}} +{"text": "The group continues to primarily use publicly available pentesting tools outside of the US.", "spans": {"THREAT_ACTOR: The group": [[0, 9]], "MALWARE: tools": [[67, 72]]}, "info": {"id": "cyner2_test_000089", "source": "cyner2_test"}} +{"text": "brother.apk ( SHA256 : 422fec2e201600bb2ea3140951563f8c6fbd4f8279a04a164aca5e8e753c40e8 ) : The package name – com.android.system.certificate .", "spans": {"SYSTEM: brother.apk": [[0, 11]]}, "info": 
{"id": "cyner2_test_000090", "source": "cyner2_test"}} +{"text": "When we first observed the malware in January , we recorded 380 infections .", "spans": {}, "info": {"id": "cyner2_test_000091", "source": "cyner2_test"}} +{"text": "In later versions , when it starts , the Trojan additionally opens a phishing site in the browser that simulates a free ad service so as to dupe the user into entering their login credentials and bank card details .", "spans": {}, "info": {"id": "cyner2_test_000092", "source": "cyner2_test"}} +{"text": "One technique we've been tracking with this threat group is their use of the Clayslide delivery document as attachments to spear-phishing emails in attacks since May 2016.", "spans": {"THREAT_ACTOR: threat group": [[44, 56]]}, "info": {"id": "cyner2_test_000093", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Multi W32/Trojan3.AEFY TSPY_LOKI.THABET Trojan.Win32.Inject.exlwmp Trojan.PWS.Stealer.21330 TSPY_LOKI.THABET BehavesLike.Win32.Trojan.bh Trojan.Win32.Injector W32/Trojan.BSXG-7335 DR/Delphi.cmzkc Trojan[Backdoor]/Win32.Androm Uds.Dangerousobject.Multi!c TrojanSpy.Noon Spyware.LokiBot Trj/WLT.D Trojan.Injector!1D2XpjXiYyw W32/Injector.DVFA!tr Win32/Backdoor.2e1", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000094", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 Backdoor.Win32.NetWiredRC.esv Trojan.Win32.NetWiredRC.exccjt Win32.Backdoor.Netwiredrc.Pcso Backdoor.NetWiredRC.Win32.1167 Trojan.Win32.Injector Backdoor:Win32/NetWiredRC.B Backdoor.Win32.NetWiredRC.esv Trj/GdSda.A W32/VBINJECT.SM!tr Win32/Backdoor.a0c", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000095", "source": "cyner2_test"}} +{"text": "Allwinner has also been less transparent about the backdoor code .", "spans": {"ORGANIZATION: Allwinner": [[0, 9]]}, "info": {"id": "cyner2_test_000096", "source": "cyner2_test"}} +{"text": "A backdoor 
also known as: Win32.Trojan.WisdomEyes.16070401.9500.9954 TROJ_WEBJACK.A Trojan.Win32.Sennoma.eqbupe Trojan.DownLoader25.692 TROJ_WEBJACK.A BehavesLike.Win32.Vundo.lh Trojan.Sennoma.ey TR/AD.Derbit.yhtwf Trojan.Sirefef.DE9D Trojan:Win32/Derbit.D!bit Trojan.Downloader Trojan.Sennoma! Trj/GdSda.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000097", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Fsysna.Win32.7926 Win32.Trojan.VB.ja Trojan.Win32.Fsysna.celb Trojan.Win32.Fsysna.dylomu Trojan.Win32.Z.Fsysna.163840 Troj.W32.Fsysna!c BehavesLike.Win32.Vilsel.cz Trojan/Fsysna.ebj WORM/Rasith.xxjtz Trojan/Win32.Fsysna Trojan.Heur.E8E0BD Trojan.Win32.Fsysna.celb Worm:Win32/Rasit.A Trojan.Fsysna Trj/CI.A Win32.Trojan.Fsysna.Aiij Trojan.Fsysna! W32/Rasith.B!worm Win32/Trojan.c65", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000098", "source": "cyner2_test"}} +{"text": "Earth Preta delivering lure archives via spear-phishing emails and Google Drive links.", "spans": {"THREAT_ACTOR: Earth Preta": [[0, 11]], "SYSTEM: Google Drive": [[67, 79]]}, "info": {"id": "cyner2_test_000099", "source": "cyner2_test"}} +{"text": "Because it eavesdrops on sensitive conversations by remotely controlling PC microphones – in order to surreptitiously bug its targets – and uses Dropbox to store exfiltrated data, CyberX has named it Operation BugDrop.", "spans": {"SYSTEM: PC": [[73, 75]], "SYSTEM: Dropbox": [[145, 152]], "THREAT_ACTOR: CyberX": [[180, 186]], "THREAT_ACTOR: Operation BugDrop.": [[200, 218]]}, "info": {"id": "cyner2_test_000100", "source": "cyner2_test"}} +{"text": "FireEye recently detected a malicious Microsoft Office RTF document that leveraged CVE-2017-8759, a SOAP WSDL parser code injection vulnerability.", "spans": {"ORGANIZATION: FireEye": [[0, 7]], "VULNERABILITY: a SOAP WSDL parser code injection vulnerability.": [[98, 146]]}, "info": {"id": "cyner2_test_000101", "source": "cyner2_test"}} +{"text": 
"] com http : //www.i4vip [ .", "spans": {}, "info": {"id": "cyner2_test_000102", "source": "cyner2_test"}} +{"text": "The malware, using stolen credentials, spreads throughout the targeted networks and then at a set date and time wipes the disks attached to the victim computers.", "spans": {"MALWARE: malware,": [[4, 12]], "ORGANIZATION: targeted networks": [[62, 79]], "SYSTEM: victim computers.": [[144, 161]]}, "info": {"id": "cyner2_test_000103", "source": "cyner2_test"}} +{"text": "] com/gate_cb8a5aea1ab302f0_c online 185.158.248 [ .", "spans": {}, "info": {"id": "cyner2_test_000104", "source": "cyner2_test"}} +{"text": "BankBot is also capable of hijacking and intercepting SMS messages, which means that it can bypass SMS-based 2-factor authentication.", "spans": {"MALWARE: BankBot": [[0, 7]]}, "info": {"id": "cyner2_test_000105", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32.FamVT.ExpiroPC.PE Trojan.Posevol Win32.Trojan.WisdomEyes.16070401.9500.9865 Trojan.Win32.Yakes.vphp Trojan.Win32.Yakes.exokki Trojan.Win32.Z.Yakes.146962 Troj.W32.Yakes!c BackDoor.Andromeda.614 BehavesLike.Win32.Worm.ch Trojan.Yakes.ywi TR/RedCap.okrph Trojan/Win32.Yakes Trojan:Win32/Posevol.A Trojan.Win32.Yakes.vphp Trojan.Yakes Backdoor.Bot Trj/RnkBend.A Win32.Trojan.Yakes.Aiij", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000106", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan-Dropper.Win32.Flystud!O Worm.Nuj.IM6 Worm.AutoRun.Win32.2 Win32/Nuj.ACN TROJ_DROPR.CU Win32.Trojan-Downloader.Bulilit.A Trojan.Win32.FlyStudio.dswuoo W32.Troj.Downloader!c ApplicUnsaf.Win32.HackTool.FlySky.AC Trojan-Downloader:W32/VB.BUE TROJ_DROPR.CU Worm:Win32/Nuj.A Worm:Win32/Nuj.A Trojan.FlyStudio W32/DROPR.CU!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000107", "source": "cyner2_test"}} +{"text": "In July 2015, Eduardo Prado released a Proof of Concept PoC exploit for this vulnerability here.", "spans": 
{"ORGANIZATION: Eduardo Prado": [[14, 27]], "MALWARE: Proof of Concept PoC exploit": [[39, 67]], "VULNERABILITY: vulnerability": [[77, 90]]}, "info": {"id": "cyner2_test_000108", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Worm.Silly Trojan.Krypt.24 WORM_PALEVO.SMJJ Win32.Trojan.WisdomEyes.16070401.9500.9555 WORM_PALEVO.SMJJ Win.Trojan.Ag-1 P2P-Worm.Win32.Palevo.jub MalCrypt.Indus! Trojan.Packed.20312 BehavesLike.Win32.Downloader.cc P2P-Worm.Win32.Palevo Worm/Palevo.jub Worm:Win32/Silly_P2P.G BScope.P2P-Worm.Palevo Trj/Rimecud.a", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000109", "source": "cyner2_test"}} +{"text": "Examples of the overlays available to the malware Above , you can see examples of the injections that distributed to the malware as part of this specific campaign .", "spans": {}, "info": {"id": "cyner2_test_000112", "source": "cyner2_test"}} +{"text": "The official “ Golden Cup ” Facebook page .", "spans": {"MALWARE: Golden Cup": [[15, 25]], "SYSTEM: Facebook": [[28, 36]]}, "info": {"id": "cyner2_test_000114", "source": "cyner2_test"}} +{"text": "One particularly persistent adware attack piqued our interest around March.", "spans": {"MALWARE: adware": [[28, 34]]}, "info": {"id": "cyner2_test_000115", "source": "cyner2_test"}} +{"text": "To spread their malware, the attackers behind Joao have misused massively-multiplayer online role-playing games MMORPGs originally published by Aeria Games.", "spans": {"MALWARE: malware,": [[16, 24]], "THREAT_ACTOR: the attackers": [[25, 38]], "SYSTEM: massively-multiplayer online role-playing games MMORPGs": [[64, 119]], "SYSTEM: Aeria Games.": [[144, 156]]}, "info": {"id": "cyner2_test_000116", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan-Downloader.Win32.Smokedown!O TrojanDownloader.Smokedown Trojan/CoinMiner.ap Win32.Trojan.WisdomEyes.16070401.9500.9997 W32/Droppedmalwaresdld.HZUA-6171 PUA.Bitcoinminer TSPY_DOWNLOADER_BL132D10.TOMC 
Trojan-Downloader.Win32.Smokedown.d Trojan.Win32.CoinMiner.bbxdtj Trojan.Win32.A.Downloader.16896.AAJ Troj.Downloader.W32!c Trojan.DownLoader7.18034 TSPY_DOWNLOADER_BL132D10.TOMC Trojan.Win32.Malex TrojanDropper.Dorifel.bxh Trojan[Downloader]/Win32.Smokedown Trojan-Downloader.Win32.Smokedown.d Dropper/Win32.Dorifel.R42031 TrojanDownloader.Smokedown Trojan.BCMiner Win32/CoinMiner.AP Win32.Trojan-downloader.Smokedown.Ebhi Win32/Trojan.Downloader.53e", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000117", "source": "cyner2_test"}} +{"text": "Distribution Cybercriminals made use of some exceptionally sophisticated methods to infect mobile devices .", "spans": {}, "info": {"id": "cyner2_test_000118", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Win32.Palevo.ekgxpo Trojan.Win32.Z.Palevo.1703416 HackTool.W32.Sniffer.WpePro.lqH9 Worm.Win32.Dropper.RA Trojan.DownLoader24.60205 Worm[P2P]/Win32.Palevo Trojan:Win32/Fushield.A!bit Worm.Palevo Trojan.Win32.Fushield W32/Phrasing!tr.bdr Win32/Trojan.Downloader.c8c", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000119", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32.stunexa4.Worm Win32.Worm.Stuxnet.B Win32.Worm.Stuxnet.B Worm.Win32.Stuxnet!O Worm.Stuxnet.Win32.6 Trojan.Win32.Stuxnet.bnpqz W32/MalwareF.GXSH Stuxnet.A Win32/Stuxnet.K TROJ_STUXNET.DX Trojan.Stuxnet-28 Worm.Win32.Stuxnet.ab Win32.Worm.Stuxnet.B Worm.Stuxnet!uh9RYlBH8TQ Worm.Win32.A.Stuxnet.297984[h] Win32.Worm.Stuxnet.Syif Win32.Worm.Stuxnet.B Worm.Win32.Stuxnet.A Win32.Worm.Stuxnet.B Trojan.Stuxnet.1 TROJ_STUXNET.DX W32/Risk.CWCG-6512 Worm/Stuxnet.j Worm/Stuxnet.A.6 Worm/Win32.Stuxnet Worm.Stuxnet.a.kcloud Trojan:Win32/Stuxnet.A Win32.Worm.Stuxnet.B Worm/Win32.Stuxnet Win32.Worm.Stuxnet.B Win32/Stuxnet.C PE:Worm.Win32.Stuxnet.c!1075333313 Win32.Stuxnet W32/STUXNET.AB!worm Win32/Worm.5cd", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000120", 
"source": "cyner2_test"}} +{"text": "A backdoor also known as: Downloader.Regonid.28370 Trojan/Dropper.Mudrop.jlg TROJ_DROPPR.SMR Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Risk.GRBI-0276 TROJ_DROPPR.SMR Trojan.Win32.Mudrop.bunnk Troj.Dropper.W32.Mudrop.l63L Trojan.MulDrop1.39552 BehavesLike.Win32.Ransomware.dc Trojan-Dropper.Win32.Mudrop W32/MalwareS.BGPK TrojanDropper.Mudrop.ben W32.Trojan.Dropper Trojan[Dropper]/Win32.Mudrop Trojan.Razy.DA954 TrojanDownloader:Win32/Regonid.B Dropper/Win32.Mudrop.R9955 TrojanDropper.Mudrop Trojan.DR.Mudrop!u4bkYKypm+g Win32/Trojan.79e", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000121", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Exploit.Iis.Thcunreal.01.A Trojan-Exploit/W32.Thcunreal.28672.B Trojan.Exploit.Iis.Thcunreal.01.A Exploit.W32.Thcunreal.a!c Trojan/Exploit.Thcunreal.a W32/Risk.INJJ-3275 Hacktool.NT.Exploit TROJ_IIS.A Exploit.Win32.Thcunreal.a Trojan.Exploit.Iis.Thcunreal.01.A Exploit.Win32.Thcunreal.goxw Trojan.Exploit.Iis.Thcunreal.01.A TrojWare.Win32.Exploit.IIS.01.A Trojan.Exploit.Iis.Thcunreal.01.A Exploit.IIS TROJ_IIS.A Exploit-IIS.Thcun Exploit.IIS.Thcunreal.01.a TR/Expl.IIS.Thcunreal.01.A W32/IIS.A!exploit Trojan[Exploit]/Win32.Thcunreal Trojan.Exploit.Iis.Thcunreal.01.A Exploit.Win32.Thcunreal.a Exploit:Win32/IISThcunreal.A Exploit-IIS.Thcun Exploit.Thcunreal Win32/Exploit.IIS.Thcunreal.01.A Win32.Exploit.Thcunreal.Lpuu Exploit.Thcunreal!kKvFaxcSUi0 Trojan.Win32.Exploit Trojan.Exploit.Iis.Thcunreal.01.A Win32/Trojan.2ff", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000122", "source": "cyner2_test"}} +{"text": "In addition to stealing data, Ursnif also has the ability to download additional malicious components from the attacker's Command Control C C servers and load them dynamically into memory.", "spans": {"MALWARE: Ursnif": [[30, 36]], "MALWARE: malicious components": [[81, 101]], "THREAT_ACTOR: attacker's": [[111, 121]], 
"VULNERABILITY: memory.": [[181, 188]]}, "info": {"id": "cyner2_test_000123", "source": "cyner2_test"}} +{"text": "A China-based cyber threat group, which FireEye tracks as an uncategorized advanced persistent threat APT group and other researchers refer to as admin@338, may have conduced the activity. The email messages contained malicious documents with a malware payload called LOWBALL.", "spans": {"THREAT_ACTOR: China-based cyber threat group,": [[2, 33]], "ORGANIZATION: FireEye": [[40, 47]], "THREAT_ACTOR: advanced persistent threat APT group": [[75, 111]], "ORGANIZATION: researchers": [[122, 133]], "THREAT_ACTOR: admin@338,": [[146, 156]], "MALWARE: malware payload": [[245, 260]], "MALWARE: LOWBALL.": [[268, 276]]}, "info": {"id": "cyner2_test_000124", "source": "cyner2_test"}} +{"text": ") Let ’ s take a more detailed look at how this banking Trojan works .", "spans": {}, "info": {"id": "cyner2_test_000125", "source": "cyner2_test"}} +{"text": "This allows the “ boot ” module to execute the payloads when the infected application is started .", "spans": {}, "info": {"id": "cyner2_test_000126", "source": "cyner2_test"}} +{"text": "Check Point has worked closely with Google and at the time of publishing , no malicious apps remain on the Play Store .", "spans": {"ORGANIZATION: Check Point": [[0, 11]], "ORGANIZATION: Google": [[36, 42]], "SYSTEM: Play Store": [[107, 117]]}, "info": {"id": "cyner2_test_000127", "source": "cyner2_test"}} +{"text": "Svpeng In mid-July , we detected Trojan-SMS.AndroidOS.Svpeng.a which , unlike its SMS Trojan counterparts , is focused on stealing money from the victiim ’ s bank account rather than from his mobile phone .", "spans": {"MALWARE: Svpeng": [[0, 6]], "MALWARE: Trojan-SMS.AndroidOS.Svpeng.a": [[33, 62]]}, "info": {"id": "cyner2_test_000128", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan/Delf.tjj Trojan.Zusy.D2E47A Win32.Trojan.WisdomEyes.16070401.9500.9990 Infostealer.Limitail HT_XIHET_GA310B61.UVPM 
Trojan.Win32.Delf.egkxur Trojan.DownLoader22.50210 Trojan.Delf.Win32.76470 HT_XIHET_GA310B61.UVPM Trojan.Reconyc Trojan-Banker.Win32.Banbra Win32/Trojan.db6", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000129", "source": "cyner2_test"}} +{"text": "The titles and contents of these files suggest that the actor targeted individuals affiliated with these government agencies and the Fatah political party .", "spans": {"ORGANIZATION: Fatah": [[133, 138]]}, "info": {"id": "cyner2_test_000130", "source": "cyner2_test"}} +{"text": "At the beginning of August, a new version of this Trojan—Linux.DDoS.89—was discovered.", "spans": {}, "info": {"id": "cyner2_test_000131", "source": "cyner2_test"}} +{"text": "A backdoor also known as: HW32.Packed.6E07 Win32.Trojan.WisdomEyes.16070401.9500.9975 MalCrypt.Indus! BehavesLike.Win32.Trojan.tc PUA.NoobyProtect Win32.Riskware.NoobyProtect.B", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000132", "source": "cyner2_test"}} +{"text": "While this malware shares some commonalities with that family, it departs from the standard operating procedure of the previous versions rather dramatically.", "spans": {"MALWARE: malware": [[11, 18]]}, "info": {"id": "cyner2_test_000133", "source": "cyner2_test"}} +{"text": "However , it also targets applications from Romania , Ireland , India , Austria , Switzerland , Australia , Poland and the USA .", "spans": {}, "info": {"id": "cyner2_test_000134", "source": "cyner2_test"}} +{"text": "] com hxxp : //nttdocomo-qaq [ .", "spans": {}, "info": {"id": "cyner2_test_000135", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Backdoor.Win32.NetSpy.20!O Backdoor.Netspy Win32.Trojan.WisdomEyes.16070401.9500.9942 W32/Trojan.WJAE-6009 Backdoor.Trojan Backdoor.Win32.NetSpy.20.j Trojan.Win32.Netspy.eroujl Backdoor.W32.Netspy!c BackDoor.Netspy.20 Backdoor.NetSpy.Win32.85 BehavesLike.Win32.VirRansom.dc Backdoor/NetSpy.30 BDS/Netspy.iatae 
Trojan[Backdoor]/Win32.NetSpy Backdoor:Win32/Netspy.20.I Backdoor.Win32.NetSpy.20.j Backdoor.NetSpy Trj/CI.A Win32/NetSpy.20.I Win32.Backdoor.Netspy.Glu Backdoor.NetSpy!l8M8eeD/P+c Backdoor.Win32.Netspy W32/NetSpy.J!tr Win32/Backdoor.Spy.1ac", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000136", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan-Exploit/W32.THAUS.73216 Exploit.Win32.THAUS!O Trojan.Mauvaise.SL1 Trojan/Exploit.THAUS.a W32/MalwareS.BJQW Win.Tool.KiTrap-1 Exploit.Win32.THAUS.a Exploit.Win32.Vdm.ihuhu Trojan.Win32.EX-THAUS.73216 Win32.Exploit.Thaus.Hupd Exploit.Win32.Thaus.~asd Exploit.Vdm.2 Exploit.THAUS.Win32.17 Exploit.Win32.THAUS Exploit.THAUS.l W32.Hack.Tool Trojan[Exploit]/Win32.THAUS Win32.EXPLOIT.VDM.xj.73216 HackTool:Win32/Kitrap.A Exploit.W32.THAUS.a!c Exploit.Win32.THAUS.a Exploit.THAUS Exploit.THAUS Exploit.THAUS!2nbzKjrayCc W32/ThausLoader.A!tr Trj/CI.A Win32/Trojan.Exploit.f21", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000137", "source": "cyner2_test"}} +{"text": "] 87:28844 61 [ .", "spans": {}, "info": {"id": "cyner2_test_000138", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Android.Trojan.Lightdd.b HEUR:Trojan-Downloader.AndroidOS.DorDrae.a HEUR:Trojan-Downloader.AndroidOS.DorDrae.a Trojan.AndroidOS.DorDrae Android/DrdLight.A!tr.dldr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000139", "source": "cyner2_test"}} +{"text": "It is possible that this botnet is sold as a pay-per-infection botnet in the underground markets.", "spans": {"MALWARE: botnet": [[25, 31]], "MALWARE: pay-per-infection botnet": [[45, 69]], "THREAT_ACTOR: underground markets.": [[77, 97]]}, "info": {"id": "cyner2_test_000140", "source": "cyner2_test"}} +{"text": "The same websites have hosted different RuMMS samples at different dates .", "spans": {"MALWARE: RuMMS": [[40, 45]]}, "info": {"id": "cyner2_test_000141", "source": "cyner2_test"}} 
+{"text": "The threat is likely targeting employees of various Palestinian government agencies , security services , Palestinian students , and those affiliated with the Fatah political party .", "spans": {"ORGANIZATION: Fatah": [[159, 164]]}, "info": {"id": "cyner2_test_000143", "source": "cyner2_test"}} +{"text": "Months Device Remained Infected India 15,230,123 2,017,873,249 2.6 1.7 2.1 Bangladesh 2,539,913 208,026,886 2.4 1.5 2.2 Pakistan 1,686,216 94,296,907 2.4 1.6 2 Indonesia 572,025 67,685,983 2 1.5 2.2 Nepal 469,274 44,961,341 2.4 1.6 2.4 US 302,852 19,327,093 1.7 1.4 1.8 Nigeria 287,167 21,278,498 2.4 1.3 2.3 Hungary 282,826 7,856,064 1.7 1.3 1.7 Saudi Arabia 245,698 18,616,259 2.3 1.6 1.9 Myanmar 234,338 9,729,572 1.5 1.4 1.9 “ Agent Smith ” Timeline Early signs of activity from the actor behind “ Agent Smith ” can be traced back to January 2016 .", "spans": {"MALWARE: Agent Smith": [[431, 442]]}, "info": {"id": "cyner2_test_000144", "source": "cyner2_test"}} +{"text": "Upon kill chain completion , “ Agent Smith ” will then hijack compromised user apps to show ads .", "spans": {"MALWARE: Agent Smith": [[31, 42]]}, "info": {"id": "cyner2_test_000145", "source": "cyner2_test"}} +{"text": "Depending if the victim has any of the targeted applications , the anti-virus installed or geographic location , the malware can harvest credentials from the targeted applications , exfiltrate all personal information or simply use the victim 's device to send SMS to spread the trojan The malware deploys overlaying webviews to trick the user and eventually steal their login credentials .", "spans": {}, "info": {"id": "cyner2_test_000146", "source": "cyner2_test"}} +{"text": "Recently, we found several new versions of Carbon, a second stage backdoor in the Turla group arsenal.", "spans": {"MALWARE: Carbon,": [[43, 50]], "MALWARE: backdoor": [[66, 74]], "THREAT_ACTOR: the Turla group arsenal.": [[78, 102]]}, "info": {"id": "cyner2_test_000147", "source": "cyner2_test"}} 
+{"text": "During the course of our research , we noticed that we were not the only ones to have found the operation .", "spans": {}, "info": {"id": "cyner2_test_000148", "source": "cyner2_test"}} +{"text": "But the malicious ip file does not contain any methods from the original ip file .", "spans": {}, "info": {"id": "cyner2_test_000149", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32.OnGameEEWAL.Trojan Backdoor/W32.Cakl.23552.B Backdoor.Win32.Cakl!O Backdoor.Cakl Trojan/FakeAV.ryd W32/Backdoor.NXW Backdoor.Trojan Win32/Cakl.F BKDR_TURKO.SME Win.Trojan.Cakl-3 Backdoor.Win32.Cakl.g Trojan.Win32.Cakl.eajvqz Backdoor.Win32.Cakl.23552.B BackDoor.Dosia BKDR_TURKO.SME Backdoor.Win32.Cakl W32/Backdoor.DFVB-2135 Backdoor/Cakl.h BDS/Cakl.D.51 Trojan[Backdoor]/Win32.Cakl Win32.Hack.Cakl.d.kcloud Trojan.Graftor.DCFE9 Backdoor.Win32.Cakl.g Backdoor:Win32/Cakl.D Trojan/Win32.Cakl.C187190 Backdoor.Cakl Trj/Cakl.J Win32/Cakl.D Backdoor.Cakl.G W32/Cakl.NAQ!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000151", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32.ComreropExpLnr.Trojan Trojan/W32.Small.49261 Trojan.Win32.VBKrypt!O Trojan.Comrerop.AZ3 Downloader.VB.Win32.27622 Win32.Trojan.WisdomEyes.16070401.9500.9997 Win32/VBInject.DUQ Trojan.Win32.VBKrypt.enmu Trojan.Win32.A.VBKrypt.24576.CK BehavesLike.Win32.BadFile.pz Trojan/VBKrypt.hcih Trojan/Win32.VBKrypt Win32.Troj.VBKrypt.kcloud TrojanDownloader:Win32/CoinMiner.D Trojan.Win32.VBKrypt.enmu Trojan/Win32.VBKrypt.R120570 Win32/TrojanDownloader.VB.PHU Trojan.Bumat!jKE3yygrvxI Trojan.Injector", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000152", "source": "cyner2_test"}} +{"text": "If the user wants to check which app is responsible for the ad being displayed , by hitting the “ Recent apps ” button , another trick is used : the app displays a Facebook or Google icon , as seen in Figure 6 .", "spans": {"ORGANIZATION: Facebook": [[164, 
172]], "ORGANIZATION: Google": [[176, 182]]}, "info": {"id": "cyner2_test_000153", "source": "cyner2_test"}} +{"text": "In the image below , we can see a packet that was sent to the attacker ’ s C & C containing collected information along with stolen SMS data .", "spans": {}, "info": {"id": "cyner2_test_000154", "source": "cyner2_test"}} +{"text": "It spreads under the name AvitoPay.apk ( or similar ) and downloads from websites with names like youla9d6h.tk , prodam8n9.tk , prodamfkz.ml , avitoe0ys.tk , etc .", "spans": {}, "info": {"id": "cyner2_test_000156", "source": "cyner2_test"}} +{"text": "A backdoor also known as: HW32.Packed.B3E2 W32/AllocUp.b W32.AllocUp.A WORM_ALLOCU.A Net-Worm.Win32.AllocUp.c Trojan.Win32.AllocUp.fkxb Worm.Win32.Net-AllocUp.32326[h] Worm.Win32.Robobot._0 Win32.HLLW.Allocup Backdoor.Robobot.Win32.1 WORM_ALLOCU.A BehavesLike.Win32.Dropper.nc Worm/AllocUp.b Worm[Net]/Win32.AllocUp W32.W.AllocUp.c!c Win32/Allocup.worm.32326.N Worm:Win32/Dalloc.A W32/AllocUp.A.worm Backdoor.Win32.Robobot.P Exploit.CVE-2009-3129 Worm.Win32.AllocUp.c", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000157", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32.FamVT.AdojNHc.Trojan VirTool.CeeInject.DU4 Trojan/Downloader.Small.bzru SScope.Backdoor.Simbot Win32.Trojan.Inject.bm Win.Trojan.Rubinurd-67 Troj.Downloader.W32.Small.lk0q Trojan.DownLoad2.36100 BehavesLike.Win32.Downloader.mc W32.Trojan.Downloader.Small Trojan/Win32.Injector.qis Backdoor/Win32.CSon.R885 Backdoor.Simbot Trojan.Injector.QIS", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000158", "source": "cyner2_test"}} +{"text": "TL ; DR Google Play Protect detected and removed 1.7k unique Bread apps from the Play Store before ever being downloaded by users Bread apps originally performed SMS fraud , but have largely abandoned this for WAP billing following the introduction of new Play policies restricting use of the SEND_SMS permission and 
increased coverage by Google Play Protect More information on stats and relative impact is available in the Android Security 2018 Year in Review report BILLING FRAUD Bread apps typically fall into two categories : SMS fraud ( older versions ) and toll fraud ( newer versions ) .", "spans": {"SYSTEM: Google Play Protect": [[8, 27], [339, 358]], "MALWARE: Bread": [[61, 66], [130, 135], [483, 488]], "SYSTEM: Play Store": [[81, 91]], "SYSTEM: Play": [[256, 260]], "SYSTEM: Android": [[425, 432]]}, "info": {"id": "cyner2_test_000159", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Dropped:Win32.Maddis.A Trojan-Proxy/W32.TexLock.105984 Troj.Proxy.W32.TexLock.b!c Trojan/Proxy.TexLock.b Dropped:Win32.Maddis.A Trojan.PR.TexLock!wwwu4M21S4c W32/Maddis.A W32.Maddis.B Win32/TrojanProxy.TexLock.B WORM_MADDIS.B Trojan.Proxy.Texlock.B Trojan-Proxy.Win32.TexLock.b Trojan.Win32.TexLock.gtjh Trojan.Win32.Proxy.105984[h] Virus.Win32.Heur.l Dropped:Win32.Maddis.A TrojWare.Win32.TrojanProxy.TexLock.B Dropped:Win32.Maddis.A Trojan.Texlok Trojan.TexLock.Win32.3 WORM_MADDIS.A BehavesLike.Win32.Backdoor.cc W32/Maddis.DDAN-1036 TrojanProxy.TexLock.a WORM/Maddis.B Trojan[Proxy]/Win32.TexLock Win32.Maddis.A Win-Trojan/TexLock.105984 TrojanProxy:Win32/Texlock.B Win32/Maddis.B Dropped:Win32.Maddis.A TrojanProxy.TexLock Trojan.Win32.TexLock.b Trojan-Dropper.Win32.Prate Dropped:Win32.Maddis.A Proxy.3.BS W32/Maddis.A.worm", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000160", "source": "cyner2_test"}} +{"text": "Doctor Web security researchers examined a new dangerous Trojan for routers running Linux.", "spans": {"ORGANIZATION: Doctor Web security": [[0, 19]], "MALWARE: Trojan": [[57, 63]], "SYSTEM: routers": [[68, 75]], "SYSTEM: Linux.": [[84, 90]]}, "info": {"id": "cyner2_test_000161", "source": "cyner2_test"}} +{"text": "FireEye shared the details of the vulnerability with Microsoft and has been coordinating public disclosure timed with the release of a 
patch by Microsoft to address the vulnerability, which can be found here.", "spans": {"ORGANIZATION: FireEye": [[0, 7]], "VULNERABILITY: vulnerability": [[34, 47]], "ORGANIZATION: Microsoft": [[53, 62], [144, 153]], "VULNERABILITY: address the vulnerability,": [[157, 183]]}, "info": {"id": "cyner2_test_000162", "source": "cyner2_test"}} +{"text": "The Trojan is a script that contains a compressed and encrypted application designed to mine cryptocurrency.", "spans": {"MALWARE: Trojan": [[4, 10]]}, "info": {"id": "cyner2_test_000163", "source": "cyner2_test"}} +{"text": "Affected industries include manufacturing, device fabrication, education, logistics, and pyrotechnics.", "spans": {"ORGANIZATION: industries": [[9, 19]], "ORGANIZATION: manufacturing, device fabrication, education, logistics,": [[28, 84]], "ORGANIZATION: pyrotechnics.": [[89, 102]]}, "info": {"id": "cyner2_test_000164", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Exploit.Getad Trojan-Exploit/W32.Getad.40960 Trojan.Exploit.Getad Trojan/Exploit.GetAdmin.a Trojan.Exploit.Getad Win.Tool.Getad-1 Trojan.Exploit.Getad Exploit.Win32.Getad Trojan.Exploit.Getad Exploit.Win32.Getad.gpai Trojan.Win32.Getad_Exploit.40960 Exploit.W32.Getad!c Trojan.Exploit.Getad TrojWare.Win32.Exploit.GetAd Trojan.Exploit.Getad Exploit.Getad Exploit.Getad.Win32.7 Exploit.Getad TR/Expl.Getad Trojan[Exploit]/Win32.Getad Exploit.Win32.Getad Exploit.Getad Win32/Exploit.GetAd Exploit.Win32.Getad", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000165", "source": "cyner2_test"}} +{"text": "Active since at least 2014, this actor has long-standing interest in maritime industries, naval defense contractors, and associated research institutions in the United States and Western Europe.", "spans": {"MALWARE: at": [[13, 15]], "THREAT_ACTOR: actor": [[33, 38]], "ORGANIZATION: maritime industries, naval defense contractors,": [[69, 116]], "ORGANIZATION: associated research institutions": [[121, 
153]]}, "info": {"id": "cyner2_test_000167", "source": "cyner2_test"}} +{"text": "The various stealth and resilience techniques implemented in the adware show us that the culprit was aware of the malicious nature of the added functionality and attempted to keep it hidden .", "spans": {}, "info": {"id": "cyner2_test_000168", "source": "cyner2_test"}} +{"text": "While analyzing the code , we found that the whole system consists of four critical components , as follows : penetration solutions , ways to get inside the device , either via SMS/email or a legitimate app low-level native code , advanced exploits and spy tools beyond Android ’ s security framework high-level Java agent – the app ’ s malicious APK command-and-control ( C & C ) servers , used to remotely send/receive malicious commands Attackers use two methods to get targets to download RCSAndroid .", "spans": {"SYSTEM: Android": [[270, 277]], "MALWARE: RCSAndroid": [[493, 503]]}, "info": {"id": "cyner2_test_000169", "source": "cyner2_test"}} +{"text": "Unit42 recently discovered 22 Android apps that belong to a new Trojan family we're calling Xbot", "spans": {"ORGANIZATION: Unit42": [[0, 6]], "SYSTEM: 22 Android apps": [[27, 42]], "MALWARE: Trojan family": [[64, 77]], "MALWARE: Xbot": [[92, 96]]}, "info": {"id": "cyner2_test_000170", "source": "cyner2_test"}} +{"text": "Like previous Turla activity, WhiteBear leverages compromised websites and hijacked satellite connections for command and control C2 infrastructure.", "spans": {"THREAT_ACTOR: Turla": [[14, 19]], "THREAT_ACTOR: WhiteBear": [[30, 39]], "ORGANIZATION: command and control C2": [[110, 132]], "SYSTEM: infrastructure.": [[133, 148]]}, "info": {"id": "cyner2_test_000171", "source": "cyner2_test"}} +{"text": "Amongst the evidence gathered during the MONSOON investigation were a number of indicators which make it highly probable1 that this adversary and the OPERATION HANGOVER adversary are one and the same.", "spans": {"ORGANIZATION: MONSOON": [[41, 
48]], "THREAT_ACTOR: adversary": [[132, 141]], "THREAT_ACTOR: the OPERATION HANGOVER adversary": [[146, 178]]}, "info": {"id": "cyner2_test_000172", "source": "cyner2_test"}} +{"text": "This business unit and the eSurv software and brand was sold from Connexxa S.R.L .", "spans": {"ORGANIZATION: eSurv": [[27, 32]], "ORGANIZATION: Connexxa S.R.L .": [[66, 82]]}, "info": {"id": "cyner2_test_000173", "source": "cyner2_test"}} +{"text": "The team has encountered different versions of the malware over time as it has rapidly evolved .", "spans": {}, "info": {"id": "cyner2_test_000174", "source": "cyner2_test"}} +{"text": "Cerber ransomware has acquired the reputation of being one of the most rapidly evolving ransomware families to date.", "spans": {"MALWARE: Cerber ransomware": [[0, 17]], "MALWARE: ransomware families": [[88, 107]]}, "info": {"id": "cyner2_test_000175", "source": "cyner2_test"}} +{"text": "] jp/佐川急便.apk hxxp : //mailsa-qae [ .", "spans": {}, "info": {"id": "cyner2_test_000176", "source": "cyner2_test"}} +{"text": "It is also being classified as a variant of Bublik but the former is much more descriptive of the malware.", "spans": {"MALWARE: variant of Bublik": [[33, 50]], "MALWARE: malware.": [[98, 106]]}, "info": {"id": "cyner2_test_000177", "source": "cyner2_test"}} +{"text": "It can also be sold on the dark web and used in various spoofing attacks .", "spans": {}, "info": {"id": "cyner2_test_000178", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Backdoor.Win32.Vinself!O Backdoor.Vinself.r4 Backdoor/Vinself.a Backdoor.Vinself Trojan.Win32.Vinself.cpadj Backdoor.Win32.A.Vinself.57344[h] Virus.Win32.Part.e PE:Trojan.PSW.Win32.GameOL.szn!1440726[F1] BackDoor.Comet.435 Trojan[Backdoor]/Win32.Vinself Trojan:Win32/Sipoo.A Win32.Backdoor.Vinself.Pdmk Backdoor.Win32.Vinself W32/Vinself.A!tr.bdr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000179", "source": "cyner2_test"}} +{"text": "A backdoor also known as: 
W32.FakeW7Folder.Fam.Trojan Trojan-Dropper.Win32.Dapato!O TrojanDropper.Dapato W32.SillyFDC Win32/Tnega.ASPW WORM_FLASHBOT.SM Win.Trojan.Dapato-2218 Trojan-Dropper.Win32.Dapato.bfjn Trojan.Win32.Flashbot.dfurol Trojan.DownLoader7.37820 WORM_FLASHBOT.SM Trojan-Dropper.Win32.Dapato TrojanDropper.Dapato.lov WORM/Pimybot.JA.1 Trojan[Dropper]/Win32.Dapato Worm:Win32/Pimybot.A Trojan.Graftor.D2114C Trojan-Dropper.Win32.Dapato.bfjn HEUR/Fakon.mwf TrojanDropper.Dapato Trojan.Dapato Win32/Flashbot.A Trojan.Win32.Dapato.b Trojan.DR.Dapato!1GbmTavCgco", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000180", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Swifi SWF/Exploit.ExKit.AZC Exploit.Swf.FLASH.ektvib SWF.S.Exploit.25602 SWF.Exploit.29 BehavesLike.Flash.XSS.mb SWF/Trojan.DRZE-8 Exploit:SWF/Rigved.A Exploit.SWF.Downloader Exploit.FLASH.Pubenush", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000182", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Win32.HLLW.Quin.A Worm.Quin Trojan/Quin.a WORM_QUIN.A W32/Risk.SNXM-0851 W32.Quin.Irc WORM_QUIN.A Win.Worm.Quin-3 Win32.HLLW.Quin.A IRC-Worm.Win32.Quin.a Win32.HLLW.Quin.A Trojan.Win32.Quin.ennw Win32.HLLW.Quin.A Win32.HLLW.Quin.A Win32.HLLW.Sytro.14 Worm.Quin.Win32.6 Worm/Quin.d WORM/Quin.A Worm[IRC]/Win32.Quin Win32.HLLW.Quin.A W32.W.Quin.a!c IRC-Worm.Win32.Quin.a Win32/Quin.worm.306176 Win32.HLLW.Quin.A IRCWorm.Quin Win32/HLLW.Quin Win32.Worm-irc.Quin.Dztv I-Worm.Quin.A Worm.Win32.Hllw W32/Quin.A!worm.irc Win32/Worm.7f5", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000183", "source": "cyner2_test"}} +{"text": "Once a user downloads a malicious app , it silently registers receivers which establish a connection with the C & C server .", "spans": {}, "info": {"id": "cyner2_test_000184", "source": "cyner2_test"}} +{"text": "WAKE_LOCK - prevent the processor from sleeping and dimming the screen .", "spans": {}, "info": 
{"id": "cyner2_test_000185", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Backdoor.Win32.IRCBot!O Trojan.Zenshirsh.SL7 Backdoor.Aimbot Trojan/IRCBot.nbq W32/Trojan.DYXS-4795 Backdoor.IRC.Bot BKDR_IRCBOT_EK160034.UVPM Backdoor.Win32.IRCBot.udu Trojan.Win32.IRCBot.hebhd Backdoor.Win32.A.IRCBot.218566[UPX] Trojan.Click2.16673 BKDR_IRCBOT_EK160034.UVPM BehavesLike.Win32.BadFile.nc W32/Trojan2.LZPX Trojan[Backdoor]/Win32.IRCBot Backdoor:Win32/Aimbot.D Backdoor.Win32.IRCBot.udu Worm/Win32.IRCBot.R36004 Backdoor.Aimbot Backdoor.IRCBot Backdoor.IRCBot Win32/IRCBot.NBQ Backdoor.IRCbot!FWk6roe7FwA Backdoor.Win32.IRCBot", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000186", "source": "cyner2_test"}} +{"text": "Additionally , the improvements we made to our protections have been enabled for all users of our security services .", "spans": {}, "info": {"id": "cyner2_test_000187", "source": "cyner2_test"}} +{"text": "Since TrickMo ’ s HTTP traffic with its C & C server is not encrypted , it can easily be tampered with .", "spans": {}, "info": {"id": "cyner2_test_000188", "source": "cyner2_test"}} +{"text": "A backdoor also known as: AdWare/Win32.BHO Adware/BHO.aim Adware.BHO.OGI Backdoor.Sdbot not-a-virus:AdWare.Win32.BHO.eos Trojan.Click.23982 DR/BHO.eos.2 Trojan.Dropper.BHO.eos.2 AdWare.Win32.BHO.eos Trojan.Win32.AvKiller.gd Virus.Win32.QQHelper.GR", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000189", "source": "cyner2_test"}} +{"text": "The primary infection vector is the exploit of the vulnerability CVE-2014-6332 which drops the binary file hosted on an HTTPd File Server HFS", "spans": {"MALWARE: exploit": [[36, 43]], "VULNERABILITY: vulnerability": [[51, 64]]}, "info": {"id": "cyner2_test_000190", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Exploit.Aluigi Exploit.Aluigi.gx Exploit.Win32.Aluigi W32/Aluigi.NR!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": 
"cyner2_test_000191", "source": "cyner2_test"}} +{"text": "The Rocket Kitten group and its attacks have been analyzed on numerous occasions by several vendors and security professionals, resulting in various reports describing the group's method of operation, tools and techniques.", "spans": {"THREAT_ACTOR: Rocket Kitten group": [[4, 23]], "ORGANIZATION: vendors": [[92, 99]], "ORGANIZATION: security professionals,": [[104, 127]], "THREAT_ACTOR: group's method": [[172, 186]]}, "info": {"id": "cyner2_test_000192", "source": "cyner2_test"}} +{"text": "In a different period of the “ Agent Smith ” campaign , droppers and core modules used various combinations of the “ a * * * d ” and “ i * * * e ” domains for malicious operations such as prey list query , patch request and ads request .", "spans": {"MALWARE: Agent Smith": [[31, 42]]}, "info": {"id": "cyner2_test_000193", "source": "cyner2_test"}} +{"text": "Each threat group quickly took advantage of a zero-day vulnerability CVE-2015-5119, which was leaked in the disclosure of Hacking Team's internal data.", "spans": {"THREAT_ACTOR: threat group": [[5, 17]], "VULNERABILITY: zero-day vulnerability": [[46, 68]], "ORGANIZATION: Hacking Team's": [[122, 136]]}, "info": {"id": "cyner2_test_000194", "source": "cyner2_test"}} +{"text": "An in-depth understanding of the “ Agent Smith ’ s campaign C & C infrastructure enabled us to reach the conclusion that the owner of “ i * * * e.com ” , “ h * * * g.com ” is the group of hackers behind “ Agent Smith ” .", "spans": {"MALWARE: Agent Smith": [[35, 46], [205, 216]]}, "info": {"id": "cyner2_test_000195", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9992", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000196", "source": "cyner2_test"}} +{"text": "Sample configuration file of the Trojan Through AccessibilityService , the malware monitors AccessibilityEvent events .", "spans": {}, "info": {"id": 
"cyner2_test_000197", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Yakes.8851 Trojan.Win32.OnLineGames.iiggm BehavesLike.Win32.Pate.wz Trojan/PSW.OnLineGames.cawa Win32.Troj.JunkUndefT.hh.24576 Trojan:Win32/Kredbegg.A Trojan/Win32.HDC.C94404 Trojan-PWS.Win32.OnLineGames W32/Onlinegames.AJIUO!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000198", "source": "cyner2_test"}} +{"text": "Mobile Malware Evolution : 2013 24 FEB 2014 The mobile malware sector is growing rapidly both technologically and structurally .", "spans": {}, "info": {"id": "cyner2_test_000199", "source": "cyner2_test"}} +{"text": "Base85 encoding is usually used on pdf and postscript documentsThe configuration of the malware is stored in custom preferences files , using the same obfuscation scheme .", "spans": {}, "info": {"id": "cyner2_test_000200", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Backdoor.Mosucker.30.C Backdoor.Win32.MoSucker.30!O Trojan.VBCrypt.MF.206 Backdoor.Mosucker.30.C Backdoor.MoSucker.Win32.142 Trojan/MoSucker.30.c Backdoor.Mosucker.30.C Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Mosucker.D Backdoor.Mosuck Win32/Mosuck.M BKDR_MOSUCK.C Win.Trojan.Mosucker-238 Backdoor.Mosucker.30.C Backdoor.Win32.MoSucker.40.c Backdoor.Mosucker.30.C Trojan.Win32.MoSucker.jojq Backdoor.Win32.Z.Mosucker.1762479 Backdoor.W32.Mosucker!c Backdoor.Mosucker.30.C Backdoor.Win32.MoSucker.30.C Backdoor.Mosucker.30.C BKDR_MOSUCK.C BehavesLike.Win32.Trojan.tz Backdoor.Win32.MoSucker W32/Mosucker.VQJB-6831 BDS/Mosucker.30.C Trojan[Backdoor]/Win32.MoSucker Backdoor:Win32/Mosucker.C Backdoor.Win32.MoSucker.40.c Trojan/Win32.HDC.C139642 Backdoor.MoSucker Bck/Mosuck.AA Win32/MoSucker.30.C Win32.Backdoor.Mosucker.Ljjv Backdoor.MoSucker!Dghh1yW8jJU W32/MoSucker.B!tr.bdr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000201", "source": "cyner2_test"}} +{"text": "Below we outline initial findings. 
URL hosting the Scanbox exploit kit A worm from 2012 that continues to spread Hosting for a keylogger", "spans": {"MALWARE: the Scanbox exploit kit": [[47, 70]], "MALWARE: worm": [[73, 77]]}, "info": {"id": "cyner2_test_000202", "source": "cyner2_test"}} +{"text": "This new version used Salsa20 for symmetric encryption, but the ECC algorithm was replaced with Curve25519.", "spans": {"SYSTEM: Salsa20": [[22, 29]], "SYSTEM: the ECC algorithm": [[60, 77]], "SYSTEM: Curve25519.": [[96, 107]]}, "info": {"id": "cyner2_test_000203", "source": "cyner2_test"}} +{"text": "We watched WolfRAT evolve through various iterations which shows that the actor wanted to ensure functional improvements — perhaps they had deadlines to meet for their customers , but with no thought given to removing old code blocks , classes , etc .", "spans": {"MALWARE: WolfRAT": [[11, 18]]}, "info": {"id": "cyner2_test_000204", "source": "cyner2_test"}} +{"text": "It has the added benefit of installing a nearly unlimited number of fraudulent apps without overloading the infected device .", "spans": {}, "info": {"id": "cyner2_test_000205", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9998 Trojan.Neloweg!dr BehavesLike.Win32.Downloader.lh TR/Drop.Elms.A Win32.Troj.Undef.kcloud Trojan:Win32/Reder.A Trojan.Kazy.D729C BScope.Trojan-Spy.Zbot", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000206", "source": "cyner2_test"}} +{"text": "Initial reports of attacks were highlighted by Telefonica in Spain but the malware quickly spread to networks in the UK where the National Health Service NHS was impacted, followed by many other networks across the world.", "spans": {"ORGANIZATION: Telefonica": [[47, 57]], "MALWARE: malware": [[75, 82]], "SYSTEM: networks": [[101, 109]], "ORGANIZATION: the National Health Service NHS": [[126, 157]], "ORGANIZATION: networks": [[195, 203]]}, "info": {"id": "cyner2_test_000207", "source": 
"cyner2_test"}} +{"text": "The loader has a very simple purpose , extract and run the “ core ” module of “ Agent Smith ” .", "spans": {"MALWARE: Agent Smith": [[80, 91]]}, "info": {"id": "cyner2_test_000208", "source": "cyner2_test"}} +{"text": "Every Pony domain appears to belong to the same group, the infrastructure is mainly in Russia and Ukraine.", "spans": {"MALWARE: Pony": [[6, 10]], "THREAT_ACTOR: the same": [[39, 47]], "SYSTEM: infrastructure": [[59, 73]]}, "info": {"id": "cyner2_test_000209", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Spy.Middadle.A Adware/Midadle.b W32/Adware.ABP Adware.WinFetch W32/Midadle.B Win32/Maddle.C TROJ_MIDADDLE.A not-a-virus:AdWare.Win32.Midadle.b Trojan.Spy.Middadle.A Application.Win32.Adware.MidADdle Trojan.Spy.Middadle.A Adware.Midaddle SPR/Midadle.B.1 TROJ_MIDADDLE.A Riskware.AdWare.Win32.Midadle!IK TrojanDownloader:Win32/Midaddle.B Trojan.Spy.Middadle.A Win-Trojan/Downloader.200817 Adware.Win32.Midadle Win32/Adware.MidADdle not-a-virus:AdWare.Win32.Midadle W32/Midaddle.A!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000210", "source": "cyner2_test"}} +{"text": "The following is a screenshot from IDA with comments showing the strings and JNI functions .", "spans": {}, "info": {"id": "cyner2_test_000211", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32.KryptikTQP.Trojan Backdoor/W32.Akdoor.4096 Trojan.Dynamer.S12223 Troj.Downloader.Win64.TinyLoader.tnJD Trojan/Tiny.d BKDR64_TINY.SM0 Win32.Trojan.WisdomEyes.16070401.9500.9996 BKDR64_TINY.SM0 Trojan-Downloader.Win64.TinyLoader.b Trojan.Tiny.Win64.6 BehavesLike.Win64.FDoSBEnergy.xz Trojan.Win64.Tiny TrojanDownloader.TinyLoader.a TR/Downloader.bcmjo Trojan:Win64/Anobato.A Trojan-Downloader.Win64.TinyLoader.b Win64.Trojan-downloader.Tinyloader.Pgcx Win32/Trojan.7be", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000212", "source": "cyner2_test"}} +{"text": "A backdoor also known 
as: W32.TestabdTM.Trojan TSPY_WOWSTIL.SMI Win32.Trojan.WisdomEyes.16070401.9500.9982 W32/Trojan2.HOGB Infostealer.Gampass Win32/Wowpa.LD TSPY_WOWSTIL.SMI Win.Trojan.WOW-161 Trojan.Win32.Gamania.deyveu TrojWare.Win32.GameThief.WOW.d09 Trojan.PWS.Wow.origin BehavesLike.Win32.Downloader.kt Trojan-GameThief.Win32.WOW W32/Trojan.XZGJ-5202 Trojan.Heur.E01F7E TrojanDropper:Win32/Wowsteal.AO Trojan/Win32.WowHack.R36813 TScope.Malware-Cryptor.SB W32/OnLineGames.NKL!tr.pws Win32/Trojan.8e2", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000213", "source": "cyner2_test"}} +{"text": "How Judy operates : To bypass Bouncer , Google Play ’ s protection , the hackers create a seemingly benign bridgehead app , meant to establish connection to the victim ’ s device , and insert it into the app store .", "spans": {"MALWARE: Judy": [[4, 8]], "SYSTEM: Bouncer": [[30, 37]], "SYSTEM: Google Play": [[40, 51]]}, "info": {"id": "cyner2_test_000214", "source": "cyner2_test"}} +{"text": "This malicious program spreads via SMS spam and from compromised legitimate sites that redirect mobile users to a malicious resource .", "spans": {}, "info": {"id": "cyner2_test_000215", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Virus.Win32.OtwycalP.1!O Win32.Trojan.WisdomEyes.16070401.9500.9999 Backdoor.Trojan Win.Trojan.Karsh-1 Backdoor.Win32.Shark.v Trojan[Backdoor]/Win32.Shark Backdoor:Win32/Vharke.K Backdoor.Win32.Shark.v Backdoor.Win32.VB", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000216", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Backdoor.NetThief Trojan.Win32.Z.Strictor.708608.AH W32/Trojan.GYUP-2462 BDS/NetThief.A.9 Trojan.Strictor.D184A Backdoor/Win32.NetThief.C1031988 Backdoor.NetThief! 
Backdoor.Win32.NetThief Win32/Backdoor.e2d", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000217", "source": "cyner2_test"}} +{"text": "We detail how the attackers continuously adapt their campaigns to their targets, shifting tactics from document-based malware to conventional phishing that draws on inside knowledge of community activities.", "spans": {"THREAT_ACTOR: attackers": [[18, 27]], "THREAT_ACTOR: campaigns": [[53, 62]], "MALWARE: document-based malware": [[103, 125]], "ORGANIZATION: community activities.": [[185, 206]]}, "info": {"id": "cyner2_test_000218", "source": "cyner2_test"}} +{"text": "This app , dubbed “ TrickMo ” by our team , is designed to bypass second factor and strong authentication pushed to bank customers when they need to authorize a transaction .", "spans": {"MALWARE: TrickMo": [[20, 27]]}, "info": {"id": "cyner2_test_000219", "source": "cyner2_test"}} +{"text": "Whereas most modern untargeted malware is ultimately profit-oriented, STRONTIUM mainly seeks sensitive information.", "spans": {"MALWARE: malware": [[31, 38]], "THREAT_ACTOR: STRONTIUM": [[70, 79]]}, "info": {"id": "cyner2_test_000220", "source": "cyner2_test"}} +{"text": "Active users of mobile banking apps should be aware of a new Android banking malware campaign targeting customers of large banks in the United States, Germany, France, Australia, Turkey, Poland, and Austria.", "spans": {"SYSTEM: mobile banking apps": [[16, 35]], "SYSTEM: Android": [[61, 68]], "THREAT_ACTOR: banking malware campaign": [[69, 93]], "ORGANIZATION: customers": [[104, 113]], "ORGANIZATION: large banks": [[117, 128]]}, "info": {"id": "cyner2_test_000221", "source": "cyner2_test"}} +{"text": "After the server returns the solution , the app enters it into the appropriate text field to complete the CAPTCHA challenge .", "spans": {}, "info": {"id": "cyner2_test_000222", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32/Downloader.AFP SecurityRisk.Downldr 
W32/INService.BF Win32/Inservice.M TROJ_INSERVC.C Trojan-Downloader.Win32.INService.bm TrojWare.Win32.TrojanDownloader.INService.BL Trojan.DownLoader.2568 TR/Dldr.INServic.BL TROJ_INSERVC.C Heuristic.LooksLike.Win32.INSer.I Trojan-Downloader.Win32.INService!IK TrojanDownloader.INService.n TrojanDownloader:Win32/Small.AAV Win-Trojan/Inservice.15360.Q W32/Downloader.AFP Trojan-Downloader.Win32.INService.dd Win32/TrojanDownloader.INService.BL Trojan.Win32.Nodef.jqe Trojan-Downloader.Win32.INService W32/Dowins.BL!tr Downloader.Small.25.AT Adware/IST.ISTBar", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000223", "source": "cyner2_test"}} +{"text": "Proofpoint threat researchers recently analyzed Ovidiy Stealer, a previously undocumented credential stealer which appears to be marketed primarily in the Russian-speaking regions.", "spans": {"ORGANIZATION: Proofpoint threat researchers": [[0, 29]], "MALWARE: Ovidiy Stealer,": [[48, 63]], "MALWARE: credential stealer": [[90, 108]]}, "info": {"id": "cyner2_test_000224", "source": "cyner2_test"}} +{"text": "The scourge of ransomware attacks that has plagued Windows endpoints over the past half decade or so has, thankfully, not been replicated on Mac devices.", "spans": {"SYSTEM: Windows endpoints": [[51, 68]], "SYSTEM: Mac devices.": [[141, 153]]}, "info": {"id": "cyner2_test_000225", "source": "cyner2_test"}} +{"text": "Trend Micro™ Mobile Security for Enterprise provides device , compliance and application management , data protection , and configuration provisioning , as well as protects devices from attacks that exploit vulnerabilities , preventing unauthorized access to apps , and detecting and blocking malware and fraudulent websites .", "spans": {"ORGANIZATION: Trend Micro™": [[0, 12]], "SYSTEM: Mobile Security for Enterprise": [[13, 43]]}, "info": {"id": "cyner2_test_000226", "source": "cyner2_test"}} +{"text": "Broadcast Receiver Figure 4 : MyReceiver broadcast receiver .", "spans": {}, 
"info": {"id": "cyner2_test_000227", "source": "cyner2_test"}} +{"text": "Key information consists of an MD5 hash of the device 's Android ID , the device manufacturer , and the device model with each separated by an underscore .", "spans": {"SYSTEM: Android": [[57, 64]]}, "info": {"id": "cyner2_test_000228", "source": "cyner2_test"}} +{"text": "A search for this certificate fingerprint on the Internet scanning service Censys returns 8 additional servers : IP address 34.208.71.9 34.212.92.0 34.216.43.114 52.34.144.229 54.69.156.31 54.71.249.137 54.189.5.198 78.5.0.195 207.180.245.74 Opening the Command & Control web page in a browser presents a Basic Authentication prompt : Closing this prompt causes the server to send a \" 401 Unauthorized Response '' with an \" Access Denied '' message in Italian .", "spans": {}, "info": {"id": "cyner2_test_000229", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 TROJ_MEDFOS.SMI TROJ_MEDFOS.SMI Medfos.b Trojan:Win32/Caponett.A Trojan.Symmi.D91E Trojan/Win32.Midhos.R26177 Medfos.b Trojan.Win32.Medfos.a Virus.Win32.Cryptor W32/Midhos.FH!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000230", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojandownloader.Sryin Downloader.Pengdoloder TROJ_DLOAD.TEYIQ TROJ_DLOAD.TEYIQ TR/Dldr.Sryin.A TrojanDownloader:Win32/Sryin.A W32/DwnLdr.KNL!tr Win32/Trojan.bdf", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000231", "source": "cyner2_test"}} +{"text": "Today, we look at a Magecart skimmer that uses Hunter, a PHP Javascript obfuscator.", "spans": {"MALWARE: Magecart skimmer": [[20, 36]], "MALWARE: Hunter, a PHP Javascript obfuscator.": [[47, 83]]}, "info": {"id": "cyner2_test_000232", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Backdoor.Hostil.A8 Trojan/Cosmu.appd Trojan.Zusy.Elzob.D307A Win32.Trojan.WisdomEyes.16070401.9500.9912 Backdoor.Trojan 
TROJ_INJECT_FI0802CD.UVPM Win.Trojan.Cosmu-441 Trojan.Win32.Drop.ctcxhm Trojan.Win32.Z.Cosmu.283652.A TrojWare.Win32.Delf.OAY Trojan.MulDrop7.61818 Trojan.Cosmu.Win32.7107 BehavesLike.Win32.Backdoor.dh Virus.Win32.Delf.DTW Trojan/Win32.Cosmu Win32.Troj.DeepScan.a.kcloud Trojan/Win32.Inject.R186111 Trojan.Inject Win32/Backdoor.1c6", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000233", "source": "cyner2_test"}} +{"text": "To achieve this , “ Agent Smith ” utilizes a series of 1-day vulnerabilities , which allows any application to run an activity inside a system application , even if this activity is not exported .", "spans": {"MALWARE: Agent Smith": [[20, 31]], "VULNERABILITY: 1-day vulnerabilities": [[55, 76]]}, "info": {"id": "cyner2_test_000234", "source": "cyner2_test"}} +{"text": "After that so many Zeus-like webinjects around, this was kind of refreshing.", "spans": {}, "info": {"id": "cyner2_test_000235", "source": "cyner2_test"}} +{"text": "To get around this , the app then uses its root privilege to inject code into the Setup Wizard , extract the CAPTCHA image , and sends it to a remote server to try to solve the CAPTCHA .", "spans": {}, "info": {"id": "cyner2_test_000237", "source": "cyner2_test"}} +{"text": "However, the story is interesting not only because of the large amount of money stolen but also from a technical point of view.", "spans": {}, "info": {"id": "cyner2_test_000238", "source": "cyner2_test"}} +{"text": "At the cost of possibly being overly verbose , following is the output of an nmap scan of the infected Android device from a laptop in the same local network , which further demonstrantes the availability of the same open TCP ports that we have mentioned thus far : Identification of eSurv Presence of Italian language At a first look , the first samples of the spyware we obtained did not show immediately evident connections to any company .", "spans": {"ORGANIZATION: eSurv": [[284, 289]]}, "info": {"id": 
"cyner2_test_000239", "source": "cyner2_test"}} +{"text": "It is meant for effective operation in tandem with its worm32Dll module.", "spans": {"MALWARE: worm32Dll module.": [[55, 72]]}, "info": {"id": "cyner2_test_000241", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Backdoor.Win32.Ruskill!O Trojan.Win32.VB.bxbv W32.W.Otwycal.l4av TrojWare.Win32.Injector.SRR Trojan.Win32.VB.bxbv TrojanProxy:Win32/Banker.GI Win32/RiskWare.PEMalform.E Win32.Trojan.Vb.Szuz PUA.RiskWare.PEMalform W32/VBInjector.W!tr Win32/Trojan.003", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000242", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32/Trojan2.PWKM Infostealer.Lokibot!g6 TSPY_FAREIT.SMBD1 Trojan.Symmi.D92E2 Trojan.Win32.NaKocTb.ersosm Trojan.PWS.Stealer.17779 Trojan.Fareit.Win32.22139 TSPY_FAREIT.SMBD1 W32/Trojan.RCEK-1109 Exploit.BypassUAC.oh", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000243", "source": "cyner2_test"}} +{"text": "This attack is from the same attack group as Cyber Attack 1.", "spans": {"THREAT_ACTOR: attack group": [[29, 41]]}, "info": {"id": "cyner2_test_000244", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32.VariantZusyAO.Trojan Backdoor.Blubot.A3 Win32.Trojan.WisdomEyes.16070401.9500.9996 W32/Trojan.HRPE-6100 DDoS.Trojan BKDR_BLUBOT.SM TrojWare.MSIL.Blubot.AA Trojan.DownLoader11.38015 W32/Trojan2.OSSR Trojan/Win32.Badur Backdoor:Win32/Blubot.A Trojan.Zusy.D18DD3 MSIL.Trojan-DDoS.Blubot.A Backdoor.Bot Trojan-Dropper.Win32.Dapato Trj/Zbot.M", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000245", "source": "cyner2_test"}} +{"text": "Most point-of-sale PoS threats follow a common process: dump, scrape, store, exfiltrate.", "spans": {"MALWARE: point-of-sale PoS threats": [[5, 30]]}, "info": {"id": "cyner2_test_000246", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9996 
Trojan.Win32.Comet.exldji BackDoor.Comet.134 Trojan.MSIL.Injector TR/Dropper.MSIL.wnzdd Ransom:Win32/Nemreq.A Trj/GdSda.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000248", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9821 Trojan.ADH TROJ_SPNR.30HR13 Backdoor.Win32.Redaptor.ckn Hoax.W32.ArchSMS.ltFg BackDoor.Termuser.196 TROJ_SPNR.30HR13 Backdoor.Win32.Redaptor W32.Malware.Heur Trojan[Backdoor]/Win32.Redaptor Trojan.Symmi.D4D83 Backdoor.Win32.Redaptor.ckn Trojan.SB.01742 Trojan.Kryptik!Yusoob9I30Y Win32/Trojan.97e", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000249", "source": "cyner2_test"}} +{"text": "We are calling the malicious loader StegBaus based on its use of custom steganography and a PDB string, which was found in an embedded DLL.", "spans": {"MALWARE: malicious loader StegBaus": [[19, 44]]}, "info": {"id": "cyner2_test_000250", "source": "cyner2_test"}} +{"text": "Malware developers use a variety of distribution methods in order to confuse users and evade certain AV solutions.", "spans": {"THREAT_ACTOR: Malware developers": [[0, 18]], "SYSTEM: AV solutions.": [[101, 114]]}, "info": {"id": "cyner2_test_000251", "source": "cyner2_test"}} +{"text": "Lollipop has 7 percent , Ice Cream Sandwich has 2 percent , and Marshmallow has 1 percent .", "spans": {"SYSTEM: Lollipop": [[0, 8]], "SYSTEM: Ice Cream Sandwich": [[25, 43]], "SYSTEM: Marshmallow": [[64, 75]]}, "info": {"id": "cyner2_test_000252", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Ransom.Satan Trojan/Injector.f Riskware.Win64.Packed2.exhubz Trojan.Win32.Z.Injector.69246.S Trojan.Packed2.39908 Trojan.Injector.Win64.7 Trojan.Ransom TR/AD.Satwancrypt.hlwrr Trojan.Mikey.D12267 Trojan/Win64.Crypted.C2101402 Trojan.Win64.Injector W64/Injector.F!tr Win32/Trojan.7be", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000254", "source": "cyner2_test"}} 
+{"text": "A backdoor also known as: Trojan.Script W32/Trojan.ALLN-6642 TROJ_FRS.0NA003L117 TROJ_FRS.0NA003L117 BehavesLike.Win32.Trojan.dh", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000255", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Win.Trojan.Ezoons-1 Trojan.Win32.Ezoons.fftg Joke.Errore.10 Trojan.Ezoons.Win32.1 Trojan.Ezoons", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000256", "source": "cyner2_test"}} +{"text": "The attacks targeted high-profile targets, including government and commercial organizations.", "spans": {"ORGANIZATION: high-profile targets,": [[21, 42]], "ORGANIZATION: government": [[53, 63]], "ORGANIZATION: commercial organizations.": [[68, 93]]}, "info": {"id": "cyner2_test_000257", "source": "cyner2_test"}} +{"text": "Device admin request from app that says it is WhatsApp The app then stays in the background listening to commands from the cybercrooks .", "spans": {}, "info": {"id": "cyner2_test_000258", "source": "cyner2_test"}} +{"text": "The Gaza cybergang's attacks have never slowed down and its typical targets include government entities/embassies, oil and gas, media/press, activists, politicians, and diplomats.", "spans": {"THREAT_ACTOR: The Gaza cybergang's": [[0, 20]], "ORGANIZATION: government entities/embassies, oil": [[84, 118]], "ORGANIZATION: gas, media/press, activists, politicians,": [[123, 164]], "ORGANIZATION: diplomats.": [[169, 179]]}, "info": {"id": "cyner2_test_000259", "source": "cyner2_test"}} +{"text": "These download second stages from encrypted zips, likely from a compromised website.", "spans": {}, "info": {"id": "cyner2_test_000260", "source": "cyner2_test"}} +{"text": "According to the configuration pattern , these actions are registered to certain events : Sync configuration data , upgrade modules , and download new payload ( This uses transport protocol ZProtocol encrypted by AES/CBC/PKCS5Padding algorithm to communicate with the C & C 
server .", "spans": {}, "info": {"id": "cyner2_test_000261", "source": "cyner2_test"}} +{"text": "This backdoor has several aliases in the community; Sophos calls the embedded components Brebsd-A and several other reference the code as simply Rambo", "spans": {"MALWARE: backdoor": [[5, 13]], "ORGANIZATION: community;": [[41, 51]], "ORGANIZATION: Sophos": [[52, 58]], "MALWARE: Brebsd-A": [[89, 97]], "MALWARE: Rambo": [[145, 150]]}, "info": {"id": "cyner2_test_000262", "source": "cyner2_test"}} +{"text": "Allows an application to read SMS messages .", "spans": {}, "info": {"id": "cyner2_test_000263", "source": "cyner2_test"}} +{"text": "setFullScreenIntent ( ) – This API wires the notification to a GUI so that it pops up when the user taps on it .", "spans": {}, "info": {"id": "cyner2_test_000264", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan-Downloader.Win32.DlKroha!O TrojanDownloader.Axent Downloader-DA.dll Trojan/Downloader.DlKroha.r TROJ_MONKIF.SMX Win32.Trojan.WisdomEyes.16070401.9500.9892 TROJ_MONKIF.SMX Win.Downloader.83851-1 Trojan-Downloader.Win32.Calper.pgd Trojan.Win32.DlKroha.bsfym Trojan.Win32.A.Downloader.15360.RF TrojWare.Win32.TrojanDownloader.Small.~ZK Trojan.DownLoad.29330 Downloader.DlKroha.Win32.171 Downloader-DA.dll TrojanDownloader.DlKroha.f TR/Dldr.DlKroha.s Trojan[Downloader]/Win32.DlKroha Win32.TrojDownloader.DlKroha.s.kcloud Trojan.Heur.ED137B7 Troj.PSW32.W.Kykymber.lxga Trojan-Downloader.Win32.Calper.pgd TrojanDownloader:Win32/Axent.A Backdoor/Win32.PcClient.R1733 TrojanDownloader.DlKroha Win32/TrojanDownloader.Small.OLL Trojan-Downloader.Win32.DlKroha", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000266", "source": "cyner2_test"}} +{"text": "Please follow these basic precautions during the current crisis—and at all times : Install apps only from official stores , such as Google Play .", "spans": {"SYSTEM: Google Play": [[132, 143]]}, "info": {"id": "cyner2_test_000268", "source": 
"cyner2_test"}} +{"text": "It expects a json with url , class and method name .", "spans": {}, "info": {"id": "cyner2_test_000269", "source": "cyner2_test"}} +{"text": "Dell SecureWorks Counter Threat UnitTM CTU researchers analyzed multiple versions of a remote access trojan RAT named Sakula also known as Sakurel and VIPER.", "spans": {"ORGANIZATION: Dell SecureWorks Counter Threat UnitTM CTU researchers": [[0, 54]], "MALWARE: remote access trojan RAT": [[87, 111]], "MALWARE: Sakula": [[118, 124]], "MALWARE: Sakurel": [[139, 146]], "MALWARE: VIPER.": [[151, 157]]}, "info": {"id": "cyner2_test_000270", "source": "cyner2_test"}} +{"text": "Attackers are keenly aware of the information they can derive from these devices and are using multi-stage ( phishing + an executable ) , multi-platform ( Android + desktop ) attacks to accomplish their spying .", "spans": {"SYSTEM: Android": [[155, 162]]}, "info": {"id": "cyner2_test_000271", "source": "cyner2_test"}} +{"text": "A backdoor also known as: HW32.Packed.C0A3 Trojan.Yakes.A6 Trojan.Yakes.Win32.29829 Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Ransomlock!g83 Trojan.Win32.Yakes.dntgop Trojan.Win32.Z.Yakes.290820.D TrojWare.Win32.Ransom.Cryptor.A Trojan:W32/Dridex.D BackDoor.Reveton.444 BehavesLike.Win32.Trojan.dc Trojan.Win32.Crypt Trojan/Yakes.rfb TR/Kryptik.elposp Trojan/Win32.Yakes Trojan.Yakes Trojan.Yakes!Nbikm7ahQzA W32/Kryptik.CWPL!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000272", "source": "cyner2_test"}} +{"text": "The Emotet malware has returned for the second time in less than a year, and this time it is using new techniques to evade detection and evade security tools..", "spans": {"MALWARE: The Emotet malware": [[0, 18]], "MALWARE: tools..": [[152, 159]]}, "info": {"id": "cyner2_test_000273", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Virus/W32.Alman W32.Almanahe.A W32/Almanahe.b Win32/Alman.A W32/Alman.D W32.Almanahe.A!inf W32/Alman.A 
PE_ALMANAHE.A W32.Alman.cd Virus.Win32.Alman.a Win32.Almam.A Win32.Alman.A Virus.Win32.Alman.A Win32.Almam.A Win32.Alman.2 W32/Almanahe.A PE_ALMANAHE.A W32/Almanahe.b Win32/Almanahe.C W32/Alman.D Win32/Almana.a Virus:Win32/Almanahe.A Win32.Almam.A Virus.Win32.Alman.1 Malware.Almanahe Worm.Magistr.c Virus.Win32.Alman.a W32/Alman.DB W32/Almanahe.B", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000275", "source": "cyner2_test"}} +{"text": "In this blog, we will cover a recent Gamarue infection that we looked at, which downloads and installs the Lethic bot on an infected system.", "spans": {"MALWARE: Gamarue": [[37, 44]], "MALWARE: at,": [[70, 73]], "MALWARE: Lethic bot": [[107, 117]], "SYSTEM: infected system.": [[124, 140]]}, "info": {"id": "cyner2_test_000276", "source": "cyner2_test"}} +{"text": "The group uses an advanced piece of malware known as Remsec Backdoor.Remsec to conduct its attacks.", "spans": {"MALWARE: malware": [[36, 43]], "MALWARE: Remsec": [[53, 59]]}, "info": {"id": "cyner2_test_000277", "source": "cyner2_test"}} +{"text": "The entered data is forwarded to the cybercriminals .", "spans": {}, "info": {"id": "cyner2_test_000278", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32.BlackduA.Worm P2P-Worm.Win32.Picsys!O Worm.Picsys W32/Picsys.worm.c Worm.Picsys.Win32.1 W32/Picsys.c Win32.Worm.Picsys.a W32.HLLW.Yoof Win32/Picsys.C WORM_SPYBOT.PA Win.Worm.Picsys-3 Worm.Picsys P2P-Worm.Win32.Picsys.c Riskware.Win32.Sock4Proxy.csnqbg Worm.Win32.A.P2P-Picsys.71011[UPX] W32.W.Picsys.tp0s Worm.Win32.Picsys.C Win32.HLLW.Morpheus.3 BehavesLike.Win32.Dropper.kc P2P-Worm.Win32.Picsys W32/Picsys.PYSN-0191 Worm/Picsys.a Worm[P2P]/Win32.Picsys Worm:Win32/Picsys.C Worm/Win32.Picsys.R7826 Win32/Picsys.C Worm.Win32.Picsys.a Worm.Picsys!XMnMuiZSf1k Worm.Win32.Picsys.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000279", "source": "cyner2_test"}} +{"text": "Locky has been a devastating force for the 
last year in the spam and ransomware landscape.", "spans": {"MALWARE: Locky": [[0, 5]], "MALWARE: ransomware": [[69, 79]]}, "info": {"id": "cyner2_test_000280", "source": "cyner2_test"}} +{"text": "S21Sec have spotted a new banking trojan in the wild that uses JSON formatted webinjects.", "spans": {"ORGANIZATION: S21Sec": [[0, 6]], "MALWARE: banking trojan": [[26, 40]]}, "info": {"id": "cyner2_test_000281", "source": "cyner2_test"}} +{"text": "To activate this menu the operator needs to call the hardcoded number “ 9909 ” from the infected device : A hidden menu then instantly appears on the device display : The operator can use this interface to type any command for execution .", "spans": {}, "info": {"id": "cyner2_test_000282", "source": "cyner2_test"}} +{"text": "Dridex was most active between 2014 and 2015, and smaller campaigns were observed throughout 2016.", "spans": {"MALWARE: Dridex": [[0, 6]], "THREAT_ACTOR: smaller campaigns": [[50, 67]]}, "info": {"id": "cyner2_test_000283", "source": "cyner2_test"}} +{"text": "Communication with the C & C In order to communicate with its C & C , the app uses the MQTT ( Message Queuing Telemetry Transport ) protocol , which is transported over TCP port 1883 .", "spans": {}, "info": {"id": "cyner2_test_000284", "source": "cyner2_test"}} +{"text": "These threats can be deployed to a system by brute-forcing log in credentials on machines with weak passwords.", "spans": {"SYSTEM: machines": [[81, 89]]}, "info": {"id": "cyner2_test_000285", "source": "cyner2_test"}} +{"text": "YiSpecter is different from previously seen iOS malware in that it attacks both jailbroken and non-jailbroken iOS devices through unique and harmful malicious behaviors.", "spans": {"MALWARE: YiSpecter": [[0, 9]], "MALWARE: iOS malware": [[44, 55]]}, "info": {"id": "cyner2_test_000286", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Dropper Trojan.Win32.Invader.vpkho W32.W.Otwycal.l4av Backdoor.Win32.Kilya.A Trojan.Inject1.6183 
Heur:Trojan/PSW.OnLineGames Trojan:WinNT/Tandfuy.B BScope.Trojan-Dropper.Inject", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000287", "source": "cyner2_test"}} +{"text": "Dropped files appear to be kernel level key loggers", "spans": {"MALWARE: kernel level key loggers": [[27, 51]]}, "info": {"id": "cyner2_test_000288", "source": "cyner2_test"}} +{"text": "Trend Micro researchers detected a new SLocker variant that mimics the GUI of the WannaCry crypto-ransomware on the Android platform.", "spans": {"ORGANIZATION: Trend Micro researchers": [[0, 23]], "MALWARE: new SLocker variant": [[35, 54]], "MALWARE: WannaCry crypto-ransomware": [[82, 108]], "SYSTEM: the Android platform.": [[112, 133]]}, "info": {"id": "cyner2_test_000289", "source": "cyner2_test"}} +{"text": "In this age of global operations, that's a huge deal.", "spans": {}, "info": {"id": "cyner2_test_000290", "source": "cyner2_test"}} +{"text": "This is only a small picture of the threat actor 's operations .", "spans": {}, "info": {"id": "cyner2_test_000291", "source": "cyner2_test"}} +{"text": "Letting an attacker get access to this kind of data can have severe consequences .", "spans": {}, "info": {"id": "cyner2_test_000292", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32.CydoorO.Worm Trojan.Downloader.JLGQ Trojan/W32.Inject.20480.N Trojan.Win32.Inject!O TROJ_FAKEAV.JU Win32/FakeAlert.AEE TROJ_FAKEAV.JU Win.Trojan.Inject-1918 Trojan.Downloader.JLGQ Packed.Win32.Katusha.a Trojan.Downloader.JLGQ Troj.GameThief.W32.OnLineGames.ljfQ Trojan.Downloader.JLGQ TrojWare.Win32.Trojan.Inject.~INE Trojan.Downloader.JLGQ Trojan.DownLoader.50219 Downloader.FakeAlert.Win32.16570 BehavesLike.Win32.Dropper.mh Trojan[Packed]/Win32.Katusha Trojan.Downloader.JLGQ Packed.Win32.Katusha.a TrojanDownloader:Win32/Podcite.A Trojan/Win32.Downloader.R10196 Trojan.Downloader.JLGQ TScope.Malware-Cryptor.SB Win32.Packed.Katusha.Pepo Trojan.Zlob.LFD Trojan.Fakealert", "spans": {"MALWARE: 
backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000293", "source": "cyner2_test"}} +{"text": "Then it adds onTouchListener to this textView and is able to process every user tap .", "spans": {}, "info": {"id": "cyner2_test_000294", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32.Clodb0d.Trojan.9c3e TrojanDropper.Spacekito PUP.Optional.Vittalia PUP.ConvertAd/Variant Trojan.Razy.DFAEB TROJ_SP.81E42145 Multi.Threats.InArchive Trojan.ADH TROJ_SPACEKITO.SMA virus.win32.sality.at BehavesLike.Win32.Downloader.hc TrojanDropper:Win32/Spacekito.A Trojan.Msil W32/Malware_fam.NB Trj/CI.A Win32/Trojan.Downloader.78c", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000295", "source": "cyner2_test"}} +{"text": "Their campaigns employ the Daserf backdoor detected by Trend Micro as BKDR_DASERF, otherwise known as Muirim and Nioupale that has four main capabilities: execute shell commands, download and upload data, take screenshots, and log keystrokes.", "spans": {"THREAT_ACTOR: campaigns": [[6, 15]], "MALWARE: the Daserf backdoor": [[23, 42]], "ORGANIZATION: Trend Micro": [[55, 66]], "MALWARE: Muirim": [[102, 108]], "MALWARE: Nioupale": [[113, 121]]}, "info": {"id": "cyner2_test_000297", "source": "cyner2_test"}} +{"text": "A backdoor also known as: KeyLogger.Ardamax Riskware.Ardamax! 
WS.Reputation.1 Trojan.Win32.KeyLogger.djcsib Trojan.KeyLogger.24635 BehavesLike.Win32.Keylog.rc W32/Application.ARMZ-3982 Backdoor/Gbot.ptj BDS/Gbot.qxwmnb W32/Gbot.ACCR!tr.bdr Trojan[Backdoor]/Win32.Gbot Trojan.FAkeAlert.105 Trojan/Win32.Fakon Backdoor.Gbot PUA.Keylogger.Ardamax Ardamax.CFW Trojan.Win32.Ardamax.NBQ", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000298", "source": "cyner2_test"}} +{"text": "This vulnerability allows a malicious actor to download and execute a Visual Basic script containing PowerShell commands when a user opens a document containing an embedded exploit.", "spans": {"VULNERABILITY: vulnerability": [[5, 18]], "THREAT_ACTOR: malicious actor": [[28, 43]], "MALWARE: an embedded exploit.": [[161, 181]]}, "info": {"id": "cyner2_test_000299", "source": "cyner2_test"}} +{"text": "Apps with a custom-made advertisement SDK The simplest PHA from the author 's portfolio used a specially crafted advertisement SDK to create a proxy for all ads-related network traffic .", "spans": {}, "info": {"id": "cyner2_test_000300", "source": "cyner2_test"}} +{"text": "] fun , you-foto [ .", "spans": {}, "info": {"id": "cyner2_test_000301", "source": "cyner2_test"}} +{"text": "Allows an application to receive SMS messages .", "spans": {}, "info": {"id": "cyner2_test_000302", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.VB Trojan.Buzy.D6D2 Trojan-Downloader.Win32.Miscer.bwe Trojan.Win32.VB.euzpgu Trojan.Win32.Z.Buzy.71168 Troj.Clicker.W32.Vb!c BehavesLike.Win32.SoftPulse.kh W32.Malware.Downloader TrojanDownloader:Win32/Miscer.B Trojan-Downloader.Win32.Miscer.bwe Packed/Win32.Morphine.R14850 Win32.Trojan-downloader.Miscer.Crj W32/VB.C!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000303", "source": "cyner2_test"}} +{"text": "Zygote is the core process in the Android OS that is used as a template for every application , which means that once the Trojan gets into Zygote , it becomes 
a part of literally every app that is launched on the device .", "spans": {"SYSTEM: Zygote": [[0, 6], [139, 145]], "SYSTEM: Android": [[34, 41]]}, "info": {"id": "cyner2_test_000304", "source": "cyner2_test"}} +{"text": "Proofpoint researchers have observed and documented, for the first time, three distinct variants of the malware known as IcedID.", "spans": {"ORGANIZATION: Proofpoint researchers": [[0, 22]], "MALWARE: variants": [[88, 96]], "MALWARE: malware": [[104, 111]], "MALWARE: IcedID.": [[121, 128]]}, "info": {"id": "cyner2_test_000305", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32.CarigatG.Trojan Trojan-Downloader.Win32.Banload!O Trojan/Downloader.Banload.ihm Win32.Trojan.VB.gu W32/Downldr2.DEAQ W32.SillyFDC Win32/Lefgroo.A WORM_AUTORUN.SMG Win.Trojan.VB-1518 Trojan.Win32.Dwn.vttwn Trojan.Win32.Downloader.910336 TrojWare.Win32.Downloader.Banload.~AAD Trojan.DownLoad1.19749 Downloader.Banload.Win32.44018 WORM_AUTORUN.SMG W32/Downloader.ARMS-0839 TR/Banload.ihm Trojan[Downloader]/Win32.Banload Worm:Win32/Lefgroo.A HEUR/Fakon.mwf Worm.Brontok Trj/VB.AAY Trojan.Banload Win32/VB.NMS Trojan.Win32.FakeFolder.pa Trojan.DL.Banload!rYSm24e8R00", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000306", "source": "cyner2_test"}} +{"text": "The researchers believe that the devices somehow had the malware pre-loaded at the time of shipping from the manufacturer , or was likely distributed inside modified Android firmware .", "spans": {"SYSTEM: Android": [[166, 173]]}, "info": {"id": "cyner2_test_000307", "source": "cyner2_test"}} +{"text": "The success is largely the result of the malware 's ability to silently root a large percentage of the phones it infects by exploiting vulnerabilities that remain unfixed in older versions of Android .", "spans": {"VULNERABILITY: vulnerabilities that remain unfixed in older versions of Android": [[135, 199]]}, "info": {"id": "cyner2_test_000308", "source": "cyner2_test"}} +{"text": 
"However , in addition to the traditional functionality , there were also backdoor capabilities such as upload , download , delete files , camera takeover and record surrounding audio .", "spans": {}, "info": {"id": "cyner2_test_000309", "source": "cyner2_test"}} +{"text": "CyS-CERT specialists at Sai Ess Center have detected signs that a wave of targeted attacks on Ukrainian enterprises with the use of the Ursnif malware also known as GoZi on 14/03/2017 was discovered during the monitoring of network threats and information security. / ISFB.", "spans": {"ORGANIZATION: CyS-CERT specialists": [[0, 20]], "ORGANIZATION: Sai Ess Center": [[24, 38]], "ORGANIZATION: Ukrainian enterprises": [[94, 115]], "MALWARE: the": [[132, 135]], "MALWARE: Ursnif malware": [[136, 150]], "MALWARE: GoZi": [[165, 169]], "MALWARE: network threats": [[224, 239]], "ORGANIZATION: ISFB.": [[268, 273]]}, "info": {"id": "cyner2_test_000310", "source": "cyner2_test"}} +{"text": "A new LockBit ransomware campaign is targeting firms in Spanish-speaking areas.", "spans": {"THREAT_ACTOR: LockBit ransomware campaign": [[6, 33]], "ORGANIZATION: firms": [[47, 52]]}, "info": {"id": "cyner2_test_000311", "source": "cyner2_test"}} +{"text": "] com/api/ads/ which is used for obtaining a link to APK file .", "spans": {}, "info": {"id": "cyner2_test_000312", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Mooqkel Trojan.Win32.SelfDel.asbd Trojan.Win32.KillFiles.drxdvi Troj.W32.SelfDel.mA4R Win32.Trojan.Selfdel.Pgmr TrojWare.Win32.Selfdel.DRX Trojan.KillFiles.27538 Trojan.SelfDel.Win32.49747 BehavesLike.Win32.AdwareConvertAd.dc Trojan/Selfdel.atub TR/Taranis.4019 Trojan/Win32.SelfDel Trojan.Zusy.D262B0 Trojan.Win32.SelfDel.asbd Trojan:Win32/Mooqkel.A Trojan.SelfDel Trojan.Graftor!XKRphH87aYk", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000314", "source": "cyner2_test"}} +{"text": "The “ core ” module communicates with the C & C server , receiving the 
predetermined list of popular apps to scan the device for .", "spans": {}, "info": {"id": "cyner2_test_000315", "source": "cyner2_test"}} +{"text": "After we notified Google and published an article about these fake Dubsmash Trojans, we discovered other fake Dubsmash versions being uploaded again infected with the same porn clicker.", "spans": {"ORGANIZATION: Google": [[18, 24]], "MALWARE: Dubsmash Trojans,": [[67, 84]], "MALWARE: porn clicker.": [[172, 185]]}, "info": {"id": "cyner2_test_000316", "source": "cyner2_test"}} +{"text": "Of the 54 distinct C C servers, 12 of them were online and operational until F5 had them shut down in March, 10 were sink-holed, and 32 were already offline.", "spans": {"ORGANIZATION: F5": [[77, 79]]}, "info": {"id": "cyner2_test_000317", "source": "cyner2_test"}} +{"text": "The attackers spoofed the email ids associated with Indian Ministry of Home Affairs to send out email to the victims.", "spans": {"THREAT_ACTOR: attackers": [[4, 13]], "ORGANIZATION: Indian Ministry of Home Affairs": [[52, 83]]}, "info": {"id": "cyner2_test_000318", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Downloader.JJVD Trojan-Downloader.Win32.BHO!O Trojan.Downloader.JJVD Downloader.BHO.Win32.1833 Troj.Downloader.W32.BHO.l33b TROJ_DLOADER.LER Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Downloader.JGGW-3321 Infostealer.Gampass Win32/SillyDl.DVK TROJ_DLOADER.LER Trojan.Downloader.JJVD Trojan-Downloader.Win32.BHO.xfn Trojan.Downloader.JJVD Trojan.Win32.BHO.cbhkf Trojan.Win32.Downloader.38438 Trojan.Downloader.JJVD Trojan.DownLoader.49249 BehavesLike.Win32.Downloader.nc W32/Downldr2.IBZP TrojanDownloader.BHO.bn Trojan.Downloader.JJVD Trojan-Downloader.Win32.BHO.xfn TrojanClicker:Win32/Zirit.O Trojan/Win32.BHO.C67509 TrojanDownloader.BHO Trj/Downloader.SPH Win32/BHO.NCG Trojan.DL.BHO!younfCjFxPg Trojan-Downloader.Win32.BHO.ct", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000319", "source": "cyner2_test"}} 
+{"text": "A backdoor also known as: HW32.Packed.3704 Packer.Morphine.B Packer.Morphine.B Packer.Morphine.B Win32.Trojan.WisdomEyes.16070401.9500.9999 Backdoor.Trojan Win.Trojan.Packed-85 Packer.Morphine.B Trojan.Win32.Morphine.cwnmax Packer.Morphine.B TrojWare.Win32.PkdMorphine.~AN BackDoor.IRC.Sdbot.3653 BehavesLike.Win32.Trojan.pc Packed.Morphine.a TrojanProxy:Win32/Daemonize.K Packer.Morphine.B Email-Worm.Win32.Bagle.pp Packed/Morphine.B", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000320", "source": "cyner2_test"}} +{"text": "In October 2015, PaloAlto discovered a malicious payload file targeting Apple iOS devices.", "spans": {"ORGANIZATION: PaloAlto": [[17, 25]], "MALWARE: malicious payload": [[39, 56]], "SYSTEM: Apple iOS devices.": [[72, 90]]}, "info": {"id": "cyner2_test_000321", "source": "cyner2_test"}} +{"text": "Port 6211 : Calendar extraction service .", "spans": {"SYSTEM: Calendar": [[12, 20]]}, "info": {"id": "cyner2_test_000322", "source": "cyner2_test"}} +{"text": "Although this backdoor has been actively deployed since at least 2016, it has not been documented anywhere.", "spans": {"MALWARE: backdoor": [[14, 22]]}, "info": {"id": "cyner2_test_000323", "source": "cyner2_test"}} +{"text": "] com and ora.studiolegalebasili [ .", "spans": {}, "info": {"id": "cyner2_test_000324", "source": "cyner2_test"}} +{"text": "A thorough analysis of the infected system by our Incident Response and Malware Research teams quickly revealed that the server was indeed compromised.", "spans": {"ORGANIZATION: Incident Response and Malware Research teams": [[50, 94]]}, "info": {"id": "cyner2_test_000325", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Backdoor/W32.Liondoor.90112 Backdoor.Win32.Liondoor!O Backdoor.Liondoor Win32.Backdoor.Liondoor.c Backdoor.Trojan Backdoor.Win32.Liondoor.240 Trojan.Win32.Liondoor.eszzel Backdoor.Win32.A.Liondoor.385024 Backdoor.W32.Liondoor!c Trojan.Proxy.336 Backdoor.Liondoor.Win32.133 
W32/Trojan.LXWF-9335 Backdoor/Liondoor.af BDS/Liondoor.241 Trojan[Backdoor]/Win32.Liondoor Backdoor.Liondoor Backdoor.Win32.Liondoor.240 Backdoor/Win32.Hupigon.R16709 Backdoor.Liondoor Trj/CI.A Win32.Backdoor.Liondoor.Ajlp Trojan.Liondoor!FZGmJzoQPdI Backdoor.Win32.Liondoor W32/Liondoor.240!tr.bdr Win32/Backdoor.f9c", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000326", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32.FakeW7Folder.Fam.Trojan Trojan.Scar.AG Trojan/W32.Scar.139264.AR Trojan.Win32.Scar!O Trojan.Scar.AG Win32.Trojan.VB.ac Trojan.Scar WORM_OTORUN.SM0 Trojan.Win32.Scar.lpco Trojan.Scar.AG Trojan.Win32.Scar.crgjex Trojan.Win32.Scar.128768 TrojWare.Win32.WBNA.THR Trojan.Scar.AG Trojan.MulDrop3.10901 Trojan.VB.Win32.69922 WORM_OTORUN.SM0 BehavesLike.Win32.VBObfus.cz Trojan.Win32.Sulunch Worm/WBNA.hgwu Trojan/Win32.Scar Troj.W32.Scar.toQM Trojan.Win32.Scar.lpco HEUR/Fakon.mwf Trojan.Scar Trojan.Scar.AG Trojan.Scar.AG Win32/VB.OGG W32/VB.QHS!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000327", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Constructor.Macro.Moothie.B Constructor.Moothie Win32.Trojan.WisdomEyes.16070401.9500.9657 W32/Trojan.BEVX Constructor.Win32.Moothie.b Trojan.Constructor.Macro.Moothie.B Riskware.Win32.Moothie.hptn Constructor.Macro.Moothie.B Trojan.Constructor.Macro.Moothie.B VirusConstructor.Mvc Tool.Moothie.Win32.6 TROJ_MOOTHIE.B BehavesLike.Win32.Virus.jz W32/Trojan.SAMQ-1725 Constructor.Macro.Moothie.b KIT/Mac.Moothie.B W32/HMVC.A!tr HackTool[Constructor]/Win32.Moothie Trojan.Constructor.Macro.Moothie.B Constructor.W32.Moothie!c Constructor.Win32.Moothie.b Constructor:W97M/Moothie.B Trojan.Constructor.Macro.Moothie.B Trojan.Constructor.Macro.Moothie.B Win32.Trojan.Moothie.Lkmz Constructor.Moothie!khF/Jv27CA8 Trojan.Constructor.Macro.Moothie.B Constructor.Moothie Win32/Constructor.d3d", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": 
{"id": "cyner2_test_000328", "source": "cyner2_test"}} +{"text": "Device information : EventBot queries for device information like OS , model , etc , and also sends that to the C2 .", "spans": {"MALWARE: EventBot": [[21, 29]]}, "info": {"id": "cyner2_test_000329", "source": "cyner2_test"}} +{"text": "We previously published an overview of cyber activities and the threat landscape related to the conflict between Russia and Ukraine and continue to monitor new threats in these regions.", "spans": {"MALWARE: new threats": [[156, 167]]}, "info": {"id": "cyner2_test_000330", "source": "cyner2_test"}} +{"text": "They also left traces showing that their operations were active as recently as March, raising the possibility that the online spying continues today.", "spans": {}, "info": {"id": "cyner2_test_000331", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Symmi.DA390 Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Milicenso Trojan.Win32.Kryptik.diiygp Trojan.Win32.Z.Symmi.1347536 Trojan.DownLoader7.14920 BehavesLike.Win32.Dropper.tm TR/Drop.Vundo.AB.98 TrojanDropper:Win32/Vundo.AB Win32/Trojan.4ba", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000332", "source": "cyner2_test"}} +{"text": "Qbot, also known as Qakbot, is a network-aware worm with backdoor capabilities, primarily designed as a credential harvester.", "spans": {"MALWARE: Qbot,": [[0, 5]], "MALWARE: Qakbot,": [[20, 27]], "MALWARE: network-aware worm": [[33, 51]], "MALWARE: backdoor": [[57, 65]]}, "info": {"id": "cyner2_test_000333", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Dropper.SSX Trojan.Killav Trojan.Dropper Win.Trojan.Onlinegames-2466 Trojan.Dropper.SSX Trojan.Dropper.SSX Trojan.Win32.OnLineGames.csxlu BackDoor.Drat.131 BehavesLike.Win32.HLLPPhilis.gh Backdoor/Huigezi.eop Trojan.Dropper.SSX Trojan.Dropper.SSX Trojan.Dropper.SSX Trojan.Delf!DY4HT/zU/wg", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": 
"cyner2_test_000334", "source": "cyner2_test"}} +{"text": "Gooligan-infected apps can also be installed using phishing scams where attackers broadcast links to infected apps to unsuspecting users via SMS or other messaging services .", "spans": {"MALWARE: Gooligan-infected": [[0, 17]]}, "info": {"id": "cyner2_test_000335", "source": "cyner2_test"}} +{"text": "Initially some particular words from the decompiled classes.dex of Exodus Two sent us in the right direction .", "spans": {"MALWARE: Exodus": [[67, 73]]}, "info": {"id": "cyner2_test_000336", "source": "cyner2_test"}} +{"text": "Back in February 2014, ESET researchers wrote a blog post about an OpenSSH backdoor and credential stealer called Linux/Ebury.", "spans": {"ORGANIZATION: ESET researchers": [[23, 39]], "MALWARE: OpenSSH backdoor": [[67, 83]], "MALWARE: credential stealer": [[88, 106]], "MALWARE: Linux/Ebury.": [[114, 126]]}, "info": {"id": "cyner2_test_000337", "source": "cyner2_test"}} +{"text": "Since then, we have had time to digest and dissect the propagating malware and share our findings with you.", "spans": {}, "info": {"id": "cyner2_test_000338", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32/Trojan.FRWF-9180 BehavesLike.Win32.Ransom.mc Trojan-Downloader.BAT.Ftper TR/Dldr.Ftper.gfdbs Trojan/Win32.VB.gic Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000339", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32.FamVT.ExpiroPC.PE Win32.Trojan.WisdomEyes.16070401.9500.9998 TrojWare.Win32.VirRansom.A Trojan.DownLoad4.385 BehavesLike.Win32.RAHack.vc Trojan.Win32.Injector W32/Trojan.TYLA-7339 Trojan.Heur.GZ.EE99E1 Trj/CI.A Win32/Trojan.e6d", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000340", "source": "cyner2_test"}} +{"text": "The router rebooted every 15 to 20 minutes.", "spans": {"SYSTEM: The router": [[0, 10]]}, "info": {"id": "cyner2_test_000341", "source": "cyner2_test"}} +{"text": "A backdoor also 
known as: Trojan.Symmi.DB912 Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Trojan.OIII-5864 Backdoor.Trojan Trojan.DownLoader23.39450 BehavesLike.Win32.PWSZbot.lm TR/Downloader.udrmo Trojan/Win32.Unknown Malware-Cryptor.InstallCore.7", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000342", "source": "cyner2_test"}} +{"text": "Forcepoint Security Labs™ came across a malicious reconnaissance campaign that targets websites.", "spans": {"ORGANIZATION: Forcepoint Security Labs™": [[0, 25]], "THREAT_ACTOR: malicious reconnaissance campaign": [[40, 73]]}, "info": {"id": "cyner2_test_000343", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9998 TrojWare.Win32.TrojanDownloader.Onkods.Q DLOADER.Trojan Worm:Win32/Skypoot.A BScope.Trojan.IRCbot", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000344", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32.GamarueInjector.Trojan Worm/W32.WBNA.3906752 Trojan.Win32.VBKrypt!O Worm.Gamarue.S145097 Trojan.Injector.Win32.141998 Trojan/VBKrypt.nrap Trojan.Symmi.D13A6C Win32.Trojan.Inject.bh Downloader.Dromedan Win32/Gamarue.eBPZLT TSPY_VBKRYPT_BK08455D.TOMC Worm.Win32.WBNA.bsoy Trojan.Win32.VBKrypt.cmxrxa TrojWare.Win32.Injector.XFR BackDoor.Andromeda.22 TSPY_VBKRYPT_BK08455D.TOMC Trojan/VBKrypt.hdpu Trojan/Win32.VBKrypt Worm:Win32/Gamarue.I W32.W.WBNA.tnqm Worm.Win32.WBNA.bsoy Trojan/Win32.Injector.R37109 BScope.Trojan-Spy.Zbot Trojan.VBCrypt Trojan.Injector.XFR Worm.WBNA!5uxrHkVli7M Worm.Win32.Gamarue W32/VBKrypt.MBW!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000345", "source": "cyner2_test"}} +{"text": "The class “ org.starsizew.Ac ” is designed for this purpose ; its only task is to check if the main service is running , and restart the main service if the answer is no .", "spans": {}, "info": {"id": "cyner2_test_000346", "source": "cyner2_test"}} +{"text": "Following a month-long 
hiatus after a number of arrests, and despite a recent reported takedown, Dridex actors appear to have taken the recent disruptions as a challenge to bounce back better than ever.", "spans": {"THREAT_ACTOR: Dridex actors": [[97, 110]]}, "info": {"id": "cyner2_test_000347", "source": "cyner2_test"}} +{"text": "The C & C server then responds with a configuration file , containing the personal identification number for the device and some settings — the time interval between contacting the server , the list of modules to be installed and so on .", "spans": {}, "info": {"id": "cyner2_test_000348", "source": "cyner2_test"}} +{"text": "More importantly, its claim to fame is the ability to destroy data and to render infected systems unusable.", "spans": {}, "info": {"id": "cyner2_test_000349", "source": "cyner2_test"}} +{"text": "It calculates the MD5 hash of the lower-case process image name and terminates if one of the following conditions are met : The MD5 hash of the parent process image name is either D0C4DBFA1F3962AED583F6FCE666F8BC or 3CE30F5FED4C67053379518EACFCF879 The parent process ’ s full image path is equal to its own process path If these initial checks are passed , the loader builds a complete IAT by reading four imported libraries from disk ( ntdll.dll , kernel32.dll , advapi32.dll , and version.dll ) and remapping them in memory .", "spans": {}, "info": {"id": "cyner2_test_000350", "source": "cyner2_test"}} +{"text": "nis : The su application used to execute shell commands with root privileges .", "spans": {}, "info": {"id": "cyner2_test_000351", "source": "cyner2_test"}} +{"text": "Instead of attacking a user, it attacks the Wi-Fi network the user is connected to, or, to be precise, the wireless router that serves the network.", "spans": {"SYSTEM: wireless router": [[107, 122]], "SYSTEM: network.": [[139, 147]]}, "info": {"id": "cyner2_test_000352", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan-Ransom.Win32.Blocker!O 
Trojan.Blocker.Win32.9993 Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Dropper Trojan-Ransom.Win32.Blocker.azqp Trojan.Win32.Blocker.bxpndh W32.W.Luder.lUDu Trojan.Inject1.11547 Trojan[Ransom]/Win32.Blocker TrojanDownloader:Win32/Gippers.A Trojan-Ransom.Win32.Blocker.azqp Trojan/Win32.Blocker.R78431 Hoax.Blocker Trojan-ransom.Win32.Blocker.cgth Trojan.Blocker!jkFHGuClN9Y", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000353", "source": "cyner2_test"}} +{"text": "The app requesting the installation is passed off as a Manage Settings' app.", "spans": {"SYSTEM: app": [[4, 7]]}, "info": {"id": "cyner2_test_000354", "source": "cyner2_test"}} +{"text": "It emerged in 2010, transferred by removable drives within infected executables and HTML files.", "spans": {"SYSTEM: removable drives": [[35, 51]]}, "info": {"id": "cyner2_test_000355", "source": "cyner2_test"}} +{"text": "EventBot screen lock with support for Samsung devices A new method to handle screen lock with support for Samsung devices .", "spans": {"MALWARE: EventBot": [[0, 8]], "ORGANIZATION: Samsung": [[38, 45], [106, 113]]}, "info": {"id": "cyner2_test_000356", "source": "cyner2_test"}} +{"text": "The spam emails attempt to install the pervasive Andromeda malware onto victim machines.", "spans": {"MALWARE: Andromeda malware": [[49, 66]], "SYSTEM: victim machines.": [[72, 88]]}, "info": {"id": "cyner2_test_000357", "source": "cyner2_test"}} +{"text": "The attackers also leveraged a common Windows exploit to access a privileged command shell without authenticating.", "spans": {"THREAT_ACTOR: attackers": [[4, 13]], "MALWARE: Windows exploit": [[38, 53]], "VULNERABILITY: without authenticating.": [[91, 114]]}, "info": {"id": "cyner2_test_000358", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Android.Trojan.GingerMaster.gOJG Android.GingerMaster.N Android.Trojan.GingerMaster.gOJG Android.Trojan.GingerMaster.gOJG HEUR:Backdoor.AndroidOS.GinMaster.a A.H.Pri.Hippo.AG 
Trojan.Android.GinMaster.dkfsfi Android.Trojan.GingerMaster.gOJG Android.Trojan.GingerMaster.gOJG Android.DownLoader.92.origin Android.Trojan.GingerMaster.gOJG Android-Trojan/GinMaster.8982 Trojan.AndroidOS.GinMaster Android/G2M.LN.6C72B89F5841", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000359", "source": "cyner2_test"}} +{"text": "In this case , “ Agent Smith ” is being used to for financial gain through the use of malicious advertisements .", "spans": {"MALWARE: Agent Smith": [[17, 28]]}, "info": {"id": "cyner2_test_000360", "source": "cyner2_test"}} +{"text": "However , the actual text would often only display a basic welcome message .", "spans": {}, "info": {"id": "cyner2_test_000361", "source": "cyner2_test"}} +{"text": "Google officials removed the malicious apps from the Play market after receiving a private report of their existence .", "spans": {"ORGANIZATION: Google": [[0, 6]], "SYSTEM: Play market": [[53, 64]]}, "info": {"id": "cyner2_test_000362", "source": "cyner2_test"}} +{"text": "This kind of persistence has made it difficult for security vendors to detect the malware.", "spans": {"ORGANIZATION: security vendors": [[51, 67]], "MALWARE: malware.": [[82, 90]]}, "info": {"id": "cyner2_test_000363", "source": "cyner2_test"}} +{"text": "The second type of apps reveals an evolution in the author 's tactics .", "spans": {}, "info": {"id": "cyner2_test_000364", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Application.Hacktool.JQ Trojan/W32.HackTool.217088.G Trojan.Mauvaise.SL1 Win32.Trojan.WisdomEyes.16070401.9500.9995 W64/WinCred.A Win.Tool.Wincred-6333920-0 HackTool.Win64.WinCred.l Application.Hacktool.JQ Application.Hacktool.JQ Application.Hacktool.JQ Tool.WinCred.4 HackTool.Win64 W64/WinCred.A Application.Hacktool.JQ HackTool.Win64.WinCred.l HackTool:Win32/Wincred.H Application.Hacktool.JQ", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000365", "source": "cyner2_test"}} +{"text": 
"A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9927 PWS:Win32/Stimilina.D!bit Trojan.Graftor.D63AB9", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000366", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32.NotFunNY.Worm Trojan.Win32.TDSS!O Trojan.VBCrypt.MF.91 Trojan.TDSS.Win32.10599 Trojan/TDSS.brqg Trojan.Razy.DA584 TSPY_TEBTAIR_BH0100C2.TOMC Win32.Trojan.VB.hy Win32/Scar.AAI TSPY_TEBTAIR_BH0100C2.TOMC Win.Trojan.VB-1373 Trojan.Win32.TDSS.brqg Trojan.Win32.TDSS.dxocff Trojan.Win32.A.Tdss.58062 Troj.W32.TDSS.mcnb TrojWare.Win32.Tdss.ht BackDoor.Tdss.5794 BehavesLike.Win32.VBObfus.dt Trojan.Win32.Tdss Trojan/Tdss.vun Trojan:Win32/Tebtair.A Trojan/Win32.TDSS Trojan:Win32/Tebtair.A Trojan.Win32.TDSS.brqg Trojan/Win32.Scar.R9677 Trojan.VBRA.05364 Trojan.VB!cacUcnNEbXs", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000367", "source": "cyner2_test"}} +{"text": "The German Bundesamt für Verfassungsschutz BfV and the National Intelligence Service of the Republic of Korea NIS issue the following JointCyber Security Advisory to raise awareness of KIMSUKY's a.k.a. Thallium, Velvet Chollima, etc. 
cyber campaigns against Google's browser and app store services targeting experts on the Korean Peninsula and North Korea issues.", "spans": {"ORGANIZATION: The German Bundesamt für Verfassungsschutz BfV": [[0, 47]], "ORGANIZATION: the National Intelligence Service of the Republic of Korea NIS": [[52, 114]], "ORGANIZATION: JointCyber Security Advisory": [[135, 163]], "THREAT_ACTOR: KIMSUKY's": [[186, 195]], "THREAT_ACTOR: Thallium, Velvet Chollima,": [[203, 229]], "THREAT_ACTOR: cyber campaigns": [[235, 250]], "SYSTEM: Google's browser": [[259, 275]], "SYSTEM: app store services": [[280, 298]], "ORGANIZATION: experts": [[309, 316]]}, "info": {"id": "cyner2_test_000368", "source": "cyner2_test"}} +{"text": "We recently found 200 unique Android apps—with installs ranging between 500,000 and a million on Google Play—embedded with a backdoor: MilkyDoor detected by Trend Micro as ANDROIDOS_MILKYDOOR.A.", "spans": {"SYSTEM: Android apps—with": [[29, 46]], "SYSTEM: Google Play—embedded": [[97, 117]], "MALWARE: backdoor: MilkyDoor": [[125, 144]], "ORGANIZATION: Trend Micro": [[157, 168]]}, "info": {"id": "cyner2_test_000370", "source": "cyner2_test"}} +{"text": "These are not technically sophisticated attackers.", "spans": {"THREAT_ACTOR: attackers.": [[40, 50]]}, "info": {"id": "cyner2_test_000371", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan/Kovter.d Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/VB.GANE-7543 Ransom_CRYPSHED.SMV Trojan.Win32.Fsysna.dkgh Trojan.Win32.Encoder.edublg Trojan.Encoder.858 Ransom_CRYPSHED.SMV W32/VB.DZF Trojan.Fsysna.duh Trojan/Win32.Fsysna Trojan.Win32.Fsysna.dkgh Trojan/Win32.Inject.R183706 Trojan.Fsysna W32/Injector.DHGK!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000372", "source": "cyner2_test"}} +{"text": "The user simply needs to text a prescribed keyword to a prescribed number ( shortcode ) .", "spans": {}, "info": {"id": "cyner2_test_000373", "source": "cyner2_test"}} +{"text": 
"A backdoor also known as: W32.eHeur.Virus02 Virus.Win32.Sality!O Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Zebro BehavesLike.Win32.PWSZbot.cc Trojan/Menti.ckw Trojan.Zeus.EA.0999", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000374", "source": "cyner2_test"}} +{"text": "At peak times of activity , we have seen up to 23 different apps from this family submitted to Play in one day .", "spans": {"SYSTEM: Play": [[95, 99]]}, "info": {"id": "cyner2_test_000375", "source": "cyner2_test"}} +{"text": "Additionally, the scope of organizations targeted by this group has expanded to not only include organizations within Saudi Arabia, but also a company in Qatar and government organizations in Turkey, Israel and the United States.", "spans": {"ORGANIZATION: organizations": [[27, 40], [97, 110]], "THREAT_ACTOR: group": [[58, 63]], "ORGANIZATION: company": [[143, 150]], "ORGANIZATION: government organizations": [[164, 188]]}, "info": {"id": "cyner2_test_000376", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Injector.Win32.428391 Win32.Trojan.WisdomEyes.16070401.9500.9989 Trojan.Win32.Tepfer.ehzjly Trojan.PWS.Stealer.1932 Trojan.Foreign.btf Trojan[Ransom]/Win32.Foreign Trojan.Graftor.D4C46E", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000380", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Worm.Netres.b.n8 Trojan.Win32.Netres.enie W32.Netres WORM_NETRES.B Worm.Win32.Netres.b Worm.Netres!bl6FeOelVl8 PE:Worm.Netres.b!1073822833 Worm.Netres.B Win32.HLLW.NetRes WORM_NETRES.B W32/Risk.WEVS-2872 Worm/Netres.b Worm/Netres.B Worm/Win32.Netres Worm.Netres.b.kcloud Worm:Win32/Netres.B Win32/Netres.worm.380928 Worm.Netres Worm.Win32.Netres.AI Netres.B Worm.Win32.Netres Worm/Netres.B", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000381", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trj/Katien.E W32/Katien.AB Trojan.Tsunami.B 
Backdoor.Win32.Katien.d Backdoor.Katien.D Backdoor.Win32.Katien.d BDS/Katien.D.1 BKDR_KATIEN.D Backdoor:Win32/Katien.D Backdoor.Katien.d Backdoor.Win32.Katien.d BackDoor.Katien.L Win-Trojan/Katien.49207.B Backdoor.Win32.Katien.d Backdoor.IRCBot Backdoor.Katien.p Backdoor.Win32.Katien.d W32/Katien.D!tr Win32/Katien.D Trj/Katien.E Trojan.Backdoor.Katien.D.1", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000382", "source": "cyner2_test"}} +{"text": "Notably, some of this recent activity demonstrated actors implementing a technique that bypassed antivirus detection by saving a PowerPoint document in which malware executed once the document was opened in Slide Show presentation format.", "spans": {"SYSTEM: PowerPoint document": [[129, 148]], "MALWARE: malware": [[158, 165]]}, "info": {"id": "cyner2_test_000384", "source": "cyner2_test"}} +{"text": "While the BlackMoon malware code has been constantly updated by its perpetrators, the extent of the campaign s infection is previously unknown.", "spans": {"MALWARE: BlackMoon malware": [[10, 27]], "THREAT_ACTOR: perpetrators,": [[68, 81]], "THREAT_ACTOR: campaign": [[100, 108]]}, "info": {"id": "cyner2_test_000385", "source": "cyner2_test"}} +{"text": "By the time of this publication , two Jaguar Kill Switch infected app has reached 10 million downloads while others are still in their early stages .", "spans": {}, "info": {"id": "cyner2_test_000386", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Reconyc Troj.W32.Reconyc!c Win32.Trojan.WisdomEyes.16070401.9500.9944 Backdoor.Trojan Trojan.Win32.Reconyc.ipfq Trojan.DownLoader4.51992 W32/Trojan.KRNZ-3842 Trojan/Win32.Reconyc Trojan.Win32.Reconyc.ipfq TrojanDownloader:Win32/Riprox.A Trojan/Win32.Swisyn.C63610 Win32.Trojan.Reconyc.Ajky Win32/Trojan.bf7", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000387", "source": "cyner2_test"}} +{"text": "This particular botnet is downloaded by the Andromeda botnet.", 
"spans": {"MALWARE: botnet": [[16, 22]], "MALWARE: Andromeda botnet.": [[44, 61]]}, "info": {"id": "cyner2_test_000388", "source": "cyner2_test"}} +{"text": "It posed a considerable threat to users and businesses, as Encryptor RaaS attacks can vary based on the customizations applied by the affiliate.", "spans": {"ORGANIZATION: users": [[34, 39]], "ORGANIZATION: businesses,": [[44, 55]], "MALWARE: Encryptor RaaS": [[59, 73]]}, "info": {"id": "cyner2_test_000389", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Backdoor.Sinowal.Win32.3993 Backdoor/Sinowal.fma Trojan.Krypt.23 Win32.Trojan.WisdomEyes.16070401.9500.9999 BKDR_SINOWAL.SME Win.Trojan.Sinowal-16743 Backdoor.Win32.Sinowal.fma Trojan.Win32.Lampa.ftzdt Backdoor.W32.Sinowal.fma!c Backdoor.Win32.Sinowal.~CRSR Trojan.Packed.21724 BKDR_SINOWAL.SME BehavesLike.Win32.Conficker.nc Backdoor.Win32.Sinowal Backdoor/Sinowal.fmz Backdoor.Win32.Sinowal.fma Trojan/Win32.Sinowal.R2810 SScope.Trojan.Cryptor Win32.Backdoor.Sinowal.Lmau", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000390", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32.ZagawiiC.Trojan Backdoor/W32.HttpBot.80896 Backdoor.Httpbot.Win32.574 Backdoor/Httpbot.app Win32.Trojan.WisdomEyes.16070401.9500.9994 W32/Trojan.EJSL-5192 TROJ_RENEG.SMUM3 Trojan.Win32.Httpbot.ilomg TrojWare.Win32.TrojanDownloader.Small.DG Trojan.DownLoader2.10028 TROJ_RENEG.SMUM3 TR/Systemhijack.AA Trojan[Backdoor]/Win32.Httpbot Backdoor.W32.Httpbot.lmxk SScope.Trojan.Win32.Heur.V", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000391", "source": "cyner2_test"}} +{"text": "We have been able to tie the malware to a long-running Facebook profile that we observed promoting the first stage of this family , a malicious chat application called Dardesh via links to Google Play .", "spans": {"ORGANIZATION: Facebook": [[55, 63]], "MALWARE: Dardesh": [[168, 175]], "SYSTEM: Google Play": [[189, 200]]}, "info": {"id": 
"cyner2_test_000392", "source": "cyner2_test"}} +{"text": "While tracking the activities of this campaign, we identified a repository of additional malware, including a web server that was used to host the payloads used for both this attack as well as others.", "spans": {"THREAT_ACTOR: campaign,": [[38, 47]], "MALWARE: malware,": [[89, 97]], "SYSTEM: a web server": [[108, 120]], "SYSTEM: host": [[138, 142]]}, "info": {"id": "cyner2_test_000393", "source": "cyner2_test"}} +{"text": "A backdoor also known as: HW32.Packed.4B44 Trojan-Spy.Win32.Dibik!O Trojan.Delfinject.9710 Win32.Trojan.Delf.ae TSPY_DELF.SMK Win.Trojan.Dibik-3 Trojan-Ransom.Win32.PornoAsset.cwjq Trojan.Win32.Dibik.bnigz Backdoor.Win32.Dbs.a Trojan.DownLoader4.13174 TSPY_DELF.SMK BehavesLike.Win32.Downloader.dc Trojan/Invader.pg Trojan[Spy]/Win32.Dibik.fpd Trojan.Graftor.D1CAF Troj.W32.Invader.lpJQ Trojan-Ransom.Win32.PornoAsset.cwjq Trojan/Win32.Hupigon.R34191 TrojanSpy.Dibik!YurHSOFj1jo Trojan-Spy.Win32.Dibik W32/Injector.fam!tr Backdoor.Win32.BDS.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000394", "source": "cyner2_test"}} +{"text": "Immediately after activation , the malware creates a textView element in a new window with the following layout parameters : All these parameters ensure the element is hidden from the user .", "spans": {}, "info": {"id": "cyner2_test_000395", "source": "cyner2_test"}} +{"text": "Spoiler alert: they originated from Fancy Bear actors.", "spans": {"THREAT_ACTOR: Fancy Bear actors.": [[36, 54]]}, "info": {"id": "cyner2_test_000396", "source": "cyner2_test"}} +{"text": "Last year, a technical analysis of this component was made by Swiss GovCERT.ch as part of their report detailing the attack that a defense firm owned by the Swiss government, RUAG, suffered in the past.", "spans": {"ORGANIZATION: Swiss GovCERT.ch": [[62, 78]], "ORGANIZATION: defense firm": [[131, 143]], "ORGANIZATION: the Swiss government, RUAG,": [[153, 180]]}, "info": {"id": 
"cyner2_test_000397", "source": "cyner2_test"}} +{"text": "File Server ( http : //www.psservicedl [ .", "spans": {}, "info": {"id": "cyner2_test_000398", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32.FamVT.UrelasTTc.Worm Trojan.Gupboot.G.mue Trojan/Urelas.o Win32.Trojan.Urelas.a Backdoor.Win32.Plite.bhuz Trojan.Win32.Plite.eizuzf Backdoor.W32.Plite.tnq2 TrojWare.Win32.Small.NAF Trojan.AVKill.33021 Trojan.Urelas.Win32.542 BehavesLike.Win32.CryptDoma.dc Backdoor.Plite.ck Trojan[Backdoor]/Win32.Plite Trojan.Zusy.D3036B Backdoor.Win32.Plite.bhuz Trojan:Win32/Urelas.AA Backdoor/Win32.Plite.C195259 Trojan.Urelas!CWpjcly5U1k Backdoor.Plite Win32/Trojan.Plite.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000399", "source": "cyner2_test"}} +{"text": "leetMX infrastructure includes 27 hosts and domains used for malware delivery or for command and control.", "spans": {"MALWARE: leetMX": [[0, 6]], "SYSTEM: infrastructure": [[7, 21]], "MALWARE: malware delivery": [[61, 77]]}, "info": {"id": "cyner2_test_000400", "source": "cyner2_test"}} +{"text": "We first reported on CMSTAR in spear phishing attacks in spring of 2015 and later in 2016.", "spans": {"MALWARE: CMSTAR": [[21, 27]]}, "info": {"id": "cyner2_test_000401", "source": "cyner2_test"}} +{"text": "This Dragonfly 2.0 campaign, which appears to have begun in late 2015, shares tactics and tools used in earlier campaigns by the group.", "spans": {"THREAT_ACTOR: Dragonfly 2.0 campaign,": [[5, 28]], "THREAT_ACTOR: campaigns": [[112, 121]], "THREAT_ACTOR: the group.": [[125, 135]]}, "info": {"id": "cyner2_test_000402", "source": "cyner2_test"}} +{"text": "( You can find additional IoCs at the end of this article ) As you can see , the Web page uses a similar colour scheme as , and the icon design from , a legitimate VPN application ( VPN Proxy Master ) found on the Google Play store .", "spans": {"SYSTEM: Google Play store": [[214, 231]]}, "info": {"id": "cyner2_test_000404", 
"source": "cyner2_test"}} +{"text": "A backdoor also known as: HW32.Packed.DC11 Trojan/Kryptik.amwu Win32.Trojan.WisdomEyes.16070401.9500.9655 TrojWare.Win32.Kryptik.AMW Trojan.Click2.61967 BehavesLike.Win32.VirRansom.mc Trojan/Win32.Unknown TrojanDownloader:Win32/Tijcont.A Trojan.Heur.S.ED17C9E Trojan/Win32.Downloader.R41544 Trojan.Kryptik!nPMRNlMixv4 W32/Kryptik.AHWM!tr Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000405", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9980 Trojan.Win32.Pakes.miu Trojan.MulDrop.28501 Trojan.Win32.Pakes.miu Win32.Virus.Unknown.Heur", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000406", "source": "cyner2_test"}} +{"text": "In this article, we will share our findings of these recent updates.", "spans": {}, "info": {"id": "cyner2_test_000407", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Backdoor.Pasur.r3 Bds.Pasur.A!c Trojan/PSW.LdPinch.cwi W32/Backdoor2.HMZN Backdoor.Graybird Trojan.Win32.Z.Pasur.223969[h] W32/Backdoor.JFQE-8545 Win32.Backdoor.Pasur.Dvge", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000408", "source": "cyner2_test"}} +{"text": "JNI Bread has also tested our ability to analyze native code .", "spans": {"MALWARE: Bread": [[4, 9]]}, "info": {"id": "cyner2_test_000409", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32.HfsAutoB.BCC2 DoS.Win32.Ras!O Dos.Ras Win32/DDoS.Ras.11 Win.Trojan.DoS-3 DoS.Win32.Ras.11 Trojan.Win32.Ras.dlvd Trojan.Win32.Ras_11 TrojWare.Win32.DDoS.Ras.11 Nuke.Ras Tool.Ras.Win32.1 Trojan.Win32.DDos W32/Trojan.MYRM-3305 DoS.Win32.Ras.11 TR/Dos.RAS.11 HackTool[DoS]/Win32.Ras Dos.W32.Ras!c DoS.Win32.Ras.11 DoS:Win32/Ras.1_1 Win32.Trojan.Ras.Hzdo DoS.Ras!A9BBlzliems DoS.Ras", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000410", "source": "cyner2_test"}} +{"text": "A backdoor also known as: 
W32/Pws.BFTY Win.Spyware.57171-2 Trojan.Click.25911 W32/PWS.UUDR-5623 PWS:Win32/Seratin.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000411", "source": "cyner2_test"}} +{"text": "Hacker's Door is now sold privately by the original author yyt_hac with updates to support newer Operating Systems and architectures.", "spans": {"MALWARE: Hacker's Door": [[0, 13]], "THREAT_ACTOR: the original author yyt_hac": [[39, 66]], "SYSTEM: Operating Systems": [[97, 114]], "SYSTEM: architectures.": [[119, 133]]}, "info": {"id": "cyner2_test_000412", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan/W32.HackTool.7168.C Trojan/Hacktool.Auha.30 W32/Trojan.MSQS-8786 Hacktool.Scan TROJ_SCAN.A HackTool.Win32.Auha.30 Riskware.Win32.Auha.hrhi HackTool.Auha.7168 HackTool.W32.Auha.30!c TrojWare.Win32.HackTool.Auha.A Tool.Autohack Tool.Auha.Win32.7 TROJ_SCAN.A W32/TrojanX.JNP Hacktool.Auha.30 HackTool/Win32.Auha HackTool.Win32.Auha.30 HackTool:Win32/Auha.A Win32/HackTool.Auha.30.A Win32.Hacktool.Auha.Alsn HackTool.Win32.Auha Malware_fam.gw Win32/Trojan.Hacktool.d21", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000413", "source": "cyner2_test"}} +{"text": "PHA Family Highlights : Bread ( and Friends ) January 9 , 2020 In this edition of our PHA Family Highlights series we introduce Bread , a large-scale billing fraud family .", "spans": {"MALWARE: Bread": [[24, 29], [128, 133]]}, "info": {"id": "cyner2_test_000414", "source": "cyner2_test"}} +{"text": "Unit 42 published a blog at the beginning of May titled Prince of Persia, in which we described the discovery of a decade-long campaign using a formerly unknown malware family, Infy, that targeted government and industry interests worldwide.", "spans": {"ORGANIZATION: Unit 42": [[0, 7]], "THREAT_ACTOR: a decade-long campaign": [[113, 135]], "MALWARE: unknown malware family, Infy,": [[153, 182]], "ORGANIZATION: government": [[197, 207]], "ORGANIZATION: industry": [[212, 
220]]}, "info": {"id": "cyner2_test_000415", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Worm/W32.Gruel.102400.F Worm.Gruel Worm.Gruel/Variant W32/Fakerr.A@mm W32.Gruel@mm Win32/Fakerr.A WORM_GRUEL.A Win.Worm.Gruel-1 Email-Worm.Win32.Gruel.a Trojan.Win32.Gruel.hnbv W32.W.Gruel.a!c Win32.Worm-email.Gruel.Pfjn Worm.Win32.Gruel.C WORM_GRUEL.A W32/Fakerr.A@mm I-Worm/Gruel.a WORM/Gruel.01 Worm[Email]/Win32.Gruel Worm:Win32/Gruel.A@mm Trojan.Heur.E2E08E I-Worm.Win32.Gruel.102400.C Email-Worm.Win32.Gruel.a Win32.Worm.Gruel.A Worm/Win32.Gruel.R105674 Worm.Gruel Win32/Gruel.C I-Worm.Gruel!y+ASYamZKhI Virus.Win32.Gruel.B W32/Gruel.B", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000416", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32.HfsAutoB.2623 Application.Hacktool.Gsecdump.C Hacktool.Gsecdump Trojan/Yakes.bkcr Win32.Trojan.WisdomEyes.16070401.9500.9993 Hacktool.PTHToolkit Win.Trojan.7503818-1 not-a-virus:PSWTool.Win64.Gsecdmp.e Application.Hacktool.Gsecdump.C Trojan.Win32.Obfuscate.spuel Application.Hacktool.Gsecdump.C Trojan.Yakes.Win32.5554 BehavesLike.Win32.PUP.hh Win32.Malware Trojan/Yakes.ebk Application.Hacktool.Gsecdump.C Application.Hacktool.Gsecdump.C Win-Trojan/Hacktool.557568 Trojan.Yakes!R8V8ToLltnc", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000417", "source": "cyner2_test"}} +{"text": "A backdoor also known as: WS.Reputation.1 Trojan.Dropper-22862 Backdoor.Win32.Poison.bgfu Backdoor.Win32.Poison!IK Heur.Packed.Unknown BDS/Poison.bgfu TrojanDropper.Binder.rb Win-Trojan/Poison.28672.HZ Packer.Win32.UnkPacker.b Backdoor.Win32.Poison", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000418", "source": "cyner2_test"}} +{"text": "Instances of this spyware were found on the Google Play Store , disguised as service applications from mobile operators .", "spans": {"SYSTEM: Google Play Store": [[44, 61]]}, "info": {"id": "cyner2_test_000419", "source": 
"cyner2_test"}} +{"text": "Earlier versions were described by Palo Alto Networks.", "spans": {"ORGANIZATION: Palo Alto Networks.": [[35, 54]]}, "info": {"id": "cyner2_test_000420", "source": "cyner2_test"}} +{"text": "With the capabilities of showing out-of-scope ads , exposing the user to other applications , and opening a URL in a browser , ‘ SimBad ’ acts now as an Adware , but already has the infrastructure to evolve into a much larger threat .", "spans": {"MALWARE: SimBad": [[129, 135]]}, "info": {"id": "cyner2_test_000421", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Backdoor.Farfli.16459 Trojan/Jorik.Zegost.egv Trojan.Strictor.D1905 Win32.Trojan.WisdomEyes.16070401.9500.9999 Win32/Gosht.IV Trojan-Dropper.Win32.Dapato.ojsb Trojan.Win32.Jorik.uutks TrojWare.Win32.GameThief.Magania.~UB Trojan.DownLoader8.55569 BehavesLike.Win32.Dropper.jc Trojan.Win32.KillAV Trojan/Jorik.fcjq Trojan/Win32.Zegost Trojan-Dropper.Win32.Dapato.ojsb Trojan/Win32.Jorik.R92633 Trojan.Zegost", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000422", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Heur.E6E5F4 Win32.Trojan.WisdomEyes.16070401.9500.9780 W32.Stration.CX@mm Win.Worm.Stration-502 Email-Worm.Win32.Warezov.et Win32.HLLM.Limar.based Win32.Warezov TrojanDownloader:Win32/Stration.A Email-Worm.Win32.Warezov.et Win32/Stration.JP", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000423", "source": "cyner2_test"}} +{"text": "Command and control domains used by the Trojan-Banker.AndroidOS.Marcher Android Banker.", "spans": {"MALWARE: Android Banker.": [[72, 87]]}, "info": {"id": "cyner2_test_000424", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Spyware.Zbot Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan-Downloader.Win32.Upatre.gmrt Trojan.Win32.Upatre.exfuvy Win32.Trojan-downloader.Upatre.Llrm Trojan.MulDrop7.57372 TrojanDownloader.Upatre.aiek TR/Crypt.Xpack.piamo 
Trojan[Downloader]/Win32.Upatre Trojan.Razy.D3AA79 Trojan-Downloader.Win32.Upatre.gmrt Win-Trojan/Magniber.Exp TrojanDownloader.Upatre Trj/GdSda.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000425", "source": "cyner2_test"}} +{"text": "The first type of content , starting with “ method=install ” , will be sent when the app is started for the first time , including the following device private information : Victim identifier Network operator Device model Device OS version Phone number Device identifier App version Country The second type of information will be sent periodically to indicate that the device is alive .", "spans": {}, "info": {"id": "cyner2_test_000426", "source": "cyner2_test"}} +{"text": "DNS queries distribution over time The campaign does n't seem to be growing at a fast pace .", "spans": {}, "info": {"id": "cyner2_test_000427", "source": "cyner2_test"}} +{"text": "Since the early hours of October 8, employees of various corporations in Japan started to receive suspicious-looking emails which turned out to carry malicious attachments.", "spans": {"ORGANIZATION: employees": [[36, 45]], "ORGANIZATION: corporations": [[57, 69]]}, "info": {"id": "cyner2_test_000428", "source": "cyner2_test"}} +{"text": "The code for this characteristic and the corresponding Twitter accounts can be seen in figures 3 and 4 respectively .", "spans": {"ORGANIZATION: Twitter": [[55, 62]]}, "info": {"id": "cyner2_test_000429", "source": "cyner2_test"}} +{"text": "The ultimate reach of the malicious code being tied to how much traffic a site will receive, ad servers are the ideal candidate since they are used by hundreds or thousands of other websites relying on advertising.", "spans": {}, "info": {"id": "cyner2_test_000430", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan/W32.Buzus.425984 Heur.Win32.VBKrypt.1!O Trojan.Llac Trojan/Buzus.zrq TROJ_BUZUS.UU Win32.Trojan.WisdomEyes.16070401.9500.9949 W32/Trojan2.EOFH 
TROJ_BUZUS.UU Win.Trojan.Buzus-2943 Trojan.Win32.Llac.jzcf Trojan.Win32.Buzus.tooy Trojan.Win32.Buzus.425984.B Troj.W32.Llac!c TrojWare.Win32.Buzus.zrq Trojan.Buzus.Win32.269 Virus.Trojan.Win32.Buzus.zrq W32/Trojan.YQZR-7209 Packed.Krap.esub Trojan[Packed]/Win32.Krap Trojan.Win32.Llac.jzcf Trojan:Win32/Vcryptoz.A Trojan/Win32.Buzus.C317353 Trojan.VB.Pedro Win32.Trojan.Llac.Lkeg Trojan.Buzus.BYY Win32/Trojan.cc2", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000431", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Worm/W32.Bagle.59904 Win32.Trojan.WisdomEyes.16070401.9500.9972 W32/Trojan.VWJE-2922 Win32/Glieder.II TROJ_DROPPR.SMXA Email-Worm.Win32.Bagle.majf Trojan.Win32.Click.bkszb Win32.Worm-email.Bagle.Swkr TrojWare.Win32.TrojanDropper.Delf.~KF Trojan.PWS.LDPinch.11735 TROJ_DROPPR.SMXA BehavesLike.Win32.Dropper.qc W32/Trojan2.GZAQ Trojan/LdPinch.az Worm[Email]/Win32.Bagle TrojanDropper:Win32/Umrena.E Trojan.Win32.A.Swisyn.46052 Email-Worm.Win32.Bagle.majf Trojan/Win32.Xema.C994 Trojan.VkHost Trojan.DR.Umrena!flF93BG8zsg W32/IrcMiranda.B.worm Win32/Trojan.9dc", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000432", "source": "cyner2_test"}} +{"text": "This type of change doesn't occur often and was coupled with some other interesting tidbits including how the HTTP 302 cushioning has evolved and the payload of another ransomware has changed.", "spans": {"MALWARE: payload": [[150, 157]], "MALWARE: ransomware": [[169, 179]]}, "info": {"id": "cyner2_test_000434", "source": "cyner2_test"}} +{"text": "For a while, we have noticed that Magnitude EK has been using Internet Explorer vulnerabilities without necessarily resorting to Flash exploits.", "spans": {"MALWARE: Magnitude EK": [[34, 46]], "VULNERABILITY: Internet Explorer vulnerabilities": [[62, 95]], "VULNERABILITY: Flash exploits.": [[129, 144]]}, "info": {"id": "cyner2_test_000435", "source": "cyner2_test"}} +{"text": "The reality is that the RAT 
permissions can be implemented just with the permissions declared on the manifest , thus there is no need for higher permissions .", "spans": {}, "info": {"id": "cyner2_test_000436", "source": "cyner2_test"}} +{"text": "The timer triggers additional thread which makes a request to the server .", "spans": {}, "info": {"id": "cyner2_test_000437", "source": "cyner2_test"}} +{"text": "Mcafee recently found on Google Play a type of mobile ransomware that does not encrypt files.", "spans": {"ORGANIZATION: Mcafee": [[0, 6]], "ORGANIZATION: Google Play": [[25, 36]], "MALWARE: mobile ransomware": [[47, 64]]}, "info": {"id": "cyner2_test_000438", "source": "cyner2_test"}} +{"text": "There are two main methods used to deliver the malware to victims' computers: spam messages and exploit kits in particular, NuclearEK.", "spans": {"MALWARE: malware": [[47, 54]], "SYSTEM: victims' computers:": [[58, 77]], "MALWARE: exploit kits": [[96, 108]], "MALWARE: NuclearEK.": [[124, 134]]}, "info": {"id": "cyner2_test_000439", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32.UsernameHoxLnrA.Trojan Worm/W32.WBNA.159744 Heur.Win32.VBKrypt.2!O Trojan.Downloader.IC Trojan/AutoRun.VB.alc Trojan.VBKrypt.23 WORM_VOBFUS.SMAC Win32.Worm.Pronny.d W32.Changeup WORM_VOBFUS.SMAC Win.Trojan.Vobfus-70363 Worm.Win32.WBNA.ayx Trojan.Win32.VB.cojadt W32.W.WBNA.luev TrojWare.Win32.Diple.CY Trojan.VbCrypt.60 BehavesLike.Win32.VBObfus.cm Worm:Win32/Scparm.A Worm.Win32.WBNA.ayx Trojan/Win32.Diple.R13793 VBObfus.bb TScope.Trojan.VB Trojan.Win32.Koobface.p Trojan.Win32.Spy W32/VBKrypt.C!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000440", "source": "cyner2_test"}} +{"text": "Back then, it was uncommon for malware to use this particular feature of Windows.", "spans": {"MALWARE: malware": [[31, 38]], "SYSTEM: Windows.": [[73, 81]]}, "info": {"id": "cyner2_test_000441", "source": "cyner2_test"}} +{"text": "Allows applications to open network sockets .", "spans": {}, 
"info": {"id": "cyner2_test_000442", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Ransom.Onion.17166 Win32.Trojan.WisdomEyes.16070401.9500.9999 Ransom_Critroni.R00AC0DL217 Trojan-Ransom.Win32.Onion.dh Trojan.Win32.Z.Onion.200752 Troj.Ransom.W32!c Trojan.Encoder.858 Trojan.Vimditator.Win32.70 Ransom_Critroni.R00AC0DL217 BehavesLike.Win32.Backdoor.cc W32/Trojan.USOI-7993 Trojan/Win32.Vimditator Trojan.Kazy.D92ACD Trojan-Ransom.Win32.Onion.dh Ransom:Win32/Critroni.B Trojan/Win32.Ransom.C913974 Hoax.Onion Win32.Trojan.Onion.Pcsg Trojan.FileCryptor W32/Onion.DH!tr Win32/Trojan.49b", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000443", "source": "cyner2_test"}} +{"text": "Typically , however , cybercriminals first test-run a technology on the Russian sector of the Internet and then roll it out globally , attacking users in other countries .", "spans": {}, "info": {"id": "cyner2_test_000444", "source": "cyner2_test"}} +{"text": "The “ core ” module will use one of two methods to infect the application – Decompile and Binary .", "spans": {}, "info": {"id": "cyner2_test_000445", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32.eHeur.Virus02 Trojan.Kryptik.Win32.103188 Trojan/Kryptik.qhp TROJ_SPNR.16I612 Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Trojan.AVPL-8335 Win32/Tracur.KC Trojan.Tracur.D TROJ_SPNR.16I612 Win.Trojan.30823-3 BehavesLike.Win32.PWSZbot.hc Trojan-Downloader.Win32.Tracur W32/Trojan2.NVIO W32.Pdf.Exploit TR/Dldr.Tracur.Y.4 Trojan/Win32.Scar Win32.Troj.DeepScan.kcloud Trojan:Win32/Tracur.Y Trojan.Win32.A.Scar.550912 Trojan/Win32.Menti.R145926 Trojan.Tracur Win32/TrojanDownloader.Tracur.D Trojan.Kryptik!MU/I7iKSs4k", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000446", "source": "cyner2_test"}} +{"text": "Latest version ( 2018 ) Let ’ s now return to the present day and a detailed description of the functionality of a current representative of the Rotexy family ( 
SHA256 : ba4beb97f5d4ba33162f769f43ec8e7d1ae501acdade792a4a577cd6449e1a84 ) .", "spans": {"MALWARE: Rotexy": [[145, 151]]}, "info": {"id": "cyner2_test_000447", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Backdoor.UltimateRAT.Plugin Backdoor.UltimateRAT.Plugin BackDoor-PK.plugin Backdoor/UltimateRAT.plugin Backdoor.UltimateRAT.Plugin Backdoor.UltimateRAT!1s7gtpI1GIE Backdoor.Trojan UltimateRAT.BF Backdoor.Win32.UltimateRAT.plugin Trojan.Win32.UltimateRAT.bsemwg Backdoor.UltimateRAT.Plugin Backdoor.Win32.UltimateRAT.Plugin Backdoor.UltimateRAT.Plugin BackDoor.Rat.20 Backdoor.UltimateRAT.Win32.41 BackDoor-PK.plugin W32/Risk.IYJI-7514 Backdoor/UltimateRAT.plugjt BDS/UltimaRat.PI.11 Trojan[Backdoor]/Win32.UltimateRAT Win32.Hack.UltimateRAT.pl.kcloud Backdoor:Win32/UltimateRat.2_0.plugin Win-Trojan/Ultimaterat.11264 Backdoor.UltimateRAT.Plugin Backdoor.UltimateRAT.Plugin Backdoor.UltimateRAT.plugin Win32/UltimateRAT.Plugin Backdoor.Win32.UltimateRat.plugin W32/Bdoor.PK!tr.bdr BackDoor.UltimateRAT Backdoor.Win32.UltimateRAT.plugin", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000448", "source": "cyner2_test"}} +{"text": "The Gamarue aka Andromeda botnet is a highly modular botnet family that allows attackers to take complete control of an infected system and perform a range of malicious activity by downloading additional payloads.", "spans": {"MALWARE: Gamarue": [[4, 11]], "MALWARE: botnet": [[53, 59]], "SYSTEM: infected system": [[120, 135]]}, "info": {"id": "cyner2_test_000449", "source": "cyner2_test"}} +{"text": "This adaptation appears to track changes in security behaviors within the Tibetan community, which has been promoting a move from sharing attachments via e-mail to using cloud-based file sharing alternatives such as Google Drive.", "spans": {"ORGANIZATION: Tibetan community,": [[74, 92]], "SYSTEM: Google Drive.": [[216, 229]]}, "info": {"id": "cyner2_test_000450", "source": "cyner2_test"}} +{"text": "The Campaign 
achieved exponential growth from June to December 2018 with the infection number staying stable into early 2019 .", "spans": {}, "info": {"id": "cyner2_test_000451", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Zenshirsh.SL7 Trojan.Win32.Dwn.eemvmy Trojan.DownLoader17.29370 DDoS.Win32.Flusihoc DDoS:Win32/Flusihoc.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000452", "source": "cyner2_test"}} +{"text": "Major government sectors and corporations in both Taiwan and the Philippines have become the latest targets in an ongoing attack campaign in the Asia Pacific region.", "spans": {"ORGANIZATION: government sectors and corporations": [[6, 41]]}, "info": {"id": "cyner2_test_000453", "source": "cyner2_test"}} +{"text": "As the attacker attempts to remove all local traces, it is highly recommended to deploy and use a remote logging service e.g. remote syslog.", "spans": {"THREAT_ACTOR: attacker": [[7, 15]], "MALWARE: remote logging service e.g. 
remote syslog.": [[98, 140]]}, "info": {"id": "cyner2_test_000454", "source": "cyner2_test"}} +{"text": "It uses the same trick to prevent the smartphone from being returned to its factory settings .", "spans": {}, "info": {"id": "cyner2_test_000455", "source": "cyner2_test"}} +{"text": "The malicious apps can steal personally identifiable and financial data and install additional apps .", "spans": {}, "info": {"id": "cyner2_test_000456", "source": "cyner2_test"}} +{"text": "A lockdown activity , which is a transparent window shown at the top of the screen that contains a “ loading ” cursor .", "spans": {}, "info": {"id": "cyner2_test_000457", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Backdoor.Win32.Ruskill!O Trojan.Zusy.D8577 Win32.Trojan.WisdomEyes.16070401.9500.9969 Trojan.Stabuniq Trojan.Win32.Ruskill.edxmao Trojan.Win32.Z.Zusy.59392.TB Trojan.Buniq.2 Trojan/Invader.iin TR/Buniq.A.3 Trojan:Win32/Buniq.A Win32/Trojan.e18", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000458", "source": "cyner2_test"}} +{"text": "Triada : organized crime on Android 2 .", "spans": {"MALWARE: Triada": [[0, 6]], "SYSTEM: Android": [[28, 35]]}, "info": {"id": "cyner2_test_000459", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan/W32.Blocker.131072.M TrojanRansom.Blocker.aapj Trojan/SpyVoltar.a Trojan-Ransom.Win32.Blocker.aapj Trojan.SpyVoltar!4cYYgmm5xhU TrojWare.Win32.Injector.pqb BackDoor.Butirat.233 Win32.Troj.Undef.kcloud Trojan/Win32.Blocker Hoax.Blocker.aapj Win32/SpyVoltar.A Virus.Win32.Vundo W32/Injector.ZSC!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000460", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32.ConimeFV.Trojan Trojan.Downloader.Dapato.D Trojan-Dropper.Win32.Dapato!O Trojan.Vasport Dropper.Dapato.Win32.9027 Troj.Dropper.W32.Dapato.bcdy!c BKDR_SERVPAS.HVN W32/Trojan2.NRVO Backdoor.Vasport BKDR_SERVPAS.HVN Win.Trojan.Hydraq-113 
Trojan-Dropper.Win32.Dapato.bcdy Trojan.Downloader.Dapato.D Trojan.Win32.UPKM.duxsmi Trojan.Downloader.Dapato.D Trojan.Downloader.Dapato.D Trojan.DownLoader6.15302 Trojan-Dropper.Win32.Dapato W32/Trojan.RCHY-1259 TrojanDropper.Dapato.gta TR/Vasport.A W32/Dapato.BCDY!tr Trojan[Dropper]/Win32.Dapato Win32.Troj.Dapato.kcloud Trojan.Downloader.Dapato.D Trojan-Dropper.Win32.Dapato.bcdy Trojan:Win32/Vasport.A Win-Trojan/Vasport.57344 Trojan.Vasport.57344 TrojanDropper.Dapato Win32.Trojan-dropper.Dapato.Wurh Trojan.DR.Dapato!XiP/be+f/0U Trojan.Downloader.Dapato.D", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000462", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Worm.Win32.SillyShareCopy!IK Packed.Win32.Krap.w Heur.Packed.Unknown Trojan.Winlock.938 TROJ_QAKBOT.SMG BScope.Malware-Cryptor.073 Worm.Win32.SillyShareCopy", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000463", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Delf Trojan.Razy.D37D5D Trojan.Win32.Delf.eoam Trojan.Win32.Delf.ewsqwr Troj.W32.Delf!c BehavesLike.Win32.Dropper.wh Trojan-Downloader.Win32.Inferiore W32/Trojan.UHFF-6546 TR/Delf.nphvp Trojan/Win32.Delf Trojan.Win32.Delf.eoam Trojan.Dropper Trj/RnkBend.A Win32.Trojan.Delf.Pgmw Win32/Trojan.874", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000464", "source": "cyner2_test"}} +{"text": "This particular new routine points to the possibility of the cybercriminals' intention of riding on the popularity of the Olympics to lure users.", "spans": {}, "info": {"id": "cyner2_test_000465", "source": "cyner2_test"}} +{"text": "Here is an approximate diagram of the opcode data structure : Figure 5 .", "spans": {}, "info": {"id": "cyner2_test_000466", "source": "cyner2_test"}} +{"text": "Users are cautioned to research and check reviews before they download apps .", "spans": {}, "info": {"id": "cyner2_test_000467", "source": "cyner2_test"}} +{"text": "A 
backdoor also known as: Spyware.LokiBot W32/Injector.GGA Trojan.PWS.Stealer.21373 BehavesLike.Win32.Trojan.jh W32/Injector.UJPR-1263 DR/Delphi.updmg Trojan[Backdoor]/Win32.Androm Trojan.Crypt Win32/Trojan.805", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000468", "source": "cyner2_test"}} +{"text": "On January 10, 2017, a court order was declassified by the Italian police, in regards to a chain of cyberattacks directed at top Italian government members and institutions.", "spans": {"ORGANIZATION: Italian police,": [[59, 74]], "MALWARE: at": [[122, 124]], "ORGANIZATION: Italian government members": [[129, 155]], "ORGANIZATION: institutions.": [[160, 173]]}, "info": {"id": "cyner2_test_000469", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Ransom.Crypren.6971 Trojan.Gpcode.Win32.71 Win32.Trojan.WisdomEyes.16070401.9500.9971 Ransom.OMG Win32.Trojan-Ransom.GPCode.A Trojan-Ransom.Win32.Crypren.pjx Trojan.Win32.Crypren.cssknx Trojan.Win32.Z.Crypren.13829 Trojan.Encoder.385 Trojan/Crypren.bt Trojan-Ransom.Win32.Crypren.pjx Ransom:Win32/Fortrypt.A Hoax.Crypren Trj/CI.A Win32.Trojan.Crypren.Wska Trojan.Crypren!hLlCoLoECeg Win32/Trojan.Ransom.2a6", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000470", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Script Trojan/Dropper.VB.oqo Win32.Trojan.WisdomEyes.16070401.9500.9532 BehavesLike.Win32.Tupym.bc TR/AD.ContadorBot.bwojd Trojan:Win32/Beeldeb.C Trj/CI.A Win32/TrojanDropper.Autoit.IE Trojan-Dropper.Win32.Autoit W32/Autoit.IE!tr Win32/Trojan.2d9", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000471", "source": "cyner2_test"}} +{"text": "The AhnLab Security Emergency Response Center ASEC analysis team detected the distribution of CHM malware, which is believed to have been created by the RedEyes threat actor also known as APT37, ScarCruft, to domestic users.", "spans": {"ORGANIZATION: The AhnLab Security Emergency 
Response Center ASEC analysis team": [[0, 64]], "MALWARE: CHM malware,": [[94, 106]], "THREAT_ACTOR: the RedEyes threat actor": [[149, 173]], "THREAT_ACTOR: APT37, ScarCruft,": [[188, 205]], "ORGANIZATION: domestic users.": [[209, 224]]}, "info": {"id": "cyner2_test_000472", "source": "cyner2_test"}} +{"text": "These attacks appear to be extremely focused on organizations operating in the banking, securities, trading, and payroll sectors.", "spans": {"ORGANIZATION: organizations": [[48, 61]], "ORGANIZATION: banking, securities, trading,": [[79, 108]], "ORGANIZATION: payroll sectors.": [[113, 129]]}, "info": {"id": "cyner2_test_000473", "source": "cyner2_test"}} +{"text": "Despite its small size of 6 KB, this downloader didn t look very special at first.", "spans": {"MALWARE: downloader": [[37, 47]]}, "info": {"id": "cyner2_test_000474", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan-Downloader.Win32.Small!O TrojanDownloader.Small Win32.Trojan.WisdomEyes.16070401.9500.9988 Backdoor.Graybird TROJ_DLOADER.GWK Win.Downloader.Small-3303 Trojan-Downloader.Win32.Small.dwu Trojan.Win32.Hupigon.dxlfko Backdoor.Win32.vanbot.hg Trojan.DownLoader.14116 Downloader.Small.Win32.20647 TROJ_DLOADER.GWK Trojan-Downloader.Win32.Delf TrojanDownloader.Delf.amt Trojan[Downloader]/Win32.Small Win32.Troj.Downloader.sl.kcloud Trojan-Downloader.Win32.Small.dwu Trojan/Win32.Downloader.R86636 BScope.Trojan-Spy.Zbot Win32/Trojan.d54", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000475", "source": "cyner2_test"}} +{"text": "EventBot targets users of over 200 different financial applications , including banking , money transfer services , and crypto-currency wallets .", "spans": {"MALWARE: EventBot": [[0, 8]]}, "info": {"id": "cyner2_test_000476", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Worm.Goosky W32/Backdoor2.HTEW Nice.A Trojan.Win32.Xtrat.abdv Trojan.Win32.ZAccess.cvhheu Trojan.Win32.Z.Kazy.3450368 
TrojWare.Win32.Injector.ARVP Trojan.PWS.Multi.1182 Trojan.Scarsi.Win32.1081 BehavesLike.Win32.Dropper.wm W32/Backdoor.OGZU-7605 Backdoor/SdBot.mky TR/Injector.ngeoz Worm:Win32/Goosky.A Trojan.Kazy.D48641 Trojan.Win32.Xtrat.abdv Backdoor.ZAccess Trj/CI.A I-Worm.Neeris.B Win32/Injector.ARHG Trojan.Win32.Patcher Win32/Trojan.7b3", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000477", "source": "cyner2_test"}} +{"text": "On Tuesday September 26, 2017 MalwareBytes blogged about a phishing campaign targeting the Middle East, more specifically Saudi Arabia.", "spans": {"ORGANIZATION: MalwareBytes": [[30, 42]], "THREAT_ACTOR: a phishing campaign": [[57, 76]]}, "info": {"id": "cyner2_test_000478", "source": "cyner2_test"}} +{"text": "The second section will provide an analysis on campaign information that was gathered throughout the research.", "spans": {}, "info": {"id": "cyner2_test_000479", "source": "cyner2_test"}} +{"text": "The blog post said HummingBad \" uses a completely different infrastructure with little in common '' with Shedun .", "spans": {"MALWARE: HummingBad": [[19, 29]]}, "info": {"id": "cyner2_test_000480", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan/W32.Buzus.28672.DN TrojWare.Win32.TrojanDropper.Binder.v Backdoor/Bifrose.zjs Backdoor.Poison/Variant Win32.Risk.Dropper.Wlpb W32/Dx.TJZ!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000481", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Graftor.D103D8 Win32.Trojan.WisdomEyes.16070401.9500.9984 Win32/Danmec.C Troj.W32.Jorik.Fraud.luCt Trojan.DownLoader6.2355 Trojan.Jorik.Win32.73903 BehavesLike.Win32.LoadMoney.dh Trojan/Jorik.Aspxor.bu Trojan.Win32.Jorik Trojan/Jorik.cfft TR/Kazy.LU.1 Trojan/Win32.Unknown Win32.Troj.Jorik.bu.kcloud TrojanDropper:Win32/Danmec.A W32/Dofoil.QTZ!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000482", "source": "cyner2_test"}} +{"text": "Wind Tre 
SpA - an Italian telecom operator TMCell - the state owned mobile operator in Turkmenistan Deployment to users outside Apple ’ s app store was made possible through abuse of Apple ’ s enterprise provisioning system .", "spans": {"ORGANIZATION: Wind Tre SpA": [[0, 12]], "ORGANIZATION: TMCell": [[43, 49]], "ORGANIZATION: Apple": [[128, 133], [183, 188]]}, "info": {"id": "cyner2_test_000483", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9952 BackDoor.Bladabindi.1056 BehavesLike.Win32.Backdoor.fc", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000484", "source": "cyner2_test"}} +{"text": "Initial phase During this phase , the Trojan tries to gain root rights on the device and to install some modules .", "spans": {}, "info": {"id": "cyner2_test_000485", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Application.Hacktool.Bruteforce.L Hacktool.Ngbrumail Win.Trojan.Hacktool-1108 Application.Hacktool.Bruteforce.L Application.Hacktool.Bruteforce.L Application.Hacktool.Bruteforce.L Application.Hacktool.Bruteforce Trojan.Bladabindi.Win32.91392 BehavesLike.Win32.BackdoorNJRat.pm HackTool:Win32/Ngbrumail.A Application.Hacktool.Bruteforce.L Trojan/Win32.MSIL.C2164956 MSIL/HackTool.BruteForce.AI MSIL/BruteForce.AI!tr Trj/CI.A Win32/Application.Hacktool.d5d", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000486", "source": "cyner2_test"}} +{"text": "It also has the ability to load custom features tailored to individual targets.", "spans": {}, "info": {"id": "cyner2_test_000487", "source": "cyner2_test"}} +{"text": "Operation Lotus Blossom describes a persistent cyber espionage campaign against government and military organizations in Southeast Asia.", "spans": {"THREAT_ACTOR: Operation Lotus Blossom": [[0, 23]], "THREAT_ACTOR: cyber espionage campaign": [[47, 71]], "ORGANIZATION: government": [[80, 90]], "ORGANIZATION: military organizations": [[95, 117]]}, 
"info": {"id": "cyner2_test_000488", "source": "cyner2_test"}} +{"text": "Code structure Obviously , this code is not obfuscated when compared with the previous version it becomes clear that this is the same code base .", "spans": {}, "info": {"id": "cyner2_test_000490", "source": "cyner2_test"}} +{"text": "Several technical details indicated that the software was likely the product of a well-funded development effort and aimed at the lawful intercept market .", "spans": {}, "info": {"id": "cyner2_test_000491", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Backdoor.Win32.GTbot!O Trojan/Aebot.c TROJ_SPNR.35DG13 Win32.Backdoor.Aebot.e W32/Trojan.HMPR-5159 TROJ_SPNR.35DG13 Win.Trojan.Sdbot-2485 Backdoor.Win32.GTbot.c Trojan.Win32.GTbot.brmmqq Backdoor.W32.Gtbot!c Backdoor.Win32.Aebot.C Win32.IRC.Bot.based BehavesLike.Win32.Backdoor.cz Backdoor.Win32.Aebot.C Backdoor/Aebot.ah Trojan[Backdoor]/Win32.GTbot Backdoor.Win32.GTbot.c BScope.P2P-Worm.Palevo Win32/Aebot.C Win32.Backdoor.Gtbot.Hufw Backdoor.Aebot!g5wkJjEeLc0 W32/Aebot.C!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000492", "source": "cyner2_test"}} +{"text": "This group created a malware that takes over Android devices and generates $300,000 per month in fraudulent ad revenue.", "spans": {"THREAT_ACTOR: group": [[5, 10]], "MALWARE: malware": [[21, 28]], "SYSTEM: Android devices": [[45, 60]]}, "info": {"id": "cyner2_test_000493", "source": "cyner2_test"}} +{"text": "In a blog post, TrendMicro also detailed recently compiled versions of the NewPOSthings family that bear a closer resemblance to NewPOSthings than Punkey.", "spans": {"ORGANIZATION: TrendMicro": [[16, 26]]}, "info": {"id": "cyner2_test_000494", "source": "cyner2_test"}} +{"text": "We found that among the leaked files is the code for Hacking Team ’ s open-source malware suite RCSAndroid ( Remote Control System Android ) , which was sold by the company as a tool for monitoring targets .", "spans": 
{"MALWARE: RCSAndroid": [[96, 106]], "MALWARE: Remote Control System Android": [[109, 138]]}, "info": {"id": "cyner2_test_000496", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Win32.28160.hawwx Trojan.DownLoader5.1182 TR/Spy.28160.103 Win32/Virut.bn TrojanDropper:Win32/Chacker.A Downloader/Win32.Small BScope.Trojan-Spy.Zbot Trojan-Downloader.Win32.Small", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000497", "source": "cyner2_test"}} +{"text": "Exodus : New Android Spyware Made in Italy Mar 29 Summary We identified a new Android spyware platform we named Exodus , which is composed of two stages we call Exodus One and Exodus Two .", "spans": {"MALWARE: Exodus": [[0, 6], [112, 118]], "SYSTEM: Android": [[13, 20], [78, 85]], "MALWARE: Exodus One": [[161, 171]], "MALWARE: Exodus Two": [[176, 186]]}, "info": {"id": "cyner2_test_000498", "source": "cyner2_test"}} +{"text": "A backdoor also known as: TrojWare.Win32.Trojan.Delf.~NM Win32.HLLW.Cdbur.4 Worm:Win32/Ofderug.A TR/Kryptik.gta.8 Trojan:Win32/Stocop.A Trj/CI.A I-Worm.Delf.NFO Win32/Delf.NFO Trojan.Win32.FakeFolder.ble", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000499", "source": "cyner2_test"}} +{"text": "A later blog will explore the associated attack campaigns and attributions surrounding Bookworm.", "spans": {"THREAT_ACTOR: attack campaigns": [[41, 57]], "MALWARE: Bookworm.": [[87, 96]]}, "info": {"id": "cyner2_test_000500", "source": "cyner2_test"}} +{"text": "We captured a PowerPoint file named Payment_Advice.ppsx, which is in OOXML format.", "spans": {}, "info": {"id": "cyner2_test_000501", "source": "cyner2_test"}} +{"text": "The website has been infected with a malicious javascript file that redirects users to a website with a fake browser update message.", "spans": {"MALWARE: malicious javascript file": [[37, 62]]}, "info": {"id": "cyner2_test_000502", "source": "cyner2_test"}} +{"text": "The earliest identified sample , 
however , can be traced back to Jan. 18 , 2016 .", "spans": {}, "info": {"id": "cyner2_test_000503", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9982 BehavesLike.Win32.BadFile.gc W32/Kryptik.EXQF!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000504", "source": "cyner2_test"}} +{"text": "] com hxxp : //mailsa-wqp [ .", "spans": {}, "info": {"id": "cyner2_test_000505", "source": "cyner2_test"}} +{"text": "The rootdaemon binary in fact offers several other possibilities to execute commands on the infected device just by connecting to TCP port 6200 and issuing one of the following commands .", "spans": {}, "info": {"id": "cyner2_test_000507", "source": "cyner2_test"}} +{"text": "A backdoor targetting Linux also known as: Unix.Trojan.Mumblehard-3 Trojan.Unix.Mumblehard.evzwgt Elf.Dropperl.M!c Linux.Mumblehard.1 LINUX/Mumblehard.usimn Trojan.Linux.Mumblehard Win32/Trojan.Dropper.bcd", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000508", "source": "cyner2_test"}} +{"text": "All known samples from these periods used infected Excel files attached to phishing emails to infect victims.", "spans": {"ORGANIZATION: infect victims.": [[94, 109]]}, "info": {"id": "cyner2_test_000509", "source": "cyner2_test"}} +{"text": "In the process, they created at least four distinct spyware bundles, all communicating with the same server set to receive Nisman's data.", "spans": {"MALWARE: four distinct spyware": [[38, 59]], "SYSTEM: server": [[101, 107]]}, "info": {"id": "cyner2_test_000510", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32.OnGameWLLPAIZXAP.Trojan Trojan/Downloader.Soddsat.a Trojan.Zusy.DC5F W32/Trojan.KLDD-5403 Win.Downloader.132677-1 Trojan.Win32.Dwn.vuaks Trojan.DownLoader4.54475 TR/Offend.7223657.9 TrojanDownloader:Win32/Soddsat.A Trojan.Win32.A.Swisyn.57344.F Downloader/Win32.Small.C84345 Win32.TenThief.DNFTrojan_def.clcy 
Trojan.DL.Soddsat!U5Ia4/b890c Trojan-Downloader.Win32.Small", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000511", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Worm.Win32.AutoRun!O Virus.Sality.Win32.15 W32/AutoRun.bgfs Win32.Trojan.WisdomEyes.16070401.9500.9997 W32/Autorun.ZT W32.SillyFDC Win32/SillyAutorun.CYU Win.Worm.Autorun-3999 Worm.Win32.AutoRun.hdg Trojan.Win32.AutoRun.vugpc W32.Virut.lQTU Win32.Worm.Autorun.Suxt Win32.HLLW.Autoruner.19538 W32/Autorun.worm.aaap W32/Autorun.ICAE-4530 Worm/AutoRun.amlr WORM/Vigilant.65024 Worm/Win32.AutoRun Worm:Win32/Levitiang.A Worm.Win32.A.AutoRun.330752.A Worm.Win32.AutoRun.hdg Worm/Win32.AutoRun.R3855 Trojan.VBRA.014781 Win32/AutoRun.VB.VH Backdoor.Win32.IRCBot W32/Autorun.JDU", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000512", "source": "cyner2_test"}} +{"text": "IOCs SHA256 0ca09d4fde9e00c0987de44ae2ad51a01b3c4c2c11606fe8308a083805760ee7 4378f3680ff070a1316663880f47eba54510beaeb2d897e7bbb8d6b45de63f96 76c9d8226ce558c87c81236a9b95112b83c7b546863e29b88fec4dba5c720c0b 7cc2d8d43093c3767c7c73dc2b4daeb96f70a7c455299e0c7824b4210edd6386 9b2fd7189395b2f34781b499f5cae10ec86aa7ab373fbdc2a14ec4597d4799ba ac216d502233ca0fe51ac2bb64cfaf553d906dc19b7da4c023fec39b000bc0d7 b1ccb5618925c8f0dda8d13efe4a1e1a93d1ceed9e26ec4a388229a28d1f8d5b ba4beb97f5d4ba33162f769f43ec8e7d1ae501acdade792a4a577cd6449e1a84 ba9f4d3f4eba3fa7dce726150fe402e37359a7f36c07f3932a92bd711436f88c e194268bf682d81fc7dc1e437c53c952ffae55a9d15a1fc020f0219527b7c2ec С & C 2014–2015 : secondby.ru darkclub.net holerole.org googleapis.link 2015–2016 : test2016.ru blackstar.pro synchronize.pw lineout.pw sync-weather.pw 2016 freedns.website streamout.space 2017–2018 : streamout.space sky-sync.pw gms-service.info EventBot : A New Mobile Banking Trojan is Born April 30 , 2020 KEY FINDINGS The Cybereason Nocturnus team is investigating EventBot , a new type of Android mobile malware that emerged around March 
2020 .", "spans": {"MALWARE: EventBot": [[908, 916], [1031, 1039]], "ORGANIZATION: Cybereason Nocturnus": [[988, 1008]], "SYSTEM: Android": [[1056, 1063]]}, "info": {"id": "cyner2_test_000513", "source": "cyner2_test"}} +{"text": "We noticed Java and PDF exploits collected by our honeypot which we haven't seen in ages.", "spans": {"SYSTEM: Java": [[11, 15]], "MALWARE: PDF exploits": [[20, 32]], "SYSTEM: honeypot": [[50, 58]]}, "info": {"id": "cyner2_test_000514", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32.OnGamesLT170812GHJHGT.Trojan Backdoor.Darkddoser.S6855 Win32.Trojan.Delf.iq Backdoor.Trojan BKDR_DARKDDOSER.SM Trojan.PWS.Firefox.560 BKDR_DARKDDOSER.SM TR/Spy.ZBot.1310725 Trojan.Zusy.D3CEB Backdoor:Win32/Darkddoser.C Trojan.PasswordStealer Win32/Delf.OGC Win32.Trojan.Spy.Hnku Trojan.Win32.Ridok Win32/Trojan.Spy.ed7", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000515", "source": "cyner2_test"}} +{"text": "Machine learning module indicates continuous evolution As mentioned , this ransomware is the latest variant of a malware family that has undergone several stages of evolution .", "spans": {}, "info": {"id": "cyner2_test_000516", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9956 BehavesLike.Win32.Trojan.bc Trojan.MSIL.Crypt W32/Trojan.KCHZ-1086 TR/Dropper.MSIL.qosig TrojanSpy:MSIL/Nitwil.A MSIL/Kryptik.CTJ!tr Trj/CI.A Win32/Trojan.087", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000517", "source": "cyner2_test"}} +{"text": "The Andromeda botnet is a well-known botnet that surfaced around 2011 and has", "spans": {"MALWARE: Andromeda botnet": [[4, 20]], "MALWARE: botnet": [[37, 43]]}, "info": {"id": "cyner2_test_000518", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Worm/W32.Holar.65928 W32.Holar.J Win32.Trojan.WisdomEyes.16070401.9500.9848 W32/Hawawi.G@mm W32.Galil.C@mm Win32/Holar.G WORM_HAWAWI.F Win.Worm.Galil-1 
Email-Worm.Win32.Hawawi.g Trojan.Win32.Hawawi.emrl W32.W.Hawawi.g!c Win32.Worm-email.Hawawi.Lhwz Worm.Win32.Holar.I Trojan.MulDrop.510 Worm.Holar.Win32.10 WORM_HAWAWI.F BehavesLike.Win32.PUPXAX.kc Email-Worm.Win32.Hawawi W32/Hawawi.CPIS-5852 I-Worm/Hawawi.g WORM/Hawawi.G.Exp HackTool[NetTool]/Win32.SmtpModule Trojan.Strictor.D64A7 I-Worm.Win32.Holar.9126 Email-Worm.Win32.Hawawi.g Worm:Win32/Holar.L@mm Worm/Win32.Holar.R140993 SScope.Trojan.VBRA.6861 Win32/Holar.I I-Worm.Holar!/Jhd5gkzw68 W32/Holar.I!worm", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000519", "source": "cyner2_test"}} +{"text": "The LetsEncrypt certificate is shared between a number of malicious domains.", "spans": {}, "info": {"id": "cyner2_test_000520", "source": "cyner2_test"}} +{"text": "Ongoing activity While monitoring this particular threat , we found another XLoader variant posing as a pornography app aimed at South Korean users .", "spans": {"MALWARE: XLoader": [[76, 83]]}, "info": {"id": "cyner2_test_000521", "source": "cyner2_test"}} +{"text": "CHTHONIC was discovered in 2014 by Kaspersky security researchers and is considered to be an evolution of ZeusVM malware.", "spans": {"MALWARE: CHTHONIC": [[0, 8]], "ORGANIZATION: Kaspersky security researchers": [[35, 65]], "MALWARE: ZeusVM malware.": [[106, 121]]}, "info": {"id": "cyner2_test_000522", "source": "cyner2_test"}} +{"text": "In 2019, ITG03 campaigns continued to aim against the cryptocurrency industry, targeting both Windows and MacOS users with malicious Word documents.", "spans": {"THREAT_ACTOR: ITG03 campaigns": [[9, 24]], "ORGANIZATION: the cryptocurrency industry,": [[50, 78]], "SYSTEM: Windows": [[94, 101]], "SYSTEM: MacOS": [[106, 111]], "ORGANIZATION: users": [[112, 117]]}, "info": {"id": "cyner2_test_000523", "source": "cyner2_test"}} +{"text": "The Android version of the malware has the ability to use the GPS embedded in the phone to track the user and use the camera and microphone to spy on the 
user.", "spans": {"SYSTEM: Android version": [[4, 19]], "MALWARE: malware": [[27, 34]]}, "info": {"id": "cyner2_test_000524", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Downloader.Troll.A Trojan.Downloader.Troll.A Trojan.Downloader.Troll.A TrojanDownloader.Troll!49SU++no+Bs W32/Risk.ASAS-4248 Downloader.Trojan Win32/Troll.10!Kit TROJ_TROLL.H Trojan-Downloader.Win32.Troll.a Trojan.Win32.Troll.ehlh Backdoor.W32.Rbot Trojan.Downloader.Troll.A Worm.Win32.Prux.A Trojan.Downloader.Troll.A Trojan.Troll Downloader.Troll.Win32.4 TROJ_TROLL.H TrojanDownloader.Troll.10.cfg TR/Troll.A Win32.Troj.Troll.kcloud TrojanDownloader:Win32/Troll.A Trojan.Downloader.Troll.A Trojan.Downloader.Troll.A TrojanDownloader.Troll Win32/TrojanDownloader.Troll.A Win32.Trojan-downloader.Troll.Lqyr Trojan-Downloader.Win32.Troll.A Downloader.Troll.C Trojan.Win32.Troll.atR Win32/Trojan.Downloader.b34", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000525", "source": "cyner2_test"}} +{"text": "Apple has confirmed that the iOS apps are not functioning based on analysis of the codes , and stated that the sandbox is able to detect and block these malicious behaviors .", "spans": {"ORGANIZATION: Apple": [[0, 5]], "SYSTEM: iOS": [[29, 32]]}, "info": {"id": "cyner2_test_000526", "source": "cyner2_test"}} +{"text": "The Trojan intercepts incoming SMSs and can receive the following commands from them : “ 3458 ” — revoke device administrator privileges from the app ; ��� hi ” , “ ask ” — enable and disable mobile internet ; “ privet ” , “ ru ” — enable and disable Wi-Fi ; “ check ” — send text “ install : [ device IMEI ] ” to phone number from which SMS was sent ; “ stop_blocker ” — stop displaying all blocking HTML pages ; “ 393838 ” — change C & C address to that specified in the SMS .", "spans": {}, "info": {"id": "cyner2_test_000527", "source": "cyner2_test"}} +{"text": "We are analyzing injects, as they are capable of using ATS.", "spans": {"SYSTEM: 
ATS.": [[55, 59]]}, "info": {"id": "cyner2_test_000528", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Injector.016639 HT_DINOLAP_FD260018.UVPM Dropper.Injector.Win32.76638 BehavesLike.Win32.Backdoor.lm TrojanDropper.Injector.bgnv W32/Injector.ONBC!tr Trojan[Dropper]/Win32.Injector Trojan.Graftor.D23FE9 Trojan:Win32/Dinolap.A Trojan.Win32.Injector.i Trojan.DR.Injector!s7l+mcQvCiI", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000530", "source": "cyner2_test"}} +{"text": "Chinese security firm QiAnXin has captured attack samples from the Donot group, a group believed to be carrying out cyber-espionage operations against government agencies and businesses in South Asian countries.", "spans": {"ORGANIZATION: Chinese security firm QiAnXin": [[0, 29]], "THREAT_ACTOR: the Donot group,": [[63, 79]], "THREAT_ACTOR: group": [[82, 87]], "THREAT_ACTOR: cyber-espionage operations": [[116, 142]], "ORGANIZATION: government agencies": [[151, 170]], "ORGANIZATION: businesses": [[175, 185]]}, "info": {"id": "cyner2_test_000531", "source": "cyner2_test"}} +{"text": "Example download via Powershell: pOwERShell.exe -nOl -NoNiNt -WInDOws 1 -NoprOFIle -eXEcu BYpaSs new-object system.net.webclient.", "spans": {"MALWARE: download": [[8, 16]]}, "info": {"id": "cyner2_test_000532", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Zapchast.Win32.21320 Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Win32.Bladabindi.cwxrgb TrojWare.MSIL.TrojanDownloader.Tiny.AH Trojan.DownLoader11.49091 W32/Trojan.XWPH-7415 BDS/Bladabindi.apqew Win32.Troj.FrauDrop.kcloud TrojanDownloader:MSIL/Bladabindi.A Trojan.Zusy.D13349 Trj/CI.A Win32/Trojan.Downloader.89b", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000534", "source": "cyner2_test"}} +{"text": "The domain on this campaign was registered on Jan. 
19 , 2019 .", "spans": {}, "info": {"id": "cyner2_test_000535", "source": "cyner2_test"}} +{"text": "A backdoor also known as: TROJ_DLOADE.EHS Trojan-Dropper.Win32.Parsi.ly Trojan.Win32.Downloader.29215[h] Trojan.MulDrop.11401 Backdoor.CPEX.Win32.4494 TROJ_DLOADE.EHS BehavesLike.Win32.Downloader.pm Trojan[Dropper]/Win32.Parsi TrojanDownloader:Win32/Tsunovest.A TrojanDropper.Parsi Trojan-Dropper.Delf", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000536", "source": "cyner2_test"}} +{"text": "A backdoor also known as: TrojanDownloader.Small.H4 Trojan.Meredrop Trojan.MSIL.Krypt.4 TROJ_DROPR.SMH Win32.Trojan.Small.j Win32/Dropper.IP TROJ_DROPR.SMH Trojan.Win32.Meredrop.60928 BackDoor.Cybergate.1703 Trojan.Win32.Small TrojanDropper.MSIL.eye TrojanDownloader:MSIL/Small.H Win32/Small.NJA TrojanSpy.Spyeye!gkhDSEQCv00", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000537", "source": "cyner2_test"}} +{"text": "The service is implemented in the class com.serenegiant.service.ScreenRecorderService which is declared in the package manifest .", "spans": {}, "info": {"id": "cyner2_test_000538", "source": "cyner2_test"}} +{"text": "A backdoor also known as: HW32.Packed.D788 Win32.Trojan.WisdomEyes.16070401.9500.9931 W32/Trojan.ZMAA-7241 WORM_MOLDYOW.SMB BackDoor.Woodin.48 WORM_MOLDYOW.SMB BehavesLike.Win32.BadFile.cc W32/Trojan2.GQNY Worm:Win32/Moldyow.A Troj.Downloader.W32.Bagle.kYXw Trojan/Win32.Inject.R8017 Worm.Win32.Moldyow", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000539", "source": "cyner2_test"}} +{"text": "These attacks are being conducted through numerous strategically compromised websites and have occurred over several high-profile ASEAN summits.", "spans": {"ORGANIZATION: high-profile ASEAN summits.": [[117, 144]]}, "info": {"id": "cyner2_test_000540", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Backdoor.Win32.Fluxay!O Trojan.Skeeyah.8843 Multi.Threats.InArchive 
Win.Trojan.Fluxay-5 Trojan.Win32.Fluxay.llihw Trojan.KillFiles.24121 W32/Trojan.DXRJ-2026 Trojan[Backdoor]/Win32.Fluxay Trojan.Win32.HT-Fluxay.9018965 Backdoor.Fluxay PUA.Pskill Win32/Fluxay.A Backdoor.Fluxay!QPeWJM2XnDo Trojan.Win32.Skeeyah", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000541", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan-PWS/W32.Bjlog.196608.BG Backdoor.Zegost.B Trojan.Bjlog.Win32.2452 Trojan/PSW.Bjlog.ien BKDR_ZEGOST.SMF Win32.Backdoor.Zegost.d BKDR_ZEGOST.SMF Win.Trojan.DNSchanger-7 Trojan.Win32.Bjlog.cqnvac Trojan.MulDrop1.27754 BehavesLike.Win32.Virut.ch Trojan/PSW.Bjlog.alv Trojan[PSW]/Win32.Bjlog TrojanDropper:Win32/Zegost.C Trojan.Kazy.D2C6B8 Trojan/Win32.Bjlog.C7535 Trojan.SB.0546 Trojan.PWS.Bjlog!siJtl6w2R70 Backdoor.Win32.Zegost Bck/Gh0stRat.F", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000542", "source": "cyner2_test"}} +{"text": "After reversing these opcodes , we were able to update our interpreter script to support both 32-bit and 64-bit virtual machines used by FinFisher .", "spans": {"MALWARE: FinFisher": [[137, 146]]}, "info": {"id": "cyner2_test_000543", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32.FlooderCA.Trojan Trojan.Spy.VB.NDR Trojan.Spy.VB.NDR Trojan.Spy.VB.NDR Backdoor/Brabot.a Trojan.Win32.Brabot.gycn W32/Brainbot.D@bd Backdoor.IRC.Bot Win32/Brabot.A HKTL_PASSDUMP.A Worm.VB-13 P2P-Worm.Win32.VB.cm Trojan.Spy.VB.NDR Backdoor.Brabot.A Backdoor.Win32.Brabot.471994[h] W32.W.VB.cm!c Trojan.Spy.VB.NDR Backdoor.Win32.Brabot.A Trojan.Spy.VB.NDR Backdoor.Brabot.Win32.4 HKTL_PASSDUMP.A BehavesLike.Win32.PWSZbot.gm W32/Brainbot.VHHE-1644 Worm/VB.hew BDS/Brabot.B W32/Bbuild.B!worm Trojan[Backdoor]/Win32.Bifrose Trojan.Spy.VB.NDR Worm/Win32.IRCBot Backdoor:Win32/Brabot.A Win32/Brabot.A Trojan.VBRA.02834 Bck/Brabot.A Win32.Worm-p2p.Vb.Ajlv Backdoor.Win32.Brabot Trojan.Spy.VB.NDR Worm/VB.2.C Worm.Win32.VB.cm", "spans": {"MALWARE: 
backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000544", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Backdoor.Xtreme Backdoor.Xtreme.Win32.17656 Win32.Trojan.WisdomEyes.16070401.9500.9999 Backdoor.Win32.Xtreme.ayqh Trojan.Win32.Llac.egfndm Trojan.Win32.Z.Razy.90112.CZR Backdoor.W32.Xtreme!c Trojan.Win32.Injector Backdoor.Xtreme.arc TR/AD.XtremeRAT.cznhs Trojan[Backdoor]/Win32.Xtreme Trojan.Razy.D164F4 Backdoor.Win32.Xtreme.ayqh Trojan/Win32.Llac.R188289 TScope.Trojan.VB Trj/GdSda.A Win32.Backdoor.Xtreme.Lhng Win32/Trojan.4e7", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000545", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32.FamVT.OnlinegameEETTc.Worm Trojan/W32.KRBanker.29824 TrojanPWS.OnLineGames.A55 Trojan.KillAV.sysdll Trojan/OnLineGames.quk TROJ_ONLINEGAMES_EC250023.UVPA Win32.Trojan-PSW.OLGames.bx Win32/Tnega.AQQWXMB TROJ_ONLINEGAMES_EC250023.UVPA Win.Trojan.Onlinegames-18826 Trojan-GameThief.Win32.OnLineGames2.cizz Trojan.Win32.OnLineGames.djxnuk Trojan.PWS.GamaniaENT.1 Trojan.OnLineGames.Win32.190234 Trojan.Win32.PSW Trojan/PSW.OnLineGames.cuwc TR/Symmi.29952 TrojanDropper:WinNT/Enterok.A Troj.GameThief.W32.OnLineGames.mf8q Trojan-GameThief.Win32.OnLineGames2.cizz Trojan/Win32.OnLineGames.R127617 TrojanPSW.OnLineGames.a Trj/CI.A Win32.Trojan-gamethief.Onlinegames2.Llgy Trojan.PWS.OnLineGames!AdRUDWW3hk0 Win32/Trojan.ace", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000546", "source": "cyner2_test"}} +{"text": "After the payload is extracted , decrypted , and mapped in the process memory , the malware calls the new DLL entry point , and then the RunDll exported function .", "spans": {}, "info": {"id": "cyner2_test_000547", "source": "cyner2_test"}} +{"text": "After establishing a connection with them via the SSH protocol, the Trojan attempts to run a copy of itself on them.", "spans": {"MALWARE: Trojan": [[68, 74]]}, "info": {"id": "cyner2_test_000548", "source": 
"cyner2_test"}} +{"text": "A backdoor also known as: HW32.Packed.65D5 Trojan.QzonitCS.S892249 Win32.Trojan.WisdomEyes.16070401.9500.9936 Trojan.DownLoader24.53170 TR/ATRAPS.yyemu Trojan[Banker]/Win32.Banbra Trojan:Win32/Qzonit.A!bit Trojan/Win32.Banki.R199618 TrojanBanker.Banbra Trojan.PWS.Banbra!aQHZ31wDzOU", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000550", "source": "cyner2_test"}} +{"text": "Unit 42 has discovered a persistent attack campaign operating primarily in the Middle East dating back to at least mid-2016 which we have named Magic Hound.", "spans": {"ORGANIZATION: Unit 42": [[0, 7]], "THREAT_ACTOR: persistent attack campaign": [[25, 51]], "MALWARE: at": [[106, 108]], "THREAT_ACTOR: Magic Hound.": [[144, 156]]}, "info": {"id": "cyner2_test_000551", "source": "cyner2_test"}} +{"text": "The spearphishing attempt posed as a message from the Director of United for Iran, a U.S.-based human rights organization, claiming that the organization had developed a secure communications tool for activists.", "spans": {"THREAT_ACTOR: spearphishing": [[4, 17]]}, "info": {"id": "cyner2_test_000552", "source": "cyner2_test"}} +{"text": "malware used in the 2016 attack on the Bangladesh SWIFT banking system", "spans": {"MALWARE: malware": [[0, 7]], "SYSTEM: the Bangladesh SWIFT banking system": [[35, 70]]}, "info": {"id": "cyner2_test_000553", "source": "cyner2_test"}} +{"text": "The new macros and Bateleur backdoor use sophisticated anti-analysis and sandbox evasion techniques as they attempt to cloak their activities and expand their victim pool.", "spans": {"MALWARE: macros": [[8, 14]], "MALWARE: Bateleur backdoor": [[19, 36]], "SYSTEM: sandbox": [[73, 80]], "ORGANIZATION: victim pool.": [[159, 171]]}, "info": {"id": "cyner2_test_000554", "source": "cyner2_test"}} +{"text": "] me under names in the format : photo_ [ number ] _img.apk , mms_ [ number ] _img.apk avito_ [ number ] .apk , mms.img_ [ number ] _photo.apk , mms [ number ] 
_photo.image.apk , mms [ number ] _photo.img.apk , mms.img.photo_ [ number ] .apk , photo_ [ number ] _obmen.img.apk .", "spans": {}, "info": {"id": "cyner2_test_000555", "source": "cyner2_test"}} +{"text": "The group also makes use of several different modules that they deploy where appropriate to their targets.", "spans": {"THREAT_ACTOR: The group": [[0, 9]], "ORGANIZATION: targets.": [[98, 106]]}, "info": {"id": "cyner2_test_000556", "source": "cyner2_test"}} +{"text": "More than twenty were found and exposed during the said months.", "spans": {"MALWARE: twenty": [[10, 16]]}, "info": {"id": "cyner2_test_000557", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.MSIL.Qhost.bgq Trojan.Win32.Qhost.exeaec Trojan.Hosts.43624 Trojan:MSIL/Wirzemro.A Trojan.MSIL.Qhost.bgq Adware/Win32.AdInstaller.C2358455 Trojan.MSIL.Qhost Msil.Trojan.Qhost.Syhr Trojan.MSIL.Qhost", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000558", "source": "cyner2_test"}} +{"text": "] com ) : Contains android packages , java archives and zip archives with exploits Archive Link domains : Three domains with the same functionality , but the application chooses one of them to send request for archive link .", "spans": {"SYSTEM: android": [[19, 26]]}, "info": {"id": "cyner2_test_000559", "source": "cyner2_test"}} +{"text": "If all conditions are met , “ Agent Smith ” tries to infect the application .", "spans": {"MALWARE: Agent Smith": [[30, 41]]}, "info": {"id": "cyner2_test_000560", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Win.Worm.Autorun-5678 W32.W.Otwycal.l4av Trojan.Win32.Dropper.abr Trojan.DownLoader.55579 Worm:Win32/Rimcoss.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000561", "source": "cyner2_test"}} +{"text": "Animal Farm is the security industry's name for a group of attackers first described by Canada's Communications Security Establishment CSE in a set of slides leaked by Edward Snowden in 
March 2014.", "spans": {"THREAT_ACTOR: Animal Farm": [[0, 11]], "THREAT_ACTOR: security industry's": [[19, 38]], "THREAT_ACTOR: group of attackers": [[50, 68]], "ORGANIZATION: Canada's Communications Security Establishment CSE": [[88, 138]], "THREAT_ACTOR: Edward Snowden": [[168, 182]]}, "info": {"id": "cyner2_test_000562", "source": "cyner2_test"}} +{"text": "Conversations-based app mimics Telegram messenger Even when we originally thought this was a backdoored version of the Conversations app , used to infect victims , we didn´t discovered anything malicious in it .", "spans": {"SYSTEM: Telegram messenger": [[31, 49]]}, "info": {"id": "cyner2_test_000563", "source": "cyner2_test"}} +{"text": "A backdoor also known as: BehavesLike.Win32.Downloader.fc Worm:Win32/Nokpuda.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000564", "source": "cyner2_test"}} +{"text": "A backdoor also known as: HW32.Packed.FA63 Trojan.Barys.DDC1E Win32.Trojan.WisdomEyes.16070401.9500.9811 Trojan/Win32.Banbra.C1546872", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000565", "source": "cyner2_test"}} +{"text": "The name Asacub appeared with version 4 in late 2015 ; previous versions were known as Trojan-SMS.AndroidOS.Smaps .", "spans": {"MALWARE: Asacub": [[9, 15]]}, "info": {"id": "cyner2_test_000566", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32.K2pS.Trojan Trojan/W32.Kuang.7680 Weird.11264 Kuang.pws TROJ_PSW_RING0.B Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Trojan.Kuang.B Infostealer.Kuang.B Win32/Kuang.F TROJ_PSW_RING0.B Win.Trojan.KunagB-1 Trojan-PSW.Win32.Kuang.h Trojan.Win32.Kuang.fzlh Trojan.PWS.Kuang Trojan.Kuang.Win32.4 BehavesLike.Win32.Backdoor.zm W32/Trojan.Kuang.B Trojan/PSW.Kuang.b Trojan[PSW]/Win32.Kuang Trojan.Win32.KuangLogger.7680 Trojan-PSW.Win32.Kuang.h Trojan:Win32/Kuang.B Trojan.PSW.Kuang2 Win32.Kuang.I Trojan.Win32.Kuang W32/Kuang.B!tr.pws", "spans": {"MALWARE: backdoor": [[2, 10]]}, 
"info": {"id": "cyner2_test_000567", "source": "cyner2_test"}} +{"text": "As “ Agent Smith ” uses a modular approach , and as stated earlier , the original loader extracts everything from the assets , the usage of the Janus vulnerability can only change the code of the original application , not the resources .", "spans": {"MALWARE: Agent Smith": [[5, 16]], "VULNERABILITY: Janus": [[144, 149]]}, "info": {"id": "cyner2_test_000568", "source": "cyner2_test"}} +{"text": "Figure 16 : integrating an in-house ad SDK Figure 17 : replacing original app activities with the malicious ad SDK activity Figure 18 : the malware showing ads on any activity being loaded Connecting the Dots As our malware sample analysis took the team closer to reveal the “ Agent Smith ” campaign in its entirety and it is here that the C & C server investigation enters the center stage .", "spans": {}, "info": {"id": "cyner2_test_000569", "source": "cyner2_test"}} +{"text": "This led to the publication of a whitepaper covering the full operation.", "spans": {}, "info": {"id": "cyner2_test_000570", "source": "cyner2_test"}} +{"text": "First , based on information that is associated with the registered C & C domain , we identified the name of the registrant , along with further data like country and email address , as seen in Figure 8 .", "spans": {}, "info": {"id": "cyner2_test_000571", "source": "cyner2_test"}} +{"text": "These applications range from utility apps such as photo manipulators to wallpaper and ringtone changers.", "spans": {}, "info": {"id": "cyner2_test_000572", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Win32.MulDrop5.crmtcx WS.Reputation.1 Trojan.MulDrop5.4437 Trojan.CoinMiner CoinMiner.AAM Trojan.Win32.CoinMiner.HY", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000573", "source": "cyner2_test"}} +{"text": "The fake page will not go away until the user provides the payment information.", "spans": {}, "info": {"id": 
"cyner2_test_000574", "source": "cyner2_test"}} +{"text": "] pw/4 * * * * * 7 ” ( It .", "spans": {}, "info": {"id": "cyner2_test_000575", "source": "cyner2_test"}} +{"text": "No matter what button is pressed , the window stays on top of all other windows .", "spans": {}, "info": {"id": "cyner2_test_000576", "source": "cyner2_test"}} +{"text": "In April 2013 , we saw the first sample , which made heavy use of dynamic code loading ( i.e. , fetching executable code from remote sources after the initial app is installed ) .", "spans": {}, "info": {"id": "cyner2_test_000577", "source": "cyner2_test"}} +{"text": "The StrongPity APT is a technically capable group operating under the radar for several years.", "spans": {"THREAT_ACTOR: The StrongPity APT": [[0, 18]], "THREAT_ACTOR: group": [[44, 49]]}, "info": {"id": "cyner2_test_000579", "source": "cyner2_test"}} +{"text": "Stage 1 : Loader malware keeps sandbox and debuggers away The first stage of FinFisher running through this complicated virtual machine is a loader malware designed to probe the system and determine whether it ’ s running in a sandbox environment ( typical for cloud-based detonation solution like Office 365 ATP ) .", "spans": {"MALWARE: FinFisher": [[77, 86]], "SYSTEM: Office 365 ATP": [[298, 312]]}, "info": {"id": "cyner2_test_000580", "source": "cyner2_test"}} +{"text": "Exploit kits EK are typically used to distribute malware and other malicious programs to large numbers of victims using existing vulnerabilities in commonly-used browsers.", "spans": {"MALWARE: Exploit kits EK": [[0, 15]], "MALWARE: malware": [[49, 56]], "MALWARE: malicious programs": [[67, 85]], "VULNERABILITY: vulnerabilities": [[129, 144]], "SYSTEM: browsers.": [[162, 171]]}, "info": {"id": "cyner2_test_000582", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Mauvaise.SL1 Dropper.Sysn.Win32.631 Trojan.Zusy.D41DFC TROJ_SYSN_GE2300B9.UVPA W32.Faedevour Win32/Bzub.KUWUUcC TROJ_SYSN_GE2300B9.UVPA 
Trojan-Dropper.Win32.Sysn.bqcl Trojan.Win32.ddncff.eaqdzv Trojan.Inject1.27874 BehavesLike.Win32.RansomWannaCry.dc TrojanDropper.Sysn.avc Trojan[Dropper]/Win32.Sysn Trojan-Dropper.Win32.Sysn.bqcl Dropper/Win32.Sysn.R120846 TrojanDropper.Sysn", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000583", "source": "cyner2_test"}} +{"text": "A backdoor also known as: IMIServer.download Downloader.OneClickNetSearch.Win32.8 Trojan/Downloader.OneClickNetSearch.i Trojan.Graftor.D60D9 W32/Downloader.BBQ Adware.IEPlugin Win32/SillyDl.FM TROJ_DLOADER.VR Win.Trojan.Downloader-40673 Trojan-Downloader.Win32.OneClickNetSearch.i Trojan.Win32.OneClickNetSearch.dkts Troj.Downloader.W32.OneClickNetSearch.i!c Trojan.DownLoader.28897 TROJ_DLOADER.VR BehavesLike.Win32.Backdoor.km W32/Downloader.VQVS-3601 TrojanDownloader.OneClickNetSearch.c Adware.ShopNavUpdater TR/Dldr.OneClic.I Trojan[Downloader]/Win32.OneClickNetSearch TrojanDownloader:Win32/OneClickNetSearch.I Adware.IEPlugin Trojan-Downloader.Win32.OneClickNetSearch.i Trojan/Win32.HDC.C12454 Adware.IEPlugin TrojanDownloader.OneClickNetSearch Win32.Trojan-downloader.Oneclicknetsearch.Lnec Trojan.DL.NetSearch!M12OX4IwWPY Trojan-Downloader.Win32.OneClickNetSearch W32/OneClickNetSearch.I!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000584", "source": "cyner2_test"}} +{"text": "The malware was deployed via the software update mechanism in a piece of Ukranian accounting software on the morning of Tuesday 27th June 2017.", "spans": {"MALWARE: malware": [[4, 11]], "SYSTEM: software update mechanism": [[33, 58]], "SYSTEM: Ukranian accounting software": [[73, 101]]}, "info": {"id": "cyner2_test_000585", "source": "cyner2_test"}} +{"text": "Security firm Symantec has released a list of tools used by the Blackfly espionage group in recent years, which it believes may have been used in a series of attacks in China and Asia.", "spans": {"ORGANIZATION: Security firm": [[0, 13]], "ORGANIZATION: 
Symantec": [[14, 22]], "MALWARE: tools": [[46, 51]], "THREAT_ACTOR: the Blackfly espionage group": [[60, 88]]}, "info": {"id": "cyner2_test_000586", "source": "cyner2_test"}} +{"text": "This stealth technique has been gaining popularity among adware-related threats distributed via Google Play .", "spans": {"SYSTEM: Google Play": [[96, 107]]}, "info": {"id": "cyner2_test_000587", "source": "cyner2_test"}} +{"text": "? q= - : As is common with trojans , the communication is always initiated by the trojan on the device to the C2 .", "spans": {}, "info": {"id": "cyner2_test_000588", "source": "cyner2_test"}} +{"text": "Parsing of instructions by EventBot Parsing of instructions by the bot from the C2 .", "spans": {"MALWARE: EventBot": [[27, 35]]}, "info": {"id": "cyner2_test_000589", "source": "cyner2_test"}} +{"text": "] meacount-manager [ .", "spans": {}, "info": {"id": "cyner2_test_000590", "source": "cyner2_test"}} +{"text": "Legitimate ones will typically require a subscription fee or rely on advertising as part of their business model.", "spans": {}, "info": {"id": "cyner2_test_000591", "source": "cyner2_test"}} +{"text": "It is based on the same codebase that was used by the infamous Zeus trojan, the source code of which was leaked in 2011.", "spans": {"MALWARE: Zeus trojan,": [[63, 75]]}, "info": {"id": "cyner2_test_000592", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Ransom/W32.Magniber.218114 Trojan.Ransom.MyRansom Win32.Trojan.WisdomEyes.16070401.9500.9994 TROJ_HPWORTRIK.SM Trojan-Banker.Win32.Jimmy.ep Trojan.Win32.Mikey.ettifq Trojan.Win32.MyRansom.629760 Trojan.DownLoad3.46525 TROJ_HPWORTRIK.SM BehavesLike.Win32.MultiPlug.dc W32/Trojan.ZTWR-3024 TrojanDownloader.Geral.ead TR/Crypt.ZPACK.dggks Ransom:Win32/Sobnot.A Uds.Dangerousobject.Multi!c Trojan-Banker.Win32.Jimmy.ep Trojan/Win32.Magniber.R210623 TrojanBanker.Jimmy Trojan.MalPack Trj/CI.A W32/Injector.DSPI!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": 
"cyner2_test_000594", "source": "cyner2_test"}} +{"text": "It is also another example for why organizations and consumers alike should have an advanced mobile threat prevention solution installed on the device to protect themselves against the possibility of unknowingly installing malicious apps , even from trusted app stores .", "spans": {}, "info": {"id": "cyner2_test_000595", "source": "cyner2_test"}} +{"text": "The server sends back encoded json containing URL , class name and method name .", "spans": {}, "info": {"id": "cyner2_test_000596", "source": "cyner2_test"}} +{"text": "Rooting trojans The Zen authors have also created a rooting trojan .", "spans": {"MALWARE: Zen": [[20, 23]]}, "info": {"id": "cyner2_test_000597", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32/Eggnog.f W32/Worm.AWIJ Trojan.ADH W32/Malware.GIJQ Win32/Eggnog.F TROJ_COSPET.B WIN.Worm.Eggnog P2P-Worm.Win32.Eggnog.f Trojan.Cospet!FlzIxxaUDss Worm.Win32.A.P2P-Eggnog.39754 TrojWare.Win32.Cospet.X0 Win32.HLLW.Kazaa.512 TR/Cospet.X TROJ_COSPET.B Win32.Troj.Cospet.x.kcloud Worm:Win32/Eggnog.D Worm/Win32.Eggnog W32/Worm.AWIJ Trojan.Win32.Cospet.x Trojan.ADH Win32/Eggnog.E Email-Worm.Win32.Fearso W32/Eggnog.W@mm Bck/Poison.F", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000598", "source": "cyner2_test"}} +{"text": "By poisoning the search results for specific banking related keywords, the attackers were able to effectively target specific users in a novel fashion.", "spans": {"ORGANIZATION: banking": [[45, 52]], "THREAT_ACTOR: the attackers": [[71, 84]]}, "info": {"id": "cyner2_test_000599", "source": "cyner2_test"}} +{"text": "This paper documents attempted exploitation activity aimed at Uyghur interests outside of China.", "spans": {"VULNERABILITY: exploitation activity": [[31, 52]], "ORGANIZATION: Uyghur": [[62, 68]]}, "info": {"id": "cyner2_test_000600", "source": "cyner2_test"}} +{"text": "The bot can then be used by cybercriminals to steal money, 
a much more profitable outcome than just receiving a ransom to decrypt some files.", "spans": {"THREAT_ACTOR: cybercriminals": [[28, 42]]}, "info": {"id": "cyner2_test_000601", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Win32.Trojan.Symmi.Lnez BehavesLike.Win32.PWSZbot.dm Trojan:Win32/Peals.B!gfc Trojan.Symmi.D90B8 TrojanDropper.Hassur Backdoor.Win32.Sobador", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000602", "source": "cyner2_test"}} +{"text": "While these common internet protocols may be disabled within a restrictive card processing environment, DNS is still necessary to resolve hostnames within the corporate environment and is unlikely to be blocked.", "spans": {"VULNERABILITY: DNS": [[104, 107]], "ORGANIZATION: corporate environment": [[159, 180]]}, "info": {"id": "cyner2_test_000603", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Korplug Trojan.KorplugCRTD.Win32.5229 BKDR_PLUGX.DUKPX Trojan.Win32.Mocker.epfvig BKDR_PLUGX.DUKPX Trojan.Win32.Korplug Trojan.Korplug.h W32/Mocker.ID!tr.bdr Trojan[Backdoor]/Win32.Mocker Trojan/Win32.Downloader.R193185 Trj/CI.A Win32.Backdoor.Mocker.Pluq Win32/Backdoor.a63", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000604", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32.eHeur.Malware11 TrojanPWS.OnLineGames.AH7 Trojan.OnLineGames.Win32.176380 Trojan/OnLineGames.qoc Trojan.Symmi.D309E PUA_ONLINEG.SM Win32.Trojan-GameThief.OnLineGames.c Infostealer.Gampass Win32/Gamepass.NbRQGb PUA_ONLINEG.SM Win.Spyware.Onlinegames-18853 Trojan.Win32.Wsgame.bxoznw Trojan.Win32.PSWIGames.350720.A TrojWare.Win32.GameThief.OnLineGames.AJQT Trojan.PWS.Wsgame.40807 Trojan-GameThief.Win32.OnLineGames Trojan/PEF13F.cv TR/PSW.OnlineGames.AH.8 Trojan/Win32.Unknown PWS:Win32/Enterak.A Trojan.Win32.OnlineGame.f Trojan.PWS.OnLineGames!l5ipAZ0fFAE W32/GAMEPSW.C!tr Win32/Trojan.PSW.39f", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": 
{"id": "cyner2_test_000605", "source": "cyner2_test"}} +{"text": "Our investigation indicates that the campaign has existed since at least November 2013 but has remained active until today.", "spans": {"THREAT_ACTOR: campaign": [[37, 45]], "MALWARE: at": [[64, 66]]}, "info": {"id": "cyner2_test_000606", "source": "cyner2_test"}} +{"text": "Our worldwide sensor network provides researchers at FireEye Labs with unique opportunities to detect innovative tactics employed by malicious actors and protects our clients from these tactics.", "spans": {"SYSTEM: sensor network": [[14, 28]], "ORGANIZATION: FireEye Labs": [[53, 65]], "THREAT_ACTOR: malicious actors": [[133, 149]]}, "info": {"id": "cyner2_test_000607", "source": "cyner2_test"}} +{"text": "Since 2012, we have found more than 9,000 apps using the Mario name on various sources online.", "spans": {"SYSTEM: apps": [[42, 46]], "MALWARE: Mario name": [[57, 67]], "ORGANIZATION: sources online.": [[79, 94]]}, "info": {"id": "cyner2_test_000608", "source": "cyner2_test"}} +{"text": "The source process reads /proc/ [ pid ] /maps to find where libc is located in the target process memory .", "spans": {}, "info": {"id": "cyner2_test_000609", "source": "cyner2_test"}} +{"text": "This version brings back the ACCESS_SUPERUSER and READ_FRAME_BUFFER permissions .", "spans": {}, "info": {"id": "cyner2_test_000610", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Heur.AutoIT.13 Win32.Trojan.WisdomEyes.16070401.9500.9827 W32/Trojan.PPOR-1386 Trojan.Win32.Autoit.ezk Trojan.Win32.Autoit Trojan/Reconyc.ma Trojan:Win32/Autibep.A!bit Trojan.Win32.Autoit.ezk Trojan/Win32.Autoit.C2358053", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000611", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Jabxin Win32.Trojan.WisdomEyes.16070401.9500.9985 Trojan.Win32.Jabxin.exmnee W32/Trojan.XFOU-3426 Trojan.Snojan.cw TR/Jabxin.sphdn Trojan.Kazy.D4B7E4 Trojan:Win32/Jabxin.A 
Trojan/Win32.Xema.C215983 Trj/Dtcontx.G Win32.Trojan.Kazy.Jcv", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000612", "source": "cyner2_test"}} +{"text": "First , the malicious app tries to determine whether it is being tested by the Google Play security mechanism .", "spans": {"SYSTEM: Google Play": [[79, 90]]}, "info": {"id": "cyner2_test_000613", "source": "cyner2_test"}} +{"text": "Analysis of a sample I came across on twitter which uses a GitHub issue as a communication channel for the malware.", "spans": {"MALWARE: sample": [[14, 20]], "ORGANIZATION: twitter": [[38, 45]], "SYSTEM: GitHub issue": [[59, 71]], "MALWARE: malware.": [[107, 115]]}, "info": {"id": "cyner2_test_000614", "source": "cyner2_test"}} +{"text": "A backdoor also known as: BKDR_KIRPICH.SM Win32.Trojan.WisdomEyes.16070401.9500.9999 BKDR_KIRPICH.SM Win.Trojan.RegSubDat-19 Trojan.Win32.Dwn.dtfqe Trojan.DownLoader4.46899 Trojan:Win32/Gyplit.A Trojan.Win32.Gyplit", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000615", "source": "cyner2_test"}} +{"text": "A backdoor also known as: TrojanMSIL.Shmandaler.A4 Trojan.Bedep Trojan/Downloader.Small.afq TSPY_LIMITAIL.SMJC Infostealer.Limitail TSPY_LIMITAIL.SMJC Trojan-Downloader.MSIL.Tiny.um Trojan.Win32.Tiny.ebvkml TrojWare.MSIL.TrojanDownloader.Small.AFQ Trojan.DownLoader23.40196 TR/Dldr.Small.18434.2 Trojan.MSIL.Krypt.2 Trojan-Downloader.MSIL.Tiny.um TrojanDownloader:MSIL/Shmandaler.A Trj/GdSda.A MSIL/TrojanDownloader.Small.AFQ Trojan.DL.Small!QZBtiX7UwsI Trojan-Downloader.MSIL.Small MSIL/Small.AFQ!tr.dldr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000616", "source": "cyner2_test"}} +{"text": "The attack ultimately compromised accounts and stole research and intellectual property.", "spans": {}, "info": {"id": "cyner2_test_000617", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Graftor.D1EB1 Win32.Trojan.WisdomEyes.16070401.9500.9966 
BehavesLike.Win32.BadFile.tz Virus.Win32.VBInject Trojan/Win32.Diple Trojan:Win32/Bangsmoop.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000618", "source": "cyner2_test"}} +{"text": "Trend Micro has discovered a new family of ATM malware called Alice, which is the most stripped down ATM malware family we have ever encountered.", "spans": {"ORGANIZATION: Trend Micro": [[0, 11]], "MALWARE: family of ATM malware": [[33, 54]], "MALWARE: Alice,": [[62, 68]], "MALWARE: ATM malware family": [[101, 119]]}, "info": {"id": "cyner2_test_000619", "source": "cyner2_test"}} +{"text": "Lookout Discovers Phishing Sites Distributing New IOS And Android Surveillanceware April 8 , 2019 For the past year , Lookout researchers have been tracking Android and iOS surveillanceware , that can exfiltrate contacts , audio recordings , photos , location , and more from devices .", "spans": {"ORGANIZATION: Lookout": [[0, 7], [118, 125]], "SYSTEM: IOS": [[50, 53]], "SYSTEM: Android": [[58, 65], [157, 164]], "MALWARE: Surveillanceware": [[66, 82]], "SYSTEM: iOS": [[169, 172]], "MALWARE: surveillanceware": [[173, 189]]}, "info": {"id": "cyner2_test_000620", "source": "cyner2_test"}} +{"text": "A fourth ransomware campaign focused on Ukraine has surfaced today, following some of the patterns seen in past ransomware campaigns that have been aimed at the country, such as XData, PScrypt, and the infamous NotPetya.", "spans": {"THREAT_ACTOR: ransomware campaign": [[9, 28]], "THREAT_ACTOR: ransomware campaigns": [[112, 132]], "MALWARE: XData, PScrypt,": [[178, 193]], "MALWARE: NotPetya.": [[211, 220]]}, "info": {"id": "cyner2_test_000621", "source": "cyner2_test"}} +{"text": "] info OpSec fails and use of cryptography While looking at this infrastructure , we identified that one of these domains has directory indexing enabled .", "spans": {}, "info": {"id": "cyner2_test_000622", "source": "cyner2_test"}} +{"text": "Microsoft Defender for Endpoint on Android , now generally 
available , extends Microsoft ’ s industry-leading endpoint protection to Android .", "spans": {"SYSTEM: Microsoft Defender": [[0, 18]], "SYSTEM: Android": [[35, 42], [133, 140]], "ORGANIZATION: Microsoft": [[79, 88]]}, "info": {"id": "cyner2_test_000623", "source": "cyner2_test"}} +{"text": "In this blog , we ’ ll detail the innovative ways in which this ransomware surfaces its ransom note using Android features we haven ’ t seen leveraged by malware before , as well as incorporating an open-source machine learning module designed for context-aware cropping of its ransom note .", "spans": {"SYSTEM: Android": [[106, 113]]}, "info": {"id": "cyner2_test_000624", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Backdoor/W32.Gibbon.160256 Backdoor.Trojan Win32/Gibbon.B BKDR_SCANREGW.A Backdoor.Win32.Gibbon.b Trojan.Win32.Gibbon.fgmc Backdoor.Win32.Gibbon.160256[h] Backdoor.Win32.Gibbon.B BackDoor.Gibbon Backdoor.Gibbon.Win32.3 BKDR_SCANREGW.A W32/Risk.JIWD-6248 Backdoor/Gibbon.b BDS/Gibbon.B W32/Gibbon.B!tr.bdr Trojan[Backdoor]/Win32.Gibbon Backdoor.W32.Gibbon.b!c Win-Trojan/Gibbon.160256 Backdoor:Win32/Gibbon.1_24 Backdoor.Gibbon Bck/Gibbon.b Win32.Backdoor.Gibbon.Wsud Backdoor.Gibbon!c66jqE55ZiA Backdoor.Win32.Gibbon BackDoor.Gibbon Backdoor.Win32.Gibbon.b Win32/Backdoor.BO.c71", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000625", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32/Gaobot.worm!e Worm.Agobot.WQWW Win32.Horse Backdoor.Win32.Agobot.rci Backdoor.Win32.S.Agobot.584192 Heuristic.BehavesLike.Win32.Dropper.H Backdoor/Agobot.dwx Worm:Win32/Gaobot.B Backdoor/Win32.Agobot Backdoor.Win32.Agobot.rci Worm/Agobot.HYF W32/Gaobot.OXI.worm", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000626", "source": "cyner2_test"}} +{"text": "A group calling itself the Cyber Caliphate, linked to so-called Islamic State, first claimed responsibility.", "spans": {"THREAT_ACTOR: Cyber Caliphate,": 
[[27, 43]], "ORGANIZATION: Islamic State,": [[64, 78]]}, "info": {"id": "cyner2_test_000627", "source": "cyner2_test"}} +{"text": "These attacks have some links to earlier attacks by a group called Budminer involving the Taidoor Trojan Trojan.Taidoor.", "spans": {"THREAT_ACTOR: group": [[54, 59]], "THREAT_ACTOR: Budminer": [[67, 75]], "MALWARE: Taidoor Trojan": [[90, 104]]}, "info": {"id": "cyner2_test_000628", "source": "cyner2_test"}} +{"text": "The core of this functionality is also based on an open-source project that can be found here .", "spans": {}, "info": {"id": "cyner2_test_000629", "source": "cyner2_test"}} +{"text": "Kaspersky Lab products detect it as Trojan.AndroidOS.Dvmap.a.", "spans": {"ORGANIZATION: Kaspersky Lab": [[0, 13]], "SYSTEM: products": [[14, 22]]}, "info": {"id": "cyner2_test_000630", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Backdoor.Wavipeg.A8 Troj.W32.Scar.to7k Trojan.Zusy.D8DC2 Backdoor.Ratenjay Win32/Tnega.GEXfUSB BKDR_WAVIPEG.SM Trojan.Win32.Scar.hgxl Trojan.Win32.Scar.cqkqmh Trojan.Click2.51376 Trojan.Scar.Win32.77443 BKDR_WAVIPEG.SM Trojan/Scar.azvv Trojan/Win32.Scar Backdoor:Win32/Wavipeg.A Trojan.Win32.Scar.hgxl Trojan/Win32.Scar.R62287 Trojan.Scar Trojan.Scar!gyQE2NlfXyY Win32/Trojan.40a", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000631", "source": "cyner2_test"}} +{"text": "JS/Nemucod downloads additional malware and executes it without the user's consent.", "spans": {"MALWARE: malware": [[32, 39]]}, "info": {"id": "cyner2_test_000632", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.JS.Iframe.AEZ Trojan.JS.Iframe.AEZ Trojan.JS.Iframe.AEZ JS.IFrame.68 JS/iFrame.psa.22 HTML/Iframer.F Trojan.JS.Iframe.AEZ", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000633", "source": "cyner2_test"}} +{"text": "McAfee product detection is covered in the Indicators of Compromise section at the end of the document.", "spans": {"ORGANIZATION: 
McAfee": [[0, 6]], "SYSTEM: product": [[7, 14]]}, "info": {"id": "cyner2_test_000634", "source": "cyner2_test"}} +{"text": "FIN7 is referred to by many vendors as Carbanak Group although we do not equate all usage of the CARBANAK backdoor with FIN7.", "spans": {"THREAT_ACTOR: FIN7": [[0, 4]], "ORGANIZATION: vendors": [[28, 35]], "THREAT_ACTOR: Carbanak Group": [[39, 53]], "MALWARE: CARBANAK backdoor": [[97, 114]], "THREAT_ACTOR: FIN7.": [[120, 125]]}, "info": {"id": "cyner2_test_000637", "source": "cyner2_test"}} +{"text": "] 230 [ .", "spans": {}, "info": {"id": "cyner2_test_000638", "source": "cyner2_test"}} +{"text": "Stick to Google Play and use VPN software from reputable vendors .", "spans": {"SYSTEM: Google Play": [[9, 20]]}, "info": {"id": "cyner2_test_000639", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Crypt.ULPM", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000641", "source": "cyner2_test"}} +{"text": "This tunnel provided the attacker remote access to the host system using the Terminal Services TS, NetBIOS, and Server Message Block SMB services, while appearing to be traffic to legitimate websites.", "spans": {"SYSTEM: tunnel": [[5, 11]], "THREAT_ACTOR: attacker": [[25, 33]], "SYSTEM: the host system": [[51, 66]], "SYSTEM: Terminal Services TS, NetBIOS,": [[77, 107]], "SYSTEM: Server Message Block SMB services,": [[112, 146]]}, "info": {"id": "cyner2_test_000642", "source": "cyner2_test"}} +{"text": "] 137 54.69.156 [ .", "spans": {}, "info": {"id": "cyner2_test_000643", "source": "cyner2_test"}} +{"text": "More interestingly however, Fancy Bear employed a new tactic we hadn t previously seen: using Blogspot-hosted URLs in their spear-phishing email messages.", "spans": {"THREAT_ACTOR: Fancy Bear": [[28, 38]]}, "info": {"id": "cyner2_test_000644", "source": "cyner2_test"}} +{"text": "] com webmail [ .", "spans": {}, "info": {"id": "cyner2_test_000645", "source": "cyner2_test"}} +{"text": "In the 
beginning of July, Neutrino reportedly incorporated the HackingTeam 0day CVE-2015-5119, and in the past few days we've seen a massive uptick in the use of the kit.", "spans": {"MALWARE: Neutrino": [[26, 34]], "ORGANIZATION: HackingTeam": [[63, 74]], "VULNERABILITY: 0day": [[75, 79]], "MALWARE: kit.": [[166, 170]]}, "info": {"id": "cyner2_test_000646", "source": "cyner2_test"}} +{"text": "A backdoor also known as: DoS.Win32.VB!O Win32.Trojan.WisdomEyes.16070401.9500.9942 DoS.Win32.VB.u Trojan.Win32.VB.cyoswl Tool.VB.Win32.2571 BehavesLike.Win32.BadFile.ft DoS.VB.gc DoS:Win32/VB.U DoS.Win32.VB.u DoS.VB!+iXnI0PBPqU", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000647", "source": "cyner2_test"}} +{"text": "In the dangerous module lies a kill switch logic which looks for the keyword “ infect ” .", "spans": {}, "info": {"id": "cyner2_test_000648", "source": "cyner2_test"}} +{"text": "Since May 2016, the APT-C-23 has organized an organized, planned and targeted long-term uninterrupted attack on important areas such as Palestinian educational institutions and military institutions.", "spans": {"THREAT_ACTOR: APT-C-23": [[20, 28]], "ORGANIZATION: Palestinian educational institutions": [[136, 172]], "ORGANIZATION: military institutions.": [[177, 199]]}, "info": {"id": "cyner2_test_000649", "source": "cyner2_test"}} +{"text": "] it server1na.exodus.connexxa [ .", "spans": {}, "info": {"id": "cyner2_test_000650", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan/W32.HackTool.4170 HackTool.Win32.QQMima!O Hacktool.Qqmima Trojan/Hacktool.QQMima.a Win32.HackTool.QQMima.a HKTL_QQMIMA.A Win.Trojan.Qqmima-1 HackTool.Win32.QQMima.a Riskware.Win32.QQMima.hzhnq Backdoor.Win32.A.Hupigon.12288.D[UPX] Troj.W32.Tiny.to39 Win32.Hacktool.Qqmima.Dvzq Tool.Qqmima Tool.QQMima.Win32.1 HKTL_QQMIMA.A HackTool.QQMima.k HackTool/Win32.QQMima HackTool.Win32.QQMima.a HackTool:Win32/Qqmima.A Trojan/Win32.HackTool.R46193 Win32/HackTool.QQMima.A 
HackTool.Win32.QQMima Win32/Trojan.1e8", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000651", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Mauvaise.SL1 Backdoor.DarkKomet.Win32.4059 Troj.Ransom.W32.Blocker.tnqj Infostealer.Limitail Win32/Tnega.RfCSaJB Win32.Trojan-Dropper.BeiF.A Trojan-Ransom.Win32.Blocker.hrft Trojan.Win32.FakeAV.bdkdze BackDoor.Comet.152 Ransom_ATOM.SM0 BehavesLike.Win32.Ransomware.jc Backdoor/DarkKomet.kwk TR/Dropper.MSIL.svnaf Trojan-Ransom.Win32.Blocker.hrft TrojanDropper:Win32/Effbee.A Backdoor/Win32.DarkKomet.R48242 Hoax.Blocker Trojan.Dropper Trojan-Ransom.Win32.Blocker.a W32/Dropper.PYN!tr Win32/Trojan.Dropper.569", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000652", "source": "cyner2_test"}} +{"text": "When loaded with startup command 2 , the installer can copy the original explorer.exe file inside its current running directory and rename d3d9.dll to uxtheme.dll .", "spans": {}, "info": {"id": "cyner2_test_000653", "source": "cyner2_test"}} +{"text": "In most cases they would be crafted to appear as applications distributed by unspecified mobile operators in Italy .", "spans": {}, "info": {"id": "cyner2_test_000654", "source": "cyner2_test"}} +{"text": "In a curious case of life imitating art, a new ransomware variant inspired by the popular TV show, Mr. 
Robot, has emerged.", "spans": {"MALWARE: ransomware variant": [[47, 65]]}, "info": {"id": "cyner2_test_000655", "source": "cyner2_test"}} +{"text": "We identified infrastructure overlaps and string references to previous Wolf Research work .", "spans": {"ORGANIZATION: Wolf Research": [[72, 85]]}, "info": {"id": "cyner2_test_000656", "source": "cyner2_test"}} +{"text": "The registrant contact details of the C & C domains used in the campaign , for instance , were masked .", "spans": {}, "info": {"id": "cyner2_test_000657", "source": "cyner2_test"}} +{"text": "The compromised websites are the site for a group of information technology companies in Thailand, and all the tools were stored in the same directory.", "spans": {"THREAT_ACTOR: group": [[44, 49]], "ORGANIZATION: information technology companies": [[53, 85]], "MALWARE: tools": [[111, 116]]}, "info": {"id": "cyner2_test_000658", "source": "cyner2_test"}} +{"text": "Rasul Jafarov is a prominent lawyer and human rights defender in Azerbaijan.", "spans": {"ORGANIZATION: Rasul Jafarov": [[0, 13]], "ORGANIZATION: prominent lawyer and human rights defender": [[19, 61]]}, "info": {"id": "cyner2_test_000659", "source": "cyner2_test"}} +{"text": "Ransomware continues to be a plague on the internet and still sets itself as the fastest growing malware family we have seen in the last number of years.", "spans": {"MALWARE: Ransomware": [[0, 10]], "MALWARE: malware family": [[97, 111]]}, "info": {"id": "cyner2_test_000660", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32.Paganini.Heur Backdoor.Win32.Small!O Trojan.Malex.F4 W32.Virut.CF Win32/Pigeon.BCWZ BKDR_GANIPIN.SMI Win.Trojan.Small-14355 Backdoor.Win32.Small.abv Virus.Win32.Virut.Ce BKDR_GANIPIN.SMI BehavesLike.Win32.PWSZbot.lh Trojan[Backdoor]/Win32.Small Win32.Virut.cr.61440 Backdoor:Win32/Ganipin.A Backdoor.Win32.A.Small.53248.G Backdoor.Win32.Small.abv HEUR/Fakon.mwf Backdoor.Small Trojan.FakeMS.ED Win32/Virut.NBP Trojan.Win32.Malex 
W32/Ganipin.KID!tr W32/Sality.AO", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000661", "source": "cyner2_test"}} +{"text": "After closer inspection, it appears to be a completely distinct Trojan, which we have dubbed Bookworm and track in Autofocus using the tag Bookworm.", "spans": {"MALWARE: Trojan,": [[64, 71]], "MALWARE: Bookworm": [[93, 101]], "MALWARE: Autofocus": [[115, 124]], "MALWARE: Bookworm.": [[139, 148]]}, "info": {"id": "cyner2_test_000662", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Backdoor.Turla Backdoor.Win32.Turla BDS/Turla.biysb Backdoor:Win32/Turla.PA Trojan/Win32.Turla.C2322328 Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000663", "source": "cyner2_test"}} +{"text": "How did it work ? The malware mimics legit services such as Google service , GooglePlay or Flash update .", "spans": {"ORGANIZATION: Google": [[60, 66]], "SYSTEM: GooglePlay": [[77, 87]], "SYSTEM: Flash": [[91, 96]]}, "info": {"id": "cyner2_test_000664", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan/ExeDot.dpg Win32.Trojan.BHO.l W32/MalwareS.BGEU TROJ_DROPPR.SMS Win.Trojan.Exedot-76 Trojan.Win32.ExeDot.ctyvd Trojan.Win32.A.ExeDot.348684.A Backdoor.Win32.Cycbot.SM Trojan.MulDrop1.15257 Trojan.ExeDot.Win32.233 TROJ_DROPPR.SMS Trojan.Win32.ExeDot Trojan/ExeDot.ar TR/Spy.348684.2 Trojan/Win32.ExeDot Win32/BHO.NYW Trojan.ExeDot!RnagdE48E2U", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000665", "source": "cyner2_test"}} +{"text": "] commargaery [ .", "spans": {}, "info": {"id": "cyner2_test_000666", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32.HoiuyetsA.Trojan Trojan.Win32.Cossta!O TrojanDownloader.Gemax.A8 Trojan/Cossta.loo Trojan.Graftor.D779B TROJ_GEMAX.SMI Win32.Trojan.StartPage.x Win32/SillyDl.XBR TROJ_GEMAX.SMI Win.Trojan.Cossta-78 Trojan.Win32.Cossta.loo Trojan.Win32.Cossta.iikiu Trojan.KeyLogger.10368 
BehavesLike.Win32.Worm.fh Trojan-Downloader.Win32.Gemax Trojan/Win32.Cossta TrojanDownloader:Win32/Gemax.A Trojan.Win32.A.Cossta.379904 Trojan.Win32.Cossta.loo Trojan/Win32.Cossta.R5364 Trojan.Cossta Win32/StartPage.NXB W32/Cossta.NXB!tr Win32/Trojan.6eb", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000668", "source": "cyner2_test"}} +{"text": "This is consistent with previous KONNI distribution campaigns which have also frequently mentioned North Korea.", "spans": {"MALWARE: KONNI": [[33, 38]], "THREAT_ACTOR: distribution campaigns": [[39, 61]]}, "info": {"id": "cyner2_test_000669", "source": "cyner2_test"}} +{"text": "A backdoor also known as: WS.Reputation.1 Trojan/Win32.StartPage", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000670", "source": "cyner2_test"}} +{"text": "This new wave also presents unique attack vectors based on the kind of device it has accessed .", "spans": {}, "info": {"id": "cyner2_test_000671", "source": "cyner2_test"}} +{"text": "Gindin, which exposed new information about the attack and is currently assisting with the investigation.", "spans": {"ORGANIZATION: Gindin,": [[0, 7]]}, "info": {"id": "cyner2_test_000672", "source": "cyner2_test"}} +{"text": "A backdoor also known as: BAT.PowScript.A.GC Trojan.Malscript TROJ_POWSHELL.IA Trojan.AQMK-7 Trojan:PowerShell/Dpow.A Trojan.PowerShell.Dpow", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000673", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Backdoor.Sauron.A5 Troj.Multi.Remsec!c W64/Trojan.JRSI-8772 Trojan.Win32.Z.Remsec.79872 Backdoor:W64/Remsec.C Trojan.Remsec.10 BehavesLike.Win64.PWSZbot.lc Trojan.Multi.f BDS/Remsec.ivhvc Trojan/Multi.Remsec Backdoor:Win64/Remsec.A!dha Trj/CI.A Win32.Trojan.Remsec.Svhs Backdoor..Remsec Win32/Trojan.Multi.c3f", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000674", "source": "cyner2_test"}} +{"text": "A backdoor also known as: 
Backdoor.Win32.Singu!O Trojan.Banbra Backdoor/Singu.o Win32.Trojan.WisdomEyes.16070401.9500.9965 W32/Singu.FOSG-1503 Win32/Singu.G BKDR_SINGU.L Trojan-Banker.Win32.Banbra.tode Trojan.Win32.Singu.dnjf Backdoor.W32.Singu.l3vO Win32.Trojan-banker.Banbra.Alsa BackDoor.BlackHole.22965 Backdoor.Singu.Win32.191 BKDR_SINGU.L BehavesLike.Win32.Backdoor.dc Backdoor.Win32.Singu W32/Singu.BA@bd Backdoor/Heidong2005.mh BDS/Singu.O.2 Trojan[Backdoor]/Win32.Singu Trojan.Graftor.D92DE Backdoor.Win32.Singu.210668 Trojan-Banker.Win32.Banbra.tode Backdoor:Win32/Singu.AB Trojan/Win32.Xema.C113743 Backdoor.Singu Win32/Singu.NAD W32/Singu.L!tr.bdr Bck/Singu.Q Win32/Trojan.a3e", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000675", "source": "cyner2_test"}} +{"text": "To perform some of its activities , the malware does not need high privileges inside the device , as we will explain ahead .", "spans": {}, "info": {"id": "cyner2_test_000677", "source": "cyner2_test"}} +{"text": "Investigators put the origin of the attack as Iranian; Morphisec's research supports this conclusion and attributes the attacks to the same infamous hacker group responsible for the OilRig malware campaigns.", "spans": {"ORGANIZATION: Investigators": [[0, 13]], "ORGANIZATION: Morphisec's research": [[55, 75]], "THREAT_ACTOR: infamous hacker group": [[140, 161]], "THREAT_ACTOR: the OilRig malware campaigns.": [[178, 207]]}, "info": {"id": "cyner2_test_000678", "source": "cyner2_test"}} +{"text": "Alienvault has added additional and related infrastructure found when we analyzed the PoisonIvy sample.", "spans": {"ORGANIZATION: Alienvault": [[0, 10]], "MALWARE: PoisonIvy": [[86, 95]]}, "info": {"id": "cyner2_test_000679", "source": "cyner2_test"}} +{"text": "An internal investigation by the University of Toyama and other sources has revealed that a research centre at the university known for its work on tritium, a substance used to fuel nuclear fusion reactors, is feared to have been targeted 
by cyberattacks over a period of about six months.", "spans": {"ORGANIZATION: University of Toyama": [[33, 53]], "ORGANIZATION: research centre at": [[92, 110]], "ORGANIZATION: university": [[115, 125]], "THREAT_ACTOR: cyberattacks": [[242, 254]]}, "info": {"id": "cyner2_test_000680", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32.Vetor.PE Virus.Win32.Virut.1!O W32.Virut.G Virus.Virut.Win32.1938 Trojan.Dirtjump Win32/Virut.NBP PE_VIRUX.R Win.Trojan.Misun-1 Virus.Win32.Virut.ce Virus.Win32.Virut.hpeg W32.Virut.lDnT Virus.Win32.Virut.CE Win32.Virut.56 PE_VIRUX.R BehavesLike.Win32.Downloader.dh Win32/Virut.bt Virus/Win32.Virut.ce Win32.Virut.dd.368640 TrojanDownloader:Win32/Misun.A Virus.Win32.Virut.ce Win32/Virut.17408 Virus.Virut.14 Trojan.Pandora Trojan-Downloader.Win32.Misun W32/Virut.CE W32/Sality.AO Virus.Win32.VirutChangeEntry.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000681", "source": "cyner2_test"}} +{"text": "This particular family seems to be distributed via compromising servers and using them as a foothold to move laterally through the network to compromise additional machines which are then held for ransom.", "spans": {"SYSTEM: compromising servers": [[51, 71]], "SYSTEM: additional machines": [[153, 172]], "MALWARE: ransom.": [[197, 204]]}, "info": {"id": "cyner2_test_000682", "source": "cyner2_test"}} +{"text": "] com hxxp : //mailsa-wqu [ .", "spans": {}, "info": {"id": "cyner2_test_000683", "source": "cyner2_test"}} +{"text": "The new drive-by download attacks we caught over the weekend rely on the same structure as the original Blackhole, even reusing the old PDF and Java exploits.", "spans": {"MALWARE: Blackhole,": [[104, 114]], "VULNERABILITY: Java exploits.": [[144, 158]]}, "info": {"id": "cyner2_test_000684", "source": "cyner2_test"}} +{"text": "More recently , we have seen Bread-related apps trying to hide malicious code in a native library shipped with the APK .", "spans": {"MALWARE: 
Bread-related": [[29, 42]]}, "info": {"id": "cyner2_test_000686", "source": "cyner2_test"}} +{"text": "I haven't seen any write-up or info about it yet nor had any major incidents at $dayjob or heard of it from any other analysts.", "spans": {}, "info": {"id": "cyner2_test_000687", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9995 Win32/Virut.17408.C!corrupt Worm.Win32.WBNA.roc Win32.Worm.Wbna.Htcg BehavesLike.Win32.BadFile.pt Virus.Win32.Trojan Win32.Virut.cr.52736 Worm.Win32.WBNA.roc W32/WBNA.ROC!worm Win32/Worm.d5f", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000688", "source": "cyner2_test"}} +{"text": "Protecting organizations from threats across domains and platforms Mobile threats continue to rapidly evolve , with attackers continuously attempting to sidestep technological barriers and creatively find ways to accomplish their goal , whether financial gain or finding an entry point to broader network compromise .", "spans": {}, "info": {"id": "cyner2_test_000689", "source": "cyner2_test"}} +{"text": "In November 2015, ClearSky and Minerva Labs published the first public report exposing its activity.", "spans": {"ORGANIZATION: ClearSky": [[18, 26]], "ORGANIZATION: Minerva Labs": [[31, 43]]}, "info": {"id": "cyner2_test_000690", "source": "cyner2_test"}} +{"text": "The worm serves as a backdoor.", "spans": {"MALWARE: worm": [[4, 8]], "MALWARE: backdoor.": [[21, 30]]}, "info": {"id": "cyner2_test_000691", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32.StuxnetQKD.Worm Worm.Win32.Stuxnet!O TrojanDropper.Stuxnet.A Trojan/Dropper.Stuxnet.e Trojan.Razy.D295EE WORM_STUXNET.SM Win32.Worm.Stuxnet.b W32/Stuxnet.A Win32/Stuxnet.A WORM_STUXNET.SM Win.Trojan.Stuxnet-16 Worm.Win32.Stuxnet.e Trojan.Win32.Stuxnet.yqyt Dropper.Stuxnet.517632 W32.W.Stuxnet.tnba Worm.Win32.Stuxnet.a Trojan.Stuxnet.1 BehavesLike.Win32.Ransomware.hc W32/Stuxnet.WKAU-7295 TrojanDropper.Stuxnet.c 
W32.Stuxnet TR/Drop.Stuxnet.A Worm/Win32.Stuxnet TrojanDropper:Win32/Stuxnet.A Worm.Win32.Stuxnet.e Worm/Win32.Stuxnet.R608 Trojan.Stuxnet W32/Stuxnet.A.worm Win32/Stuxnet.A Win32.Worm.Stuxnet.Wtxk Trojan-Dropper.Win32.Stuxnet Worm.Win32.Stuxnet.B", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000692", "source": "cyner2_test"}} +{"text": "Certificate Used The apps themselves pretended to be carrier assistance apps which instructed the user to “ keep the app installed on your device and stay under Wi-Fi coverage to be contacted by one of our operators ” .", "spans": {}, "info": {"id": "cyner2_test_000693", "source": "cyner2_test"}} +{"text": "A new Malware-as-Service MaaS platform, called Cinoshi, is offering free malware services, including a stealer, botnet, and cryptominer.", "spans": {"THREAT_ACTOR: A new Malware-as-Service MaaS platform,": [[0, 39]], "THREAT_ACTOR: Cinoshi,": [[47, 55]], "MALWARE: malware services,": [[73, 90]], "MALWARE: stealer, botnet,": [[103, 119]], "MALWARE: cryptominer.": [[124, 136]]}, "info": {"id": "cyner2_test_000694", "source": "cyner2_test"}} +{"text": "The second vulnerability was a Flash vulnerability that worked on versions up to 18.0.0.232", "spans": {"VULNERABILITY: vulnerability": [[11, 24]], "VULNERABILITY: Flash vulnerability": [[31, 50]]}, "info": {"id": "cyner2_test_000695", "source": "cyner2_test"}} +{"text": "The group, known to Symantec as Tick, has maintained a low profile, appearing to be active for at least 10 years prior to discovery.", "spans": {"ORGANIZATION: Symantec": [[20, 28]], "THREAT_ACTOR: Tick,": [[32, 37]]}, "info": {"id": "cyner2_test_000696", "source": "cyner2_test"}} +{"text": "Some of the lure documents observed contained employee W-2 tax documents, I-9, and real estate purchase contracts.", "spans": {}, "info": {"id": "cyner2_test_000697", "source": "cyner2_test"}} +{"text": "EventBot web injects execution method Web injects execution method by a pre-established 
configuration .", "spans": {"MALWARE: EventBot": [[0, 8]]}, "info": {"id": "cyner2_test_000698", "source": "cyner2_test"}} +{"text": "of a campaign we've labeled Turbo, for the associated kernel module that was deployed.", "spans": {"THREAT_ACTOR: campaign": [[5, 13]], "MALWARE: Turbo, for": [[28, 38]]}, "info": {"id": "cyner2_test_000699", "source": "cyner2_test"}} +{"text": "Since the summer of 2016, this group began using a new downloader known as ZeroT to install the PlugX remote access Trojan RAT and added Microsoft Compiled HTML Help .chm as one of the initial droppers delivered in spear-phishing emails.", "spans": {"THREAT_ACTOR: group": [[31, 36]], "MALWARE: downloader": [[55, 65]], "MALWARE: ZeroT": [[75, 80]], "MALWARE: PlugX remote access Trojan RAT": [[96, 126]]}, "info": {"id": "cyner2_test_000700", "source": "cyner2_test"}} +{"text": "In addition, Emissary appears to only be used against Taiwanese or Hong Kong based targets, all of the decoys are written in Traditional Chinese, and they use themes related to the government or military.", "spans": {"MALWARE: Emissary": [[13, 21]], "ORGANIZATION: Taiwanese": [[54, 63]], "ORGANIZATION: Hong Kong based targets,": [[67, 91]], "ORGANIZATION: the government": [[177, 191]], "ORGANIZATION: military.": [[195, 204]]}, "info": {"id": "cyner2_test_000701", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Win32.Kitro.G@mm Worm/W32.Kitro.501760 Worm.Kitro Worm.Kitro.Win32.7 W32.W.Kitro.g1!c Win32.Kitro.EAD1A6 W32/Kitro.L Win32/Kitro.N Win32.Kitro.G@mm Email-Worm.Win32.Kitro.g1 Win32.Kitro.G@mm Trojan.Win32.Kitro.fpwn Win32.Kitro.G@mm Worm.Win32.Kitro.G1 Win32.HLLM.Kitro.16 BehavesLike.Win32.Backdoor.gh W32/Kitro.CDOE-2657 I-Worm/Kitro.g WORM/Kitro.G1 Worm[Email]/Win32.Kitro Worm:Win32/Kitro.G@mm Email-Worm.Win32.Kitro.g1 Trojan/Win32.Xema.C24227 Win32.Kitro.G@mm TScope.Trojan.Delf Win32/Kitro.G1 Win32.Worm-email.Kitro.Lnxz Worm.Win32.Kitro Win32/Worm.d9a", "spans": {"MALWARE: backdoor": [[2, 10]]}, 
"info": {"id": "cyner2_test_000702", "source": "cyner2_test"}} +{"text": "The threat actors seem to have abandoned these URLs and might be looking into other ways to reach more victims .", "spans": {}, "info": {"id": "cyner2_test_000703", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Orsam.TS3 Win32/CInject.LO Win32.Trojan.Dropper.MS Trojan.Win32.Crypt.mhmvv W32/Trojan.XTDW-7154 Trojan/MSIL.ciz Trojan.MSILKrypt.13 Trojan:MSIL/Soar.A Trojan.Win32.Crypt.cj Trojan.Crypt!AAtL5gQIwSc W32/Crypt.BE!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000704", "source": "cyner2_test"}} +{"text": "The PDF and DOC/XLS campaigns primarily impacted the United States and the Archive campaigns largely impacted the Unites States and South Korea.", "spans": {"THREAT_ACTOR: campaigns": [[20, 29]], "THREAT_ACTOR: the Archive campaigns": [[71, 92]]}, "info": {"id": "cyner2_test_000705", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9982 Ransom_Teerac.R032C0DJ717 Backdoor.Win32.Androm.jzkg Trojan.Win32.Androm.etmmzg Trojan.Encoder.761 Ransom_Teerac.R032C0DJ717 BehavesLike.Win32.MultiPlug.fc Backdoor.Androm.jqc Trojan[Backdoor]/Win32.Androm Trojan.Graftor.D432D1 Backdoor.Win32.Androm.jzkg Ransom:Win32/Teerac.I W32/TorrentLocker.C!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000706", "source": "cyner2_test"}} +{"text": "It steals bank card information ( the number , the expiry date , CVC2/CVV2 ) imitating the process of registering the bank card with Google Play .", "spans": {"SYSTEM: Google Play": [[133, 144]]}, "info": {"id": "cyner2_test_000707", "source": "cyner2_test"}} +{"text": "In this article FireEye examines TREASUREHUNT, POS malware that appears to have been custom-built for the operations of a particular dump shop, which sells stolen credit card data.", "spans": {"ORGANIZATION: FireEye": [[16, 23]], "MALWARE: TREASUREHUNT, POS malware": [[33, 
58]], "THREAT_ACTOR: operations": [[106, 116]], "THREAT_ACTOR: dump shop,": [[133, 143]]}, "info": {"id": "cyner2_test_000708", "source": "cyner2_test"}} +{"text": "] com .", "spans": {}, "info": {"id": "cyner2_test_000709", "source": "cyner2_test"}} +{"text": "The function onUserLeaveHint ( ) is called whenever the malware screen is pushed to background , causing the in-call Activity to be automatically brought to the foreground .", "spans": {}, "info": {"id": "cyner2_test_000710", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Banbra Trojan/Banbra.ahku Trojan.Heur.4mSfrSrP2REU Win32/Spy.Banker.AAWF Trojan-Banker.Win32.Banbra.ahku Trojan.Win32.Banbra.ktysi Trojan.Win32.Z.Banbra.926720 Troj.Banker.W32.Banbra.ahku!c Trojan.PWS.Banker.56593 Trojan.Banbra.Win32.11005 BehavesLike.Win32.Backdoor.dc W32/Trojan.UCVI-2531 Trojan/Banker.ajr TR/Spy.926720.1 Win32.Troj.Undef.kcloud Trojan-Banker.Win32.Banbra.ahku TrojanDownloader:Win32/Bradop.B Trojan-Banker.Banbra Trj/CI.A Win32.Trojan-Banker.Banbra.vkt Trojan.PWS.Banbra!V1hcdsPLM4g Win32/Trojan.15a", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000711", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.PSW.MSN.Faker.M Trojan/W32.Faker.176128 Trojan.Faker Trojan/Faker.m TROJ_MSN.M W32/Faker.M TROJ_MSN.M Win.Trojan.Faker-5 Trojan.PSW.MSN.Faker.M Trojan-IM.Win32.Faker.m Trojan.PSW.MSN.Faker.M Trojan.Win32.Faker.dguo Trojan.Win32.Z.Faker.176128 Troj.IM.W32.Faker.m!c Trojan.PSW.MSN.Faker.M TrojWare.Win32.PSW.MSN.M Trojan.PSW.MSN.Faker.M Trojan.PWS.MSNFake Trojan.Faker.Win32.10 Trojan-IM.Win32.Faker W32/Faker.KUAU-2229 Trojan/PSW.MSN.Faker.m TR/PSW.MSN.Faker.M.1 Trojan[IM]/Win32.Faker Trojan.PSW.MSN.Faker.M Trojan-IM.Win32.Faker.m PWS:Win32/Faker.M Trojan/Win32.HDC.C244648 Trojan.PSW.MSN.Faker.M Trojan.VB Win32/PSW.MSN.Faker.M Win32.Trojan-im.Faker.Lizy Trojan.Faker.W W32/MSN.M!tr Win32/Trojan.PSW.7e0", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": 
"cyner2_test_000712", "source": "cyner2_test"}} +{"text": "The only noticeable difference is the game has more ads , including ads on the very first screen .", "spans": {}, "info": {"id": "cyner2_test_000713", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Win32.HLLW.Motovilo.1 Trojan:Win32/Mousky.A Python/Motovilo.A Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000715", "source": "cyner2_test"}} +{"text": "Facebook phishing One of the interesting features of this spyware is the ability to steal Facebook credentials using a fake login page , similar to phishing .", "spans": {"SYSTEM: Facebook": [[0, 8], [90, 98]]}, "info": {"id": "cyner2_test_000716", "source": "cyner2_test"}} +{"text": "Red Alert 2.0 IoCs list C2 addresses 103.239.30.126:7878 146.185.241.29:7878 146.185.241.42:7878 185.126.200.3:7878 185.126.200.12:7878 185.126.200.15:7878 185.126.200.18:7878 185.165.28.15:7878 185.243.243.241:7878 185.243.243.244:7878 185.243.243.245:7878 Domains Malware source Web hosts on 167.99.176.61 : free-androidvpn.date free-androidvpn.download free-androidvpn.online free-vpn.date free-vpn.download free-vpn.online Hashes 22fcfce096392f085218c3a78dd0fa4be9e67ed725bce42b965a27725f671cf 55292a4dde8727faad1c40c914cf1be9dfdcf4e67b515aa593bcd8d86e824372 be92a751e5abbcd24151b509dbb4feb98ea46f367a99d6f86ed4a7c162461e31 5c4d666cef84abc2a1ffd3b1060ef28fa3c6c3bb4fad1fa26db99350b41bea4c 06081ab7faa729e33b9397a0e47548e75cbec3d43c50e6368e81d737552150a5 753999cb19a4346042f973e30cf1158c44f2335ab65859d3bfa16bca4098e2ef As a result of a lot of hard work done by our security research teams , we revealed today a new and alarming malware campaign .", "spans": {"MALWARE: Red Alert 2.0": [[0, 13]]}, "info": {"id": "cyner2_test_000717", "source": "cyner2_test"}} +{"text": "This contains the Mobile Country Code ( MCC ) and Mobile Network Code ( MNC ) values that the billing process will work for .", "spans": {}, "info": {"id": 
"cyner2_test_000718", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32.eHeur.Virus02 Virus.Win32.Sality!O Trojan/Buzus.hts Win32.Trojan.WisdomEyes.16070401.9500.9517 Backdoor.Win32.Bifrose.fwvf Trojan.Win32.Buzus.dkrvi Troj.W32.Buzus.hts!c Trojan.DownLoader4.41400 Trojan.Buzus.Win32.81109 BehavesLike.Win32.SoftPulse.hc Trojan/PSW.Almat.efi Backdoor:Win32/Buzus.C Backdoor.Win32.Bifrose.fwvf Trojan.Inject Trj/CI.A Win32.Trojan.Buzus.Ebqs Trojan.Buzus!tyFfEDrkzzg", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000719", "source": "cyner2_test"}} +{"text": "As if the recent breach and subsequent public data dump involving the Italian company Hacking Team wasn't bad enough, it all gets just a little bit worse.", "spans": {"ORGANIZATION: Italian company Hacking Team": [[70, 98]]}, "info": {"id": "cyner2_test_000720", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9988 Trojan.Win32.Starter.dabbar Trojan.Starter.2136 TR/Rarnmel.A.5 Trojan/Win32.Unknown Trojan.Zusy.D592F Trojan:Win32/Rarnmel.A Trojan/Win32.Qpolos.R8363 Trojan.Rarnmel!0uh7i88bHnk W32/Dloader.EH!tr Win32/Trojan.37e", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000721", "source": "cyner2_test"}} +{"text": "In recent weeks, Unit 42 has been monitoring a new e-mail campaign distributing the Trapwot malware family.", "spans": {"ORGANIZATION: Unit 42": [[17, 24]], "MALWARE: Trapwot malware family.": [[84, 107]]}, "info": {"id": "cyner2_test_000722", "source": "cyner2_test"}} +{"text": "Thanks to that project , we were able to extract his Facebook profile – which lists his studies at the aforementioned university .", "spans": {"ORGANIZATION: Facebook": [[53, 61]]}, "info": {"id": "cyner2_test_000723", "source": "cyner2_test"}} +{"text": "July 14 A new zero-day vulnerability ( CVE-2015-2425 ) was found in Internet Explorer .", "spans": {"VULNERABILITY: zero-day vulnerability": [[14, 36]], 
"VULNERABILITY: CVE-2015-2425": [[39, 52]], "SYSTEM: Internet Explorer": [[68, 85]]}, "info": {"id": "cyner2_test_000724", "source": "cyner2_test"}} +{"text": "However , this particular email downloads an Android Package Kit ( APK ) , which is the common format used by Android to distribute and install applications .", "spans": {"SYSTEM: Android Package Kit": [[45, 64]], "SYSTEM: Android": [[110, 117]]}, "info": {"id": "cyner2_test_000725", "source": "cyner2_test"}} +{"text": "They have at some point used just about every cloaking and obfuscation technique under the sun in an attempt to go undetected .", "spans": {}, "info": {"id": "cyner2_test_000726", "source": "cyner2_test"}} +{"text": "For example , the default configuration file with injects is non-operational , and the malware contains no fake built-in windows requesting bank card details .", "spans": {}, "info": {"id": "cyner2_test_000727", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan/W32.Jorik.44032.L Trojan.Jorik.Win32.110854 Trojan/Jorik.Mokes.agc Win32.Trojan.WisdomEyes.16070401.9500.9999 TSPY_ZBOT.SM3T Win.Trojan.Jorik-4495 Trojan.Win32.Jorik.vrckf TrojWare.Win32.Kryptik.AIDO BackDoor.Andromeda.22 TSPY_ZBOT.SM3T Trojan/Birele.cdk TR/Cridex.EB.23 Trojan/Win32.Mokes DDoS:Win32/Dofoil.A Trojan.Kazy.DA9C1 Trojan/Win32.Birele.R39959 BScope.Trojan-Inject.01659 Spyware.Zbot Trojan.Mokes!dIcqmwDMJRk Trojan-Dropper.Win32.Dapato", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000728", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Backdoor.Win32.G_Door!O Backdoor.FR BackDoor-FR.svr Backdoor.GDoor.Win32.3 BKDR_G_DOOR.B Win32.Trojan.BingHe.a W32/Backdoor.RBPV-2001 Backdoor.GDoor Win32/Glace.B BKDR_G_DOOR.B Win.Trojan.Gdoor-3 Backdoor.Win32.G_Door.aa Trojan.Win32.G_Door.hgau Win32.Backdoor.G_door.Wuhg Backdoor.Win32.G_Door.B BackDoor.GDoor.30 BehavesLike.Win32.Fake.dc W32/Backdoor.BJZE Backdoor/IceRiver.c TR/G-Door.Srv Trojan[Backdoor]/Win32.G_Door 
Win32.Hack.G_Door.b.kcloud Backdoor.Win32.G_Door.266385 Win-Trojan/GDoor_v22.B Backdoor.G_Door Backdoor.G_Door Win32/G_Door.B Backdoor.G_Door!IqXZ/OUSD/8 Backdoor.Win32.G_Door.B Bck/Iroffer.BG", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000729", "source": "cyner2_test"}} +{"text": "The reverse DNS history of this IP brought “ ads.i * * * e.com ” into our attention .", "spans": {}, "info": {"id": "cyner2_test_000730", "source": "cyner2_test"}} +{"text": "The new class is called NotificationListener and extends the NotificationListenerService class .", "spans": {}, "info": {"id": "cyner2_test_000731", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Ole2.Vbs-heuristic.druvzi", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000732", "source": "cyner2_test"}} +{"text": "The infection chain had multiple stages, and was accomplished using bodiless/fileless exploit payloads executed in-memory without additional persistence mechanisms.", "spans": {"VULNERABILITY: in-memory": [[112, 121]]}, "info": {"id": "cyner2_test_000733", "source": "cyner2_test"}} +{"text": "It has an incredibly wide-ranging protocol – about 100 commands – and an ability to bypass the Doze battery saver .", "spans": {}, "info": {"id": "cyner2_test_000734", "source": "cyner2_test"}} +{"text": "In this version , the developer added more classes from the same package .", "spans": {}, "info": {"id": "cyner2_test_000735", "source": "cyner2_test"}} +{"text": "than 50 countries, with a substantial infection rate located in the Asia-Pacific region.", "spans": {}, "info": {"id": "cyner2_test_000736", "source": "cyner2_test"}} +{"text": "As you might expect from a RAT, the tool is capable of grabbing passwords, key logging and browsing files on the victim's computer.", "spans": {"MALWARE: RAT,": [[27, 31]], "MALWARE: tool": [[36, 40]], "SYSTEM: victim's computer.": [[113, 131]]}, "info": {"id": "cyner2_test_000738", "source": 
"cyner2_test"}} +{"text": "Otherwise , in the case of conditional opcodes , the variable part can contain the next JIT packet ID or the next relative virtual address ( RVA ) where code execution should continue .", "spans": {}, "info": {"id": "cyner2_test_000739", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Worm.Win32.AutoRun!O Worm.Rotrumas.A3 Downloader.VB.Win32.3884 Trojan/Downloader.VB.bnp Win32.Worm.VB.te W32/Downldr2.BEZK Win32/Detsysrot.A Trojan.Win32.Fsysna.diju Trojan.Win32.VB.lefg Trojan.Win32.Downloader.137728.C Worm.Win32.VB.NNJ Win32.HLLW.Kati BehavesLike.Win32.YahLover.ch Worm.Win32.VB W32/Downloader.JTPS-5013 TrojanDownloader.VB.nyp Trojan[Downloader]/Win32.VB Trojan.Heur.imMfrHddqEnib Worm:Win32/Rotrumas.A HEUR/Fakon.mwf Trojan.VBS.01505 W32/Penetrator.A.worm Win32/VB.NNJ Worm.AutoRun!SysxXnMz9Ho W32/Dloader.A!tr Win32/Trojan.a97", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000740", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan/W32.Small.34304.EG Trojan.Win32.Cossta!O Backdoor.Neunut Troj.W32.Cossta.grt!c TSPY_COSSTA.DH Win32.Trojan.WisdomEyes.16070401.9500.9989 TSPY_COSSTA.DH Win.Trojan.Cossta-71 Backdoor.Win32.Small.liy Trojan.Win32.Cossta.cqvyn Trojan.Win32.A.Cossta.34304.A Trojan.Cossta.Win32.3853 Trojan.Win32.Cossta W32/Trojan.OCZY-0389 Trojan/Cossta.bna TR/Cossta.grt.6 Trojan/Win32.Cossta Backdoor:Win32/Neunut.A Backdoor.Win32.Small.liy Trojan/Win32.Cossta.C106712 Trojan.Cossta Win32.Backdoor.Small.Eded Trojan.Cossta!P8rygE6kCUE Win32/Trojan.29f", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000741", "source": "cyner2_test"}} +{"text": "If the apps Brain Test and RetroTetris ring a bell, better check your devices.", "spans": {"SYSTEM: apps Brain Test": [[7, 22]], "SYSTEM: RetroTetris": [[27, 38]], "SYSTEM: devices.": [[70, 78]]}, "info": {"id": "cyner2_test_000742", "source": "cyner2_test"}} +{"text": "A backdoor also known as: 
Trojan.Reconyc.S19048 Trojan/Delf.tjj Trojan.Zusy.D38F35 TROJ_GRAFTOR_GB010057.UVPM Trojan.Win32.Click3.ejbwdp Trojan.Click3.23122 Trojan.Delf.Win32.77716 TROJ_GRAFTOR_GB010057.UVPM Trojan.Reconyc.gnx Trojan/Win32.Reconyc.C1667812 Trojan.Reconyc Trojan.Delf!BE+iw+tlojw Trojan.Win32.Asacky", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000743", "source": "cyner2_test"}} +{"text": "The last step of the activation cycle is the download of a password-protected ZIP file .", "spans": {}, "info": {"id": "cyner2_test_000745", "source": "cyner2_test"}} +{"text": ") Upload and purge collected evidence Destroy device by resetting locking password Execute shell commands Send SMS with defined content or location Disable network Disable root Uninstall bot To avoid detection and removal of the agent app in the device memory , the RCSAndroid suite also detects emulators or sandboxes , obfuscates code using DexGuard , uses ELF string obfuscator , and adjusts the OOM ( out-of-memory ) value .", "spans": {"MALWARE: RCSAndroid": [[266, 276]], "SYSTEM: DexGuard": [[343, 351]]}, "info": {"id": "cyner2_test_000746", "source": "cyner2_test"}} +{"text": "Linux/Mumblehard is a family of malware targeting servers running both the Linux and BSD operating systems.", "spans": {"MALWARE: Linux/Mumblehard": [[0, 16]], "MALWARE: malware": [[32, 39]], "SYSTEM: Linux and BSD operating systems.": [[75, 107]]}, "info": {"id": "cyner2_test_000747", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Dropped:Win32.Ramnit.Dam Backdoor.Win32.Hupigon!O Trojan.Mauvaise.SL1 BackDoor-AWQ!hv.o Spyware.OnlineGames Win32.Ramnit.Dam Win32.Trojan-GameThief.OnlineGames.j W32/Backdoor.WTTC-8437 Win32/Brengr.N TROJ_DROPR.SMIF Win.Trojan.Hupigon-14460 Dropped:Win32.Ramnit.Dam Trojan.Win32.OnLineGames.iiiay Troj.GameThief.W32.OnLineGames.l2KE Trojan.TenThief.QQPsw.tne Dropped:Win32.Ramnit.Dam Backdoor.Win32.Hupigon.~EPW Dropped:Win32.Ramnit.Dam Trojan.MulDrop5.48291 TROJ_DROPR.SMIF 
BackDoor-AWQ!hv.o Trojan.Renos W32/Backdoor2.CBFI Trojan[GameThief]/Win32.OnLineGames Win32.Hack.Huigezi.86528 TrojanDropper:Win32/Picazen.A Backdoor.Win32.Hupigon.547840.I Win32.Application.PUPStudio.B Dropped:Win32.Ramnit.Dam Virus.Win32.Nimnul.a", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000748", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan-Dropper.Win32.Gupboot!O Trojan.Gupboot.B.mue Backdoor.Graybird Win.Trojan.R-102 Trojan.Win32.Wecod.as Trojan.Win32.AVKill.bdepgw Troj.Rogue.lDtG Rootkit.Win32.Plite.aaa Trojan.AVKill.24465 Trojan.Urelas.Win32.1117 TR/GupBoot.987721 Trojan/Win32.Wecod Trojan.Zusy.D5F79 Trojan:Win32/Urelas.AA Trojan/Win32.PbBot.R35329 Trojan.Delf!nkcF4XkjtH0 Trojan.Win32.Gupboot W32/Urelas.F!tr Win32/Trojan.ccc", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000749", "source": "cyner2_test"}} +{"text": "Forward incoming phone calls to intercept voice-based two-factor authentication .", "spans": {}, "info": {"id": "cyner2_test_000750", "source": "cyner2_test"}} +{"text": "Unit 42 has discovered activity involving threat actors responsible for the OilRig campaign with a potential link to a threat group known as GreenBug.", "spans": {"ORGANIZATION: Unit 42": [[0, 7]], "THREAT_ACTOR: threat actors": [[42, 55]], "THREAT_ACTOR: the OilRig campaign": [[72, 91]], "THREAT_ACTOR: threat group": [[119, 131]], "THREAT_ACTOR: GreenBug.": [[141, 150]]}, "info": {"id": "cyner2_test_000751", "source": "cyner2_test"}} +{"text": "Infection vector and victims While looking for the infection vector , we found no evidence of spear phishing or any of the other common vectors .", "spans": {}, "info": {"id": "cyner2_test_000752", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Win32.Clicker.ecmcyi Troj.Downloader.W32.CodecPack.lTRv TrojWare.Win32.Rootkit.podnuha.ek6 Trojan.Click2.12882 Trojan.Graftor.DF3C8 TrojanDropper:Win32/Boaxxe.G Trojan/Win32.Xema.C9267 
Trojan.Smardf", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000753", "source": "cyner2_test"}} +{"text": "Our evidence suggests the actors behind these attacks have been operating for over five years and have maintained a single command and control server for almost two.", "spans": {"THREAT_ACTOR: actors": [[26, 32]]}, "info": {"id": "cyner2_test_000754", "source": "cyner2_test"}} +{"text": "Gooligan, a new variant of the Android malware Check Point researchers found in the SnapPea app last year, has breached the security of more than a million Google accounts, potentially exposing messages, documents, and other sensitive data to attack.", "spans": {"MALWARE: Gooligan,": [[0, 9]], "MALWARE: variant": [[16, 23]], "ORGANIZATION: Android malware Check Point researchers": [[31, 70]], "SYSTEM: SnapPea app": [[84, 95]], "SYSTEM: Google accounts,": [[156, 172]]}, "info": {"id": "cyner2_test_000755", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Heur.Corrupt.PE TrojanDropper:Win32/Decept.2_1.dam#2 Trojan-Dropper.Win32.Decept", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000756", "source": "cyner2_test"}} +{"text": "Indicators for MenuPass/APT10", "spans": {"THREAT_ACTOR: MenuPass/APT10": [[15, 29]]}, "info": {"id": "cyner2_test_000757", "source": "cyner2_test"}} +{"text": "The Taiwanese television network involved has been producing and importing TV shows and movies for a decade.", "spans": {"ORGANIZATION: The Taiwanese television network": [[0, 32]]}, "info": {"id": "cyner2_test_000758", "source": "cyner2_test"}} +{"text": "A backdoor also known as: TR/Proxy.Cimuz.1 Trojan.Spambot.origin Trojan:Win32/Mespam.B Trojan.Proxy.Cimuz.1", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000759", "source": "cyner2_test"}} +{"text": "ViperRAT : The Mobile APT Targeting The Israeli Defense Force That Should Be On Your Radar February 16 , 2017 ViperRAT is an active , advanced persistent 
threat ( APT ) that sophisticated threat actors are actively using to target and spy on the Israeli Defense Force.The threat actors behind the ViperRAT surveillanceware collect a significant amount of sensitive information off of the device , and seem most interested in exfiltrating images and audio content .", "spans": {"MALWARE: ViperRAT": [[0, 8], [110, 118], [297, 305]], "ORGANIZATION: Israeli Defense Force": [[40, 61]], "ORGANIZATION: Israeli Defense Force.The": [[246, 271]]}, "info": {"id": "cyner2_test_000760", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Barys.DD29C BackDoor.Bladabindi.13678", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000761", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.DownLoader3.33368 TrojanDownloader:Win32/Massdi.C Trojan.Win32.Downloader.67608 Win-Trojan/Downloader.67608 Trojan.Win32.Fednu.aez W32/Dloader.EP!tr.NSIS Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000762", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Cryptjoke Trojan.Ransom.CryptoJoker Ransom_CryptJoke.R002C0DL617 W32/Trojan.CLVZ-6630 Ransom_CryptJoke.R002C0DL617 Trojan.Win32.FileCoder.evvfqf Trojan.Win32.Z.Cryptjoke.306863 Trojan.Filecoder.Win32.6801 Trojan-Ransom.FileCoder TR/FileCoder.gijrz Ransom:MSIL/CryptJoke.B!bit RansomMSIL.CryptJoke Ransom.CryptoJoker Trj/GdSda.A MSIL/Filecoder_CryptoJoker.A!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000763", "source": "cyner2_test"}} +{"text": "Smaller groups can have the advantage of being able to stay under the radar for longer periods of time, which is what happened here.", "spans": {}, "info": {"id": "cyner2_test_000765", "source": "cyner2_test"}} +{"text": "On Windows 10 , similar code integrity policies can be configured using Windows Defender Application Control .", "spans": {"SYSTEM: Windows 10": [[3, 13]], "SYSTEM: Windows Defender Application 
Control": [[72, 108]]}, "info": {"id": "cyner2_test_000766", "source": "cyner2_test"}} +{"text": "Meanwhile , desktop banking Trojans developed the ability to execute various social engineering schemes by using web injections , a method that alters the content presented to the infected victim in their browser .", "spans": {}, "info": {"id": "cyner2_test_000767", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Pwstool.Icq Trojan/PSW.M2.19.b Win32.Trojan.WisdomEyes.16070401.9500.9959 Win.Trojan.Ag-1 Trojan-PSW.Win32.M2.19.b Trojan.Win32.PWStealer.hfsc Troj.Psw.W32!c TrojWare.Win32.PSW.M2.B1 Trojan.PWS.M2.19 Trojan.M2.Win32.58 BehavesLike.Win32.Downloader.mc Worm.Win32.Bizex W32/Risk.TTOL-3341 Trojan/PSW.M2.i Trojan[PSW]/Win32.M2 Trojan-PSW.Win32.M2.19.b PWS:Win32/M2.19.A Trojan/Win32.Koobface.R130163 TrojanPSW.M2 Win32/PSW.M2.19.B1 Trojan.PWS.M2!KEVJQ1JFfwA W32/M2_19.B!tr.pws Win32/Trojan.PSW.310", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000768", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Exploit.PDF.BR Trojan-Exploit/W32.Pidief.232166.CST Exploit.PDF.BR VBS/PdfDrop.A TROJ_PIDIEF1.DAM Exploit.PDF.BR Exploit.Win32.Pidief.dcd Exploit.PDF.BR Win32.Exploit.Pidief.Pgcn Exploit.PDF.BR PDF.MulDrop.2 TROJ_PIDIEF1.DAM BehavesLike.PDF.Trojan.dx VBS/PdfDrop.A EXP/Pidief.bls TrojanDropper:Win32/Pidrop.A Exploit.PDF.BR Exploit.W32.Pidief!c Exploit.Win32.Pidief.dcd Exploit-PDF.sd Exploit.Win32.Pidief Win32/Trojan.Script.9b0", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000771", "source": "cyner2_test"}} +{"text": "The advertisement SDK also collects statistics about clicks and impressions to make it easier to track revenue .", "spans": {}, "info": {"id": "cyner2_test_000772", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Backdoor/Zuza.bc Win32.Trojan.WisdomEyes.16070401.9500.9998 Win.Trojan.Zuza-19 Trojan.Win32.Zuza.dajyp Backdoor.Zuza.Win32.17 BehavesLike.Win32.BadFile.pt 
Backdoor/Zuza.m Trojan[Backdoor]/Win32.Zuza Trojan.Barys.D420 Trojan/Win32.Dllbot.R683 Backdoor.Zuza Backdoor.Zuza!e9P3bfkzixo Backdoor.Win32.Zuza Win32/Trojan.b7f", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000773", "source": "cyner2_test"}} +{"text": "It has become common for users to use Google to find information that they do not know.", "spans": {}, "info": {"id": "cyner2_test_000774", "source": "cyner2_test"}} +{"text": "We have been closely monitoring the tools, techniques and procedures TTPs of APT37 also known as ScarCruft or Temp.Reaper - a North Korea-based advanced persistent threat actor.", "spans": {"THREAT_ACTOR: APT37": [[77, 82]], "THREAT_ACTOR: ScarCruft": [[97, 106]], "THREAT_ACTOR: Temp.Reaper": [[110, 121]], "THREAT_ACTOR: a North Korea-based advanced persistent threat actor.": [[124, 177]]}, "info": {"id": "cyner2_test_000775", "source": "cyner2_test"}} +{"text": "In some versions , the server would only return valid responses several days after the apps were submitted .", "spans": {}, "info": {"id": "cyner2_test_000776", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32.VobfusSmetasV.Trojan Trojan.Strictor.D6F4 Win32.Worm.VB.me W32/MalwareS.BBPK Win32/SillyFDC.ZK Trojan.Win32.FakeFolder.txw Win32.HLLW.Autoruner.16482 W32/Risk.AYZE-4531 Worm:Win32/Fakefolder.A TScope.Malware-Cryptor.SB Win32/VB.NUZ", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000777", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Ekidoa.FC.3268 Win32.Trojan.WisdomEyes.16070401.9500.9995 Trojan.DownLoader23.9057 Trojan.MSIL.Crypt W32.Malware.Heur Trojan/Win32.Bladabindi.C2099890 MSIL/Kryptik.EOO!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000778", "source": "cyner2_test"}} +{"text": "From mTAN to pushTAN In the past few years , some banks in Europe , especially in Germany , stopped using SMS-based authentication and switched to dedicated pushTAN 
applications for 2FA schemes .", "spans": {}, "info": {"id": "cyner2_test_000779", "source": "cyner2_test"}} +{"text": "Curiously, the two initial targets have little in common with each other aside from human rights activism – although not having worked on overlapping issues or countries.", "spans": {}, "info": {"id": "cyner2_test_000780", "source": "cyner2_test"}} +{"text": "The infection was remediated after the system notified the devices owners and the system administrators.", "spans": {"SYSTEM: system": [[39, 45]], "SYSTEM: the devices owners": [[55, 73]], "ORGANIZATION: system administrators.": [[82, 104]]}, "info": {"id": "cyner2_test_000781", "source": "cyner2_test"}} +{"text": "We have seen two types of apps that use this custom-made SDK .", "spans": {}, "info": {"id": "cyner2_test_000782", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Backdoor/Sykipot.br Backdoor.Sykipot!z89rc7diIEY Backdoor.Sykipot Win32.TRSpy Backdoor.Win32.Sykipot.br Backdoor.Win32.Wkysol!IK BackDoor.Terapy.5 Backdoor:Win32/Wkysol.E Backdoor/Win32.CSon Backdoor.Sykipot.br Backdoor.Sykipot Backdoor.Win32.Wkysol W32/BDoor.FDE!tr.bdr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000783", "source": "cyner2_test"}} +{"text": "This malware usually infects all sites that share the same FTP account, which means cleaning just one website won't help as hackers use the compromised site to reinfect all sites on the server in a matter of minutes.", "spans": {"MALWARE: malware": [[5, 12]], "MALWARE: sites": [[33, 38]], "VULNERABILITY: that share the same FTP account,": [[39, 71]], "THREAT_ACTOR: hackers": [[124, 131]], "SYSTEM: server": [[186, 192]]}, "info": {"id": "cyner2_test_000784", "source": "cyner2_test"}} +{"text": "We named this campaign “ Bouncing Golf ” based on the malware ’ s code in the package named “ golf. 
” June 18 , 2019 We uncovered a cyberespionage campaign targeting Middle Eastern countries .", "spans": {"MALWARE: Bouncing Golf": [[25, 38]]}, "info": {"id": "cyner2_test_000785", "source": "cyner2_test"}} +{"text": "Operating since 2012, the group's activity has been reported by Norman Kaspersky FireEye and PwC", "spans": {"THREAT_ACTOR: group's activity": [[26, 42]], "ORGANIZATION: Norman": [[64, 70]], "ORGANIZATION: Kaspersky": [[71, 80]], "ORGANIZATION: FireEye": [[81, 88]], "ORGANIZATION: PwC": [[93, 96]]}, "info": {"id": "cyner2_test_000787", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Application.Hacktool.KMSActivator.AB PUA.HackKMS.A4 Win32.Riskware.HackKMS.D not-a-virus:RiskTool.Win32.HackKMS.aq Application.Hacktool.KMSActivator.AB Riskware.Win32.HackKMS.eltxzs BehavesLike.Win32.PUPXAX.nc RiskTool.HackKMS.af W32.Riskware.Hackkms.D RiskWare[RiskTool]/Win32.Hackkms.n Application.Hacktool.KMSActivator.AB PUP.HackKMS/Variant not-a-virus:RiskTool.Win32.HackKMS.aq Unwanted/Win32.HackKMS.R197642 Application.Hacktool.KMSActivator.AB Trj/CI.A HackTool.Win32.AutoKMS Win32/Virus.RiskTool.10e", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000788", "source": "cyner2_test"}} +{"text": "The Android-targeting BankBot malware all variants detected by Trend Micro as ANDROIDOS_BANKBOT first surfaced January of this year and is reportedly the improved version of an unnamed open source banking malware that was leaked in an underground hacking forum.", "spans": {"MALWARE: The Android-targeting BankBot malware": [[0, 37]], "ORGANIZATION: Trend Micro": [[63, 74]], "MALWARE: open source banking malware": [[185, 212]], "THREAT_ACTOR: an underground hacking forum.": [[232, 261]]}, "info": {"id": "cyner2_test_000789", "source": "cyner2_test"}} +{"text": "* Actually , we are currently investigating whether this group might also be behind a large-scale web-oriented attack at the end of 2018 using code injection and exploiting SQL 
vulnerabilities .", "spans": {"VULNERABILITY: SQL vulnerabilities": [[173, 192]]}, "info": {"id": "cyner2_test_000790", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W97M.Downloader.BAZ W97M.ShellHide.A W97M/Downloader.bav Troj.Downloader.Script!c Trojan.Dropper W2KM_CRYPTESLA.A W97M.Downloader.BAZ Trojan.Script.Vba.clxgqb W97M.Downloader.BAZ W97M.Downloader.BAZ W2KM_CRYPTESLA.A W97M/Downloader.bav Trojan:W97M/Shellhide.B W97M.Downloader.BAZ OLE.Win32.Macro.700080 virus.office.qexvmc.1090", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000792", "source": "cyner2_test"}} +{"text": "When discussing suspected Middle Eastern hacker groups with destructive capabilities, many automatically think of the suspected Iranian group that previously used SHAMOON – aka Disttrack – to target organizations in the Persian Gulf.", "spans": {"THREAT_ACTOR: Middle Eastern hacker groups": [[26, 54]], "THREAT_ACTOR: Iranian group": [[128, 141]], "MALWARE: SHAMOON": [[163, 170]], "MALWARE: Disttrack": [[177, 186]], "ORGANIZATION: organizations": [[199, 212]]}, "info": {"id": "cyner2_test_000793", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32/MalwareS.AXNC Riskware.PSWTool.NetPass!IK Not_a_virus:PSWTool.NetPass.117533 W32/MalwareS.AXNC not-a-virus.PSWTool.NetPass Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000794", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Inject.HD Backdoor/Harvester.2005.05 Trojan.Inject.HD Win32.Trojan.WisdomEyes.16070401.9500.9998 BKDR_HARVESTER.X Trojan.Inject.HD Backdoor.Win32.Harvester.07 Trojan.Inject.HD Trojan.Win32.Harvester.bcqbz Backdoor.Win32.A.Harvester.105472 Backdoor.W32.Harvester.2005.05!c Trojan.Inject.HD Trojan.Inject.HD BackDoor.Harvester.66 Backdoor.Harvester.Win32.35 BKDR_HARVESTER.X BehavesLike.Win32.Nofear.ch Trojan-Downloader.Win32.Delf W32/Harvester.AI@pws Backdoor/FearLess.10.e BDS/Harve.2005.05.A 
Trojan[Spy]/Win32.Harvester Win32.Hack.Harvester.kcloud Backdoor:Win32/Harvester.O Backdoor.Win32.Harvester.07 Trojan/Win32.Mbro.R105536 Trojan.Inject.HD BScope.Trojan-Spy.Zbot Win32/Harvester.65 Win32.Backdoor.Harvester.Lify Backdoor.Harvester!+cE04k5XYM4 W32/Harvester.V2005!tr.bdr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000795", "source": "cyner2_test"}} +{"text": "Since that time, Locky has been frequently noted in various campaigns using malicious spam malspam to spread this relatively new strain of ransomware.", "spans": {"MALWARE: Locky": [[17, 22]], "THREAT_ACTOR: various campaigns": [[52, 69]], "MALWARE: new strain of ransomware.": [[125, 150]]}, "info": {"id": "cyner2_test_000796", "source": "cyner2_test"}} +{"text": "A backdoor targetting Linux also known as: Linux.Dofloo.CE994 Linux/Dofloo.b Backdoor.Dofloo.Linux.30 Backdoor.Linux.Dofloo!c Linux.Dofloo ELF_SONEX.SMA Unix.Trojan.Spike-6301360-0 HEUR:Backdoor.Linux.Dofloo.d Trojan.Unix.Dofloo.exnolq Linux.Mrblack.103 ELF_SONEX.SMA Linux/Dofloo.b ELF/Trojan.AIBQ-0 Backdoor.Linux.ogb LINUX/Dofloo.DA Trojan[Backdoor]/Linux.Dofloo.d Trojan.Trojan.Linux.MrBlack.1 HEUR:Backdoor.Linux.Dofloo.d Linux.Backdoor.Dofloo.Llrg Trojan.Linux.Dofloo Linux/Dofloo.B!tr Win32/Trojan.DDoS.13c", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000797", "source": "cyner2_test"}} +{"text": "The encryption key is different from the one used for sending stolen data via HTTP .", "spans": {}, "info": {"id": "cyner2_test_000798", "source": "cyner2_test"}} +{"text": "After that , the Trojan will replace the original /system/bin/ip with a malicious one from the archive ( Game324.res or Game644.res ) .", "spans": {}, "info": {"id": "cyner2_test_000799", "source": "cyner2_test"}} +{"text": "Unit 42 threat researchers have recently observed a threat group distributing new, custom developed malware.", "spans": {"ORGANIZATION: Unit 42 threat researchers": [[0, 26]], "THREAT_ACTOR: a 
threat group": [[50, 64]], "MALWARE: custom developed malware.": [[83, 108]]}, "info": {"id": "cyner2_test_000800", "source": "cyner2_test"}} +{"text": "Figure 28 : Jaguar Kill Switch infected GP apps Peek Into the Actor Based on all of the above , we connected “ Agent Smith ” campaign to a Chinese internet company located in Guangzhou whose front end legitimate business is to help Chinese Android developers publish and promote their apps on overseas platforms .", "spans": {"MALWARE: Agent Smith": [[111, 122]], "SYSTEM: Android": [[240, 247]]}, "info": {"id": "cyner2_test_000801", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan-Spy/W32.Noon.905266 Trojan.Injector TSPY_NOON.P Trojan-Spy.Win32.Noon.ccu Trojan.Win32.Delphi.etnpfb Trojan.Noon.Win32.401 TSPY_NOON.P Trojan.Win32.Krypt DR/Delphi.wtwos Trojan-Spy.Win32.Noon.ccu Backdoor.Androm Trj/CI.A Win32.Trojan.Inject.Auto TrojanSpy.Noon!", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000802", "source": "cyner2_test"}} +{"text": "The attackers try to lure targets through spear phishing emails that include compressed executables.", "spans": {"THREAT_ACTOR: attackers": [[4, 13]]}, "info": {"id": "cyner2_test_000803", "source": "cyner2_test"}} +{"text": "A backdoor also known as: PSWTool.Win32.GetPass!O HackTool.CiscoGetCS.S165619 W32/HackTool.CDL not-a-virus:PSWTool.Win32.GetPass.e Riskware.Win32.GetPass.cxqend Tool.GetPass.11 W32/Tool.QYHO-1001 SPR/Getpass.B not-a-virus:PSWTool.Win32.GetPass.e Trojan/Win32.HDC.C113148 Trj/CI.A Riskware.PSWTool! 
Win32/Virus.PSW.a34", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000804", "source": "cyner2_test"}} +{"text": "This installs additional application from assets directory ( brother.apk ) and listens for PACKAGE_REMOVED events .", "spans": {"SYSTEM: brother.apk": [[61, 72]]}, "info": {"id": "cyner2_test_000805", "source": "cyner2_test"}} +{"text": "In its analysis , CSIS notes that MazarBOT was reported by Recorded Future last November as being actively sold in Russian underground forums and intriguingly , the malware will not activate on Android devices configured with Russian language settings .", "spans": {"ORGANIZATION: CSIS": [[18, 22]], "MALWARE: MazarBOT": [[34, 42]], "ORGANIZATION: Recorded Future": [[59, 74]], "SYSTEM: Android": [[194, 201]]}, "info": {"id": "cyner2_test_000806", "source": "cyner2_test"}} +{"text": "This is likely done to keep the developers from being prosecuted in their own countries or being extradited between countries .", "spans": {}, "info": {"id": "cyner2_test_000807", "source": "cyner2_test"}} +{"text": "Moreover , as we use mobile devices to access the web and phishing templates extend to mobile environments , we should expect to see a greater variety of integrated threats like the scheme we detail here .", "spans": {}, "info": {"id": "cyner2_test_000808", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Downloader Trojan.Heur.DP.E90E6B Win32.Trojan.WisdomEyes.16070401.9500.9977 Win32/SillyDl.NUU Win.Downloader.72812-1 Trojan.Win32.DownLoad.eskiur Trojan.DownLoad.51835 W32/Trojan.VSBV-7807 Trojan[Downloader]/Win32.Murlo TrojanDownloader:Win32/Doneltart.A Trojan/Win32.Scar.C53686 Trj/CI.A Trojan-Downloader.Win32.Doneltart W32/Delf.OZG!tr Win32/Trojan.a6a", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000811", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan-Downloader.Win32.Delf!O Backdoor.Bot W32.W.Deecee.lrKT 
Win32.Trojan.WisdomEyes.16070401.9500.9977 TROJ_DELF_00001d6.TOMA Trojan-Downloader.Win32.Delf.begb Trojan.Win32.Delf.ecktai Trojan.Win32.A.Downloader.613376.A Trojan.MulDrop6.46521 Downloader.Delf.Win32.36278 BehavesLike.Win32.PWSZbot.hm TrojanDownloader.Delf.adst Trojan/Win32.Unknown Trojan.Barys.DDD08 Trojan-Downloader.Win32.Delf.begb TrojanDownloader:Win32/Peguese.D", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000812", "source": "cyner2_test"}} +{"text": "The newcomer appeared to be a dark horse: it was multiplatform, had an appealing price, and empowered budding malefactors an easier entry point to cybercrime.", "spans": {"MALWARE: dark horse:": [[30, 41]], "SYSTEM: multiplatform,": [[49, 63]]}, "info": {"id": "cyner2_test_000813", "source": "cyner2_test"}} +{"text": "We have documented a growing number of these attacks, and have received reports that we cannot confirm of targets and victims of highly similar attacks, including in Iran.", "spans": {}, "info": {"id": "cyner2_test_000814", "source": "cyner2_test"}} +{"text": "Once the victim opens this file using the MS PowerPoint program, the malicious code contained in the file is executed.", "spans": {"SYSTEM: the MS PowerPoint program,": [[38, 64]], "MALWARE: malicious code": [[69, 83]]}, "info": {"id": "cyner2_test_000815", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Zusy.D3FB1A Win32.Trojan.WisdomEyes.16070401.9500.9943 W32/Downldr2.EUYL Win.Downloader.60202-1 Trojan.Win32.Downloader.36864.GI Trojan.DownLoad.9925 BehavesLike.Win32.Dropper.nz W32/Downloader.XEZX-3301 Trojan:Win32/Melkash.A Trojan/Win32.Banload.R2066 TScope.Malware-Cryptor.SB W32/Heuri.AMWD!tr.dldr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000816", "source": "cyner2_test"}} +{"text": "Phone numbers, the texts of the messages to be intercepted, and cybercriminal phone numbers for redirecting calls are downloaded from the command-and-control server.", "spans": 
{}, "info": {"id": "cyner2_test_000817", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan/Papras.ch Win32.Trojan.WisdomEyes.16070401.9500.9988 TROJ_DAWS.DT Win.Trojan.Retruse-1 Trojan.Win32.Inject1.cyajjw Trojan.Inject1.9526 Trojan.Papras.Win32.1326 TR/Papras.L PWS:Win32/Pesut.A Win32/PSW.Papras.CH Trojan.PWS.Papras!82MgiPq8Zlg Trojan-PWS.Win32.Pesut W32/Daws.BX!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000818", "source": "cyner2_test"}} +{"text": "Also, we discovered a unique feature within Kazuar: it exposes its capabilities through an Application Programming Interface API to a built-in webserver.", "spans": {"MALWARE: Kazuar:": [[44, 51]], "SYSTEM: Application Programming Interface API": [[91, 128]], "SYSTEM: built-in webserver.": [[134, 153]]}, "info": {"id": "cyner2_test_000819", "source": "cyner2_test"}} +{"text": "Malware code showing initializing broadcast receiver Figure 15 .", "spans": {}, "info": {"id": "cyner2_test_000820", "source": "cyner2_test"}} +{"text": "The following method is declared in the DEX .", "spans": {}, "info": {"id": "cyner2_test_000821", "source": "cyner2_test"}} +{"text": "After investigating, we believe the payload belongs to a new iOS Trojan family that we're calling TinyV", "spans": {"MALWARE: payload": [[36, 43]], "MALWARE: iOS Trojan family": [[61, 78]], "MALWARE: TinyV": [[98, 103]]}, "info": {"id": "cyner2_test_000822", "source": "cyner2_test"}} +{"text": "This is hardcoded and equals “ phone ” .", "spans": {}, "info": {"id": "cyner2_test_000823", "source": "cyner2_test"}} +{"text": "Network communication is obfuscated with single-byte XOR encoding.", "spans": {}, "info": {"id": "cyner2_test_000824", "source": "cyner2_test"}} +{"text": "End users and enterprises can also benefit from multilayered mobile security solutions such as Trend Micro™ Mobile Security™ .", "spans": {"ORGANIZATION: Trend Micro™": [[95, 107]]}, "info": {"id": "cyner2_test_000825", "source": 
"cyner2_test"}} +{"text": "A backdoor also known as: Ransom.Cerber.A4 Trojan.Injector Trojan/Kryptik.ffay Trojan.Razy.D16447 Win32.Trojan.Kryptik.avs Ransom_CRYPTESLA.SMW Trojan.Win32.Menti.evgneg TrojWare.Win32.Kryptik.ERJ Backdoor.Androm.Win32.36147 Ransom_CRYPTESLA.SMW BehavesLike.Win32.Ransomware.gh TR/AD.TorrentLocker.lokd Backdoor.Androm Trj/GdSda.A Backdoor.Androm!t0g9Od7Ri9c Trojan.Win32.Filecoder W32/Kryptik.FSUS!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000826", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Win32.Turla.dofvdj Win32/Spindest.H Backdoor.Win32.Turla.j Trojan.Rogue!f5e8Dq0NJR0 Trojan.Win32.Z.Turla.151552[h] Backdoor.Turla.Win32.4 TR/Rogue.11209314 W32/Backdr.KA!tr Backdoor/Win32.Apocalipto BScope.P2P-Worm.Palevo Backdoor.Win32.Turla.j", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000827", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan/W32.HackTool.715060 Trojan-PWS.QQPass Trojan/Hacktool.Delf.bi Riskware.Win32.Delf.hsjo W32/Trojan.VLJ Trojan.PWS.QQPass Win32/HackTool.Delf.BI HKTL_QQPASS.TD HackTool.Win32.Delf.bi Virus.Win32.Heur.l Tool.Delf.Win32.188 HKTL_QQPASS.TD BehavesLike.Win32.Dropper.jc W32/Trojan.YNJZ-1231 HackTool/Delf.l SPR/Delf.BI W32/Qqpass.A!tr HackTool/Win32.Delf HackTool.W32.Delf.bi!c Win-Trojan/Xema.variant HackTool:Win32/Delf.BI Trojan-PWS.QQPass Win32.Hacktool.Delf.Sxow", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000828", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.WOW Troj.GameThief.W32.Magania.l943 Trojan/PSW.WOW.acd Win32.Trojan-PSW.OLGames.d Infostealer.Wowcraft Win32/Wow.A TSPY_WOW.BL Win.Spyware.16281-1 Trojan-GameThief.Win32.WOW.ach Trojan.Win32.WOW.bnexl TrojWare.Win32.PSW.WOW.ACE Trojan.PWS.Wow.1404 Trojan.WOW.Win32.14563 TSPY_WOW.BL PWS-WoW.dll Trojan-Spy.Frethog Trojan/PSW.Moshou.qn Trojan[GameThief]/Win32.WOW.gic Win32.PSWTroj.WowT.my.17831 
Trojan-GameThief.Win32.WOW.ach PWS:Win32/Wowsteal.ZD Trojan/Win32.OnlineGameHack.R2081 OScope.PSW.Game.3A5A Win32/PSW.WOW.ACE", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000829", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Backdoor/W32.IRCBot.64000.Q Backdoor.Momibot.a Trojan/Kryptik.bio W32/Backdoor2.GYPR TROJ_MOMIBOT.AE Win32.Backdoor.IRC.Z Backdoor.IRC.ZGQ Backdoor.IRC.ZGQ TR/PSW.ZGQ.17 TROJ_MOMIBOT.AE Backdoor.IRC.ZGQ!IK Win32/Tnega.BTQ W32/Backdoor2.GYPR Backdoor.IRC.ZGQ Backdoor.IRC.ZGQ", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000830", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32.Clod90e.Trojan.9eaa Trojan/W32.Vilsel.263680.E Trojan.Banker Trojan/Vilsel.bbgv Trojan.Vilsel!pyaltINkh1Y WS.Reputation.1 TROJ_DLOADR.FDZ Trojan.Win32.Vilsel.bbgv Trojan.Win32.VB.cpetaq PE:Backdoor.Arquivos!1.667B TROJ_DLOADR.FDZ Trojan/Vilsel.ykg Trojan[:HEUR]/Win32.Unknown Trojan:Win32/Deleter.A Trojan/Win32.Vilsel Trojan.Vilsel Win32.Trojan.Vilsel.crnl Trojan.Win32.Diple W32/Vilsel.BBGV!tr Trojan.Win32.Diple.Az Win32/Trojan.fe9", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000831", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Bubnix.A Trojan/Bubnix.bb Trojan.Bubnix.1 Win32.Trojan.WisdomEyes.16070401.9500.9997 Trojan.Bubnix Win.Trojan.Bubnix-930 Rootkit.Win32.Bubnix.bem Trojan.NtRootKit.9660 Rootkit.Bubnix.aub Rootkit.Win32.Bubnix.bem Win32.Rootkit.Bubnix.ihj Rootkit.Bubnix!Ts7U77Ag3pk Rootkit.Win32.Bubnix", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000832", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Backdoor.Win32.Beastdoor!O Trojan.Xih Backdoor.Beastdoor.Win32.1000 Backdoor/Beastdoor.201.c Trojan.Graftor.D4532 W32/Backdoor.ZBX Infostealer.Bancos BKDR_BISTDOR.SMI Win.Trojan.Beastdoor-105 Trojan.Win32.Xih.phw Trojan.Win32.Beastdoor.bsekq Backdoor.Win32.Beastdoor.24576 
Troj.W32.Xih.tonR Trojan.MulDrop.418 BKDR_BISTDOR.SMI Backdoor.Win32.Beastdoor W32/Backdoor.DXXM-0159 Trojan[Backdoor]/Win32.Beastdoor TrojanDropper:Win32/Beastdoor.P Trojan.Win32.Xih.phw Trojan/Win32.BeastDoor.R4731 Backdoor.BeastDoor.201 Win32/Beastdoor.201.C Backdoor.Beastdoor!SnWSaW3qdEw Win32/Trojan.fd9", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000833", "source": "cyner2_test"}} +{"text": "Researchers discovered a new malware, which we named OpcJacker due to its opcode configuration design and its cryptocurrency hijacking ability, that has been distributed in the wild since the second half of 2022.", "spans": {"MALWARE: malware,": [[29, 37]], "MALWARE: OpcJacker": [[53, 62]]}, "info": {"id": "cyner2_test_000834", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Troj.W32.Regin.hopscotch!c Trojan/Regin.g TROJ_REGIN.A Backdoor.Trojan TROJ_REGIN.A Trojan.Win32.Regin.hopscotch Trojan.Win32.Regin.dmvwtc Trojan.Regin.Win32.7 BehavesLike.Win32.PUPXAX.lh W32/Trojan.WHDQ-0942 Trojan/Regin.j Trojan/Win32.Regin Backdoor:Win32/Regin.D!dha Trojan.Win32.Regin.hopscotch Trojan.Heur.PT.E24C70 Win32/Regin.G Win32.Trojan.Regin.Pdwk W32/Regin.HOPSCOTCH!tr Win32/Trojan.6f8", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000835", "source": "cyner2_test"}} +{"text": "Triada is a modular mobile Trojan that actively uses root privileges to substitute system files and exists mostly in the device ’ s RAM , which makes it extremely hard to detect .", "spans": {"MALWARE: Triada": [[0, 6]]}, "info": {"id": "cyner2_test_000836", "source": "cyner2_test"}} +{"text": "Users who have configured their Android mobile device to receive work-related emails and allow installation of unsigned applications face the most risk of compromise .", "spans": {"SYSTEM: Android": [[32, 39]]}, "info": {"id": "cyner2_test_000837", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9998 
Trojan.Win32.Inject.exluks Trojan.Inject.54807 Trojan.Barys.884 HackTool:MSIL/Binder.B Trojan-Dropper.MSIL Trj/CI.A Win32/Trojan.Dropper.0c7", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000839", "source": "cyner2_test"}} +{"text": "The samples we have seen had their configuration set to delay displaying the first ad by 24 minutes after the device unlocks .", "spans": {}, "info": {"id": "cyner2_test_000840", "source": "cyner2_test"}} +{"text": "One such immediately apparent connection was the similar deployment technique used by both XLoader 6.0 and FakeSpy .", "spans": {"MALWARE: XLoader 6.0": [[91, 102]], "MALWARE: FakeSpy": [[107, 114]]}, "info": {"id": "cyner2_test_000841", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan/W32.Small.12800.LZ Trojan-Downloader.Win64.Madyd!O TrojanDownloader.Win64 Win32.Trojan.WisdomEyes.16070401.9500.9924 Trojan-Downloader.Win64.Madyd.a Trojan.Win64.Viknok.evbeox Trojan.Win32.Z.Viknok.12800 Troj.Downloader.Win64!c Trojan:W64/Viknok.A Trojan.DownLoader8.51959 Trojan.Viknok.Win64.1 BehavesLike.Win64.Dropper.lt W64/Trojan.RTLC-8859 TrojanDownloader.Madyd.b TR/Viknok.tlctg Trojan[Downloader]/Win64.Madyd Trojan-Downloader.Win64.Madyd.a Trojan:Win64/Viknok.A Trj/CI.A Win64/Viknok.A Win64.Trojan-downloader.Madyd.Lmai W64/Viknok.A!tr Win32/Trojan.207", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000842", "source": "cyner2_test"}} +{"text": "As soon as this service is started , it creates two processes that take care of connection and disconnection to the C & C server .", "spans": {}, "info": {"id": "cyner2_test_000843", "source": "cyner2_test"}} +{"text": "Every device with Google Play includes Google Play Protect and all apps on Google Play are automatically and periodically scanned by our solutions .", "spans": {"SYSTEM: Google Play": [[18, 29], [75, 86]], "SYSTEM: Google Play Protect": [[39, 58]]}, "info": {"id": "cyner2_test_000844", "source": "cyner2_test"}} 
+{"text": "A backdoor also known as: TrojanDownloader.Sinresby Trojan.Win32.Hijacker.evumcs Trojan.Win32.Z.Hijacker.1734656 BehavesLike.Win32.Downloader.tc TrojanDownloader:Win32/Sinresby.B Trj/GdSda.A Win32.Trojan.Hijacker.Hupk", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000845", "source": "cyner2_test"}} +{"text": "Talos has investigated a targeted malware campaign against South Korean users.", "spans": {"ORGANIZATION: Talos": [[0, 5]], "THREAT_ACTOR: targeted malware campaign": [[25, 50]], "ORGANIZATION: users.": [[72, 78]]}, "info": {"id": "cyner2_test_000846", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9997 Troj.Spy.W32!c BackDoor.Tordev.976 Trojan.MSIL.Injector TR/Dropper.MSIL.miqxe Trojan:MSIL/Redlonam.A Trj/GdSda.A Win32/Trojan.Dropper.788", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000847", "source": "cyner2_test"}} +{"text": "But some clues , such as the existence of a hidden menu for operator control , point to a manual installation method – the attackers used physical access to a victim ’ s device to install the malware .", "spans": {}, "info": {"id": "cyner2_test_000848", "source": "cyner2_test"}} +{"text": "Step 3 : Run installation Start the Bank Austria security app from the notifications or your download folder , tap Install .", "spans": {"SYSTEM: Bank Austria security app": [[36, 61]]}, "info": {"id": "cyner2_test_000849", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Iyeclore.A Backdoor/Hupigon.mzkf Win32.Trojan.WisdomEyes.16070401.9500.9936 Trojan.Win32.Click1.cramur Trojan.Win32.Iyeclore.bp Trojan.Click1.28512 Trojan.Iyeclore.Win32.176 BackDoor-AWQ.m Trojan[Backdoor]/Win32.Hupigon Trojan.Buzy.D646 Trojan:Win32/Iyeclore.A!dll Backdoor/Win32.Trojan.R83644 BackDoor-AWQ.m Trojan.Iyeclore!uEAYssliQJc Trojan-Dropper.Delf", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000850", "source": 
"cyner2_test"}} +{"text": "and an attached Microsoft Word file, some with names like these:", "spans": {"SYSTEM: Microsoft Word file,": [[16, 36]]}, "info": {"id": "cyner2_test_000852", "source": "cyner2_test"}} +{"text": "The executable in this instance appears to be a variant of a Trojan known as ISMAgent and uses the domain www.ntpupdateserver[.]com for command and control C2.", "spans": {"MALWARE: variant": [[48, 55]], "MALWARE: Trojan": [[61, 67]], "MALWARE: ISMAgent": [[77, 85]]}, "info": {"id": "cyner2_test_000853", "source": "cyner2_test"}} +{"text": "After which, they used the compromised servers not only as gateways to the rest of the network but also as C&C servers.", "spans": {"VULNERABILITY: compromised servers": [[27, 46]], "VULNERABILITY: gateways": [[59, 67]], "SYSTEM: network": [[87, 94]], "SYSTEM: C&C servers.": [[107, 119]]}, "info": {"id": "cyner2_test_000854", "source": "cyner2_test"}} +{"text": "As the screenshot above shows , the malware has its own command syntax that represents a combination of characters while the “ # ” symbol is a delimiter .", "spans": {}, "info": {"id": "cyner2_test_000855", "source": "cyner2_test"}} +{"text": "Most samples maintain persistence through a registry Run key, although some samples configure themselves as a service.", "spans": {}, "info": {"id": "cyner2_test_000856", "source": "cyner2_test"}} +{"text": "According to Doctor Web specialists, the devices infected by Android.ZBot are grouped into botnets, the number of which is now more than ten.", "spans": {"ORGANIZATION: Doctor Web specialists,": [[13, 36]], "SYSTEM: devices": [[41, 48]], "MALWARE: Android.ZBot": [[61, 73]], "MALWARE: botnets,": [[91, 99]]}, "info": {"id": "cyner2_test_000857", "source": "cyner2_test"}} +{"text": "Figure 2 .", "spans": {}, "info": {"id": "cyner2_test_000858", "source": "cyner2_test"}} +{"text": "The DLL side-loaded stage 4 malware mimicking a real export table to avoid detection Stage 4 : The memory loader – Fun injection with 
GDI function hijacking Depending on how stage 4 was launched , two different things may happen : In the low-integrity case ( under UAC ) the installer simply injects the stage 5 malware into the bogus explorer.exe process started earlier and terminates In the high-integrity case ( with administrative privileges or after UAC bypass ) , the code searches for the process hosting the Plug and Play service ( usually svchost.exe ) loaded in memory and injects itself into it For the second scenario , the injection process works like this : The malware opens the target service process .", "spans": {}, "info": {"id": "cyner2_test_000859", "source": "cyner2_test"}} +{"text": "There has been no appreciable evolution of this Trojan over time – only the format of the encrypted file's name, the C&C server addresses and the RSA keys have been changing.", "spans": {"MALWARE: Trojan": [[48, 54]]}, "info": {"id": "cyner2_test_000860", "source": "cyner2_test"}} +{"text": "Conclusion and security recommendations The continued monitoring of XLoader showed how its operators continuously changed its features , such as its attack vector deployment infrastructure and deployment techniques .", "spans": {"MALWARE: XLoader": [[68, 75]]}, "info": {"id": "cyner2_test_000861", "source": "cyner2_test"}} +{"text": "Retrieve all SMS messages .", "spans": {}, "info": {"id": "cyner2_test_000862", "source": "cyner2_test"}} +{"text": "The new Rawpos variant is largely similar to the 2015 variant.", "spans": {"MALWARE: The new Rawpos variant": [[0, 22]], "MALWARE: variant.": [[54, 62]]}, "info": {"id": "cyner2_test_000863", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Boybi.Win32.2 W32/Trojan.DNSN-2587 Trojan.ADH.2 Win32/Swisyn.HP Trojan.Win32.Boybi.pgj Trojan.Win32.Boybi.xatwe Troj.W32.Boybi.afm!c BehavesLike.Win32.Ramnit.cz TR/Kazy.66987452 Win32.Troj.Alipay.lx.kcloud Trojan:Win32/Autrino.A Trojan.Graftor.DB93F Trojan.Win32.Boybi.pgj RDN/Downloader.a!vq 
Trojan.Graftor!1prEoEXm0Dk", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000864", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Backdoor.Bot.97762 Trojan-Dropper.Win32.Small!O Pwstool.Messen Backdoor.Vatos.Win32.2 Trojan/Dropper.Small.vy TROJ_MALM94.A Win32.Trojan.WisdomEyes.16070401.9500.9998 W32/Dropper.EWS Backdoor.Trojan Win32/Vatos.A TROJ_MALM94.A Win.Dropper.Small-5120 Trojan-Dropper.Win32.Small.vy Backdoor.Bot.97762 Trojan.Win32.Small.dbulc Backdoor.Bot.97762 TrojWare.Win32.TrojanDropper.Small.~DF BackDoor.Vatosajan W32/Risk.GMZD-7537 TrojanDownloader.Small.agt Trojan[Backdoor]/Win32.Vatos Backdoor.Bot.D17DE2 Dropper.Small.359856 Trojan-Dropper.Win32.Small.vy Backdoor.Bot.97762 Trojan/Win32.Prorat.R1877 Backdoor.Bot.97762 TrojanDropper.Small Trojan-Dropper.Win32.Small.VY Bck/Prorat.HT", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000865", "source": "cyner2_test"}} +{"text": "] site , photolike [ .", "spans": {}, "info": {"id": "cyner2_test_000866", "source": "cyner2_test"}} +{"text": "This example code shows a JSON reply returned by the C & C server .", "spans": {}, "info": {"id": "cyner2_test_000867", "source": "cyner2_test"}} +{"text": "The Event Action Trigger module triggers malicious actions based on certain events .", "spans": {}, "info": {"id": "cyner2_test_000868", "source": "cyner2_test"}} +{"text": "In March 2017, ClearSky published a second report exposing further incidents, some of which impacted the German Bundestag.", "spans": {"ORGANIZATION: ClearSky": [[15, 23]], "ORGANIZATION: the German Bundestag.": [[101, 122]]}, "info": {"id": "cyner2_test_000869", "source": "cyner2_test"}} +{"text": "Command Description SEND_SMS Send an SMS from the bot to a specific number NEW_URL Update the C2 URL KILL Disable the bot PING_DELAY Update interval between each ping request CLEAN_IGNORE_PKG Empty list of overlayed apps WRITE_INJECTS Update target list READ_INJECTS Get current target 
list START_ADMIN Request Device Admin privileges ALL_SMS Get all SMS messages DISABLE_ACCESSIBILITY Stop preventing user from disabling the accessibility service ENABLE_ACCESSIBILITY Prevent user from disabling the accessibility service ENABLE_HIDDEN_SMS Set malware as default SMS app DISABLE_HIDDEN_SMS Remove malware as default SMS app ENABLE_EXTENDED_INJECT Enable overlay attacks DISABLE_EXTENDED_INJECT Disable overlay attacks ENABLE_CC_GRABBER Enable the Google Play overlay DISABLE_CC_GRABBER Disable the Google Play overlay START_DEBUG Enable debugging GET_LOGCAT Get logs from the device STOP_DEBUG Disable debugging GET_APPS Get installed applications GET_CONTACTS Get contacts SEND_BULK_SMS Send SMS to multiple numbers UPDATE_APK Not implemented INJECT_PACKAGE Add new overlay target CALL_FORWARD Enable/disable call forwarding START_PERMISSIONS Starts request for additional permissions ( Accessibility privileges , battery optimizations bypass , dynamic permissions ) Features The most recent version of Ginp has the same capabilities as most other Android banking Trojans , such as the use of overlay attacks , SMS control and contact list harvesting .", "spans": {"SYSTEM: Google Play": [[748, 759], [799, 810]], "SYSTEM: Android": [[1350, 1357]]}, "info": {"id": "cyner2_test_000870", "source": "cyner2_test"}} +{"text": "As our researchers discovered , it also lays its hands on the outgoing SMS and filters the incoming ones .", "spans": {}, "info": {"id": "cyner2_test_000871", "source": "cyner2_test"}} +{"text": "At the time of writing , a reverse image search for the favicon on Shodan using the query http.favicon.hash:990643579 returned around 40 web servers which use the same favicon .", "spans": {}, "info": {"id": "cyner2_test_000872", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32.CreateWinsockKeyLTAJ.Trojan Trojan.Win32.Zapchast!O Trojan.Pabueri Trojan/Zapchast.abuk Trojan.Graftor.D89D0 Win32.Trojan-PSW.OLGames.m Trojan.Gampass.B!inf 
Win32/Gamepass.QDC Trojan.Win32.Zapchast.abuk Trojan.Win32.Zapchast.rmfxd Trojan.Win32.A.Zapchast.17920.B TrojWare.Win32.Kryptik.ATA Trojan.PWS.Gamania.36444 Trojan.Zapchast.Win32.9724 PWS-OnlineGames.lw Trojan.Win32.Patched Heur:Trojan/PSW.QQPass TR/Patched.9984012 Trojan/Win32.Unknown Trojan.Win32.Zapchast.abuk Trojan/Win32.OnlineGameHack.R39710 PWS-OnlineGames.lw Trojan.Zapchast Win32/PSW.OnLineGames.QAP Trojan.Win32.Inject.thx Trojan.Zapchast!w+M30s8FNYQ W32/Onlinegames.QAP!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000873", "source": "cyner2_test"}} +{"text": "Figure 13 .", "spans": {}, "info": {"id": "cyner2_test_000874", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Backdoor.Win32.Hupigon!O Backdoor/Hupigon.kxio Win32.Trojan.WisdomEyes.16070401.9500.9776 W32/Downloader.TCTH-1863 Backdoor.Hupigon.Win32.99947 Backdoor.Win32.Mestys W32/Downldr2.IPCN Backdoor/Hupigon.ayow Trojan.Heur.ECFAB2 Backdoor:Win32/Mestys.A BScope.Trojan.SvcHorse.01643", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000875", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Backdoor.Win32.MoSucker.30!O Backdoor.Mosucker Backdoor.MoSucker.Win32.159 Backdoor.W32.Mosucker!c Backdoor/MoSucker.30.e BKDR_MOSUCK.A Win32.Trojan.WisdomEyes.16070401.9500.9924 W32/Mosucker.Z@bd Backdoor.Mosuck Win32/Mosuck.L BKDR_MOSUCK.A Win.Trojan.MoSucker-1 Backdoor.Win32.MoSucker.40.e Trojan.Win32.MoSucker-30.gymr Backdoor.Win32.Mosuck.30 BehavesLike.Win32.Fake.cc Backdoor.Win32.VB W32/Mosucker.EBWJ-6580 Backdoor/MoSucker.30.e BDS/Mosucker.30.E Trojan[Backdoor]/Win32.MoSucker Backdoor:Win32/Mosuck.3_0 Backdoor.Win32.MoSucker.40.e Trojan/Win32.HDC.C41794 TScope.Trojan.VB Bck/Mosucker.H Win32/Mosuck.30 Win32.Backdoor.Mosucker.dirf Win32/Backdoor.d9c", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000876", "source": "cyner2_test"}} +{"text": "A backdoor also known as: AIT:Trojan.Autoit.DBK 
AIT:Trojan.Autoit.DBK AIT:Trojan.Autoit.DBK AIT:Trojan.Autoit.DBK AIT:Trojan.Autoit.DBK AIT:Trojan.Autoit.DBK BehavesLike.Win32.Trojan.dh AIT:Trojan.Autoit.DBK Trojan.Autoit.Injcrypt", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000877", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Script Trojan.Win32.Xtreme.exozxc Trojan.Win32.Z.Xtreme.679916 BackDoor.XtremeRat.6 BehavesLike.Win32.Trojan.jh Trojan.Win32.Injector TR/AD.XtremeRAT.qsqva Backdoor:Win32/Xtrat.AC Backdoor.Wirenet Trj/CI.A W32/Xtreme.BQJ!tr.bdr Win32/Trojan.Script.ed4", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000878", "source": "cyner2_test"}} +{"text": "The most recent version of Ginp ( at the time of writing ) was detected at the end of November 2019 .", "spans": {"MALWARE: Ginp": [[27, 31]]}, "info": {"id": "cyner2_test_000879", "source": "cyner2_test"}} +{"text": "It is perhaps the first in a new wave of targeted attacks aimed at Android users .", "spans": {"SYSTEM: Android": [[67, 74]]}, "info": {"id": "cyner2_test_000880", "source": "cyner2_test"}} +{"text": "Proofpoint calls it Win32/RediModiUpd based on a debugging string from an earlier sample.", "spans": {"ORGANIZATION: Proofpoint": [[0, 10]]}, "info": {"id": "cyner2_test_000881", "source": "cyner2_test"}} +{"text": "In some cases , it uses this mechanism to send log data of important actions .", "spans": {}, "info": {"id": "cyner2_test_000882", "source": "cyner2_test"}} +{"text": "Palo Alto Networks Unit 42 has identified a series of phishing emails containing updated versions of the previously discussed CMSTAR malware family targeting various government entities in the country of Belarus.", "spans": {"ORGANIZATION: Palo Alto Networks Unit 42": [[0, 26]], "MALWARE: CMSTAR malware family": [[126, 147]], "ORGANIZATION: government entities": [[166, 185]]}, "info": {"id": "cyner2_test_000884", "source": "cyner2_test"}} +{"text": "First , the app has to turn off 
SELinux protection .", "spans": {"SYSTEM: SELinux": [[32, 39]]}, "info": {"id": "cyner2_test_000885", "source": "cyner2_test"}} +{"text": "Upon running the JavaScript, the Locky ransomware is downloaded and executed.", "spans": {"MALWARE: Locky ransomware": [[33, 49]]}, "info": {"id": "cyner2_test_000886", "source": "cyner2_test"}} +{"text": "Although we have not observed this malicious APK in the wild, it was uploaded to a malicious file repository service at 09:19:27 UTC on July 7, 2016, less than 72 hours after the game was officially released in New Zealand and Australia.", "spans": {"MALWARE: malicious APK": [[35, 48]], "SYSTEM: game": [[179, 183]]}, "info": {"id": "cyner2_test_000887", "source": "cyner2_test"}} +{"text": "The LookingGlass Cyber Threat Intelligence Group CTIG observed a widespread malspam campaign sent to victims appearing as if it had been an email to themselves with a malicious attachment.", "spans": {"ORGANIZATION: The LookingGlass Cyber Threat Intelligence Group CTIG": [[0, 53]], "THREAT_ACTOR: malspam campaign": [[76, 92]]}, "info": {"id": "cyner2_test_000888", "source": "cyner2_test"}} +{"text": "Once an application has been identified , Anubis overlays the original application with a fake login page to capture the user ’ s credentials .", "spans": {"MALWARE: Anubis": [[42, 48]]}, "info": {"id": "cyner2_test_000889", "source": "cyner2_test"}} +{"text": "This threat has been assigned the verdict Trojan-Ransom.Win32.Shade according to Kaspersky Lab's classification.", "spans": {"MALWARE: threat": [[5, 11]], "ORGANIZATION: Kaspersky Lab's": [[81, 96]]}, "info": {"id": "cyner2_test_000890", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Program.Unwanted.2208 RiskTool.SysTweaker.c PUA/AdvanceSystemCare.sadf Trojan:Win32/Speesipro.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000891", "source": "cyner2_test"}} +{"text": "This happens because the IDE executes the code from the Android debug bridge ( 
ADB ) by calling the activity declared in the manifest by name .", "spans": {"SYSTEM: Android debug bridge": [[56, 76]]}, "info": {"id": "cyner2_test_000892", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.FakeAlert.AWZ Trojan-Downloader.Win32.WarSpy!O Trojan.FakeAlert.AWZ Trojan/Downloader.warspy Trojan.FakeAlert.AWZ Win32.Trojan.WisdomEyes.16070401.9500.9955 Trojan.Desktophijack TROJ_WARSPY.A Trojan.FakeAlert.AWZ Trojan.FakeAlert.AWZ Trojan.Win32.Click.eoqljn Trojan.FakeAlert.AWZ TrojWare.Win32.TrojanDownloader.WarSpy Trojan.FakeAlert.AWZ Trojan.Click.373 Downloader.WarSpy.Win32.20 TROJ_WARSPY.A Warspy.dll TrojanDownloader.WarSpy.l TR/Dldr.WarSpy.pprwo Trojan[Downloader]/Win32.WarSpy TrojanDownloader:Win32/WarSpy.F Trojan/Win32.Downloader.C60200 Warspy.dll TrojanDownloader.WarSpy Trj/GdSda.A Win32/TrojanDownloader.WarSpy not-a-virus:AdWare.Win32.Serpo W32/StartPage.PPR!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000893", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Alyak.B3 Win32.Trojan.Alyak.a Downloader.Bouncedoc TROJ_SPNR.0BFD13 TrojWare.Win32.Alyak.B Trojan.DownLoader6.51294 TROJ_SPNR.0BFD13 PWS-OnlineGames.lq TR/Dldr.Kanav.H.1 TrojanDownloader:Win32/Kanav.H Trojan.Graftor.Elzob.D3781 Dropper/Win32.OnlineGameHack.R35034 PWS-OnlineGames.lq BScope.Trojan.Win32.Inject.2 Trojan.Win32.Alyak", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000894", "source": "cyner2_test"}} +{"text": "] cc/TiktokPro .", "spans": {}, "info": {"id": "cyner2_test_000895", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojandownloader.Faxplor Trojan.Razy.D15905 W32/Trojan.CLBI-3375 Trojan.Win32.Scarsi.aohf Trojan.Win32.Fsysna.ejthvr Trojan.KillProc.54385 TrojanDownloader:MSIL/Faxplor.A!bit Trojan.Win32.Scarsi.aohf Trj/GdSda.A Win32.Trojan.Atraps.Lmul Win32/Trojan.781", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000896", "source": 
"cyner2_test"}} +{"text": "Only later is the malicious code introduced , through an update .", "spans": {}, "info": {"id": "cyner2_test_000897", "source": "cyner2_test"}} +{"text": "The malware we observed on this infrastructure was almost uniquely commodity RATs including DarkComet, DarkTrack, LuminosityLink, NJRAT, ImminentMonitor, NanoCore, Orcus, NetWireRAT, BabylonRAT, Remcos, ZyklonHTTP, SandroRAT, RevengeRAT, SpyNote, QuasarRAT, and HWorm.", "spans": {"MALWARE: malware": [[4, 11]], "SYSTEM: infrastructure": [[32, 46]], "MALWARE: RATs": [[77, 81]], "MALWARE: DarkComet, DarkTrack, LuminosityLink, NJRAT, ImminentMonitor, NanoCore, Orcus, NetWireRAT, BabylonRAT, Remcos, ZyklonHTTP, SandroRAT, RevengeRAT, SpyNote, QuasarRAT,": [[92, 257]], "MALWARE: HWorm.": [[262, 268]]}, "info": {"id": "cyner2_test_000898", "source": "cyner2_test"}} +{"text": "For example : WireLurker installed malicious apps on non-jailbroken iPhones Six different Trojan , Adware and HackTool families launched “ BackStab ” attacks to steal backup archives of iOS and BlackBerry devices The HackingTeam ’ s RCS delivered its Spyware from infected PCs and Macs to jailbroken iOS devices and BlackBerry phones Recently , we discovered another Windows Trojan we named “ DualToy ” which side loads malicious or risky apps to both Android and iOS devices via a USB connection .", "spans": {"MALWARE: WireLurker": [[14, 24]], "MALWARE: HackTool families": [[110, 127]], "SYSTEM: iOS": [[186, 189], [300, 303], [464, 467]], "SYSTEM: BlackBerry": [[194, 204], [316, 326]], "MALWARE: HackingTeam": [[217, 228]], "MALWARE: RCS": [[233, 236]], "SYSTEM: Windows": [[367, 374]], "MALWARE: DualToy": [[393, 400]], "SYSTEM: Android": [[452, 459]], "SYSTEM: USB": [[482, 485]]}, "info": {"id": "cyner2_test_000899", "source": "cyner2_test"}} +{"text": "This feature is implemented using another open-source software package that can be found here .", "spans": {}, "info": {"id": "cyner2_test_000900", "source": "cyner2_test"}} 
+{"text": "A backdoor also known as: Trojan-Dropper.Win32.Injector!O TROJ_JORIK.SM4 Win32.Trojan.WisdomEyes.16070401.9500.9999 TROJ_JORIK.SM4 Trojan-Dropper.Win32.Injector.fjim Tool.PassView.604 Dropper.Injector.Win32.48748 W32/Autorun.worm.aadc Worm.Win32.Rombrast TrojanDropper.Injector.bltt Trojan[Dropper]/Win32.Injector Trojan-Dropper.Win32.Injector.fjim Trojan/Win32.Gimemo.R29683 W32/Autorun.worm.aadc TrojanDropper.Injector", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000901", "source": "cyner2_test"}} +{"text": "It requests permission to access the additional storage .", "spans": {}, "info": {"id": "cyner2_test_000902", "source": "cyner2_test"}} +{"text": "In this blog, we will describe the latest piece of malware implemented by the Ploutus Team with its malware variant known as Ploutus-D, where one of the most interesting features allows the attackers to manage the infected ATMs from the Internet and therefore making them operate like an IoT device.", "spans": {"MALWARE: malware": [[51, 58], [100, 107]], "THREAT_ACTOR: the Ploutus Team": [[74, 90]], "MALWARE: Ploutus-D,": [[125, 135]], "THREAT_ACTOR: attackers": [[190, 199]], "SYSTEM: ATMs": [[223, 227]], "SYSTEM: Internet": [[237, 245]], "SYSTEM: IoT device.": [[288, 299]]}, "info": {"id": "cyner2_test_000903", "source": "cyner2_test"}} +{"text": "SPEAR was able to identify just over three hundred unique victims over the past month, as well as over 100GB worth of data that was exfiltrated and stored on one of the C2 servers.", "spans": {"MALWARE: SPEAR": [[0, 5]], "ORGANIZATION: three hundred unique victims": [[37, 65]]}, "info": {"id": "cyner2_test_000904", "source": "cyner2_test"}} +{"text": "In this example , the server response contains several values for Thai carriers .", "spans": {}, "info": {"id": "cyner2_test_000905", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32.FamVT.ExpiroPC.PE Backdoor.Win32.BO!O Orifice.svr.d BackOrifice.Trojan Backdoor.Win32.BO.a 
Heur.Corrupt.PE BackDoor.BOrifice.120 Orifice.svr.d Backdoor/BO.a TR/BO.Srv Backdoor.Win32.BO.a Backdoor:Win32/BO.A.dam#2", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000906", "source": "cyner2_test"}} +{"text": "Unlike previously discovered non Google Play centric campaigns whose victims almost exclusively come from less developed countries and regions , “ Agent Smith ” successfully penetrated into noticeable number of devices in developed countries such as Saudi Arabia , UK and US .", "spans": {"SYSTEM: Google Play": [[33, 44]], "MALWARE: Agent Smith": [[147, 158]]}, "info": {"id": "cyner2_test_000907", "source": "cyner2_test"}} +{"text": "Cyber Threat Group that Exploited Governments and Commercial Entities across Southeast Asia and India for over a Decade The first group, named Moafee, appears to operate from the Guandong Province.", "spans": {"THREAT_ACTOR: Cyber Threat Group": [[0, 18]], "ORGANIZATION: Governments": [[34, 45]], "ORGANIZATION: Commercial Entities": [[50, 69]], "THREAT_ACTOR: Moafee,": [[143, 150]]}, "info": {"id": "cyner2_test_000908", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Win32.Ekstak.bwtk Trojan.Win32.Ekstak.evfqig Trojan.Win32.CryptXXX.270336.D Trojan.Ekstak.Win32.3480 BehavesLike.Win32.PWSZbot.jc Trojan.Win32.Injector TR/Crypt.ZPACK.dtseo Trojan[Backdoor]/Win32.Androm TrojanDropper:Win32/Pitou.B Virus.W32.Troj!c Trojan.Win32.Ekstak.bwtk Hoax.Scatter Trj/GdSda.A W32/Injector.DIOR!tr Win32/Trojan.eeb", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000910", "source": "cyner2_test"}} +{"text": "ViceLeaker Operation : mobile espionage targeting Middle East 26 JUN 2019 In May 2018 , we discovered a campaign targeting dozens of mobile Android devices belonging to Israeli citizens .", "spans": {"MALWARE: ViceLeaker": [[0, 10]], "SYSTEM: Android": [[140, 147]]}, "info": {"id": "cyner2_test_000911", "source": "cyner2_test"}} +{"text": "The modern version of Rotexy 
combines the functions of a banking Trojan and ransomware .", "spans": {"MALWARE: Rotexy": [[22, 28]]}, "info": {"id": "cyner2_test_000912", "source": "cyner2_test"}} +{"text": "Not even a day ago I blogged on a piece of ransomware named CryptoApp' which I discovered while it was still in its development & testing phase: [Analysis of a piece of ransomware in development: the story of CryptoApp'].", "spans": {"MALWARE: ransomware": [[43, 53], [169, 179]], "MALWARE: CryptoApp'": [[60, 70]], "MALWARE: CryptoApp'].": [[209, 221]]}, "info": {"id": "cyner2_test_000913", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Win.Exploit.Fnstenv_mov-1 Exploit.Win32.SqlShell.a Exploit.Win32.SqlShell.cvvofc Trojan.SqlShell Trojan.SqlShell.Win32.9 Exploit.SqlShell.a Trojan[Exploit]/Win32.SqlShell Exploit:Win32/Siveras.E Exploit.Win32.SqlShell.a", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000914", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.DownLoader23.14020 TrojanDownloader:Win32/Apcrewnod.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000915", "source": "cyner2_test"}} +{"text": "We also describe apps that we think are coming from the same author or a group of authors .", "spans": {}, "info": {"id": "cyner2_test_000916", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32.FamVT.ExpiroPC.PE TrojanSpy.MSIL Troj.Spy.Msil!c Win32.Trojan.WisdomEyes.16070401.9500.9996 Win32.Trojan.Kryptik.JK Trojan.Win32.Jenxcus.expoor Trojan.Win32.Z.Autoruns.585216 BehavesLike.Win32.Fareit.hc Trojan.MSIL.Crypt TrojanSpy.MSIL.vlx TR/AD.Jenxcus.xrytt Trojan/MSIL.Crypt Worm:Win32/Jenxcus.A Trojan/Win32.MSIL.R219591 Spyware.PasswordStealer Trj/GdSda.A MSIL/Kryptik.MNQ!tr Win32/Trojan.f56", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000917", "source": "cyner2_test"}} +{"text": "The 3cx supply chain attack infected companies all over the world, especially in France, 
Italy, Germany, and Brazil.", "spans": {"ORGANIZATION: The 3cx": [[0, 7]], "ORGANIZATION: companies": [[37, 46]]}, "info": {"id": "cyner2_test_000918", "source": "cyner2_test"}} +{"text": "This code starts by allocating two chunks of memory : a global 1 MB buffer and one 64 KB buffer per thread .", "spans": {}, "info": {"id": "cyner2_test_000919", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan-Dropper.Win32.Mudrop!O W32/Backdoor2.DOAJ Infostealer.Tarno.B TROJ_DROPPER.SGQ Trojan-Dropper.Win32.Mudrop.cy Trojan.Win32.Mudrop.njme Trojan.Win32.MulDrop.191866 Troj.Dropper.W32.Mudrop.l2yP Trojan.MulDrop.3684 Dropper.Mudrop.Win32.966 TROJ_DROPPER.SGQ BehavesLike.Win32.PWSZbot.cc Trojan-Dropper.Win32.Mudrop W32/Backdoor.ZSGQ-5731 TrojanDropper.Mudrop.ahz TR/Drop.Mudrop.ER Win32.Troj.Mudrop.cy.kcloud Trojan.Conjar.9 Trojan-Dropper.Win32.Mudrop.cy TrojanDropper:Win32/Mudrop.W Dropper/Win32.Mudrop.R6557 Trj/Multidropper.RPV Win32.Trojan-dropper.Mudrop.Anpp Trojan.DR.Mudrop.TK", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000920", "source": "cyner2_test"}} +{"text": "July 7 Three exploits – two for Flash Player and one for the Windows kernel—were initially found in the information dump .", "spans": {"SYSTEM: Flash Player": [[32, 44]], "SYSTEM: Windows": [[61, 68]]}, "info": {"id": "cyner2_test_000921", "source": "cyner2_test"}} +{"text": "Initial research into the exploit by Unit 42 indicates that this actor has opted to include multiple exploits.", "spans": {"MALWARE: exploit": [[26, 33]], "ORGANIZATION: Unit 42": [[37, 44]], "THREAT_ACTOR: actor": [[65, 70]], "MALWARE: multiple exploits.": [[92, 110]]}, "info": {"id": "cyner2_test_000922", "source": "cyner2_test"}} +{"text": "Travelers applying for a US Visa in Switzerland were recently targeted by cyber-criminals linked to a malware called QRAT.", "spans": {"ORGANIZATION: Travelers": [[0, 9]], "THREAT_ACTOR: cyber-criminals": [[74, 89]], "MALWARE: malware": [[102, 109]], 
"MALWARE: QRAT.": [[117, 122]]}, "info": {"id": "cyner2_test_000923", "source": "cyner2_test"}} +{"text": "Worm that connects to theworldnews.byethost5[.]com/online.php", "spans": {"MALWARE: Worm": [[0, 4]]}, "info": {"id": "cyner2_test_000924", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Tool.KeyLogger.Win32.722 Riskware.Win32.EliteKeylogger.eluvck Application.EliteKeyLogger SPR/EliteKeyLog.AC", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000925", "source": "cyner2_test"}} +{"text": "The dynamically-loaded code is also flooded with meaningless commands that mask the actual commands passing through .", "spans": {}, "info": {"id": "cyner2_test_000926", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32.Clodc8d.Trojan.f6fa Trojan.Skeeyah Trojan.Zusy.D2C0FC TROJ_SKEEYAH_FB24024B.UVPM Win32.Trojan.WisdomEyes.16070401.9500.9772 Backdoor.Trojan TROJ_SKEEYAH_FB24024B.UVPM Trojan.DownLoader19.10801 Adware.BrowseFox.Win32.317622 W32/Trojan.UZWX-1729 BScope.P2P-Worm.Palevo Trj/GdSda.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000927", "source": "cyner2_test"}} +{"text": "A backdoor also known as: TROJ_HILOTI.SMWQ Win32.Trojan.WisdomEyes.16070401.9500.9839 TROJ_HILOTI.SMWQ Trojan.PackedENT.24737 Virus.Win32.Cryptor Trojan.Famudin.1 Trojan:Win32/Famudin.A Trojan/Win32.Zefarch.R8475", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000928", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32.Chkdsk.Worm Trojan-Downloader.Win32.PurityScan!O Downloader.PurityScan.Win32.185 Trojan/Downloader.PurityScan.hl Win32.Trojan.WisdomEyes.16070401.9500.9994 Adware.Purityscan Win.Adware.Purityscan-45 Trojan.Win32.Fsysna.amty Trojan.Win32.PurityScan.wjls Adware.MediaTicket BehavesLike.Win32.Sytro.kc TrojanDownloader.PurityScan.ge Trojan[Downloader]/Win32.PurityScan Win32.TrojDownloader.PurityScan.hl.kcloud TrojanDropper:Win32/Puritany.A!bit 
Trojan.Heur.D.emHfbGXR0jj Trojan.Win32.A.Downloader.68677.C[UPX] TrojanDownloader.PurityScan Trojan-Downloader.Win32.PurityScan", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000929", "source": "cyner2_test"}} +{"text": "The “ id ” value inside the “ data ” block is equal to the “ timestamp ” value of the relevant command : In addition , the Trojan sets itself as the default SMS application and , on receiving a new SMS , forwards the sender ’ s number and the message text in base64 format to the cybercriminal : Thus , Asacub can withdraw funds from a bank card linked to the phone by sending SMS for the transfer of funds to another account using the number of the card or mobile phone .", "spans": {"MALWARE: Asacub": [[303, 309]]}, "info": {"id": "cyner2_test_000930", "source": "cyner2_test"}} +{"text": "While Google implemented multiple mechanisms , like two-factor-authentication , to prevent hackers from compromising Google accounts , a stolen authorization token bypasses this mechanism and allows hackers the desired access as the user is perceived as already logged in .", "spans": {"ORGANIZATION: Google": [[6, 12], [117, 123]]}, "info": {"id": "cyner2_test_000931", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Win32.Z.Mikey.225280.T Backdoor.Win32.Sobador W32/Trojan.VKIR-9186 Worm:Win32/Docmuck.A Trj/CI.A Win32/Trojan.639", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000933", "source": "cyner2_test"}} +{"text": "The 9002 RAT is not new.", "spans": {"MALWARE: 9002 RAT": [[4, 12]]}, "info": {"id": "cyner2_test_000934", "source": "cyner2_test"}} +{"text": "A backdoor also known as: HW32.Packed.2A05 Trojan.Win32.VBKrypt!O TrojanDropper.VB.HV3 Trojan/VBKrypt.vvt Win32.Trojan.WisdomEyes.151026.9950.9999 W32/Dropper.BJGL Heur.AdvML.B Win32/RiskWare.PEMalform.B TROJ_VBDROP.SMIA Win.Trojan.VB-26665 Backdoor.Win32.Hupigon.usxr Trojan.Win32.AutoRun.wqect Trojan.Win32.A.VBKrypt.220160.A[h] 
Troj.W32.VBKrypt.vvt!c TrojWare.Win32.Kryptik.~NT Trojan.Click1.48058 Trojan.VBKrypt.Win32.42907 TROJ_VBDROP.SMIA BehavesLike.Win32.Downloader.dc Trojan/VBKrypt.hfjo W32/Onlinegames.ASE!tr Trojan/Win32.VBKrypt Trojan.Graftor.D6DF1 Trojan/Win32.VBKrypt.N368238745 TrojanDropper:Win32/Popsenong.A Win32/Popsenong.BD Trojan.Pasta Win32.Trojan.Vbkrypt.byqw Trojan.Win32.VBKrypt Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000935", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Mauvaise.SL1 Trojan.Zusy.D3C179 TROJ_UPADEMTYS.SM Trojan.DownLoader25.8430 TROJ_UPADEMTYS.SM Trojan:Win32/Cenjonsla.D!bit Trojan.Win32.U.Downloader.437248 Trj/GdSda.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000936", "source": "cyner2_test"}} +{"text": "The spaghetti code in FinFisher dropper This problem is not novel , and in common situations there are known reversing plugins that may help for this task .", "spans": {"MALWARE: FinFisher": [[22, 31]]}, "info": {"id": "cyner2_test_000937", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32.YahLoverQKB.Trojan Worm.Autoit.Sohanad.S Worm.AutoRun Worm.Sohanad.Win32.3409 Trojan.Heur.AutoIT.2 Win32.Worm.Sohanad.x Win32/SillyAutorun.DQF WORM_SOHAND.SM IM-Worm.Win32.Sohanad.pw W32.W.Sohanad.m0tE Worm.Win32.Sohanad.NCB WORM_SOHAND.SM BehavesLike.Win32.Tupym.wt Win32.Worm.Autorun.M HEUR/Fakon.mwf I-Worm.Sohanad.NFS Win32/Sohanad.NCB Trojan.AutoIT.ZU not-a-virus:Monitor.Win32.007SpySoft", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000938", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32/Trojan4.AADB Rootkit.Win32.AntiAv.pqy TrojWare.Win32.TrojanDownloader.Icehart.A Trojan.MulDrop5.35956 W32/Trojan.QEHW-5913 Trojan:WinNT/Percol.A Trojan-Downloader.Win32.Icehart", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000940", "source": "cyner2_test"}} +{"text": "Sneaking unwanted or harmful 
functionality into popular , benign apps is a common practice among “ bad ” developers , and we are committed to tracking down such apps .", "spans": {}, "info": {"id": "cyner2_test_000941", "source": "cyner2_test"}} +{"text": "A backdoor also known as: TrojanDownloader.Moure.A3 TROJ_MOURE.SM TROJ_MOURE.SM Trojan.Win32.KillProc.cvivhz BehavesLike.Win32.Dropper.lc Trojan.Win32.Droma TR/Moure.A.17 Trojan.Kazy.D39E9B TScope.Malware-Cryptor.SB Trj/CI.A Win32.Trojan.Moure.Hxzu Trojan.Droma!2wG5lxLKOCU Win32/Trojan.Multi.daf", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000942", "source": "cyner2_test"}} +{"text": "It was configured to activate via SMS sent from a Czech Republic number .", "spans": {}, "info": {"id": "cyner2_test_000943", "source": "cyner2_test"}} +{"text": "As we began to analyze and tear down the various samples we collected, we found significant overlaps with previously reported and documented adversary groups, attack campaigns, and their toolsets, exemplifying the concept of the Digital Quartermaster.", "spans": {"MALWARE: samples": [[49, 56]], "THREAT_ACTOR: adversary groups, attack campaigns,": [[141, 176]], "MALWARE: toolsets,": [[187, 196]]}, "info": {"id": "cyner2_test_000944", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32.FamVT.MiraVM.Worm Worm.Mira.IM6 Trojan/Mira.a WORM_MIRAS.SMN Win32.Worm.Mira.c W32.SillyFDC Win32/Tnega.MFcdAFD WORM_MIRAS.SMN Win32.Worm.Mira.D Trojan.Win32.Mira.etthwn Trojan.Win32.Mira.741847 Trojan.MulDrop5.32888 TR/Zusy.BQ HEUR/Fakon.mwf Win32/Mira.A Worm.Win32.Mira.a Trojan-Spy.Zbot W32/Mira.9C5!tr W32/Milam.A.worm", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000945", "source": "cyner2_test"}} +{"text": "The current investigations are still underway but the known indicators of compromise in these new attacks will be presented below.", "spans": {}, "info": {"id": "cyner2_test_000946", "source": "cyner2_test"}} +{"text": "As it launches , it 
requests device administrator rights , and then starts communicating with its C & C server .", "spans": {}, "info": {"id": "cyner2_test_000947", "source": "cyner2_test"}} +{"text": "The delivery method for these documents remained consistent to other common malicious e-mail campaigns.", "spans": {"MALWARE: malicious": [[76, 85]], "THREAT_ACTOR: e-mail campaigns.": [[86, 103]]}, "info": {"id": "cyner2_test_000948", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32/Downldr2.HMDO Trojan.FakeAdvapi.11 TrojanDownloader:Win32/Tapivat.B W32/Downldr2.HMDO Backdoor.Win32.Undef.cjv Trj/Downloader.MDW", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000949", "source": "cyner2_test"}} +{"text": "Multiple new variants of the previously discussed sysget malware family have been observed in use by DragonOK.", "spans": {"MALWARE: variants": [[13, 21]], "MALWARE: sysget malware family": [[50, 71]]}, "info": {"id": "cyner2_test_000950", "source": "cyner2_test"}} +{"text": "Then , it uses the accessibility service for its malicious operations , some of which include : Preventing the user from uninstalling the app Becoming the default SMS app by changing device settings Monitoring the currently running application ( s ) Scraping on-screen text Android operating systems include many dialog screens that require the denial , or approval , of app permissions and actions that have to receive input from the user by tapping a button on the screen .", "spans": {"SYSTEM: Android": [[274, 281]]}, "info": {"id": "cyner2_test_000951", "source": "cyner2_test"}} +{"text": "This domain also contains pages to phish credentials for popular online mail providers such as Gmail and Yahoo.", "spans": {"ORGANIZATION: online mail providers": [[65, 86]], "SYSTEM: Gmail": [[95, 100]], "SYSTEM: Yahoo.": [[105, 111]]}, "info": {"id": "cyner2_test_000952", "source": "cyner2_test"}} +{"text": "Upon further analysis it became clear this application was as malicious as they 
come and initially resembled the CopyCat malware , discovered by Check Point Research back in April 2016 .", "spans": {"MALWARE: CopyCat": [[113, 120]], "ORGANIZATION: Check Point": [[145, 156]]}, "info": {"id": "cyner2_test_000953", "source": "cyner2_test"}} +{"text": "The campaign seeks to deliver Anubis , a particularly nasty piece of malware that was originally used for cyber espionage and retooled as a banking trojan .", "spans": {"MALWARE: Anubis": [[30, 36]]}, "info": {"id": "cyner2_test_000954", "source": "cyner2_test"}} +{"text": "Smishing : The Major Way To Distribute RuMMS We have not observed any instances of RuMMS on Google Play or other online app stores .", "spans": {"MALWARE: RuMMS": [[39, 44], [83, 88]], "SYSTEM: Google Play": [[92, 103]]}, "info": {"id": "cyner2_test_000955", "source": "cyner2_test"}} +{"text": "] ponethus [ .", "spans": {}, "info": {"id": "cyner2_test_000956", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9980 Trojan.Win32.Hijacker.evenzx Win32.Trojan.Hijacker.Aiij DLOADER.Trojan Worm.Kasidet.Win32.342 Trojan.Razy.D361B7 Backdoor:Win32/Quicdy.A Worm.Kasidet! 
Worm.Win32.Kasidet W32/Kasidet.AU!worm Trj/GdSda.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000957", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Backdoor.IRCBot.ACPE Worm.Butibrot Backdoor.IRCBot.ACPE Backdoor.IRCBot.ACPE Win32.Trojan.WisdomEyes.16070401.9500.9998 Win.Trojan.IRCBot-846 SScope.Trojan.YM.0379 P2P-Worm.Win32.Butibrot.fx Trojan.Win32.Hosts2.ewqtym Backdoor.W32.IRCBot.li6r Win32.HLLW.Autoruner.6328 Virus.Win32.IRCBot.BSX Backdoor.IRCBot.ACPE P2P-Worm.Win32.Butibrot.fx Win32.Trojan.Qhost.A Worm/Win32.IRCBot.R6005 Backdoor.IRCBot.ACPE Trojan.QHosts.G Win32/Backdoor.BO.263", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000958", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Multi Uds.Dangerousobject.Multi!c Trojan/Downloader.Fosniw.al Trojan.Win32.Mirai.exojtt Trojan.DownLoader26.15190 BDS/Mirai.kpgws Backdoor:Win32/Mirai.A Trojan/Win32.Mirai.C2393598 Adware.Elex Trj/RnkBend.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000959", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Ransom/W32.Blocker.191946 Trojan-Ransom.Win32.Blocker!O Trojan.Autorun.WR4 Trojan.Blocker.Win32.7173 BKDR_TOFSEE.SMJ0 Win32/FakeAV.YeKRCbC BKDR_TOFSEE.SMJ0 Win.Trojan.Blocker-302 Trojan-Ransom.Win32.Blocker.kgw Trojan.Win32.Blocker.btwdzu Troj.Downloader.Small.mxel Trojan-ransom.Win32.Blocker.kgw Trojan.StartPage.49691 BehavesLike.Win32.Ransom.cc Trojan/Blocker.afz TR/Rogue.zxdv Trojan-Ransom.Win32.Blocker.kgw Trojan/Win32.Blocker.R46032 Hoax.Blocker Ransom.Winlock Trojan.Blocker!9ES4EgQtPbA Trojan-Ransom.Win32.Blocker", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000960", "source": "cyner2_test"}} +{"text": "These apps also had a large amount of downloads between 4 and 18 million , meaning the total spread of the malware may have reached between 8.5 and 36.5 million users .", "spans": {}, "info": {"id": 
"cyner2_test_000961", "source": "cyner2_test"}} +{"text": "Mandiant currently tracks this actor as UNC4540.", "spans": {"ORGANIZATION: Mandiant": [[0, 8]], "THREAT_ACTOR: actor": [[31, 36]], "THREAT_ACTOR: UNC4540.": [[40, 48]]}, "info": {"id": "cyner2_test_000962", "source": "cyner2_test"}} +{"text": "mobile_treats_2013_04s The number of mobile banking Trojans in our collection Mobile banking Trojans can run together with Win-32 Trojans to bypass the two-factor authentication – mTAN theft ( the theft of banking verification codes that banks send their customers in SMS messages ) .", "spans": {"SYSTEM: Win-32": [[123, 129]]}, "info": {"id": "cyner2_test_000963", "source": "cyner2_test"}} +{"text": "This was likely done because DNS is required for normal network operations.", "spans": {"SYSTEM: DNS": [[29, 32]], "VULNERABILITY: required for normal network operations.": [[36, 75]]}, "info": {"id": "cyner2_test_000964", "source": "cyner2_test"}} +{"text": "Unsurprisingly, it took just under 3 hours for the first infection to hit.", "spans": {}, "info": {"id": "cyner2_test_000965", "source": "cyner2_test"}} +{"text": "Since at least 2015, the group appears to have fragmented into smaller, loosely related groups,each with its own preferred toolsets and Trojans, although many similarities in tactics, techniques and procedures TTPs exist.", "spans": {"THREAT_ACTOR: the group": [[21, 30]], "MALWARE: toolsets": [[123, 131]], "MALWARE: Trojans,": [[136, 144]]}, "info": {"id": "cyner2_test_000966", "source": "cyner2_test"}} +{"text": "The SANS ISC recently published a very interesting technical analysis of Bartalex.", "spans": {"ORGANIZATION: The SANS ISC": [[0, 12]], "MALWARE: Bartalex.": [[73, 82]]}, "info": {"id": "cyner2_test_000967", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Backdoor/W32.IRCBot.7909376 Trojan.MaptoSteal.S14224 Infostealer.Lineage Win.Trojan.8117429-1 not-a-virus:RiskTool.Win32.Gamehack.xzb Trojan.Click1.56234 
Trojan.OnLineGames.Win32.67502 BehavesLike.Win32.PWSOnlineGames.wh RiskTool.Gamehack.ajo not-a-virus:RiskTool.Win32.Gamehack.xzb Trojan/Win32.Mapstosteal.R121969 Trj/CI.A DroppedWin32.Worm.Stration.EM", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000969", "source": "cyner2_test"}} +{"text": "This new variant roots devices and steals email addresses and authentication tokens stored on the device.", "spans": {"MALWARE: variant": [[9, 16]], "VULNERABILITY: roots devices": [[17, 30]]}, "info": {"id": "cyner2_test_000970", "source": "cyner2_test"}} +{"text": "Registering broadcast receivers enable XLoader to trigger its malicious routines .", "spans": {"MALWARE: XLoader": [[39, 46]]}, "info": {"id": "cyner2_test_000971", "source": "cyner2_test"}} +{"text": "In the latter case, the Trojan used a diskless method of operation and was notoriously more difficult to detect and track.", "spans": {}, "info": {"id": "cyner2_test_000972", "source": "cyner2_test"}} +{"text": "Behind the scenes , there are number of process occurring simultaneously .", "spans": {}, "info": {"id": "cyner2_test_000975", "source": "cyner2_test"}} +{"text": "] 102 2020-04-14 http : //pub.douglasshome [ .", "spans": {}, "info": {"id": "cyner2_test_000976", "source": "cyner2_test"}} +{"text": "Security researchers subsequently linked these attacks to a broader, yearlong campaign that targeted not just Israelis but Palestinians as well and as discovered later, even the U.S. 
and UK governments.", "spans": {"ORGANIZATION: Security researchers": [[0, 20]], "THREAT_ACTOR: campaign": [[78, 86]], "ORGANIZATION: Israelis": [[110, 118]], "ORGANIZATION: Palestinians": [[123, 135]], "ORGANIZATION: U.S.": [[178, 182]], "ORGANIZATION: UK governments.": [[187, 202]]}, "info": {"id": "cyner2_test_000977", "source": "cyner2_test"}} +{"text": "Within some of the first of those commands , the bot typically receives a list of banks it will target .", "spans": {}, "info": {"id": "cyner2_test_000978", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32.BackdoorWabot.Trojan Backdoor.Win32.Wabot!O Trojan.Wabot.A8 Backdoor.Wabot Trojan/Delf.nrf Win32.Backdoor.Wabot.a W32.Wabot Win32/DCMgreen.A BKDR_WABOT.SMIA Win.Trojan.Wabot-6113548-0 Backdoor.Win32.Wabot.a Trojan.Win32.Wabot.dmukv Backdoor.Win32.Wabot.157619 Backdoor.W32.Wabot.tn6b Backdoor.Win32.Wabot.A Trojan.MulDrop6.64369 Backdoor.Wabot.Win32.1 BKDR_WABOT.SMIA BehavesLike.Win32.Wabot.rc P2P-Worm.Win32.Delf Backdoor/Wabot.z Trojan[Backdoor]/Win32.Wabot.a Trojan.ShellIni.E86D3B Backdoor.Win32.Wabot.a Backdoor:Win32/Wabot.A Worm/Win32.IRCBot.R3689 Backdoor.Wabot I-Worm.Delf.NRF Win32/Delf.NRF Trojan.Win32.Wabot.a Backdoor.Wabot!jai+hnpgbwI W32/Luiha.M!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000979", "source": "cyner2_test"}} +{"text": "The exploit was dropping some malicious payloads that we took for further analysis.", "spans": {"MALWARE: The exploit": [[0, 11]], "MALWARE: malicious payloads": [[30, 48]]}, "info": {"id": "cyner2_test_000980", "source": "cyner2_test"}} +{"text": "These sites pretend to be porn video websites, and all lead to various malicious apps being downloaded.", "spans": {"MALWARE: malicious apps": [[71, 85]]}, "info": {"id": "cyner2_test_000981", "source": "cyner2_test"}} +{"text": "2016 From mid-2016 on , the cybercriminals returned to dynamic generation of lowest-level domains .", "spans": {}, "info": {"id": "cyner2_test_000982", 
"source": "cyner2_test"}} +{"text": "Use of the virtual machine brings many technical benefits to the operators , chief among them allowing the malware to install apps without requiring users to approve a list of elevated permissions .", "spans": {}, "info": {"id": "cyner2_test_000983", "source": "cyner2_test"}} +{"text": "This threat is another proof point that attackers are clearly incorporating the mobile device into their surveillance campaigns as a primary attack vector .", "spans": {}, "info": {"id": "cyner2_test_000984", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan/W32.Jorik.25600.I Trojan.Win32.Jorik.Nbdd!O Downloader.Isnev.16705 Trojan.Win32.Gofot.d Trojan.Win32.Jorik2.bcihcn Troj.Downloader.W32.Small.lfJx Win32.Trojan.Gofot.Swbj TrojWare.Win32.Patched.IL0 Trojan.DownLoader7.19964 Trojan.Jorik.Win32.165240 Trojan-Downloader.Win32.Isnev Trojan/Jorik.ftgq TR/Patched.IL Trojan/Win32.Nbdd Win32.Troj.Jorik.kcloud Trojan.Graftor.DE014 Trojan.Win32.Gofot.d Win-Trojan/Downloader.25600.JL Trojan.Gofot Win32/Trojan.Downloader.a03", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000985", "source": "cyner2_test"}} +{"text": "The FBI and the US Department of Health and Social Security HHS have issued a joint cybersecurity advisory, #StopRansomware, following a recent incident involving Hive Ransomeware.", "spans": {"ORGANIZATION: The FBI": [[0, 7]], "ORGANIZATION: the US Department of Health and Social Security HHS": [[12, 63]], "THREAT_ACTOR: #StopRansomware,": [[108, 124]], "MALWARE: Hive Ransomeware.": [[163, 180]]}, "info": {"id": "cyner2_test_000986", "source": "cyner2_test"}} +{"text": "Figure 11 .", "spans": {}, "info": {"id": "cyner2_test_000987", "source": "cyner2_test"}} +{"text": "To date, only 0.006% of all malware seen by Palo Alto Networks employs this technique, indicating that it is in fact fairly rare.", "spans": {"MALWARE: malware": [[28, 35]], "ORGANIZATION: Palo Alto Networks": [[44, 62]]}, "info": 
{"id": "cyner2_test_000988", "source": "cyner2_test"}} +{"text": "The paranoid antihero leader of the group is known as Mr. Robot, who leads an underground hacker society named you've guessed it FSociety.", "spans": {}, "info": {"id": "cyner2_test_000989", "source": "cyner2_test"}} +{"text": "There were several distinct areas where mobile malware underwent advances .", "spans": {}, "info": {"id": "cyner2_test_000990", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan/Scar.cefr Trojan.Graftor.D44C TROJ_SCAR.AO Win32.Trojan.WisdomEyes.16070401.9500.9761 W32/Trojan2.MNFO TROJ_SCAR.AO Win.Trojan.Scar-1871 Trojan.Win32.Scar.cefr Trojan.Win32.Scar.vsxm Trojan.Win32.Scar.46080.D Troj.W32.Scar.cefr!c TrojWare.Win32.TrojanDownloader.Murlo.~JH2 Trojan.PWS.Gamania.25505 Trojan.Scar.Win32.23993 BehavesLike.Win32.Fesber.ph W32/Trojan.QJAT-4881 Trojan/Scar.uvi Trojan/Win32.Scar Trojan:Win32/Kolbot.A Trojan.Win32.Scar.cefr Trojan/Win32.Lmirhack.R36071 Win32.Trojan.Scar.Amce Trojan.Scar!efY4TUtZ30I Trojan.Win32.Scar W32/Scar.CEFR!tr Win32/Trojan.154", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000991", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32.BackFs.Worm Win32.Worm.VB.NUT IM-Worm.Win32.VB!O W32/Autorun.worm.h Win32.Worm.VB.NUT WORM_ABI.A W32.SillyFDC Win32/SillyAutorun.HX WORM_ABI.A Win.Worm.VB-710 Win32.Worm.VB.NUT IM-Worm.Win32.VB.gd Win32.Worm.VB.NUT Trojan.Win32.BFJU.vkeq Worm.Win32.IM-VB.86016.B Win32.Worm.VB.NUT TrojWare.Win32.Regrun.Q Win32.Worm.VB.NUT Win32.HLLW.Backfs Worm.VB.Win32.309 W32/Autorun.worm.h Trojan-Dropper.Win32.VB Worm/VB.ppr TR/Autorun.UA Worm[IM]/Win32.VB Worm:Win32/Rapsha.A IM-Worm.Win32.VB.gd Worm/Win32.AutoRun.R122830 Win32.Worm.VB.NUT TScope.Trojan.VB W32/VB.RM!worm", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000992", "source": "cyner2_test"}} +{"text": "A backdoor also known as: P2P-Worm.Win32.KillFiles!O Worm.KillFiles Trojan.FakeAV.Win32.8553 
Win32.Trojan.WisdomEyes.16070401.9500.9998 Win32/Buzus.HL Win.Trojan.Buzus-7265 P2P-Worm.Win32.KillFiles.a Trojan.Win32.Shellbot.wkhrk Trojan.Win32.Buzus.34816.K TrojWare.Win32.Trojan.FakeAV.ACS0 Trojan.PWS.Panda.3091 WORM_RBOT.SMJF BehavesLike.Win32.Backdoor.cc Trojan/Refroso.fmj TR/FakeAV.kzz.26 Worm[P2P]/Win32.KillFiles Trojan.Graftor.D1374 P2P-Worm.Win32.KillFiles.a Trojan/Win32.Refroso.R6215 BScope.Trojan-Dropper.MTA.0116 W32/MSNWorm.HL.worm Win32.Worm-p2p.Killfiles.Pgwo Trojan.Fakeav Win32/Worm.P2P-Worm.3c2", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000993", "source": "cyner2_test"}} +{"text": "This is the first time in nearly two years that a new Java zero-day vulnerability was reported.", "spans": {"SYSTEM: Java": [[54, 58]], "VULNERABILITY: zero-day vulnerability": [[59, 81]]}, "info": {"id": "cyner2_test_000994", "source": "cyner2_test"}} +{"text": "This is known as a targeted attack .", "spans": {}, "info": {"id": "cyner2_test_000995", "source": "cyner2_test"}} +{"text": "Zen family PHA authors exhibit a wide range of techniques , from simply inserting an advertising SDK to a sophisticated trojan .", "spans": {"MALWARE: Zen": [[0, 3]]}, "info": {"id": "cyner2_test_000996", "source": "cyner2_test"}} +{"text": "These e-mails kick off a multi-stage infection chain.", "spans": {}, "info": {"id": "cyner2_test_000997", "source": "cyner2_test"}} +{"text": "A backdoor also known as: not-a-virus:NetTool.Win32.Nuker.Click.22 Nuke.Click.22 TR/Clicker.fnogv not-a-virus:NetTool.Win32.Nuker.Click.22 Win32/Nuker.Click Trojan.Win32.Nuker Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_000998", "source": "cyner2_test"}} +{"text": "Extract events from the Calendar app .", "spans": {"SYSTEM: Calendar app": [[24, 36]]}, "info": {"id": "cyner2_test_000999", "source": "cyner2_test"}} +{"text": "For more detailed information about the threat , check out the blog post from CSIS .", "spans": {"ORGANIZATION: CSIS": 
[[78, 82]]}, "info": {"id": "cyner2_test_001000", "source": "cyner2_test"}} +{"text": "The Trojan, named Android.Spy.377.origin, is a remote administration tool RAT that is distributed under the guise of benign applications.", "spans": {"MALWARE: Trojan,": [[4, 11]], "MALWARE: remote administration tool RAT": [[47, 77]], "SYSTEM: benign applications.": [[117, 137]]}, "info": {"id": "cyner2_test_001001", "source": "cyner2_test"}} +{"text": "Whether or not rooting succeeds , HummingBad downloads a large number of apps .", "spans": {"MALWARE: HummingBad": [[34, 44]]}, "info": {"id": "cyner2_test_001002", "source": "cyner2_test"}} +{"text": "Some actions include ( with rough translations ) : The command-and-control server The command-and-control server is located at IP 64.78.161.133 .", "spans": {}, "info": {"id": "cyner2_test_001003", "source": "cyner2_test"}} +{"text": "Accessibility features are typically used to help users with disabilities by giving the device the ability to write into input fields , auto-generate permissions , perform gestures for the user , etc .", "spans": {}, "info": {"id": "cyner2_test_001004", "source": "cyner2_test"}} +{"text": "Other backdoors used by the same actor are Bisonal, Pipcreat, HeartBeat..", "spans": {"MALWARE: backdoors": [[6, 15]], "THREAT_ACTOR: actor": [[33, 38]], "MALWARE: Bisonal, Pipcreat, HeartBeat..": [[43, 73]]}, "info": {"id": "cyner2_test_001005", "source": "cyner2_test"}} +{"text": "We believe that this attacker operates out of China.", "spans": {"THREAT_ACTOR: attacker": [[21, 29]]}, "info": {"id": "cyner2_test_001006", "source": "cyner2_test"}} +{"text": "More significantly, the group also uses a previously undocumented JScript backdoor called Ostap and a Delphi dropper we named MrWhite", "spans": {"THREAT_ACTOR: group": [[24, 29]], "MALWARE: JScript backdoor": [[66, 82]], "MALWARE: Ostap": [[90, 95]], "MALWARE: Delphi dropper": [[102, 116]], "MALWARE: MrWhite": [[126, 133]]}, "info": {"id": "cyner2_test_001007", 
"source": "cyner2_test"}} +{"text": "Malware authors use injected clicks , custom HTML parsers and SMS receivers to automate the billing process without requiring any interaction from the user .", "spans": {}, "info": {"id": "cyner2_test_001008", "source": "cyner2_test"}} +{"text": "We identified campaigns targeting Thai users and their devices .", "spans": {}, "info": {"id": "cyner2_test_001009", "source": "cyner2_test"}} +{"text": "It searches for mobile banking applications , removes them and uploads counterfeit versions .", "spans": {}, "info": {"id": "cyner2_test_001010", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32/Virut.dr!4BBD3556FA82 Win32.Worm.VB.nv Trojan.Festalco Win32/Tnega.HAWAeO TSPY_COSMU_DD3005E3.UVPA Win.Trojan.Sovfo-1 Trojan.Win32.Cosmu.cdqg Trojan.Zusy.D35D23 Trojan.Win32.Cosmu.ecjywu W32.W.WBNA.mn3B Trojan.DownLoader15.59945 Trojan.Cosmu.Win32.13264 TSPY_COSMU_DD3005E3.UVPA Trojan.Cosmu.hk W32.Trojan.Heur2.Vp.Im0@acxgvrf Trojan/Win32.Cosmu Worm:Win32/Sovfo.A Trojan.Win32.Cosmu.cdqg Trojan/Win32.Cosmu.R109200 Trojan.Cosmu Trojan.Cosmu!t+6saFz/t3s Trojan.Win32.Cosmu Trj/Dtcontx.G Win32/Trojan.24c", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001011", "source": "cyner2_test"}} +{"text": "Distribution via alternative app stores .", "spans": {}, "info": {"id": "cyner2_test_001012", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.PWS.FIU.1.6.6.D Trojan.PWS.FIU.1.6.6.D Trojan.PWS.FIU.1.6.6.D Trojan.Dos.FIU.fpit Win32/PSW.FIU.166 TROJ_PSWFIU166.A Trojan.FIU.166.D Trojan-PSW.Win32.FIU.166.d Trojan.Win32.Z.Fiu.40624[h] Trojan.PWS.FIU.1.6.6.D TrojWare.Win32.PSW.FIU.166 Trojan.PWS.FIU.1.6.6.D Trojan.PWS.Fiu.1666 Trojan.FIU.Win32.16 TROJ_PSWFIU166.A VirTool.TrojConfig TR/FIU.166.D W32/FIU.A!tr.pws Trojan[PSW]/Win32.FIU Troj.PSW32.W.FIU.166.d!c PWS:Win32/Fiu.D Trojan.PWS.FIU.1.6.6.D Trojan.PSW.FIU.166.d Trojan-PWS.Win32.FIU Trojan.PWS.FIU.1.6.6.D", "spans": {"MALWARE: backdoor": [[2, 
10]]}, "info": {"id": "cyner2_test_001013", "source": "cyner2_test"}} +{"text": "] websiteaccounts-fb [ .", "spans": {}, "info": {"id": "cyner2_test_001014", "source": "cyner2_test"}} +{"text": "A backdoor also known as: HW32.Packed.6436 Trojan.Win32.Diple!O Trojan/Injector.dafr Trojan.Johnnie.D3FF8 Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Win32.Inject.aaeih Trojan.Win32.Packed2.edlhvv Trojan.Packed2.38120 Trojan.Injector.Win32.388422 BehavesLike.Win32.Trojan.cc Trojan.Inject.lyz Trojan/Win32.Inject Trojan.Win32.Inject.aaeih Trojan.Inject Trojan.Injector Trojan.Inject!/Yd9s6+AsF8 W32/Filecoder.ED!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001015", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Skeeyah.10874 Trojan/PcClient.ngo Trojan.PcClient.1 HT_PCCLIENT_GF070181.UVPM Win32.Trojan.WisdomEyes.16070401.9500.9989 HT_PCCLIENT_GF070181.UVPM Backdoor.W32.Hupigon.kYKa TrojWare.Win32.PcClient.NOP Trojan.Win32.PcClient", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001016", "source": "cyner2_test"}} +{"text": "Indicators of Compromise ( IoCs ) Package Name Hash ESET detection name com.secure.protect.world F17AEBC741957AA21CFE7C7D7BAEC0900E863F61 Android/Spy.BanBra.A com.brazil.android.free EA069A5C96DC1DB0715923EB68192FD325F3D3CE Android/Spy.BanBra.A MITRE ATT & CK techniques Tactic ID Name Description Initial Access T1475 Deliver Malicious App via Authorized App Store Impersonates security app on Google Play .", "spans": {"ORGANIZATION: ESET": [[52, 56]], "ORGANIZATION: MITRE": [[245, 250]], "SYSTEM: App Store": [[356, 365]], "SYSTEM: Google Play": [[395, 406]]}, "info": {"id": "cyner2_test_001017", "source": "cyner2_test"}} +{"text": "List of commands sewn into the body of the Trojan : Command code Parameters Actions 2 – Sending a list of contacts from the address book of the infected device to the C & C server 7 “ to ” : int Calling the specified number 11 “ to ” : int , “ body ” 
: string Sending an SMS with the specified text to the specified number 19 “ text ” : string , “ n ” : string Sending SMS with the specified text to numbers from the address book of the infected device , with the name of the addressee from the address book substituted into the message text 40 “ text ” : string Shutting down applications with specific names ( antivirus and banking applications ) The set of possible commands is the most significant difference between the various flavors of Asacub .", "spans": {"SYSTEM: address book": [[124, 136], [417, 429], [495, 507]], "MALWARE: Asacub": [[744, 750]]}, "info": {"id": "cyner2_test_001019", "source": "cyner2_test"}} +{"text": "These additional tools bear the hallmarks of a sophisticated attacker which has plagued the financial industry since at least 2013–Carbanak.", "spans": {"MALWARE: tools": [[17, 22]], "THREAT_ACTOR: attacker": [[61, 69]]}, "info": {"id": "cyner2_test_001020", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Razy.D44DD PE_MEWSPY.B-O PE_MEWSPY.B-O Packed.Win32.TDSS.c Trojan.Win32.TDSS.dzwxza TrojWare.Win32.MewsSpy.DA Win32.MewsSpy.42 Trojan.Bayrob.Win32.27338 BehavesLike.Win32.RAHack.nc Virus.Win32.MewsSpy Packed.Tdss.btdb ADWARE/Taranis.2355 Trojan[Packed]/Win32.TDSS Packed.Win32.TDSS.c Trojan.Bayrob Win32/MewsSpy.AE W32/MewsSpy.AE", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001021", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32.HfsAutoB.52A1 Worm/W32.Vifiter.898736 Worm.Email.Vifi W32/Vifiter.worm Worm.P2P.Vifiter!oGKebgYvRAs W32/Vifiter.A W32.HLLW.Vifiter Win32/Vifiter.A BKDR_LITHIUM.B Worm.P2P.Vifiter P2P-Worm.Win32.Vifiter Trojan.Win32.Vifiter-wrm.fslw Worm.Win32.A.P2P-Vifiter.1131056[h] W32.W.Vifiter!c Worm.Win32.Vifiter.A Win32.HLLW.Filter Worm.Vifiter.Win32.1 BKDR_LITHIUM.B W32/Vifiter.worm W32/Vifiter.BMAP-4367 Worm/P2P.Vifiter WORM/Vifiter.2 W32/Vifiter!worm.p2p Trojan[Backdoor]/Win32.Lithium Win32/Vifiter.worm.672350 
Worm:Win32/Vifiter.A Virus.Win32.Heur.l W32/Vifiter.worm Backdoor.Lithium Backdoor.Win32.Lithium Worm.Win32.Vifiter.aa", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001022", "source": "cyner2_test"}} +{"text": "EventBot ’ s request to use accessibility services .", "spans": {}, "info": {"id": "cyner2_test_001024", "source": "cyner2_test"}} +{"text": "Parallax RAT aka, ParallaxRAT has been distributed through spam campaigns or phishing emails with attachments since December 2019.", "spans": {"MALWARE: Parallax RAT": [[0, 12]], "MALWARE: ParallaxRAT": [[18, 29]], "THREAT_ACTOR: spam campaigns": [[59, 73]]}, "info": {"id": "cyner2_test_001026", "source": "cyner2_test"}} +{"text": "An example of FinFisher ’ s spaghetti code is shown below .", "spans": {"MALWARE: FinFisher": [[14, 23]]}, "info": {"id": "cyner2_test_001027", "source": "cyner2_test"}} +{"text": "Last month ESET researchers wrote an article about a new OS X malware called OSX/Keydnap, built to steal the content of OS X's keychain and maintain a permanent backdoor.", "spans": {"ORGANIZATION: ESET researchers": [[11, 27]], "SYSTEM: OS X": [[57, 61]], "MALWARE: malware": [[62, 69]], "MALWARE: OSX/Keydnap,": [[77, 89]], "SYSTEM: OS X's": [[120, 126]], "MALWARE: keychain": [[127, 135]], "MALWARE: permanent backdoor.": [[151, 170]]}, "info": {"id": "cyner2_test_001028", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Joke.Rain Trojan.Zusy.Elzob.D11E7 W32/Joke.WVJV-1809 Win32/Tnega.AKPK Win.Joke.Schmilz-1 Riskware.Win32.Splash.iaxa Variant.Application.Bundler.mDBF Joke.Splash not-virus:Joke.Win32.Splash Win32.Joke.Splash.kcloud Win-Joke/Melt.163927 Joke.Schmilz Joke.Schmilz Joke.Schmilz", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001029", "source": "cyner2_test"}} +{"text": "Google Play Protect is constantly updating detection engines and warning users of malicious apps installed on their device .", "spans": {"SYSTEM: Google Play Protect": 
[[0, 19]]}, "info": {"id": "cyner2_test_001030", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Multi BKDR_PIRPI.YE Win32.Trojan.WisdomEyes.16070401.9500.9998 Backdoor.Trojan BKDR_PIRPI.YE Trojan.Win32.MLW.cyfeos Uds.Dangerousobject.Multi!c BehavesLike.Win32.Downloader.ch Trojan.Win32.Pirpi W32/Backdoor.OJLB-8266 Backdoor:Win32/Pirpi.E!dha Win32.Backdoor.Backdoor.Ug W32/BackDoor.VD!tr Win32/Trojan.Multi.daf", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001031", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 Backdoor.Win32.IRCBot.~EAV Win32.IRC.Bot.based Backdoor.Win32.SdBot Backdoor.IRCBot.jh BDS/Hackarmy.X Backdoor:Win32/Hackarmy.X Backdoor.Hackarmy", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001032", "source": "cyner2_test"}} +{"text": "This data is immediately sent to the cybercriminals and the computer displays the QR code containing a link to the alleged certificate of the online banking system .", "spans": {}, "info": {"id": "cyner2_test_001033", "source": "cyner2_test"}} +{"text": "MD5s : c4c4077e9449147d754afd972e247efc Document.apk 0b8806b38b52bebfe39ff585639e2ea2 WUC ’ s Conference.apk Triada : organized crime on Android Triada is a modular mobile Trojan that actively uses root privileges to substitute system files and uses several clever methods to become almost invisible March 3 , 2016 You know how armies typically move : first come the scouts to make sure everything is ok. 
Then the heavy troops arrive ; at least that was how it used to be before the age of cyber wars .", "spans": {"MALWARE: Triada": [[109, 115], [145, 151]], "SYSTEM: Android": [[137, 144]]}, "info": {"id": "cyner2_test_001034", "source": "cyner2_test"}} +{"text": "Typhon has been in continuous development and a new version named Typhon Reborn was released just several months later of its first release.", "spans": {"MALWARE: Typhon": [[0, 6]], "MALWARE: Typhon Reborn": [[66, 79]]}, "info": {"id": "cyner2_test_001035", "source": "cyner2_test"}} +{"text": "But before we go into the details of what the latest version of Rotexy can do and why it ’ s distinctive , we would like to give a summary of the path the Trojan has taken since 2014 up to the present day .", "spans": {"MALWARE: Rotexy": [[64, 70]]}, "info": {"id": "cyner2_test_001036", "source": "cyner2_test"}} +{"text": "Encryptor RaaS's purveyor created a full web panel for his patrons, accessible only via the Tor network, that enabled them to manage victims' systems.", "spans": {"THREAT_ACTOR: Encryptor RaaS's purveyor": [[0, 25]], "SYSTEM: Tor network,": [[92, 104]], "SYSTEM: victims' systems.": [[133, 150]]}, "info": {"id": "cyner2_test_001037", "source": "cyner2_test"}} +{"text": "Evolution The initial version of the malware dates back to early June 2019 , masquerading as a “ Google Play Verificator ” app .", "spans": {"SYSTEM: Google Play Verificator": [[97, 120]]}, "info": {"id": "cyner2_test_001038", "source": "cyner2_test"}} +{"text": "Two strings are passed into the call , the shortcode and keyword used for SMS billing ( getter methods renamed here for clarity ) .", "spans": {}, "info": {"id": "cyner2_test_001039", "source": "cyner2_test"}} +{"text": "As a rule , bots self-proliferate by sending out text messages with a malicious link to addresses in the victim ’ s address book .", "spans": {}, "info": {"id": "cyner2_test_001040", "source": "cyner2_test"}} +{"text": "The attacker can choose the data types 
to collect , which are written in a certain format .", "spans": {}, "info": {"id": "cyner2_test_001041", "source": "cyner2_test"}} +{"text": "If we look on Ramnit's history, it's hard to exactly pin down which malware family it actually belongs to.", "spans": {"MALWARE: Ramnit's": [[14, 22]], "MALWARE: malware family": [[68, 82]]}, "info": {"id": "cyner2_test_001042", "source": "cyner2_test"}} +{"text": "The attackers behind the EITest campaign have occasionally implemented a social engineering scheme using fake HoeflerText popups to distribute malware targeting users of Google's Chrome browser.", "spans": {"THREAT_ACTOR: The attackers": [[0, 13]], "THREAT_ACTOR: the EITest campaign": [[21, 40]], "MALWARE: malware": [[143, 150]], "SYSTEM: Google's Chrome browser.": [[170, 194]]}, "info": {"id": "cyner2_test_001043", "source": "cyner2_test"}} +{"text": "Extract information on pictures from the Gallery .", "spans": {}, "info": {"id": "cyner2_test_001044", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9897 Trojan.Win32.Midhos.dxoj Trojan.Win32.Inject.dndqbs Trojan.Inject BehavesLike.Win32.Upatre.ch TR/AD.Medfos.ifaaj Trojan/Win32.Midhos Trojan:Win32/Medfos.AF Trojan.Symmi.D52D2 Trojan.Win32.Midhos.dxoj SScope.Trojan.Midhos.2513 Virus.Win32.Cryptor", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001045", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Zusy.D3B7DB Win32.Trojan.WisdomEyes.16070401.9500.9838 TSPY_TINCLEX.SM1 Trojan.DownLoader25.2852 TSPY_TINCLEX.SM1 Backdoor.Win32.Xiclog Backdoor:Win32/Xiclog.A Trojan/Win32.Xiclog.C2155395 Trj/GdSda.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001046", "source": "cyner2_test"}} +{"text": "SSH backdoor that binds to port 2222", "spans": {"MALWARE: SSH backdoor": [[0, 12]]}, "info": {"id": "cyner2_test_001048", "source": "cyner2_test"}} +{"text": "Of course, you have to have the Java Runtime 
Environment installed, which many people do.", "spans": {}, "info": {"id": "cyner2_test_001049", "source": "cyner2_test"}} +{"text": "In November 2018 , a version of the Trojan for the English market appeared in the shape of Gumtree.apk .", "spans": {}, "info": {"id": "cyner2_test_001050", "source": "cyner2_test"}} +{"text": "EventBot is in constant development , as seen with the botnetID string above , which shows consecutive numbering across versions .", "spans": {"MALWARE: EventBot": [[0, 8]]}, "info": {"id": "cyner2_test_001051", "source": "cyner2_test"}} +{"text": "The main reason for developers to choose SMS over traditional payments via Internet is that in the case with SMS no Internet connection is required .", "spans": {}, "info": {"id": "cyner2_test_001052", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Win32.AutoRun!O Worm.Spyonpc WORM_AUTORUN.JEF Win32.Trojan.WisdomEyes.16070401.9500.9999 Backdoor.Trojan.B WORM_AUTORUN.JEF Trojan.Win32.AutoRun.duc Trojan.Win32.AutoRun.ctqtit Trojan/AutoRun.ei Trojan.Heur.RP.EB30B0 Troj.W32.AutoRun.duc!c Trojan.Win32.AutoRun.duc Worm:Win32/Spyonpc.A BScope.Trojan.SvcHorse.01643 Win32.Trojan.Autorun.Sxom Trojan.AutoRun!wA9W6qFisoU Trojan.Win32.Spy Win32/Trojan.2ed", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001053", "source": "cyner2_test"}} +{"text": "The module allows Gooligan to : Steal a user ’ s Google email account and authentication token information Install apps from Google Play and rate them to raise their reputation Install adware to generate revenue Ad servers , which don ’ t know whether an app using its service is malicious or not , send Gooligan the names of the apps to download from Google Play .", "spans": {"MALWARE: Gooligan": [[18, 26], [304, 312]], "ORGANIZATION: Google": [[49, 55]], "SYSTEM: Google Play": [[125, 136], [352, 363]]}, "info": {"id": "cyner2_test_001054", "source": "cyner2_test"}} +{"text": "Red Alert 2.0 is a banking bot that is 
currently very active online , and presents a risk to Android devices .", "spans": {"MALWARE: Red Alert 2.0": [[0, 13]]}, "info": {"id": "cyner2_test_001055", "source": "cyner2_test"}} +{"text": "The attack platform mainly includes Windows and Android, the attack range is mainly for the Middle East region, as of now we have captured a total of 24 Android samples, 19 Windows samples, involving C C domain name 29.", "spans": {"SYSTEM: Windows": [[36, 43]], "SYSTEM: Android,": [[48, 56]], "MALWARE: Android samples, 19 Windows samples,": [[153, 189]]}, "info": {"id": "cyner2_test_001056", "source": "cyner2_test"}} +{"text": "Of these Banload samples, we've seen 2,132 samples during the first six months of 2017.", "spans": {"MALWARE: Banload": [[9, 16]], "MALWARE: samples": [[43, 50]]}, "info": {"id": "cyner2_test_001057", "source": "cyner2_test"}} +{"text": "Data collectors are used in conjunction with repeated commands to collect user data including , SMS settings , SMS messages , Call logs , Browser History , Calendar , Contacts , Emails , and messages from selected messaging apps , including WhatsApp , Twitter , Facebook , Kakoa , Viber , and Skype by making /data/data directories of the apps world readable .", "spans": {"SYSTEM: WhatsApp": [[241, 249]], "SYSTEM: Twitter": [[252, 259]], "SYSTEM: Facebook": [[262, 270]], "SYSTEM: Kakoa": [[273, 278]], "SYSTEM: Viber": [[281, 286]], "SYSTEM: Skype": [[293, 298]]}, "info": {"id": "cyner2_test_001058", "source": "cyner2_test"}} +{"text": "] zqo-japan [ .", "spans": {}, "info": {"id": "cyner2_test_001059", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32/Smalldoor.JZSK TSPY_SPATET.SMT Trojan.Dropper-24471 Win32.HLLW.Autoruner.15386 TSPY_SPATET.SMT TrojanDropper.MSIL.fg TrojanDropper:MSIL/RednibTihs.A Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001060", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9982 
W32.Pws.Stealer TR/Crypt.Xpack.hosv Trojan.Graftor.D47380 Trojan/Win32.Deshacop.R189693 SScope.TrojanRansom.WannaCry", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001061", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32.WansickyG.Trojan Trojan.Win32.Scar!O Worm.Pochi.MF.128 TROJ_SCAR.AD Win32.Trojan.VB.jo W32/VBTrojan.19H!Maximus TROJ_SCAR.AD Trojan.Win32.Scar.ajze Trojan.Win32.Scar.bsvmh Trojan.Win32.A.Scar.108211 Troj.W32.Scar.tp4e Trojan.MulDrop3.4297 Trojan.Scar.Win32.45700 BehavesLike.Win32.Autorun.pm Trojan.Win32.Scar W32/VBTrojan.19H!Maximus Trojan.Scar.jji Trojan/Win32.Scar Trojan.Win32.Scar.ajze Worm:Win32/Pochi.A Trojan.Scar Trj/Scar.N Win32/VB.PSB Trojan.Scar!bkhwPXcAv6E W32/Scar.AJZE!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001064", "source": "cyner2_test"}} +{"text": "Investigation of this domain led to additional domains that appear to have been registered for use with the campaign , but are not in use yet .", "spans": {}, "info": {"id": "cyner2_test_001065", "source": "cyner2_test"}} +{"text": "Additionally , it also writes addresses of dlopen , dlsym , and dlclose into the same region , so that they can be used by the shellcode .", "spans": {}, "info": {"id": "cyner2_test_001066", "source": "cyner2_test"}} +{"text": "] databit [ .", "spans": {}, "info": {"id": "cyner2_test_001067", "source": "cyner2_test"}} +{"text": "Although there does not appear to be any direct evidence in the open source at this time, media reports indicated that U.S. government officials have linked the campaign to Russia.", "spans": {"MALWARE: at": [[76, 78]], "ORGANIZATION: media": [[90, 95]], "ORGANIZATION: U.S. 
government officials": [[119, 144]], "THREAT_ACTOR: campaign": [[161, 169]]}, "info": {"id": "cyner2_test_001068", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32.eHeur.Virus02 Trojan.PWS.Lmir.UNK TrojanPWS.Mapdimp.A5 PWS-OnlineGames.ax Trojan.OnLineGames.Win32.92696 Trojan/PSW.OnLineGames.rydr Trojan.PWS.Lmir.UNK Win32.Trojan-GameThief.OnlineGames.s Infostealer.Gampass TSPY_GAMETHIE.SE Win.Spyware.48189-2 Trojan.PWS.Lmir.UNK Trojan.Win32.OnLineGames.vxxdj Trojan.Win32.PSWIGames.1068692 Troj.GameThief.W32.OnLineGames.lgZ8 Trojan.PWS.Lmir.UNK Trojan.PWS.Lmir.UNK Trojan.PWS.Wsgame.6445 TSPY_GAMETHIE.SE PWS-OnlineGames.ax Virus.Win32.Nilage.NP Trojan[GameThief]/Win32.OnLineGames Win32.Troj.EncodeGameT.am.1035692 PWS:Win32/Mapdimp.A Trojan.PWS.Lmir.UNK Trojan.Win32.Lmir.gfv", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001069", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32.DataboLTSB.Trojan VirTool.VBInject Trojan.FakeMS.ED Trojan/Injector.abip Win32.Trojan.Inject.ba W32.Rontokbro@mm Win32/Inject.TSaKNBD Win.Trojan.Injector-13562 Trojan.Win32.Autoruner1.brmigt Troj.W32.SelfDel.mA4R TrojWare.Win32.Injector.AOO Win32.HLLW.Autoruner1.24454 Trojan.Injector.Win32.169993 BehavesLike.Win32.Trojan.tz Trojan.Win32.Injector TR/Injector.anq Trojan/Win32.Unknown Trojan.Symmi.D2C49 Trojan:Win32/Rontokbro.A Win32/Rontokbro.worm.109512.B Trojan.Injector.ABIP Trojan.Injector!50IGAxMRdFE W32/Injector.ZYM!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001070", "source": "cyner2_test"}} +{"text": "Lures contained subjects related to recent invoices, or other matters requiring the victim's attention, such as an overdue bill.", "spans": {"MALWARE: Lures": [[0, 5]]}, "info": {"id": "cyner2_test_001071", "source": "cyner2_test"}} +{"text": "Using intelligence from our in-depth investigation , Windows Defender ATP can raise alerts for malicious behavior employed by FinFisher ( such as memory 
injection in persistence ) in different stages of the attack kill chain .", "spans": {"SYSTEM: Windows Defender ATP": [[53, 73]], "MALWARE: FinFisher": [[126, 135]]}, "info": {"id": "cyner2_test_001072", "source": "cyner2_test"}} +{"text": "This may also explain the timing in between the apps becoming fully functional and “ incubation. ” As this is a group we have not observed before , we will continue monitoring this campaign for further developments .", "spans": {}, "info": {"id": "cyner2_test_001073", "source": "cyner2_test"}} +{"text": "Figure 1 .", "spans": {}, "info": {"id": "cyner2_test_001074", "source": "cyner2_test"}} +{"text": "7/7/2016 , 1:50 PM Security experts have documented a disturbing spike in a particularly virulent family of Android malware , with more than 10 million handsets infected and more than 286,000 of them in the US .", "spans": {"SYSTEM: Android": [[108, 115]]}, "info": {"id": "cyner2_test_001075", "source": "cyner2_test"}} +{"text": "Cisco What initially drew our interest to this particular malware sample was a tweet published by security researcher on Twitter thanks simpo! 
regarding a Powershell script that he was analyzing that contained the base64 encoded string SourceFireSux", "spans": {"ORGANIZATION: Cisco": [[0, 5]], "MALWARE: malware sample": [[58, 72]], "ORGANIZATION: security researcher": [[98, 117]], "ORGANIZATION: Twitter": [[121, 128]], "ORGANIZATION: simpo!": [[136, 142]], "SYSTEM: Powershell script": [[155, 172]], "MALWARE: SourceFireSux": [[236, 249]]}, "info": {"id": "cyner2_test_001076", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Backdoor.W32.Corum!c Win32.Trojan.WisdomEyes.16070401.9500.9998 W32/Trojan.ZTAP-2170 Backdoor.Frigcase Backdoor.Win32.Corum.b Trojan.PWS.Banker1.24798 Trojan.Win32.Dynamer Trojan.Graftor.D1F11A Backdoor.Win32.Corum.b Backdoor:Win32/Kluch.A Trj/GdSda.A Win32.Backdoor.Corum.Wrzy Win32/Backdoor.a14", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001077", "source": "cyner2_test"}} +{"text": "A backdoor also known as: BackDoor-CCT.dll Bck/Dumador.DS Backdoor.Dumador.ET Backdoor.Dumador.et BackDoor-CCT.dll Backdoor.Win32.Dumador.et Backdoor.Dumador.DD W32/Dumador.DI@bd Backdoor.Nibu W32/Dumador.MZ Backdoor.Win32.Dumador.et Backdoor.Dumador.ET Backdoor.Win32.Dumador.et BackDoor.Dumaru.23 BDS/Dumador.ET.2 BKDR_NIBU.J W32/Dumador.DI@bd Backdoor.Win32.Dumador!IK Trojan.Backdoor.Dumador.ET.2 Backdoor.Win32.Dumador.28672 Backdoor.Dumador.ET Backdoor.Dumador.DD Backdoor.Dumador.jm Backdoor.Win32.Dumador W32/Dumador.T!tr.bdr Bck/Dumador.DS", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001078", "source": "cyner2_test"}} +{"text": "FastPOS initially detected by Trend Micro as TSPY_FASTPOS.SMZTDA was different with the way it removed a middleman and went straight from stealing credit card data to directly exfiltrating them to its command and control C C servers.", "spans": {"MALWARE: FastPOS": [[0, 7]], "ORGANIZATION: Trend Micro": [[30, 41]]}, "info": {"id": "cyner2_test_001079", "source": "cyner2_test"}} +{"text": "Contrary to its 
counterparts, it is not used on mainstream websites or via malvertising attacks but rather it specifically targets Chinese websites and users.", "spans": {}, "info": {"id": "cyner2_test_001080", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Exploit-TaroDrop.e Trojan.Tarodrop.G TROJ_TARODROP.ZKEJ-A TROJ_TARODROP.ZKEJ-A Exploit-TaroDrop.e", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001081", "source": "cyner2_test"}} +{"text": "On June 10, South Korean web hosting company NAYANA was hit by Erebus ransomware detected by Trend Micro as RANSOM_ELFEREBUS.A, infecting 153 Linux servers and over 3,400 business websites the company hosts.", "spans": {"ORGANIZATION: web hosting company NAYANA": [[25, 51]], "MALWARE: Erebus ransomware": [[63, 80]], "ORGANIZATION: Trend Micro": [[93, 104]], "SYSTEM: Linux servers": [[142, 155]], "ORGANIZATION: the company": [[189, 200]], "SYSTEM: hosts.": [[201, 207]]}, "info": {"id": "cyner2_test_001082", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9993 Trojan.Starter.2890 BehavesLike.Win32.Dropper.vh Trojan.MSILPerseus.D210E0", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001083", "source": "cyner2_test"}} +{"text": "In recent months, CrowdStrike has observed limited use of what appears to be a third Sakula variant.", "spans": {"ORGANIZATION: CrowdStrike": [[18, 29]], "MALWARE: third Sakula variant.": [[79, 100]]}, "info": {"id": "cyner2_test_001084", "source": "cyner2_test"}} +{"text": "Our research into the group found that it's been attacking a broad range of industries, including aviation, broadcasting, and finance, to drop back door Trojans.", "spans": {"ORGANIZATION: research": [[4, 12]], "THREAT_ACTOR: group": [[22, 27]], "ORGANIZATION: industries,": [[76, 87]], "ORGANIZATION: aviation, broadcasting,": [[98, 121]], "ORGANIZATION: finance,": [[126, 134]], "MALWARE: back door Trojans.": [[143, 161]]}, "info": 
{"id": "cyner2_test_001085", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32.eHeur.Malware10 Trojan.Bodegun.3 Win32.Trojan.WisdomEyes.16070401.9500.9927 Backdoor.Trojan W32/Farfli.NJ!tr Backdoor:Win32/Shoco.B Trojan.SelfDelete Trj/CI.A Win32/Trojan.198", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001086", "source": "cyner2_test"}} +{"text": "Uploading screenshots of sensitive information", "spans": {}, "info": {"id": "cyner2_test_001087", "source": "cyner2_test"}} +{"text": "It helps the attacker find out which banks the owner of the smartphone calls – the Trojan receives a list of bank phone numbers from its C & C server .", "spans": {}, "info": {"id": "cyner2_test_001088", "source": "cyner2_test"}} +{"text": "When the Trojan is executed, it may connect to one of the following remote locations: [http://]crcchecker.com/in[REMOVED] [http://]msmodule.com/in[REMOVED] [http://]msgetupdt.com/in[REMOVED] [http://]mssendinf.com/in[REMOVED]", "spans": {"MALWARE: Trojan": [[9, 15]]}, "info": {"id": "cyner2_test_001089", "source": "cyner2_test"}} +{"text": "A novel cryptojacking campaign targeting Redis has been uncovered by Cado Labs, the UK-based firm that specialises in security research and development for the digital world's largest online marketplace.", "spans": {"THREAT_ACTOR: cryptojacking campaign": [[8, 30]], "ORGANIZATION: Redis": [[41, 46]], "ORGANIZATION: Cado Labs,": [[69, 79]], "ORGANIZATION: firm": [[93, 97]], "ORGANIZATION: security research": [[118, 135]], "ORGANIZATION: development": [[140, 151]]}, "info": {"id": "cyner2_test_001090", "source": "cyner2_test"}} +{"text": "In December, Microsoft's eSentire published a summary of BatLoader activity whereby Google Search Ads were used to impersonate software such as WinRAR to deliver malicious Windows Installer files.", "spans": {"ORGANIZATION: Microsoft's eSentire": [[13, 33]], "MALWARE: BatLoader": [[57, 66]], "SYSTEM: Google Search Ads": [[84, 101]], "SYSTEM: 
software": [[127, 135]], "SYSTEM: WinRAR": [[144, 150]], "MALWARE: malicious Windows Installer files.": [[162, 196]]}, "info": {"id": "cyner2_test_001092", "source": "cyner2_test"}} +{"text": "The Trojan ’ s list of possible commands has remained practically unchanged throughout its life , and will be described below in detail .", "spans": {}, "info": {"id": "cyner2_test_001093", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Worm/W32.WBNA.75102 VBObfus.da Trojan/Slenfbot.ak Win32.Worm.Autorun.l Win.Packer.VBCrypt-5731541-0 Worm.Win32.WBNA.ipa Trojan.Win32.Z.Wbna.75102 Worm.W32.Wbna!c Trojan.Facebook.297 Worm.Slenfbot.Win32.261 BehavesLike.Win32.Backdoor.lt Trojan.VB Worm.WBNA.eomd Worm.Win32.WBNA.ipa Trojan:Win32/Acbot.A Worm.WBNA Win32.Worm.Wbna.Dxmv", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001094", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Win32.Swizzor.3!O Trojan/EraseMBR.a Win32.Trojan.WisdomEyes.16070401.9500.9912 W32/DistTrack.B W32.Disttrack Win.Trojan.DistTrack-1 Trojan.Win32.EraseMBR.a Trojan.Win32.EraseMBR.elqhim Trojan.Win32.EraseMBR.989184 Win32.Trojan.Erasembr.Phzv Virus.Win32.DistTrac.A Trojan.KillMBR.165 Trojan.EraseMBR.Win32.2 W32/DistTrack.VGNA-8394 Trojan/Win32.EraseMBR Win32.Troj.Undef.kcloud Trojan.Graftor.D9CE0 Troj.W32.EraseMBR.tnis Trojan.Win32.EraseMBR.a Trojan:Win32/WipMBR.A Win-Trojan/Disttrack.989184.B Trojan.EraseMBR!AdfCNAQ/Vbs Trojan.Win32.Disttrack Trojan.Tarkserv.18805 Trj/CI.A Win32/Trojan.3f8", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001095", "source": "cyner2_test"}} +{"text": "In February 2016, Novetta announced a profiling report entitled Operation Blockbuster: Unraveling the Long Thread of Sony Attack in association with global security companies Kaspersky Lab, Symantec, Trend Micro, JPCERT / CC, etc..", "spans": {"ORGANIZATION: Novetta": [[18, 25]], "THREAT_ACTOR: Operation Blockbuster:": [[64, 86]], "ORGANIZATION: 
Sony": [[117, 121]], "ORGANIZATION: global security companies Kaspersky Lab,": [[149, 189]], "ORGANIZATION: Symantec,": [[190, 199]], "ORGANIZATION: Trend Micro,": [[200, 212]], "ORGANIZATION: JPCERT": [[213, 219]], "ORGANIZATION: CC,": [[222, 225]]}, "info": {"id": "cyner2_test_001096", "source": "cyner2_test"}} +{"text": "Corerrelation of the TelePort Crews TTPs and infrastructure leads us to believe the group is closely affiliated with, and may in fact be, the Carbanak Threat Actor.", "spans": {"THREAT_ACTOR: TelePort Crews": [[21, 35]], "SYSTEM: infrastructure": [[45, 59]], "THREAT_ACTOR: group": [[84, 89]], "THREAT_ACTOR: the Carbanak Threat Actor.": [[138, 164]]}, "info": {"id": "cyner2_test_001098", "source": "cyner2_test"}} +{"text": "This allowed it to search for and upload potentially sensitive local files.", "spans": {}, "info": {"id": "cyner2_test_001101", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.BHO Trojan/BHO.rrk Trojan.Adware.Graftor.DB443 Win32/AdClicker.AZ Trojan.Win32.BHO.czvr Trojan.Win32.BHO.bqymi Trojan.Win32.Z.Bho.203776 Backdoor.W32.IRCBot.kYVM TrojWare.Win32.BHO.RU Trojan.BHO.Win32.3468 AdWare.Win32.BHO W32/Trojan.QGGR-1095 Trojan/BHO.jgz TR/BHO.rrk Trojan:Win32/Yenfhur.A Adware.Vumer Trojan.Win32.BHO.czvr Trojan/Win32.BHO.R21503 Win32.Trojan.Bho.Lpcb Trojan.BHO!sZ6oLyvN9vY W32/BHO.NKS!tr Win32/Trojan.10e", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001103", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Virus.Win32.Virut.1!O Trojan.Autoit.Gasonen.A Trojan-Downloader.a W32.Virut.CF Win32/Virut.NBP Virus.Win32.Virut.ce Virus.Win32.Virut.ue Virus.Win32.Virut.Ce Trojan.DownLoader24.36108 Downloader.AutoIt.Win32.", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001104", "source": "cyner2_test"}} +{"text": "However, Dridex is still taking good care of its notorious original business– banking Trojans.", "spans": {"THREAT_ACTOR: Dridex": [[9, 15]]}, 
"info": {"id": "cyner2_test_001105", "source": "cyner2_test"}} +{"text": "If you ’ ve downloaded one of the apps listed in Appendix A , below , you might be infected .", "spans": {}, "info": {"id": "cyner2_test_001106", "source": "cyner2_test"}} +{"text": "It first starts another activity defined in “ org.starsizew.Aa ” to request device administrator privileges , and then calls the following API of “ android.content.pm.PackageManager ” ( the Android package manager to remove its own icon on the home screen in order to conceal the existence of RuMMS from the user : At the same time , ” org.starsizew.MainActivity ” will start the main service as defined in “ org.starsizew.Tb ” , and use a few mechanisms to keep the main service running continuously in the background .", "spans": {"SYSTEM: Android": [[190, 197]], "MALWARE: RuMMS": [[293, 298]]}, "info": {"id": "cyner2_test_001107", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan-Downloader/W32.CWS.15872.C Trojan/Downloader.CWS.s W32/Downloader.NGQ Trojan.Bookmarker Win32/Chopenoz.AT TROJ_DLOADER.CML Win.Downloader.CWS-5 Trojan-Downloader.Win32.CWS.s Trojan.Win32.CWS.whoyd Troj.Downloader.W32.CWS.s!c Trojan.DownLoader.5656 Downloader.CWS.Win32.255 TROJ_DLOADER.CML BehavesLike.Win32.Backdoor.lc W32/Downloader.PTUP-4639 TrojanDownloader.CWS.p W32.Trojan.Relayer-Komforochka TR/Dldr.CWS.ARQ.2 Trojan.Win32.Downloader.15872.P Trojan-Downloader.Win32.CWS.s TrojanDownloader:Win32/Chopanez.A Trojan/Win32.Cws.R71052 TrojanDownloader.CWS Trojan.Krepper!v2daonCoc1Y Trojan-Downloader.Win32.CWS W32/Cwsaq.S!tr Adware/CWS.Yexe", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001108", "source": "cyner2_test"}} +{"text": "Figure 6 – Ransomware component Anubis has been known to utilize Twitter or Telegram to retrieve the C2 address and this sample is no exception ( Figure 7 ) .", "spans": {"MALWARE: Anubis": [[32, 38]], "ORGANIZATION: Twitter": [[65, 72]], "ORGANIZATION: Telegram": [[76, 
84]]}, "info": {"id": "cyner2_test_001109", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Hacktool.Webshell Trojan.Chopper.Win32.2 Backdoor.Hadmad Win.Trojan.Chopper-3 HackTool.Win32.WebShell.cv Trojan.Win32.Chopper.csobpu Trojan.Win32.Z.Chopper.700416 Hacktool.W32.Webshell!c TrojWare.Win32.Chopper.A BackDoor.Chopper.23 BehavesLike.Win32.BadFile.jm Trojan-PWS.Win32.LdPinch W32/Trojan.LZKC-7904 HackTool.WebShell.c TR/Chopper.wsqdz Trojan:Win32/Chopper.A HackTool.Win32.WebShell.cv Trojan/Win32.HDC.C534259 Trj/CI.A Win32.Hacktool.Webshell.Ajlk Win32/Trojan.51c", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001110", "source": "cyner2_test"}} +{"text": "This threat may arrive as an email spammed macro malware which, when opened, socially engineers you to enable it in your PC.", "spans": {"SYSTEM: PC.": [[121, 124]]}, "info": {"id": "cyner2_test_001111", "source": "cyner2_test"}} +{"text": "A backdoor targetting Linux also known as: Unix.Trojan.Mirai-5678467-0 HEUR:Trojan-Downloader.Linux.Mirai.b Trojan.Unix.Dwn.exoczj Troj.Downloader.Linux!c Linux.DownLoader.569 LINUX/Dldr.Mirai.vzbiu HEUR:Trojan-Downloader.Linux.Mirai.b Linux.Trojan-downloader.Mirai.Ecua Trojan-Downloader.Linux.Mirai W32/Mirai.A!tr.dldr virus.elf.mirai.a", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001112", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojandownloader.Script Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Trojan.QNWY-7354 Trojan.Win32.CoinMiner.etwjwz Troj.Downloader.Script!c BehavesLike.Win32.Dropper.jm TrojanDropper:Win32/Sminager.G Exploit.UACSkip Trj/CI.A VBS/CoinMiner.EQ Exploit.UACSkip! 
Win32/Trojan.Downloader.251", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001113", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Win32.Trojan.Spy.Pefj Win32.Trojan.WisdomEyes.16070401.9500.9992 Trojan.DownLoader11.48785 Trojan.Banker.Win32.91178 W32/Trojan.PJQW-4501 TR/Spy.Banker.368582 Trojan:Win32/Qobahk.B Trojan.Zusy.D22440 Trojan/Win32.Banki.C820251 TScope.Trojan.Delf Trojan-Banker.Win32.Banker Win32/Trojan.c01", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001114", "source": "cyner2_test"}} +{"text": "The attackers compromised the website to redirect visitors to an exploit kit which attempted to install malware on selected targets.", "spans": {"THREAT_ACTOR: attackers": [[4, 13]], "MALWARE: exploit kit": [[65, 76]], "MALWARE: malware": [[104, 111]]}, "info": {"id": "cyner2_test_001115", "source": "cyner2_test"}} +{"text": "] clubupload999 [ .", "spans": {}, "info": {"id": "cyner2_test_001116", "source": "cyner2_test"}} +{"text": "A backdoor also known as: TrojanDownloader.Upatre.A4 Trojan.Bublik.Win32.12537 TROJ_UPATRE.SM2 Win32.Trojan.WisdomEyes.16070401.9500.9996 W32/Trojan3.GOF Win32/Tnega.ATTF TROJ_UPATRE.SM2 Trojan.Win32.Bublik.cqqgyg Trojan.DownLoad3.28161 BehavesLike.Win32.Downloader.lm W32/Trojan.SDXU-6768 Trojan/Bublik.ggx TR/Kazy.295577 Trojan/Win32.Bublik Win32.Troj.Bublik.bl.kcloud TrojanDownloader:Win32/Waski.A Trojan/Win32.Zbot.C218571 Trojan.Bublik Trojan.Waski.A Win32/TrojanDownloader.Waski.A Trojan.Bublik!q4FUqHvnUCs W32/Waski.A!tr Win32/Trojan.bee", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001117", "source": "cyner2_test"}} +{"text": "Decrypting the assets After being decrypted , the asset turns into the .dex file .", "spans": {}, "info": {"id": "cyner2_test_001118", "source": "cyner2_test"}} +{"text": "This should be highly alarming to any government agency or enterprise .", "spans": {}, "info": {"id": "cyner2_test_001119", "source": 
"cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Mauvaise.SL1 Backdoor.Farfli Win32.Trojan.WisdomEyes.16070401.9500.9960 Heur.Corrupt.PE Trojan.DownLoader18.34796 TR/Taranis.1439 TrojanDownloader:Win32/Syten.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001120", "source": "cyner2_test"}} +{"text": "Example of using native code for obfuscation Examples of using string concatenation for obfuscation Example of encrypting strings in the Trojan Asacub distribution geography Asacub is primarily aimed at Russian users : 98 % of infections ( 225,000 ) occur in Russia , since the cybercriminals specifically target clients of a major Russian bank .", "spans": {"MALWARE: Asacub": [[144, 150], [174, 180]]}, "info": {"id": "cyner2_test_001121", "source": "cyner2_test"}} +{"text": "But during a recent investigation we found a backdoor that takes a very different approach.", "spans": {}, "info": {"id": "cyner2_test_001122", "source": "cyner2_test"}} +{"text": "A backdoor also known as: VB:Trojan.Valyria.939 Vb.Troj.Valyria!c Trojan.Mdropper X2KM_POWLOAD.THAOEFK VB:Trojan.Valyria.939 VB:Trojan.Valyria.939 Trojan.Ole2.Vbs-heuristic.druvzi VB:Trojan.Valyria.939 VB:Trojan.Valyria.939 X2KM_POWLOAD.THAOEFK TrojanDownloader:O97M/Powdow.F HEUR.VBA.Trojan.e VB:Trojan.Valyria.939 VBA/TrojanDownloader.DIW!tr.dldr virus.office.qexvmc.1095", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001123", "source": "cyner2_test"}} +{"text": "We have noticed that hundreds of the email addresses are associated with enterprise accounts worldwide .", "spans": {}, "info": {"id": "cyner2_test_001124", "source": "cyner2_test"}} +{"text": "Sample of the PlugX malware family", "spans": {"MALWARE: PlugX malware family": [[14, 34]]}, "info": {"id": "cyner2_test_001125", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Win32.Agobot.daqfvn Win32.HLLW.Agobot.1609 Backdoor.Agobot.Win32.4720 RDN/Gaobot.worm!f Backdoor/Agobot.blu 
W32/AgoBot.SSP!tr.bdr Trojan[Backdoor]/Win32.Agobot Trojan.Symmi.428 Backdoor:Win32/Ocivat.A RDN/Gaobot.worm!f Backdoor.Agobot Trj/OCJ.F Win32.Backdoor.Agobot.Pcsf Trojan.Agobot!RVcISK47AgQ Backdoor.Win32.Agobot.ssp Win32/Backdoor.BO.02a", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001126", "source": "cyner2_test"}} +{"text": "A backdoor also known as: TR/FileCoder.129024 W32/Filecoder.EZ!tr Trojan.Zusy.D25F0A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001127", "source": "cyner2_test"}} +{"text": "All Lookout customers are protected from this threat .", "spans": {"ORGANIZATION: Lookout": [[4, 11]]}, "info": {"id": "cyner2_test_001128", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32.Clod1ac.Trojan.2cfd Trojan.Subnix.A Trojan/W32.Subnix.81920 QDel297.dr Trojan.Win32.Subnix.cpbwt Subnix.D TROJ_SUBNIX.A Trojan.Win32.Subnix Trojan.Subnix.A Trojan.Subnix!nbK8wParH3w Trojan.Subnix.A TrojWare.Win32.Subnix.A Trojan.Subnix.A Trojan.Subnix TROJ_SUBNIX.A QDel297.dr Trojan:Win32/Subnix.A Win-Trojan/Subnix.81920 Trojan.Subnix.A W32/Risk.RJJS-1740 Trojan.Subnix Win32/Subnix.A Trojan.Win32.Subnix W32/QDel297.A!tr Trojan.Win32.Subnix.AL", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001130", "source": "cyner2_test"}} +{"text": "This new attack appears to involve the same actors who reused the same techniques to alter the source code of the widely used open source Telnet/SSH client, PuTTY, and used their network of compromised web servers to serve up similar fake Putty download pages.", "spans": {"THREAT_ACTOR: actors": [[44, 50]], "VULNERABILITY: network of compromised web servers": [[179, 213]]}, "info": {"id": "cyner2_test_001131", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Heur.ciTeuaMV96kb Win32.Trojan.WisdomEyes.16070401.9500.9997 Trojan.Win32.Yakes.vqgla Packed.Win32.Klone.~KMG Trojan.PWS.Webmonier.804 Trojan.Yakes.Win32.5199 Trojan-Spy.Frethog 
Trojan/Yakes.elw TR/Obfuscate.C.1823 Trojan/Win32.Yakes PWS:Win32/Chexct.A Troj.GameThief.W32.Magania.l943 Trojan/Win32.OnlineGameHack.R36096 Trojan.Yakes Win32.Trojan.Xytrojan.Lpbj Win32/Trojan.52b", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001132", "source": "cyner2_test"}} +{"text": "The actual amount of money stolen was different in each case, with the average amount around USD$5 million in cash, ranging from USD$3 to USD$10 million.", "spans": {}, "info": {"id": "cyner2_test_001133", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Win32.Swisyn!O Trojan.Swysin.A3 Win32.Trojan.WisdomEyes.16070401.9500.9994 TROJ_DROPPR.SMAI Trojan.Win32.Swisyn.acfk Trojan.Win32.Swisyn.updbv Trojan.Win32.A.Swisyn.100000.H Win32.Trojan.Swisyn.Pfti Trojan.Packed.507 TROJ_DROPPR.SMAI Trojan/Buzus.mfe Trojan/Win32.Swisyn TrojanDropper:Win32/Forcud.A Trojan.Heur.EF59FD Trojan.Win32.Swisyn.acfk Trojan/Win32.Swisyn.R4650 Trojan.Dropper Trojan-Dropper.Win32.Forcud W32/Forcud.A!tr Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001134", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9944 Ransom_HERMES.B Trojan.Win32.Encoder.exsmjb Trojan.Encoder.10700 Ransom_HERMES.B W32.InfoStealer.Zeus W32/Filecoder_Hermes.F!tr Ransom:Win32/Wyhymyz.D Trojan/Win32.Ransomlock.C2400763 Trojan.Ransom.Hermes Ransom.Hermes Win32.Trojan.Filecoder.Hpsg Trojan-Ransom.FileCoder Trj/GdSda.A Win32/Trojan.03f", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001135", "source": "cyner2_test"}} +{"text": "Although this technique is not new, it remains an effective technique for attackers.", "spans": {}, "info": {"id": "cyner2_test_001137", "source": "cyner2_test"}} +{"text": "As we have progressed in our research and uncovered additional attack phases, tooling, and infrastructure as discussed in our recent posting Striking Oil: A Closer Look at Adversary 
Infrastructure it has become apparent that the threat group responsible for the OilRig attack campaign is likely to be a unique, previously unknown adversary.", "spans": {"MALWARE: tooling,": [[78, 86]], "SYSTEM: infrastructure": [[91, 105]], "THREAT_ACTOR: Adversary Infrastructure": [[172, 196]], "THREAT_ACTOR: the threat group": [[225, 241]], "THREAT_ACTOR: the OilRig attack campaign": [[258, 284]], "THREAT_ACTOR: unknown adversary.": [[322, 340]]}, "info": {"id": "cyner2_test_001138", "source": "cyner2_test"}} +{"text": "Conclusion The “ Corona Updates ” app had relatively low downloads in Pakistan , India , Afghanistan , Bangladesh , Iran , Saudi Arabia , Austria , Romania , Grenada , and Russia .", "spans": {}, "info": {"id": "cyner2_test_001140", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Patched.Shopperz.1 Trojan.DllPatcher.A4 PTCH_NOPLE.SMA Trojan.Mentono!inf PTCH_NOPLE.SMA Trojan.Patched.Shopperz.1 Trojan.Win32.Patched.qw Trojan.Patched.Shopperz.1 Trojan.Win32.Patched.ejthtr TrojWare.Win32.Patched.AP Trojan.Patched.Shopperz.1 Trojan.Hosts.37524 Trojan.Win32.Patched Trojan/Win32.Patched.ap Trojan.Patched.Shopperz.1 Trojan.Win32.Patched.qw Win-Trojan/Patched.DY Virus.Win32.Patched.qwb W32/Patched.AP!tr Win32/Trojan.133", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001141", "source": "cyner2_test"}} +{"text": "More and more smartphone and tablet owners use their devices to access websites , unaware that even the most reputable resources can be hacked .", "spans": {}, "info": {"id": "cyner2_test_001142", "source": "cyner2_test"}} +{"text": "While not all SMS-based IAP applications steal user data, we recently identified that the Chinese Taomike SDK has begun capturing copies of all messages received by the phone and sending them to a Taomike controlled server.", "spans": {"SYSTEM: SMS-based IAP applications": [[14, 40]], "MALWARE: Chinese Taomike SDK": [[90, 109]]}, "info": {"id": "cyner2_test_001143", 
"source": "cyner2_test"}} +{"text": "Zscaler ThreatLabz has been tracking the Nokoyawa ransomware family and its predecessors including Karma and Nemty ransomware.", "spans": {"ORGANIZATION: Zscaler": [[0, 7]], "ORGANIZATION: ThreatLabz": [[8, 18]], "MALWARE: the Nokoyawa ransomware family": [[37, 67]], "MALWARE: Karma": [[99, 104]], "MALWARE: Nemty ransomware.": [[109, 126]]}, "info": {"id": "cyner2_test_001144", "source": "cyner2_test"}} +{"text": "Data collectors : dump all existing content on the device into a queue .", "spans": {}, "info": {"id": "cyner2_test_001145", "source": "cyner2_test"}} +{"text": "A backdoor also known as: EXP/Pidief.EB.860 Exp.Pidief.Eb!c Trojan:Win32/Pdfphish.AA Trojan.Win32.Pdfphish Win32/Trojan.Exploit.ca2", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001146", "source": "cyner2_test"}} +{"text": "The com.dsufabunfzs.dowiflubs strings in the screenshot above refer to the internal name this particular malware was given , which in this case was randomized into alphabet salad .", "spans": {}, "info": {"id": "cyner2_test_001148", "source": "cyner2_test"}} +{"text": "The last time I saw the HoelferText popup, it was sending Spora ransomware link, but now it s Mole ransomware.", "spans": {"MALWARE: HoelferText": [[24, 35]], "MALWARE: Spora ransomware": [[58, 74]], "MALWARE: Mole ransomware.": [[94, 110]]}, "info": {"id": "cyner2_test_001149", "source": "cyner2_test"}} +{"text": "The message translates roughly to “ You got a photo in MMS format : hxxp : //yyyyyyyy.XXXX.ru/mms.apk. 
” So far we identified seven different URLs being used to spread RuMMS in the wild .", "spans": {"MALWARE: RuMMS": [[168, 173]]}, "info": {"id": "cyner2_test_001150", "source": "cyner2_test"}} +{"text": "The Marcher banking malware uses two main attack vectors .", "spans": {"MALWARE: Marcher": [[4, 11]]}, "info": {"id": "cyner2_test_001151", "source": "cyner2_test"}} +{"text": "Stegoloader's modular design allows its operator to deploy modules as necessary, limiting the exposure of the malware capabilities during investigations and reverse engineering analysis.", "spans": {"MALWARE: Stegoloader's": [[0, 13]], "MALWARE: malware": [[110, 117]]}, "info": {"id": "cyner2_test_001152", "source": "cyner2_test"}} +{"text": "The victims created the majority of the data from May 2013 to December 2013.", "spans": {}, "info": {"id": "cyner2_test_001153", "source": "cyner2_test"}} +{"text": "This week, Proofpoint researchers observed the now infamous man-in-the-browser MITB banking malware Dyre experimenting with new ways to deliver spam attachments.", "spans": {"ORGANIZATION: Proofpoint researchers": [[11, 33]], "MALWARE: man-in-the-browser MITB banking malware Dyre": [[60, 104]]}, "info": {"id": "cyner2_test_001154", "source": "cyner2_test"}} +{"text": "Unlike other applications within the Microsoft Office suite, Microsoft Publisher does not support a Protected View mode.", "spans": {"SYSTEM: applications": [[13, 25]], "SYSTEM: the Microsoft Office suite, Microsoft Publisher": [[33, 80]], "SYSTEM: Protected View mode.": [[100, 120]]}, "info": {"id": "cyner2_test_001155", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Ransom_HPLOCKY.SME W32/Trojan2.ZCC Trojan.Hachilem Win32/Tnega.VYF Ransom_HPLOCKY.SME Win.Trojan.Hider-5 Trojan.Click.16602 BehavesLike.Win32.Trojan.dc W32/Trojan.LJTW-7715 Trojan/PSW.Almat.dfp Trojan:Win32/Adclicker.AU Trojan.Heur.EACEB7 Trj/Clicker.AKQ", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001156", "source": 
"cyner2_test"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.MSIL.Crypt.gblb Trojan.Win32.Crypt.exngtv Trojan.Inject3.2514 Trojan.MSIL.Crypt TR/Dropper.MSIL.abtme Trojan.Razy.D3D634 Trojan.MSIL.Crypt.gblb Trojan.SteamStealer Trj/GdSda.A MSIL/Kryptik.MNQ!tr Win32/Trojan.a01", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001157", "source": "cyner2_test"}} +{"text": "Anonymous proxies play an important role in protecting one's privacy while on the Internet; however, when unsuspecting individuals have their systems turned into proxies without their consent, it can create a dangerous situation.", "spans": {"SYSTEM: Anonymous proxies": [[0, 17]], "ORGANIZATION: Internet;": [[82, 91]], "THREAT_ACTOR: individuals": [[119, 130]], "SYSTEM: systems": [[142, 149]], "SYSTEM: proxies": [[162, 169]]}, "info": {"id": "cyner2_test_001158", "source": "cyner2_test"}} +{"text": "The Gaza cybergang is an Arabic-language, politically-motivated cybercriminal group, operating since 2012 and actively targeting the MENA Middle East North Africa region.", "spans": {"THREAT_ACTOR: The Gaza cybergang": [[0, 18]], "THREAT_ACTOR: Arabic-language, politically-motivated cybercriminal group,": [[25, 84]]}, "info": {"id": "cyner2_test_001159", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.DownLoader9.6249 BehavesLike.Win32.Mydoom.nc W32/Trojan.CMRE-8473 WORM/Dramnudge.csjup Worm:Win32/Dramnudge.A Trojan.Jaik.D47C2 BScope.Trojan.IRCbot Virus.Win32.Virut", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001161", "source": "cyner2_test"}} +{"text": "In this paper, we cover the details of their tools, whom they target, and offer a rare glimpse into", "spans": {}, "info": {"id": "cyner2_test_001162", "source": "cyner2_test"}} +{"text": "The more interesting one was a targeted attack towards the Secretary General of Taiwan's Government office – Executive Yuan.", "spans": {"ORGANIZATION: the 
Secretary General of Taiwan's Government office": [[55, 106]], "ORGANIZATION: Executive Yuan.": [[109, 124]]}, "info": {"id": "cyner2_test_001163", "source": "cyner2_test"}} +{"text": "The “ boot ” module has placeholder classes for the entry points of the infected applications .", "spans": {}, "info": {"id": "cyner2_test_001164", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32.VariantScarC.Trojan Trojan/W32.Scar.1595904 Worm.Macoute.S559150 Worm.PasswordStealer/Variant W32.Pholdicon Trojan.DownLoader22.23546 Trojan.Scar.Win32.54986 BehavesLike.Win32.Dropper.tz Trojan.Win32.Scar Trojan/Scar.agsm Trojan.Keylogger.8 Worm:Win32/Macoute.A Trojan/Win32.Scar.R160138 Trojan.Scar Worm.PasswordStealer", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001165", "source": "cyner2_test"}} +{"text": "The provider ’ s website described how the code 7494 can be used to provide a series of payment-related capabilities .", "spans": {}, "info": {"id": "cyner2_test_001166", "source": "cyner2_test"}} +{"text": "collect intelligence in support of foreign and security policy decision-making. 
continue successfully compromising their targets, as well as in their ability to operate with impunity.", "spans": {}, "info": {"id": "cyner2_test_001167", "source": "cyner2_test"}} +{"text": "A backdoor also known as: HW32.Packed.ADC1 Win32.Trojan.WisdomEyes.16070401.9500.9988 BKDR_HPQAKBOT.SMD16 Trojan.Win32.Kryptik.euukvm Trojan.Inject2.62570 BKDR_HPQAKBOT.SMD16 BehavesLike.Win32.Trojan.gc W32/Trojan.HFDB-6851 TR/Crypt.ZPACK.uyunz Trojan.Razy.D36246 Backdoor/Win32.QBot.C2234313 Trj/GdSda.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001168", "source": "cyner2_test"}} +{"text": "changeActivity command The webview injects are not hosted on the C2 , they are hosted on a completely different server .", "spans": {}, "info": {"id": "cyner2_test_001169", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Inject.IA Trojan.Win32.Yakes!O Trojan.Inject.IA TROJ_WIGON.SM Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Pandex!gm TROJ_WIGON.SM Trojan.Inject.IA Trojan.Win32.DNSChanger.zfu Trojan.Inject.IA TrojWare.Win32.Wigon.DC Trojan.Inject.IA BackDoor.Bulknet.739 BehavesLike.Win32.Pykse.ch Trojan.Inject.IA Trojan.Win32.DNSChanger.zfu Packed/Win32.Katusha.C93684 Trojan.Inject.IA W32/Cutwail.RU!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001170", "source": "cyner2_test"}} +{"text": "The nature and geographic spread of the targets seems to point to a sponsor, or sponsors, with regional, political interests.", "spans": {}, "info": {"id": "cyner2_test_001171", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.MSIL Trojan.Kazy.D2EF3D Win32.Trojan.WisdomEyes.16070401.9500.9687 Infostealer.Derusbi TROJ_DERUSBI.AJ Trojan.Win32.Dwn.dtkwki Trojan.DownLoader12.9606 TROJ_DERUSBI.AJ W32/Trojan.FOPB-8219 Trojan/MSIL.eynz Backdoor:MSIL/Njogv.A Trojan/Win32.Nbdd.C255258 Trj/CI.A W32/BDoor.FGI!tr.bdr Win32/Trojan.f1b", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": 
"cyner2_test_001172", "source": "cyner2_test"}} +{"text": "The message was a snippet from the article of USA Today, and has a ZIP archive called The Murtadd Vote.zip", "spans": {"ORGANIZATION: USA Today,": [[46, 56]]}, "info": {"id": "cyner2_test_001173", "source": "cyner2_test"}} +{"text": "The Perkele Android Trojan not only attacks Russian users but also clients of several European banks .", "spans": {"MALWARE: Perkele": [[4, 11]]}, "info": {"id": "cyner2_test_001174", "source": "cyner2_test"}} +{"text": "In the areas marked ‘ { text } ’ Rotexy displays the text it receives from the C & C .", "spans": {"MALWARE: Rotexy": [[33, 39]]}, "info": {"id": "cyner2_test_001176", "source": "cyner2_test"}} +{"text": "Attackers exploiting HP OpenView via CVE-2010-1553 to deliver malicious payloads", "spans": {"THREAT_ACTOR: Attackers": [[0, 9]], "SYSTEM: HP OpenView": [[21, 32]], "MALWARE: malicious payloads": [[62, 80]]}, "info": {"id": "cyner2_test_001177", "source": "cyner2_test"}} +{"text": "Upon analysis , we discovered that this is a decoy functionality and no new payload is generated .", "spans": {}, "info": {"id": "cyner2_test_001179", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.DownLoader7.3270 BehavesLike.Win32.Dropper.lh PWS:Win32/Yahoopass.M Trojan.Zusy.D60ED Trojan.Win32.A.Downloader.81920.VA Dropper/Win32.Daws.R47114 W32/ZLob.BBDE!tr.spy", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001180", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Packed.Win32.TDSS!O Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Win32.FSPM.etswnp Trojan.MulDrop7.44563 BehavesLike.Win32.VBObfus.mc Trojan.Razy.D35F46 PWS:Win32/Tendcef.A Trj/GdSda.A Trojan.NewHeur_VB_Trojan W32/VB.NXC!tr Trojan/Win32.lssj.2cc.rgrk", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001181", "source": "cyner2_test"}} +{"text": "A backdoor also known as: 
W32/Trojan.RRTN-3169 Trj/GdSda.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001182", "source": "cyner2_test"}} +{"text": "A backdoor also known as: AutoIt.Trojan.Injector.bq BehavesLike.Win32.Downloader.vh Trojan.Autoit Trojan:AutoIt/Injector.H W32/Injector.COJ!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001183", "source": "cyner2_test"}} +{"text": "Although we have observed low volume spam campaigns by some cybercriminals who have purchased MWI, we recently discovered spearphishing emails by one group using MWI to direct an attack against point-of-sale POS service providers.", "spans": {"THREAT_ACTOR: cybercriminals": [[60, 74]], "MALWARE: MWI,": [[94, 98]], "THREAT_ACTOR: group": [[150, 155]], "MALWARE: MWI": [[162, 165]], "ORGANIZATION: point-of-sale POS service providers.": [[194, 230]]}, "info": {"id": "cyner2_test_001184", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32/Evid.EJLF-8760 Trojan.Win32.ULPM.etlpga ApplicUnsaf.Win32.Tool.EvID4226 BehavesLike.Win32.Trojan.cz W32/Evid.B HackTool:Win32/Evidpatch.A RiskWare.TCPIPPatcher.A Backdoor.Win32.Virkel.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001185", "source": "cyner2_test"}} +{"text": "In the same timeframe of the Komplex attacks, we collected several weaponized documents that use a tactic previously not observed in use by the Sofacy group.", "spans": {"MALWARE: Komplex": [[29, 36]], "THREAT_ACTOR: the Sofacy group.": [[140, 157]]}, "info": {"id": "cyner2_test_001186", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32.OnGamesFHKAGBAAG.Trojan Trojan/W32.Exploder.43542 Trojan.Win32!O Trojan.Exploder.AX Win32.Trojan.WisdomEyes.16070401.9500.9851 Win.Trojan.ActiveX-3 Trojan.Win32.Exploder Trojan.Win32.Exploder.gtwc Troj.W32.Exploder.l5lq Win32.Trojan.Exploder.Eop TrojWare.AX.Exploder Trojan.Exploder Trojan.Exploder.Win32.1 W32/Trojan.CBQC-1258 Trojan/ActiveX.Exploder TR/NetList.acy 
Trojan/Win32.Exploder Trojan.Zusy.D41ADC Trojan.Win32.Exploder.29184 Trojan.Win32.Exploder Trojan.Exploder!ToBFf1990Jg Trojan.Win32.Exploder Trojan.ActiveX.Exploder", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001187", "source": "cyner2_test"}} +{"text": "Should a device become infected , this backdoor can not be removed without root privilege .", "spans": {}, "info": {"id": "cyner2_test_001188", "source": "cyner2_test"}} +{"text": "A backdoor also known as: TrojanDownloader.Pedrp Trojan.Zusy.DF27 Downloader.Pengdoloder TROJ_PEDRP.AA Trojan.Win32.Pedrp.bcibql Trojan.Click2.44676 TROJ_PEDRP.AA W32/Trojan.UPQQ-8147 TR/Dldr.Pedrp.A TrojanDownloader:Win32/Pedrp.A Trojan.DL.Pedrp!zhWe6bBNULk Trojan-Downloader.Win32.Pedrp W32/DwnLdr.JTQ!tr Win32/Trojan.669", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001189", "source": "cyner2_test"}} +{"text": "A backdoor also known as: HW32.Packed.3448 Trojan.Ddos.Boxed.A Trojan/W32.DDoS.27718 Trojan.Ddos.Boxed.A Trojan.Ddos.Boxed.A Trojan.Win32.Boxed.fqap Win32/DDoS.Boxed.M Trojan.QHosts.G Trojan.Win32.DDoS-Boxed.27718.B[h] Win32.Trojan-ddos.Boxed.Wlfe Trojan.Ddos.Boxed.A Worm.Win32.Robobot._0 Trojan.Ddos.Boxed.A Flooder.Boxed Tool.Boxed.Win32.13 BehavesLike.Win32.Backdoor.mc Trojan-DDoS.Boxed.a Trojan[DDoS]/Win32.Boxed Trojan.Ddos.Boxed.A Win-Trojan/Boxed.60185 DDoS:Win32/Horst.AK TrojanDDoS.Boxed Trojan.Ddos.Boxed.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001190", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Exploit.Sqlhuc.A Trojan-Exploit/W32.Sqlhuc.61440 Exploit.W32.SQLhuc.a!c Trojan/Exploit.SQLhuc.a Trojan.Exploit.Sqlhuc.A Win32.Trojan.WisdomEyes.16070401.9500.9604 Win.Trojan.Exploit-436 Trojan.Exploit.Sqlhuc.A Exploit.Win32.SQLhuc.a Trojan.Exploit.Sqlhuc.A Exploit.Win32.SQLhuc.ikewf Trojan.Exploit.Sqlhuc.A Exploit.Dameware Exploit.SQLhuc.Win32.13 Exploit.SQLhuc.a Trojan[Exploit]/Win32.SQLhuc Exploit.Win32.SQLhuc.a 
Trojan.Exploit.Sqlhuc.A Exploit.SQLhuc Win32.Exploit.Sqlhuc.dovt Exploit.SQLhuc!yHLnpmu0I0s Exploit.Win32.SQLhuc", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001191", "source": "cyner2_test"}} +{"text": "With this blog series we will be sharing our research analysis with the research and broader security community , starting with the PHA family , Zen .", "spans": {"MALWARE: Zen": [[145, 148]]}, "info": {"id": "cyner2_test_001192", "source": "cyner2_test"}} +{"text": "The website uses a different fixed twitter account ( https : //twitter.com/fdgoer343 ) .", "spans": {"ORGANIZATION: twitter": [[35, 42]]}, "info": {"id": "cyner2_test_001194", "source": "cyner2_test"}} +{"text": "We deployed our IR team andtechnologyand immediately identified two sophisticated adversaries on the network – COZY BEAR and FANCY BEAR.", "spans": {"ORGANIZATION: IR team": [[16, 23]], "THREAT_ACTOR: adversaries": [[82, 93]], "THREAT_ACTOR: COZY BEAR": [[111, 120]], "THREAT_ACTOR: FANCY BEAR.": [[125, 136]]}, "info": {"id": "cyner2_test_001195", "source": "cyner2_test"}} +{"text": "The configuration file contains a list of financial applications that can be targeted by EventBot .", "spans": {"MALWARE: EventBot": [[89, 97]]}, "info": {"id": "cyner2_test_001196", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Downloader.Small.Win32.93529 Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Win32.Small.edqjmf TrojWare.MSIL.TrojanDownloader.Small.ANH Trojan.DownLoader22.5786 TR/Dropper.ihejz TrojanDownloader:MSIL/Samll.GM!bit Trojan/Win32.Small.R187245 Trojan-Downloader.MSIL.Small Trj/Downloader.WKR", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001197", "source": "cyner2_test"}} +{"text": "Each sample contains a userId hardcoded , meaning that each sample can only be used in a victim .", "spans": {}, "info": {"id": "cyner2_test_001199", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32.SalemiG.Trojan 
Trojan-Clicker/W32.Small.94208.B Trojan-Clicker.Win32.Small!O Backdoor.Jepesroot Trojan.Clicker.Small Trojan.Zusy.D177ED TROJ_CLICKER.EXY Win32.Trojan.WisdomEyes.16070401.9500.9993 W32/Trojan.OOJA-2903 Trojan.Downbot TROJ_CLICKER.EXY Trojan-Clicker.Win32.Small.alj Trojan.Win32.Small.ecxxnx Troj.Clicker.W32.Small.alj!c Trojan.Click2.56222 Trojan.Small.Win32.19361 Trojan-Clicker.Win32.Small TrojanClicker.Small.bzp TR/Spy.94208.966 Trojan[Clicker]/Win32.Small Backdoor:Win32/Jepesroot.A Trojan-Clicker.Win32.Small.alj TrojanClicker.Small Win32.Trojan.Small.Fic Trojan.CL.Small!2UY0dzWAQPY W32/Small.ALJ!tr Win32/Trojan.Clicker.7c4", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001200", "source": "cyner2_test"}} +{"text": "] ee Backend server xyz [ .", "spans": {}, "info": {"id": "cyner2_test_001201", "source": "cyner2_test"}} +{"text": "What did surprise us though was what password combination was first to be hit; ubnt/ubnt.", "spans": {}, "info": {"id": "cyner2_test_001202", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.DownLoad.6018 TrojanDownloader:Win32/Seimon.D Trojan.DL.Win32.Mnless.des Virus.Win32.Crypt.CHY Downloader.Tiny.W", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001203", "source": "cyner2_test"}} +{"text": "In fact, the malware authors' intention was to cause damage, so they did all that they could to make data decryption very unlikely.", "spans": {"THREAT_ACTOR: malware authors'": [[13, 29]]}, "info": {"id": "cyner2_test_001204", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9789 Backdoor.Trojan W32/Trojan.IJEJ-0016 Trojan:Win32/Piver.A Trj/GdSda.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001205", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Razy.D182C6 Win32.Trojan.WisdomEyes.16070401.9500.9999 Win32.Trojan.Cerber.Ecaz Trojan.DownLoader22.58394 
BehavesLike.Win32.BadFile.ph TR/Crypt.ZPACK.shqbd TrojanDownloader:Win32/Aningik.A Trojan/Win32.Injector.C2272311 TrojanDropper.Injector Trj/GdSda.A W32/Kryptik.FQRH!tr Win32/Trojan.0eb", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001206", "source": "cyner2_test"}} +{"text": "Our research team was able to identify several instances of this activity by cross-referencing data from breached devices with Google Play app reviews .", "spans": {"SYSTEM: Google Play": [[127, 138]]}, "info": {"id": "cyner2_test_001207", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Neutrinopos Troj.Banker.W32.Neutrinopos!c TSPY_EMOTET.SMD3 Win32.Trojan.WisdomEyes.16070401.9500.9993 W32/Trojan.UKAG-9003 Win.Trojan.Emotet-6443084-0 Trojan-Banker.Win32.NeutrinoPOS.aob Trojan.Win32.NeutrinoPOS.exlwaa Trojan.DownLoad4.218 BehavesLike.Win32.MultiPlug.dc TR/Crypt.Xpack.ngfuq Trojan[Banker]/Win32.NeutrinoPOS Trojan:Win32/Awkolo.A Trojan.Trojan.Crypt.21 Trojan.Win32.Z.Neutrinopos.233984 Trojan/Win32.Hermesran.C2375358 Trojan-Banker.Win32.NeutrinoPOS.aob W32/Kryptik.GBHF!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001208", "source": "cyner2_test"}} +{"text": "To date, two periods of high activity have been identified following the initial attack. These were in May and October 2016.", "spans": {}, "info": {"id": "cyner2_test_001209", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan/W32.Deshacop.1549312 Ransom.Haknata.S1240226 Ransom_AIRACROP.SM Ransom.Haknata!g1 Ransom_AIRACROP.SM Trojan-Ransom.Win32.Xpan.f Trojan.Win32.Deshacop.enxprt TrojWare.Win32.Ransom.XRatLocker.D Trojan.Encoder.11112 Trojan.Xpan.Win32.2 Trojan.Xpan.b Ransom:Win32/Haknata.A!rsm Trojan.Win32.Ransom.1549312 Trojan-Ransom.Win32.Xpan.f Trojan/Win32.Ransom.C1926988 Hoax.Xpan Ransom.NMoreira Trojan-Ransom.Win32.Xpan.f Trojan.Xpan! 
Win32.Trojan-Ransom.XPan.B", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001210", "source": "cyner2_test"}} +{"text": "We also saw a lot of copycats use HiddenTear in local attacks.", "spans": {"MALWARE: HiddenTear": [[34, 44]]}, "info": {"id": "cyner2_test_001211", "source": "cyner2_test"}} +{"text": "Location services to enable ( GPS/network ) tracking : The email command and control protocol .", "spans": {}, "info": {"id": "cyner2_test_001212", "source": "cyner2_test"}} +{"text": "When inserted , this method runs every time any Activity object in any Android app is created .", "spans": {}, "info": {"id": "cyner2_test_001213", "source": "cyner2_test"}} +{"text": "This customer is a global technology company, which deployed Skycure's Enterprise Mobile Threat Defense solution for all iOS and Android devices within their organization.", "spans": {"ORGANIZATION: customer": [[5, 13]], "ORGANIZATION: global technology company,": [[19, 45]], "SYSTEM: Skycure's Enterprise Mobile Threat Defense solution": [[61, 112]], "SYSTEM: iOS": [[121, 124]], "SYSTEM: Android devices": [[129, 144]], "ORGANIZATION: organization.": [[158, 171]]}, "info": {"id": "cyner2_test_001214", "source": "cyner2_test"}} +{"text": "] it server3fi.exodus.connexxa [ .", "spans": {}, "info": {"id": "cyner2_test_001215", "source": "cyner2_test"}} +{"text": "The following is the code routine for video capturing .", "spans": {}, "info": {"id": "cyner2_test_001216", "source": "cyner2_test"}} +{"text": "FIN7 has moved away from weaponized Microsoft Office macros in order to evade detection.", "spans": {"THREAT_ACTOR: FIN7": [[0, 4]], "MALWARE: Microsoft Office macros": [[36, 59]]}, "info": {"id": "cyner2_test_001217", "source": "cyner2_test"}} +{"text": "PoshCoder has been encrypting files with PowerShell since 2014, and the new variant named PowerWare was reported in March 2016.", "spans": {"MALWARE: PoshCoder": [[0, 9]], "SYSTEM: PowerShell": [[41, 51]], "MALWARE: variant named 
PowerWare": [[76, 99]]}, "info": {"id": "cyner2_test_001219", "source": "cyner2_test"}} +{"text": "Previous reports alleged this surveillanceware tool was deployed using ‘ honey traps ’ where the actor behind it would reach out to targets via fake social media profiles of young women .", "spans": {}, "info": {"id": "cyner2_test_001220", "source": "cyner2_test"}} +{"text": "Its targets? Mostly rural banks.", "spans": {}, "info": {"id": "cyner2_test_001221", "source": "cyner2_test"}} +{"text": "EventBot is a mobile banking trojan and infostealer that abuses Android ’ s accessibility features to steal user data from financial applications , read user SMS messages , and steal SMS messages to allow the malware to bypass two-factor authentication .", "spans": {"MALWARE: EventBot": [[0, 8]], "SYSTEM: Android": [[64, 71]]}, "info": {"id": "cyner2_test_001222", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan/Delf.okv TROJ_SPNR.07E313 Win32.Trojan.WisdomEyes.16070401.9500.9758 Trojan.Blackrev TROJ_SPNR.07E313 Win.Trojan.BlackRev-1 Backdoor.Win32.Botan.g Trojan.Win32.Botan.brdkmd Backdoor.W32.Botan.g!c BehavesLike.Win32.Downloader.dh Trojan[Backdoor]/Win32.Botan Trojan.Heur.DP.ED2FCD Backdoor.Win32.Botan.g Trojan:Win32/Blaruv.A Backdoor/Win32.Botan.R68943 Backdoor.Botan Win32.Backdoor.Botan.bqxd Backdoor.Botan!qG6ElS48lO0 W32/Botan.G!tr.bdr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001223", "source": "cyner2_test"}} +{"text": "Check Point analyzed Yingmob ’ s Umeng account to gain further insights into the HummingBad campaign and found that beyond the 10 million devices under the control of malicious apps , Yingmob has non-malicious apps installed on another 75 million or so devices .", "spans": {"ORGANIZATION: Check Point": [[0, 11]], "ORGANIZATION: Yingmob": [[21, 28], [184, 191]], "MALWARE: HummingBad": [[81, 91]]}, "info": {"id": "cyner2_test_001224", "source": "cyner2_test"}} +{"text": "GreenDispenser provides an 
attacker the ability to walk up to an infected ATM and drain its cash vault.", "spans": {"MALWARE: GreenDispenser": [[0, 14]], "THREAT_ACTOR: attacker": [[27, 35]]}, "info": {"id": "cyner2_test_001225", "source": "cyner2_test"}} +{"text": "The time bomb triggers unpacker thread .", "spans": {}, "info": {"id": "cyner2_test_001226", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan-PSW.Win32.IcqSmiley!O Trojan.Comisproc Win32.Trojan.WisdomEyes.16070401.9500.9989 W32/PWStealer.ALC TROJ_SMALL.FUG Win.Trojan.Killav-128 Trojan.Win32.KillAV.ko Trojan.Win32.IcqSmiley.lfar Trojan.Win32.PSWIcqSmiley.318464 Backdoor.W32.Rbot.leZz TrojWare.Win32.TrojanDropper.Delf.~EP Trojan.MulDrop3.64513 TROJ_SMALL.FUG BehavesLike.Win32.Rontokbro.gc W32/PWS.KAIY-5570 BAT/KillAV.OF Trojan/Win32.KillAV PWS:Win32/Icqsmiley.C Trojan.Win32.KillAV.ko Trojan/Win32.Icqsmiley.R2458 TrojanPSW.IcqSmiley Trj/Bifrose.ADX Win32.Trojan.Killav.Lmko Trojan.PWS.IcqSmiley.CT Trojan-PWS.Win32.IcqSmiley", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001227", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Win32.Pendix.hkft WS.Reputation.1 Win32/Tnega.HKQ Trojan.DL.Pendix!lutuOvIGAUo TrojWare.Win32.TrojanDownloader.Small.DO Trojan.DownLoad.31536 TR/Dldr.Pendix.C.4 Win32.TrojDownloader.Small.kcloud TrojanDownloader:Win32/Pendix.C Win-Trojan/Xema.variant TrojanDownloader.Pendix Worm.Win32.Viking.pf Trojan.Crypt.XPACK W32/Dloader.AC!tr.dldr Downloader.Small.61.AQ", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001228", "source": "cyner2_test"}} +{"text": "Together , during the latter half of 2018 , we worked to remove the apps from the Play store while it was being deployed in the wild .", "spans": {"SYSTEM: Play store": [[82, 92]]}, "info": {"id": "cyner2_test_001230", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Win32.Exploit.Rpclsa.Akyn Win32.Trojan.WisdomEyes.16070401.9500.9998 Hacktool.LsassSba 
Win.Trojan.Packed-85 Exploit.Win32.RPCLsa.01.c Trojan.Win32.RPCLsa.fzmz TrojWare.Win32.PkdMorphine.~AN Exploit.Lsass BehavesLike.Win32.Dropper.mc W32/Risk.UYXY-7581 Packed.Morphine.a HackTool:Win32/Lasba.A Exploit.Win32.RPCLsa.01.c Exploit.RPCLsa.01 Win32/Exploit.RPCLsa.01.C", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001232", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan/W32.HackTool.45056.D HackTool.Win32.IPCCrack Win32/HackTool.IPCCrack.A W32/Downloader.ZNW Hacktool.IPCscan Hacktool.Ipccrack HackTool.Win32.IPCCrack Trojan.Hacktool.Ipccrack.A HackTool.Win32.IPCCrack Tool.IPCcrack Win32/HackTool.IPCCrack.A SPR/Hackto.IPCCrack W32/Downloader.ZNW HackTool.Win32.IPCCrack!IK Riskware.Hackto.IPCCrack Trojan.Hacktool.Ipccrack.A Win-Trojan/IPCHack.45056 HackTool.Win32.IPCCrack HackTool.EB", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001233", "source": "cyner2_test"}} +{"text": "The energy sector in Europe and North America is being targeted by a new wave of cyber attacks that could provide attackers with the means to severely disrupt affected operations.", "spans": {"ORGANIZATION: The energy sector": [[0, 17]], "THREAT_ACTOR: attackers": [[114, 123]]}, "info": {"id": "cyner2_test_001234", "source": "cyner2_test"}} +{"text": "By : Tony Bao , Junzhi Lu April 14 , 2020 We discovered a potential cyberespionage campaign , which we have named Project Spy , that infects Android and iOS devices with spyware ( detected by Trend Micro as AndroidOS_ProjectSpy.HRX and IOS_ProjectSpy.A , respectively ) .", "spans": {"MALWARE: Project Spy": [[114, 125]], "SYSTEM: Android": [[141, 148]], "SYSTEM: iOS": [[153, 156]], "ORGANIZATION: Trend Micro": [[192, 203]]}, "info": {"id": "cyner2_test_001235", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Worm/W32.FileInfector.74752 Trojan.Win32.Antavmu!O Trojan.Antavmu.D7 Variant.Kazy.mC6j Trojan/Antavmu.jws Win32.Trojan.WisdomEyes.16070401.9500.9984 
Win32/Antavmu.HM TSPY_ANTAVMU_BK08301E.TOMC Win.Trojan.Antavmu-112 Virus.DOS.Moctezuma.2416 Trojan.Win32.Antavmu.dhwgp Trojan.Win32.A.Antavmu.74752 TrojWare.Win32.KillFiles.NEH Trojan.MulDrop7.61508 BehavesLike.Win32.Dropper.lh Backdoor.Poison TR/Antavmu.doena RiskWare[RiskTool]/Win32.Killfiles.neh Trojan:Win32/Antavmu.D Worm.Antavmu Virus.DOS.Moctezuma.2416 Trojan/Win32.Antavmu.R25058 Moctezuma.2416", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001236", "source": "cyner2_test"}} +{"text": "Malware code showing definition of populateConfigMap Figure 14 .", "spans": {}, "info": {"id": "cyner2_test_001237", "source": "cyner2_test"}} +{"text": "Earlier this week Symantec released a blog post detailing a new Trojan used by the Duke' family of malware.", "spans": {"ORGANIZATION: Symantec": [[18, 26]], "MALWARE: Trojan": [[64, 70]], "MALWARE: Duke' family of malware.": [[83, 107]]}, "info": {"id": "cyner2_test_001238", "source": "cyner2_test"}} +{"text": "This Pokémon is known for hiding in the night, which is an appropriate characteristic for a rootkit. 
We detect Umbreon under the ELF_UMBREON family.", "spans": {"MALWARE: rootkit.": [[92, 100]], "MALWARE: Umbreon": [[111, 118]], "MALWARE: family.": [[141, 148]]}, "info": {"id": "cyner2_test_001239", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32.Virut.G Dropper.Injector.Win32.74722 Win32.Trojan.WisdomEyes.16070401.9500.9918 W32/Trojan.KWXU-0317 Worm.Win32.AutoIt.akx Win32.Worm.Autoit.Syrr BehavesLike.Win32.Downloader.bh Worm.Win32.AutoIt Worm:Win32/Wervik.A Worm.Win32.AutoIt.akx Dropper/Win32.Autoit.R153775 Trojan.Autoit.Wirus Win32/Autoit.IV W32/AutoIt.AKX!worm", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001241", "source": "cyner2_test"}} +{"text": "The adware functionality is the same in all the apps we analyzed .", "spans": {}, "info": {"id": "cyner2_test_001242", "source": "cyner2_test"}} +{"text": "In our previous analysis MalwareBytes we showed how the Bunitu Trojan was distributed via the Neutrino exploit kit in various malvertising campaigns.", "spans": {"ORGANIZATION: MalwareBytes": [[25, 37]], "MALWARE: Bunitu Trojan": [[56, 69]], "MALWARE: Neutrino exploit kit": [[94, 114]], "THREAT_ACTOR: malvertising campaigns.": [[126, 149]]}, "info": {"id": "cyner2_test_001243", "source": "cyner2_test"}} +{"text": "A backdoor also known as: HW32.Packed.43A8 Backdoor.W32.Bifrose!c Win32.Trojan.WisdomEyes.16070401.9500.9999 Backdoor.Bifrose Win32/Bifrost.D BKDR_BIFROSE.A Win.Trojan.Packed-85 Backdoor.Win32.Bifrose.uw Trojan.Win32.Bifrose.whnua Backdoor.Win32.A.Bifrose.185028 Trojan.Proxy.993 BKDR_BIFROSE.A BehavesLike.Win32.Sdbot.cc Packed.Morphine.a Backdoor.Win32.Bifrose.uw BackDoor-CEP.svr Win32/Bifrose.E Backdoor.Bifrose.LV Win32/Backdoor.b41", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001244", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan-GameThief.Win32.Nilage!O Trojan.Bitman Troj.Ransom.W32.Bitman!c Trojan.Zusy.D10181 Ransom_Bitman.R002C0DAD18 
Win32.Trojan.WisdomEyes.16070401.9500.9824 Ransom_Bitman.R002C0DAD18 Trojan-Ransom.Win32.Bitman.acpk Trojan.Win32.Dwn.rggld Packed.Win32.TDSS.~AA Trojan.DownLoader5.23077 BehavesLike.Win32.Spyware.mm not-a-virus:PSWTool.Win32.PassView.b TrojanDownloader:Win32/Xolondox.A Win32.Trojan.Bitman.Pfta", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001245", "source": "cyner2_test"}} +{"text": "Some variants have gone so far as to use a different key for the strings of each class .", "spans": {}, "info": {"id": "cyner2_test_001246", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Worm.Dorkbot.I4 Trojan.Graftor.D1F4E7 TROJ_KRYPTK.SM37 Win32.Trojan.WisdomEyes.16070401.9500.9999 Win32/Inject.BIM TROJ_KRYPTK.SM37 Trojan.Win32.Inject.ctewuy Trojan.Inject2.23 Trojan.Injector.Win32.224146 Backdoor/Androm.cbq Trojan[Backdoor]/Win32.Androm Win32.Hack.Androm.bl.kcloud Trojan/Win32.Androm.R95438 TScope.Malware-Cryptor.SB Trj/Crilock.C Virus.Win32.Cryptor", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001249", "source": "cyner2_test"}} +{"text": "Their publicly advertised products include CCTV management systems , surveillance drones , face and license plate recognition systems .", "spans": {}, "info": {"id": "cyner2_test_001250", "source": "cyner2_test"}} +{"text": "Proofpoint wrote about the DroidJack RAT side-loaded with the Pokemon GO app back in July 2016 ; the difference here is that there is no game included in the malicious package .", "spans": {"ORGANIZATION: Proofpoint": [[0, 10]], "MALWARE: DroidJack RAT": [[27, 40]], "SYSTEM: Pokemon GO": [[62, 72]]}, "info": {"id": "cyner2_test_001251", "source": "cyner2_test"}} +{"text": "This indicates that the authors are trying to hide some messages showed by the system during the setup process .", "spans": {}, "info": {"id": "cyner2_test_001252", "source": "cyner2_test"}} +{"text": "Our logs show a number of simultaneous Red Alert 2.0 campaigns in operation , many ( 
but not all ) hosted on dynamic DNS domains .", "spans": {"MALWARE: simultaneous Red Alert 2.0 campaigns": [[26, 62]]}, "info": {"id": "cyner2_test_001253", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.DownLoad.33363 TrojanClicker:Win32/Befeenk.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001254", "source": "cyner2_test"}} +{"text": "Once on the device , as installed by a duped user , the TrickMo component opens and sends an intent to start the accessibility settings activity , coercing the user to grant it with accessibility permissions .", "spans": {"MALWARE: TrickMo": [[56, 63]]}, "info": {"id": "cyner2_test_001255", "source": "cyner2_test"}} +{"text": "Embedding malicious code in legitimate programs helps conceal infections from the victim .", "spans": {}, "info": {"id": "cyner2_test_001256", "source": "cyner2_test"}} +{"text": "This figure demonstrates the following interesting information : The time range when threat actors distributed RuMMS on those shared-hosting websites is from January 2016 to March 2016 .", "spans": {"MALWARE: RuMMS": [[111, 116]]}, "info": {"id": "cyner2_test_001257", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Worm.Lehs.A W32/Lehs.A@mm W32/Lehs.A@mm Win32.Lehs Win32.Lehs.A@mm W32/Lehs.A@mm Worm.Win32.Lehs.A W32/Lehs.A@mm Win32.Lehs.a Worm:Win32/Lehs.A Win32/Lehs.A Worm.Win32.Lehs.A Worm.Win32.Lehs.A I-Worm/Lehs.A W32/Lehs.A.worm", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001258", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32.HfsAutoB.81FD Backdoor.MSIL Win32.Trojan.WisdomEyes.16070401.9500.9747 W32/Trojan.UVNP-1836 Trojan.Win32.TPM.ewgpwa Win32.Trojan.Crypt.Sunr BehavesLike.Win32.PUP.tc Backdoor.MSIL.ycb Trj/CI.A Riskware.Themida! 
Trojan-Ransom.Win32.Blocker", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001259", "source": "cyner2_test"}} +{"text": "During our analysis, we were able communicate directly with the command and control server as recently as early June 2017.", "spans": {}, "info": {"id": "cyner2_test_001260", "source": "cyner2_test"}} +{"text": "In 2007, he reportedly stopped working on it and sold the source code for an estimated $700.", "spans": {}, "info": {"id": "cyner2_test_001261", "source": "cyner2_test"}} +{"text": "The number to call is received along with the command , as seen in Figure 9 .", "spans": {}, "info": {"id": "cyner2_test_001262", "source": "cyner2_test"}} +{"text": "If users allow such apps to be installed , then it can be actively installed on the victim ’ s device .", "spans": {}, "info": {"id": "cyner2_test_001263", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 Ransom_CERBER.SMALY0 Trojan.Win32.Encoder.etbotv Ransom_CERBER.SMALY0 BehavesLike.Win32.PWSZbot.cc W32/Locky.FWSD!tr.ransom Ransom:Win32/Cryproto.B Win-Trojan/RansomCrypt.Exp Ransom.Locky Trojan-Ransom.Locky", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001264", "source": "cyner2_test"}} +{"text": "It spreads through public The Shadow Brokers NSA dump SMB exploits: ETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE and ETERNALSYNERGY, along with related programs: DOUBLEPULSAR, ARCHITOUCH and SMBTOUCH.", "spans": {"VULNERABILITY: SMB exploits:": [[54, 67]], "MALWARE: ETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE": [[68, 112]], "MALWARE: ETERNALSYNERGY,": [[117, 132]], "MALWARE: DOUBLEPULSAR, ARCHITOUCH": [[162, 186]], "MALWARE: SMBTOUCH.": [[191, 200]]}, "info": {"id": "cyner2_test_001265", "source": "cyner2_test"}} +{"text": "In September 2022, a Rust-based version of Nokoyawa ransomware was released.", "spans": {"SYSTEM: Rust-based": [[21, 31]], "MALWARE: Nokoyawa ransomware": [[43, 62]]}, 
"info": {"id": "cyner2_test_001266", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.PWS.OnlineGames.WNE Trojan-Dropper.Win32.Delf!O Trojan.Nagram PWS-Hook.dll Dropper.Delf.Win32.716 W32.W.Bagle.kZt7 Trojan/Dropper.Delf.rd Trojan.PWS.OnlineGames.WNE Win32.Trojan.WisdomEyes.16070401.9500.9995 W32/Risk.KWGR-4694 Trojan.PWS.QQPass Win.Trojan.Dropper-12698 Trojan-PSW.Win32.QQPass.ji Trojan.PWS.OnlineGames.WNE Trojan.Win32.QQPass.bwvfwk Trojan.PWS.OnlineGames.WNE Trojan.PWS.OnlineGames.WNE Trojan.PWS.Qqpass.97 BehavesLike.Win32.Backdoor.mc W32/Dropper.CTB Trojan/PSW.QQPass.abt TR/Drop.Del.rd.41.A Trojan[PSW]/Win32.QQPass Win32.Troj.PswQQDao.kg.kcloud Trojan.Win32.A.PSW-QQPass.21742[UPX] Trojan-PSW.Win32.QQPass.ji Trojan.PWS.OnlineGames.WNE Trojan/Win32.OnlineGameHack.R2041 Trojan.PWS.OnlineGames.WNE TrojanDropper.Delf Trojan.DR.Delf!tjmeRDZWpSg Trojan-Dropper.Delf W32/HookGetMage.A!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001267", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Rocalog Trojan.Win32.EncPkMR.lwtoq Virus.Win32.Trojan DangerousObject.Multi.bik Trojan:Win32/Rocalog.A Trj/CI.A Trojan.Rocalog!WvnhEr62E+Q", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001268", "source": "cyner2_test"}} +{"text": "Geo-location .", "spans": {}, "info": {"id": "cyner2_test_001269", "source": "cyner2_test"}} +{"text": "The said technique brings the advantage of avoiding auto-start extensibility points ( ASEP ) scanners and programs that checks for binaries installed as service ( for the latter , the service chosen by FinFisher will show up as a clean Windows signed binary ) .", "spans": {"MALWARE: FinFisher": [[202, 211]], "SYSTEM: Windows": [[236, 243]]}, "info": {"id": "cyner2_test_001270", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Rootkit.Win32.Winnti!O Trojan.Winnti Trojan/Winnti.o RTKT_WINNTI.B W32/Trojan.PBJZ-5532 Hacktool.Rootkit RTKT_WINNTI.B 
Trojan.Win32.Winnti.wtomi Rootkit.W32.Winnti!c Win32.Exploit.Winnti.Wptr Trojan.NtRootKit.14417 Rootkit.Winnti.Win32.3 Rootkit.Patchun.b RKIT/Winnti.o Trojan[Rootkit]/Win32.Winnti Trojan.Zusy.Elzob.D5138 Trojan:Win64/Winnti.A Win-Trojan/Rootkit.14208 TScope.Malware-Cryptor.SB Rootkit.Winnti!QT0JRa+Uack W32/Winnti.O!tr.rkit Win32/RootKit.Rootkit.45b", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001271", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32.eHeur.Malware10 Trojan-Downloader.Win32.Geral!O Worm.Dogkild.c4 Trojan/Downloader.Geral.mwu TROJ_KILLAV.SMT Win32.Trojan.WisdomEyes.16070401.9500.9987 W32/Downldr2.ILRE Trojan.KillAV TROJ_KILLAV.SMT Win.Trojan.Downloader-29041 Trojan-Downloader.Win32.Geral.mwu Trojan.Win32.Geral.vutjb Trojan.Win32.Downloader.17668.C Trojan-Downloader:W32/Geral.E Trojan.MulDrop5.33035 Downloader.Geral.Win32.3073 Trojan-Downloader.Win32.Geral Trojan/AntiAV.ake Worm:Win32/Dogkild.C TR/Killav.P.1 Trojan[Downloader]/Win32.Geral Trojan-Downloader.Win32.Geral.mwu Worm:Win32/Dogkild.C W32/Spamta.QO.worm Win32.Trojan-downloader.Geral.Wqdc Trojan.DL.Geral!8LJu9xHMBVQ W32/KILLAV.SMT!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001273", "source": "cyner2_test"}} +{"text": "Encounter In early 2019 , the Check Point Research team observed a surge of Android malware attack attempts against users in India which had strong characteristics of Janus vulnerability abuse ; All samples our team collected during preliminary investigation had the ability to hide their app icons and claim to be Google related updaters or vending modules ( a key component of Google Play framework ) .", "spans": {"ORGANIZATION: Check Point": [[30, 41]], "SYSTEM: Android": [[76, 83]], "VULNERABILITY: Janus": [[167, 172]], "ORGANIZATION: Google": [[315, 321]], "SYSTEM: Google Play": [[379, 390]]}, "info": {"id": "cyner2_test_001274", "source": "cyner2_test"}} +{"text": "Collection of IOCs related to 
targeting of civil society by Botherder", "spans": {"ORGANIZATION: civil society by Botherder": [[43, 69]]}, "info": {"id": "cyner2_test_001275", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Tipsac HackTool:Win32/Certsteal.C Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001276", "source": "cyner2_test"}} +{"text": "To collect the victim's OTP Token combination and proceed with previously prepared fraudulent.", "spans": {}, "info": {"id": "cyner2_test_001277", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Ransom.CardSome Backdoor.Ratenjay MSIL.Trojan-Ransom.CardSome.A TR/RedCap.ugxeq Trj/GdSda.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001278", "source": "cyner2_test"}} +{"text": "An investigation by The Intercept indicates that this targeting was likely not an isolated event.", "spans": {"ORGANIZATION: The Intercept indicates": [[20, 43]]}, "info": {"id": "cyner2_test_001280", "source": "cyner2_test"}} +{"text": "If he doesn ’ t have Viber , the generically-named System Updates app gets downloaded and installed instead .", "spans": {}, "info": {"id": "cyner2_test_001281", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Banker.Android.1352 Android.Trojan.Banker.BV Other:Android.Reputation.2 Infostealer.Bancos Android/Spy.Banker.FU Android.Trojan.Banker.BV A.H.Rog.Ntdmn Trojan.Android.Hidden.efxvou Trojan:Android/Marcher.J Android.Hidden.177 ZIP/PWS.OSOY-64 ANDROID/Spy.Banker.sewvt Android.Trojan.Banker.BV Android-Trojan/Slocker.36a0a Trojan.AndroidOS.Marcher.A a.gray.andrsca.f", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001282", "source": "cyner2_test"}} +{"text": "Today's diary shares indicators from the infection.", "spans": {}, "info": {"id": "cyner2_test_001284", "source": "cyner2_test"}} +{"text": "A backdoor also known as: HackTool.Win32.Wpakill HackTool:Win32/Wpakill.B HackTool.WpaKill 
HackTool.Wpakill!SOi5swsIFpg", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001287", "source": "cyner2_test"}} +{"text": "We will be sharing our findings as we are able on this page and perhaps even open sourcing some aspects of our analysis.", "spans": {}, "info": {"id": "cyner2_test_001288", "source": "cyner2_test"}} +{"text": "A backdoor also known as: RiskTool.Win32.Inject!O HackTool.Injectxin Backdoor/Poison.aylh W32/Risk.MYRU-5193 Win32/Poison.DZ Trojan-Spy.Win32.ICQ.vir Trojan.Win32.Poison.bmhcw Backdoor.Win32.Poison.268800 ApplicUnwnt.Win32.ToolInj.2688000 Tool.Inject.9 Backdoor.Poison.Win32.18709 W32/MalwareS.BACP Backdoor/Poison.dzl W32.Backdoor.Poisonivy SPR/Tool.inj.268800 RiskWare[RiskTool]/Win32.Inject.f Trojan.Strictor.D128EF Backdoor/Win32.Poison.R2075 TScope.Trojan.Delf Trj/CI.A Win32.Trojan-spy.Icq.Ajln Backdoor.Poison!ABxqWHF7KMk", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001289", "source": "cyner2_test"}} +{"text": "But TrickMo does things differently .", "spans": {"MALWARE: TrickMo": [[4, 11]]}, "info": {"id": "cyner2_test_001290", "source": "cyner2_test"}} +{"text": "In fact, Retefe is already around since November 2013.", "spans": {"MALWARE: Retefe": [[9, 15]]}, "info": {"id": "cyner2_test_001291", "source": "cyner2_test"}} +{"text": "One of the tell-tale signs of an obfuscated malware is the absence of code that defines the classes declared in the manifest file .", "spans": {}, "info": {"id": "cyner2_test_001292", "source": "cyner2_test"}} +{"text": "Since a full proof of concept for CVE-2016-0189 vulnerability was published on GitHub, Zscaler ThreatLabZ has been closely tracking its proliferation.", "spans": {"VULNERABILITY: vulnerability": [[48, 61]], "ORGANIZATION: GitHub, Zscaler ThreatLabZ": [[79, 105]]}, "info": {"id": "cyner2_test_001293", "source": "cyner2_test"}} +{"text": "We also found similarities in two older samples disguised as a Google service and , subsequently , as a 
music app after further investigation .", "spans": {"ORGANIZATION: Google": [[63, 69]]}, "info": {"id": "cyner2_test_001294", "source": "cyner2_test"}} +{"text": "This indicated a unique skillset, well above the average DDoS botnet master.", "spans": {"MALWARE: DDoS botnet master.": [[57, 76]]}, "info": {"id": "cyner2_test_001295", "source": "cyner2_test"}} +{"text": "It is a worrying observation .", "spans": {}, "info": {"id": "cyner2_test_001296", "source": "cyner2_test"}} +{"text": "Kaspersky Internet Security for Android detects all three of Triada ’ s modules , so it can save your money from cybercriminals that are behind Triada .", "spans": {"SYSTEM: Kaspersky Internet Security": [[0, 27]], "SYSTEM: Android": [[32, 39]], "MALWARE: Triada": [[61, 67], [144, 150]]}, "info": {"id": "cyner2_test_001297", "source": "cyner2_test"}} +{"text": "Note: For a technical walk-through of RTF and its commonly exploited vulnerabilities, we recommend readers take a look at this post by RSA Engineering s Kevin Douglas.", "spans": {"MALWARE: RTF": [[38, 41]], "MALWARE: exploited": [[59, 68]], "VULNERABILITY: vulnerabilities,": [[69, 85]], "MALWARE: at": [[119, 121]], "ORGANIZATION: RSA Engineering s Kevin Douglas.": [[135, 167]]}, "info": {"id": "cyner2_test_001298", "source": "cyner2_test"}} +{"text": "We decided to take a peek under the hood of a modern member of the Asacub family .", "spans": {"MALWARE: Asacub": [[67, 73]]}, "info": {"id": "cyner2_test_001299", "source": "cyner2_test"}} +{"text": "This one is a remote access trojan typically used to spy on people's activities or take control of their computers for whatever end the attacker wants to reach.", "spans": {"MALWARE: a remote access trojan": [[12, 34]], "SYSTEM: computers": [[105, 114]], "THREAT_ACTOR: attacker": [[136, 144]]}, "info": {"id": "cyner2_test_001300", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Alien W32/Trojan.BTOY-6638 Trojan.Win32.Alien.bvw Trojan.Win32.Banker1.eseoat 
Troj.W32.Alien!c Win32.Trojan.Alien.Wuhb Trojan.PWS.Banker1.23328 TrojanDownloader.Delf.aeli TR/Crypt.fkm.amqdk Trojan:Win32/BrobanLaw.D!bit Trojan.Jacard.D10501 Trojan.Win32.Alien.bvw Trojan-Dropper.Win32.Delf Trj/CI.A Win32/Trojan.de4", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001301", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan-Dropper.Win32.PurityScan!O Spyware.MediaTicketsCDT Trojan.LowZones Win.Dropper.Purityscan-3 Trojan-Dropper.Win32.PurityScan.y Win32.Trojan-dropper.Purityscan.Pbpf Trojan.PurityAd.origin TrojanDropper.PurityScan.a TR/Drop.PurityScan.G.31 Trojan[Dropper]/Win32.PurityScan TrojanDropper:Win32/PurityScan.Y Trojan-Dropper.Win32.PurityScan.y Worm/Win32.IRCBot.R135632 Adware.PurityScan Trojan.DR.PurityScan!ZdsVRGhHA2E Trojan-Dropper.Win32.PurityScan.Q W32/PurityScan.2!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001303", "source": "cyner2_test"}} +{"text": "Android shell A new package was added that allows the execution of commands in the Android shell .", "spans": {"SYSTEM: Android": [[0, 7], [83, 90]]}, "info": {"id": "cyner2_test_001304", "source": "cyner2_test"}} +{"text": "Despite the targeted nature of the spearphishing emails, the payload was the widely distributed Vawktrak banking Trojan.", "spans": {"MALWARE: payload": [[61, 68]], "MALWARE: Vawktrak banking Trojan.": [[96, 120]]}, "info": {"id": "cyner2_test_001305", "source": "cyner2_test"}} +{"text": "We searched for the base64 encoded value which was referenced in the tweet, and were able to identify a sample that had been uploaded to the public malware analysis sandbox, Hybrid Analysis.", "spans": {"SYSTEM: tweet,": [[69, 75]], "MALWARE: sample": [[104, 110]], "MALWARE: malware": [[148, 155]], "SYSTEM: sandbox,": [[165, 173]]}, "info": {"id": "cyner2_test_001306", "source": "cyner2_test"}} +{"text": "The attackers sent phishing emails to companies in the fields of manufacturing, energy, and the 
Internet in many European and Asian countries with the subject of product quotations, and discovered an attack against a domestic company.", "spans": {"THREAT_ACTOR: The attackers": [[0, 13]], "ORGANIZATION: companies": [[38, 47]], "ORGANIZATION: manufacturing, energy,": [[65, 87]], "ORGANIZATION: the Internet": [[92, 104]], "ORGANIZATION: a domestic company.": [[215, 234]]}, "info": {"id": "cyner2_test_001307", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Gudra.A7 Trojan/Gudra.a TROJ_GUDRA_EK160090.UVPM TROJ_GUDRA_EK160090.UVPM Trojan:Win32/Gudra.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001308", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32.eHeur.Virus02 Virus.Win32.Sality!O Trojan.Inject.Win32.179720 Trojan.Symmi.D1345D Trojan.Win32.Inject.ewwzof BehavesLike.Win32.VTFlooder.nc Trojan.Injector W32/Trojan.RKSR-6539 Variant.Zusy.nm Win32/Trojan.724", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001309", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32.VaritanoH.Trojan Trojan.Win32.Zcrypt.1!O Trojan/Buzus.mrww Trojan.Symmi.D219C TROJ_RANSOM.SMWX Win32.Trojan.WisdomEyes.16070401.9500.9692 Trojan.Ransomlock!g32 TROJ_RANSOM.SMWX Trojan.Win32.Inject.ccrpqp Trojan.Win32.A.Buzus.101376.H Win.Troj.Downloader.Dapato.lEzW Trojan.DownLoader.36324 Virus.Win32.Cryptor Trojan/Buzus.bjmw Trojan/Win32.Unknown Trojan:Win32/Nagderr.A Spyware/Win32.Zbot.R45824 Worm.Dorkbot.1312 W32/Asprox.B!tr Win32/Trojan.e6d", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001310", "source": "cyner2_test"}} +{"text": "The attackers accomplished much of this with JavaScript they placed on the media organization's website.", "spans": {"THREAT_ACTOR: attackers": [[4, 13]]}, "info": {"id": "cyner2_test_001311", "source": "cyner2_test"}} +{"text": "The infamous Sednit espionage group is currently using the Hacking Team exploits disclosed earlier this week to 
target eastern European institutions.", "spans": {"THREAT_ACTOR: Sednit espionage group": [[13, 35]], "ORGANIZATION: Hacking Team": [[59, 71]], "ORGANIZATION: eastern European institutions.": [[119, 149]]}, "info": {"id": "cyner2_test_001312", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan/Downloader.Delf.abd Trojan.DL.Delf!OrZGbLJDQAk W32/Downloader.KHL W32/DLoader.NJP Win32/Pazscorer.A Win32.Delf.abd Trojan.Downloader.Delf-180 Trojan-Downloader.Win32.Delf.abd Trojan.Downloader.Delf.D TrojWare.Win32.TrojanDownloader.Delf.NCE Trojan.Downloader.Delf.D Trojan.DownLoader.32027 DR/DLoader.aae Trojan-Downloader.Win32.Delf.abd!IK TrojanDownloader.Delf.abfd TrojanDropper:Win32/Delf.DJ Trojan.Win32.A.Downloader.289792.K Trojan.Downloader.Delf.D W32/Downloader.KHL TrojanDownloader.Delf.lbw Win32/TrojanDownloader.Delf.NCE Trojan.DL.Delf.abx Trojan-Downloader.Win32.Delf.abd W32/Delf.ABD!tr Trj/Downloader.GUT", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001313", "source": "cyner2_test"}} +{"text": "The Lazarus Group has been responsible for several operations since at least 2009, including the attack that affected Sony Pictures Entertainment in 2014.", "spans": {"THREAT_ACTOR: The Lazarus Group": [[0, 17]], "THREAT_ACTOR: operations": [[51, 61]], "ORGANIZATION: Sony Pictures Entertainment": [[118, 145]]}, "info": {"id": "cyner2_test_001314", "source": "cyner2_test"}} +{"text": "To protect yourself from these threats , FireEye suggests that users : Take caution before clicking any links where you are not sure about the origin .", "spans": {"ORGANIZATION: FireEye": [[41, 48]]}, "info": {"id": "cyner2_test_001315", "source": "cyner2_test"}} +{"text": "Volexity works closely with several human rights and civil society organizations.", "spans": {"ORGANIZATION: Volexity": [[0, 8]], "ORGANIZATION: civil society organizations.": [[53, 81]]}, "info": {"id": "cyner2_test_001316", "source": "cyner2_test"}} +{"text": "] orgaryastark [ .", 
"spans": {}, "info": {"id": "cyner2_test_001317", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Backdoor/W32.Farfli.13824 TjnDownldr.Nystprac.S35843 Win32.Trojan.WisdomEyes.16070401.9500.9949 BKDR_ZEGOST.SM32 Backdoor.Win32.Farfli.ajly Trojan.Win32.Farfli.elvztf Win32.Backdoor.Farfli.Akza Trojan.DownLoader21.53580 BKDR_ZEGOST.SM32 TrojanDownloader:Win32/Nystprac.A Backdoor.Win32.Farfli.ajly Trojan/Win32.Farfli.R182355 Backdoor.Farfli Trojan.ServStart Backdoor.Farfli!/eZlV447elU Win32/Trojan.Downloader.9e5", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001318", "source": "cyner2_test"}} +{"text": "We observed a few variants of attacks exploiting CVE-2015-0097 that are using the same PoC to create a .doc exploit.", "spans": {"VULNERABILITY: exploiting": [[38, 48]], "MALWARE: PoC": [[87, 90]], "MALWARE: exploit.": [[108, 116]]}, "info": {"id": "cyner2_test_001319", "source": "cyner2_test"}} +{"text": "Based on the organization website , it also proposes services and developed zero-day vulnerabilities to test their own products : Zero-day research from lokd.com We can see that the organization owner still has an interest in Android devices .", "spans": {"VULNERABILITY: zero-day vulnerabilities": [[76, 100]], "ORGANIZATION: lokd.com": [[153, 161]], "SYSTEM: Android": [[226, 233]]}, "info": {"id": "cyner2_test_001321", "source": "cyner2_test"}} +{"text": "Data acquired from mike.jar 's extraction modules is normally XORed and stored in a folder named .lost+found on the SD card .", "spans": {}, "info": {"id": "cyner2_test_001322", "source": "cyner2_test"}} +{"text": "Rather than rooting devices , the latest variant includes new virtual machine techniques that allow the malware to perform ad fraud better than ever , company researchers said in a blog post published Monday .", "spans": {}, "info": {"id": "cyner2_test_001323", "source": "cyner2_test"}} +{"text": "They don't seem to bother to have to disappear. 
With this paper, we feel fairly certain that Rocket Kitten's prime targets are not companies and political organizations as entire bodies but individuals that operate in strategically interesting fields such as diplomacy, foreign policy research, and defense-related businesses.", "spans": {"THREAT_ACTOR: Rocket Kitten's": [[93, 108]], "ORGANIZATION: companies": [[131, 140]], "ORGANIZATION: political organizations": [[145, 168]], "ORGANIZATION: individuals": [[190, 201]], "ORGANIZATION: diplomacy, foreign policy research,": [[259, 294]], "ORGANIZATION: defense-related businesses.": [[299, 326]]}, "info": {"id": "cyner2_test_001324", "source": "cyner2_test"}} +{"text": "DATA GATHERING Getting a list of all installed applications : Once EventBot is installed on the target machine , it lists all the applications on the target machine and sends them to the C2 .", "spans": {"MALWARE: EventBot": [[67, 75]]}, "info": {"id": "cyner2_test_001325", "source": "cyner2_test"}} +{"text": "Data encryption : In the initial version of EventBot , the data being exfiltrated is encrypted using Base64 and RC4 .", "spans": {"MALWARE: EventBot": [[44, 52]]}, "info": {"id": "cyner2_test_001326", "source": "cyner2_test"}} +{"text": "A backdoor also known as: TrojanDropper.MSIL.g5 Trojan/Spy.RapidStealer.a Trojan.Win32.Kazy.didwco W32/Backdoor2.HUPA Trojan.Rapidstealer Win32/Spy.RapidStealer.A TSPY_RSTEALER.B TrojWare.Win32.TrojanSpy.Malas.RA Trojan.DownLoader9.26072 TSPY_RSTEALER.B W32/Backdoor.RBCJ-0211 TR/RapidStealer.A.6 Win32.Troj.Undef.kcloud Trojan:MSIL/RapidStealer.A!dha Trojan/Win32.RapidStealer Trojan.Injector.AEPI MSIL3.ATDO Win32/Trojan.ce9", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001327", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan/W32.RedLeaves.183808 Virus.Win32.Sality!O Trojan.Redleaves Trojan.Win32.RedLeaves.a Trojan.Win32.RedLeaves.euxsiq Troj.W32.Redleaves!c Trojan.DownLoader24.37648 Trojan.RedLeaves.Win32.1 
BehavesLike.Win32.Downloader.cc Trojan.Blocker.gvq Trojan/Win32.RedLeaves Trojan.Win32.RedLeaves.a Trojan:Win32/ChChes.A!dha Trojan.RedLeaves! Trj/CI.A Win32/Trojan.6b8", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001328", "source": "cyner2_test"}} +{"text": "In parallel, we received reports from other firms and security researchers seeing similar activity, which pushed us to look into this further.", "spans": {"ORGANIZATION: other firms": [[38, 49]], "ORGANIZATION: security researchers": [[54, 74]]}, "info": {"id": "cyner2_test_001330", "source": "cyner2_test"}} +{"text": "However , FinFisher is in a different category of malware for the level of its anti-analysis protection .", "spans": {"MALWARE: FinFisher": [[10, 19]]}, "info": {"id": "cyner2_test_001331", "source": "cyner2_test"}} +{"text": "Malicious activity Once the activation cycle ends , the trojan will start its malicious activities .", "spans": {}, "info": {"id": "cyner2_test_001332", "source": "cyner2_test"}} +{"text": "As further proof of the malware targeting CIMPILICITY, it drops files into the CIMPLICITY installation directory using the %CIMPATH% environment variable on the victim machines.", "spans": {"MALWARE: malware": [[24, 31]], "SYSTEM: CIMPILICITY,": [[42, 54]], "SYSTEM: CIMPLICITY": [[79, 89]], "SYSTEM: victim machines.": [[161, 177]]}, "info": {"id": "cyner2_test_001333", "source": "cyner2_test"}} +{"text": "Not only does this malware have the ability to overwrite the affected system's master boot record MBR in order to lock users out, it is also interesting to note that it is delivered to victims via a legitimate cloud storage service in this case, via Dropbox.", "spans": {"MALWARE: malware": [[19, 26]], "SYSTEM: system's master boot record MBR": [[70, 101]], "SYSTEM: cloud storage service": [[210, 231]], "SYSTEM: Dropbox.": [[250, 258]]}, "info": {"id": "cyner2_test_001334", "source": "cyner2_test"}} +{"text": "A backdoor also known as: 
Trojan/Dropper.Dapato.slg Trojan.Script.Qhost.ddprkv Bicololo.PW Win32/Jorik.KJ Trojan.Win32.Bicololo.bbwh Trojan:W32/Qhost.WE Win32.Troj.Bicololo.bb.kcloud Trojan:Win32/Anaki.A Trojan/Win32.Bicololo Trojan.Win32.Bicololo.AHsn Trojan.Filecoder.W Win32/Bicololo.A Win32.Trojan.Bicololo.Agvb Trojan.BAT.Qhost Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001335", "source": "cyner2_test"}} +{"text": "As a result , information related to the malicious actor is tentatively redacted in this publication .", "spans": {}, "info": {"id": "cyner2_test_001336", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32.Vetor.PE Worm.Autorun.VB.AA Virus.Win32.Virut.1!O W32.Virut.G Worm.Autorun.VB.AA PE_VIRUX.O W32.SillyFDC Win32/Virut.17408 PE_VIRUX.O Virus.Win32.Virut.ce Worm.Autorun.VB.AA Virus.Win32.Virut.hpeg W32.Virut.llPw Worm.Autorun.VB.AA Win32.Virut.56 Virus.Virut.Win32.1938 BehavesLike.Win32.Virut.dt Win32/Virut.bt Virus/Win32.Virut.ce Win32.Virut.cr.61440 Worm.Autorun.VB.AA Virus.Win32.Virut.ce Worm:Win32/Thraegisa.A HEUR/Fakon.mwf Virus.Virut.14 HackTool.Patcher W32/Sality.AO I-Worm.VB.NQK Win32/Virut.NBP Worm.Threagisa.A W32/Virut.CE Virus.Win32.Virut.M", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001337", "source": "cyner2_test"}} +{"text": "If it ’ s not 0x1B ( for 32-bit systems ) or 0x23 ( for 32-bit system under Wow64 ) , the loader exits .", "spans": {}, "info": {"id": "cyner2_test_001338", "source": "cyner2_test"}} +{"text": "As the investigation progressed , Talos came to understand that this campaign was associated with the \" ChristinaMorrow '' text message spam scam previously spotted in Australia .", "spans": {"ORGANIZATION: Talos": [[34, 39]]}, "info": {"id": "cyner2_test_001339", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Android.Exploit.GingerBreak.C Android.Exploit.GingerBreak.C ELF/Andr/Lotoor.E Android.5F8D2988 Unix.Exploit.Gingerbreak-2 
Exploit.Linux.Lotoor.t Android.Exploit.GingerBreak.C Android.5F8D2988 ELF/Andr/Lotoor.E EXP/Flash.EB.1043 Trojan[Exploit]/Linux.Lotoor.t Exploit.Linux.Lotoor.t Exploit.Linux.Lotoor Linux.Exploit.Lotoor.Hqvh Exploit.Linux.Lotoor Android.Exploit.GingerBreak.C", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001340", "source": "cyner2_test"}} +{"text": "Port 6208 : IMO extraction service .", "spans": {"SYSTEM: IMO": [[12, 15]]}, "info": {"id": "cyner2_test_001341", "source": "cyner2_test"}} +{"text": "With Version 0.0.0.1 , there is a dedicated functions class where all main malicious activity happens and can be observed .", "spans": {}, "info": {"id": "cyner2_test_001342", "source": "cyner2_test"}} +{"text": "It also starts an Android service named MainService .", "spans": {"SYSTEM: Android": [[18, 25]]}, "info": {"id": "cyner2_test_001343", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Win32.Plugax.bh Trojan.Win32.Mdmbot.dptqgl Trojan.Win32.Dllbot.45056.B Trojan.Mdmbot Trojan.Plugax.Win32.2 Trojan.Win32.Plugax W32/Trojan.YOMS-1721 TR/Plugax.dneew Trojan.Razy.D189CB Trojan.Win32.Plugax.bh Backdoor:Win32/Mdmbot.G!dha Trojan/Win32.Dllbot.R23624 Trj/CI.A Win32.Trojan.Plugax.Fsd Trojan.Plugax!XGKVPHd7fzY", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001344", "source": "cyner2_test"}} +{"text": "Well, sometimes targeted entities have included telecommunication companies, or better, large holdings, but it seems that at least one of their businesses was in some way related to the production or distribution of computer games.", "spans": {"ORGANIZATION: targeted entities": [[16, 33]], "ORGANIZATION: telecommunication companies,": [[48, 76]], "ORGANIZATION: large holdings,": [[88, 103]], "ORGANIZATION: businesses": [[144, 154]], "ORGANIZATION: production": [[186, 196]], "ORGANIZATION: distribution of computer games.": [[200, 231]]}, "info": {"id": "cyner2_test_001345", "source": "cyner2_test"}} 
+{"text": "The permissions on the first version of the malware lay out the foundations of a spying trojan .", "spans": {}, "info": {"id": "cyner2_test_001346", "source": "cyner2_test"}} +{"text": "A backdoor also known as: TrojanPWS.AutoIT.Dclog.S Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Script.AutoIt.estdtw BehavesLike.Win32.AdwareLinkury.tc Trojan[Dropper]/Win32.FrauDrop Trojan.Win32.Injector", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001347", "source": "cyner2_test"}} +{"text": "] com/aa hxxp : //nttdocomo-qar [ .", "spans": {}, "info": {"id": "cyner2_test_001348", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Backdoor.Win32!O W32/Backdoor.Ripper Backdoor.Trojan Backdoor.Win32.Ripper Trojan.Win32.Ripper.dmld Backdoor.Win32.Ripper_10.Client BackDoor.Ripper Backdoor.Ripper.Win32.2 BehavesLike.Win32.AdwareDealPly.dh Backdoor.Win32.Ripper W32/Backdoor.Ripper Trojan[Backdoor]/Win32.Ripper Backdoor.Win32.Ripper Win-Trojan/Ripper.305664 Backdoor.Ripper Bck/Ripper.Cli", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001349", "source": "cyner2_test"}} +{"text": "A backdoor also known as: VB:Trojan.Valyria.265 VB:Trojan.Valyria.265 X2KM_DLOAD.YYTK VB:Trojan.Valyria.265 VB:Trojan.Valyria.265 Trojan.Ole2.Vbs-heuristic.druvzi Troj.Dropper.Vbs!c VB:Trojan.Valyria.265 VB:Trojan.Valyria.265 X97M.DownLoader.119 X2KM_DLOAD.YYTK X97M/Dropper.bca TrojanDropper:W97M/Avosim.A VB:Trojan.Valyria.265 X97M/Dropper.bca Win32.Trojan.Downloader.Qszb virus.office.qexvmc.1085", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001350", "source": "cyner2_test"}} +{"text": "Linux/Moose is a malware family that primarily targets Linux-based consumer routers but that can infect other Linux-based embedded systems in its path.", "spans": {"MALWARE: malware family": [[17, 31]], "SYSTEM: Linux-based consumer routers": [[55, 83]], "SYSTEM: Linux-based embedded systems": [[110, 138]]}, "info": {"id": 
"cyner2_test_001351", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Zusy.D3C397 Win32.Trojan.WisdomEyes.16070401.9500.9538 Win.Trojan.Ovidiy-6333880-0 PWS:MSIL/Cidekoq.A Spyware.PasswordStealer Trj/CI.A Trojan.FNOI!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001353", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Backdoor.Bladabindi.FC.178 MSIL.Backdoor.Bladabindi.a Backdoor.Ratenjay Win.Trojan.B-468 Trojan.DownLoader25.6185 BDS/Bladabindi.ajoos Backdoor:MSIL/Corinrat.A Trj/GdSda.A Trojan.MSIL.Bladabindi Win32/Trojan.b1d", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001354", "source": "cyner2_test"}} +{"text": "In March 2015, Microsoft patched a remote code execution RCE vulnerability CVE-2015-0097 in Microsoft Office.", "spans": {"ORGANIZATION: Microsoft": [[15, 24]], "MALWARE: remote code execution RCE": [[35, 60]], "VULNERABILITY: vulnerability": [[61, 74]], "SYSTEM: Microsoft Office.": [[92, 109]]}, "info": {"id": "cyner2_test_001355", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Midie.D10C7 Win32.Trojan.WisdomEyes.16070401.9500.9914 Backdoor.MSIL.IRCBot.pfh Trojan.Win32.Bonque.bobhgq Msil.Backdoor.Ircbot.Pbyu Trojan.PWS.Bonque.45 Backdoor.IRCBot Backdoor.MSIL Trojan/Win32.Unknown Backdoor:MSIL/IRCbot.K!bit Backdoor.MSIL.IRCBot.pfh Backdoor/Win32.IRCBot.R87115 Backdoor.IRCBot Backdoor.MSIL.IRCBot Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001357", "source": "cyner2_test"}} +{"text": "It reminds us of Upatre, which gained notoriety status over the past two years but has now died down, possibly due to the takedowns of its major payloads.", "spans": {"MALWARE: Upatre,": [[17, 24]], "MALWARE: major payloads.": [[139, 154]]}, "info": {"id": "cyner2_test_001358", "source": "cyner2_test"}} +{"text": "Thus, at first glance, the DNS tunneled traffic generated by ITG08's POS malware looks like any typical DNS 
address resolution query for a legitimate Akamai domain.", "spans": {"SYSTEM: DNS tunneled traffic": [[27, 47]], "MALWARE: ITG08's POS malware": [[61, 80]]}, "info": {"id": "cyner2_test_001360", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32.Virut.G Win32/Virut.NBP Trojan-Dropper.Delf!IK Trojan.SlhBack Virus.Win32.Virut.ce TrojWare.Win32.Inject.~D Virus.Win32.Virut.ce Win32.Virut.56 Win32/Virut.NBP PE_VIRUX.E-2 Win32/Virut.17408 Win32/Virut.bn W32.Virut.CF Virus:Win32/Virut.BM Win32.Virut.AM Virus.Win32.Virut.X5 Constructor.SlhBack.bk Trojan.Win32.Delf.fey Trojan-Dropper.Delf W32/Virut.CE Dropper.Delf W32/Sality.AO", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001361", "source": "cyner2_test"}} +{"text": "A TrickMo version from January 2020 contained code that checks if the app is running on a rooted device or an emulator to prevent analysis .", "spans": {"MALWARE: TrickMo": [[2, 9]]}, "info": {"id": "cyner2_test_001362", "source": "cyner2_test"}} +{"text": "With each subsequent request , a new subdomain was generated .", "spans": {}, "info": {"id": "cyner2_test_001363", "source": "cyner2_test"}} +{"text": "The infrastructure behind the Blank Slate campaign has two distinct phases.", "spans": {"SYSTEM: infrastructure": [[4, 18]], "THREAT_ACTOR: the Blank Slate campaign": [[26, 50]]}, "info": {"id": "cyner2_test_001364", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Adware.Dlhelper Dropper.FrauDropCRTD.Win32.6286 Trojan.Application.Bundler.DlHelper.255 Win32.Trojan.Kryptik.pf not-a-virus:WebToolbar.Win32.MutiBar.sy Riskware.Win32.MutiBar.dygvox Trojan.Zadved.203 PUA.Multibar WebToolbar.MutiBar.by RiskWare[WebToolbar]/Win32.MutiBar not-a-virus:WebToolbar.Win32.MutiBar.sy SScope.Downware.Dlhelper PUA.Toolbar.MutiBar! 
W32/Kryptik.FWLF!tr Win32/Application.d4d", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001365", "source": "cyner2_test"}} +{"text": "The Infection Chain Once the user downloads and installs one of the infected applications , ‘ SimBad ’ registers itself to the ‘ BOOT_COMPLETE ’ and ‘ USER_PRESENT ’ intents , which lets ‘ SimBad ’ to perform actions after the device has finished booting and while the user is using his device respectively .", "spans": {"MALWARE: SimBad": [[94, 100], [189, 195]]}, "info": {"id": "cyner2_test_001366", "source": "cyner2_test"}} +{"text": "These features likely suggest ITG03 continues evolving tactics to target users in the cryptocurrency industry.", "spans": {"THREAT_ACTOR: ITG03": [[30, 35]], "ORGANIZATION: users": [[73, 78]], "ORGANIZATION: the cryptocurrency industry.": [[82, 110]]}, "info": {"id": "cyner2_test_001367", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9918 Trojan.Win32.Stealer.exprxh Trojan.Win32.Z.Zusy.2021449 Trojan.PWS.Stealer.1856 W32/Trojan.PKEU-6036 Trojan.Zusy.D3DCC3 Trojan:Win32/SvcMiner.A Trojan/Win32.CoinMiner.R214201 TrojanPSW.Stealer Trojan.FakeMS Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001368", "source": "cyner2_test"}} +{"text": "It also protects users and organizations from other mobile threats , such as mobile phishing , unsafe network connections , and unauthorized access to sensitive data .", "spans": {}, "info": {"id": "cyner2_test_001369", "source": "cyner2_test"}} +{"text": "XLoader as Spyware and Banking Trojan XLoader can also collect information related to usage of apps installed in the device .", "spans": {"MALWARE: XLoader": [[0, 7]]}, "info": {"id": "cyner2_test_001370", "source": "cyner2_test"}} +{"text": "The United Nations has already imposed significant sanctions on North Korea; however, a recent announcement by China that it will shut down North Korean companies 
operating within its borders could indicate significant financial trouble for North Korea.", "spans": {"ORGANIZATION: The United Nations": [[0, 18]], "ORGANIZATION: North Korean companies": [[140, 162]]}, "info": {"id": "cyner2_test_001371", "source": "cyner2_test"}} +{"text": "The overlay consisted of a generic credit card grabber targeting social and utility apps , such as Google Play , Facebook , WhatsApp , Chrome , Skype , Instagram and Twitter .", "spans": {"SYSTEM: Google Play": [[99, 110]], "SYSTEM: Facebook": [[113, 121]], "SYSTEM: WhatsApp": [[124, 132]], "SYSTEM: Chrome": [[135, 141]], "SYSTEM: Skype": [[144, 149]], "SYSTEM: Instagram": [[152, 161]], "SYSTEM: Twitter": [[166, 173]]}, "info": {"id": "cyner2_test_001372", "source": "cyner2_test"}} +{"text": "This vulnerability CVE-2017-7494 relates to all versions of Samba, starting from 3.5.0, which was released in 2010, and was patched only in the latest versions of the package 4.6.4/4.5.10/4.4.14.", "spans": {"VULNERABILITY: vulnerability": [[5, 18]], "MALWARE: Samba,": [[60, 66]], "MALWARE: 3.5.0,": [[81, 87]], "MALWARE: latest versions of the package 4.6.4/4.5.10/4.4.14.": [[144, 195]]}, "info": {"id": "cyner2_test_001373", "source": "cyner2_test"}} +{"text": "And even more curiously, SeaDuke, with its built-in support for both Windows and Linux, is the first cross-platform malware we have observed from the Duke group.", "spans": {"MALWARE: SeaDuke,": [[25, 33]], "SYSTEM: Windows": [[69, 76]], "SYSTEM: Linux,": [[81, 87]], "MALWARE: cross-platform malware": [[101, 123]], "THREAT_ACTOR: Duke group.": [[150, 161]]}, "info": {"id": "cyner2_test_001375", "source": "cyner2_test"}} +{"text": "We also noticed how most of these spammed emails were sent between 9 a.m. – 11 a.m. 
UTC, a time when employees in European countries are starting their day at work.", "spans": {"ORGANIZATION: employees": [[101, 110]]}, "info": {"id": "cyner2_test_001376", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan-PWS/W32.QQPass.103018 Trojan-PSW.Win32.QQShou!O TrojanPWS.QQpass Trojan/PSW.QQPass.ig Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Pws.AJSA Infostealer.Gampass Win.Spyware.WOW-37 Trojan-PSW.Win32.QQPass.ig Trojan.Win32.QQPass.lwwt Trojan.Win32.A.PSW-QQPass.102400.E TrojWare.Win32.PSW.QQShou Trojan.PWS.Tencent Trojan.QQPass.Win32.2020 BehavesLike.Win32.Downloader.cm Trojan-PWS.Win32.QQShou W32/PWS.OWXU-8397 Trojan/PSW.Chuanhua.iq Trojan[PSW]/Win32.QQPass Backdoor.W32.Hupigon.l57k Trojan/Win32.QQShou.R5746 TrojanPSW.QQPass Trj/QQshou.AA Win32/PSW.QQShou Win32.Trojan-qqpass.Qqrob.Syik Trojan.PWS.QQPass!ev/WXAy55hs W32/QQPass.IG!tr.pws Win32/Trojan.d5b", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001377", "source": "cyner2_test"}} +{"text": "This instruction is especially important for malware that tries to avoid user interaction by running in the background as a service .", "spans": {}, "info": {"id": "cyner2_test_001378", "source": "cyner2_test"}} +{"text": "Unit 42 has been closely tracking the OilRig threat group since May 2016.", "spans": {"ORGANIZATION: Unit 42": [[0, 7]], "THREAT_ACTOR: the OilRig threat group": [[34, 57]]}, "info": {"id": "cyner2_test_001379", "source": "cyner2_test"}} +{"text": "People using certain VPN service providers to protect their privacy are completely unaware that the backend uses a criminal infrastructure of infected computers worldwide.", "spans": {"ORGANIZATION: VPN service providers": [[21, 42]], "SYSTEM: criminal infrastructure": [[115, 138]], "SYSTEM: computers": [[151, 160]]}, "info": {"id": "cyner2_test_001380", "source": "cyner2_test"}} +{"text": "And others have all malicious content removed , except for log comments referencing the payment process .", 
"spans": {}, "info": {"id": "cyner2_test_001381", "source": "cyner2_test"}} +{"text": "Rotexy then sent information about the smartphone to the C & C , including the phone model , number , name of the mobile network operator , versions of the operating system and IMEI .", "spans": {"MALWARE: Rotexy": [[0, 6]]}, "info": {"id": "cyner2_test_001382", "source": "cyner2_test"}} +{"text": "This ongoing research lead us to a new Middle Eastern campaign.", "spans": {"THREAT_ACTOR: a new Middle Eastern campaign.": [[33, 63]]}, "info": {"id": "cyner2_test_001383", "source": "cyner2_test"}} +{"text": "The said screen is the ransom note , which contains threats and instructions to pay the ransom .", "spans": {}, "info": {"id": "cyner2_test_001384", "source": "cyner2_test"}} +{"text": "Despite broad scrutiny and reports on MuddyWater attacks, the activity continues with only incremental changes to the tools and techniques.", "spans": {"THREAT_ACTOR: MuddyWater": [[38, 48]], "MALWARE: tools": [[118, 123]]}, "info": {"id": "cyner2_test_001385", "source": "cyner2_test"}} +{"text": "Even a fake Facebook profile to pretend to be an actual company, aided in this process.", "spans": {}, "info": {"id": "cyner2_test_001387", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32.QuaresLTAAI.Trojan Worm.Fadok.IM5 Win32.Worm.FakeDoc.a WORM_FAKEDOC_FD050240.UVPM Trojan.Win32.Dwn.drcagm TrojWare.Win32.Scar.FAKD Win32.HLLW.Rendoc.3 Trojan.Scar.Win32.88546 WORM_FAKEDOC_FD050240.UVPM Trojan/Scar.bgdv Trojan/Win32.Scar.jfya Worm:Win32/Fadok.A Trojan.Razy.DA7C7 Worm/Win32.Fadok.R189010 Win32/FakeDoc.A Trojan.DownLoader! 
Worm.Win32.Fakedoc W32/FakeDoc.A!worm", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001388", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Backdoor/W32.KeyStart.181760 Backdoor.Win32.KeyStart!O Backdoor.KeyStart Win32.Trojan.WisdomEyes.16070401.9500.9963 Win32/Slupim.A Backdoor.Win32.KeyStart.ck Trojan.Win32.KeyStart.hfzs Trojan.Win32.Z.Keystart.181760 Backdoor.W32.Keystart!c Trojan.DownLoad.31797 Backdoor.KeyStart.Win32.47 BehavesLike.Win32.Downloader.ch Backdoor.Win32.KeyStart Backdoor/KeyStart.ak Trojan[Backdoor]/Win32.KeyStart Backdoor.Win32.KeyStart.ck Trojan:Win32/Slupim.B Bck/KeyStart.B Win32/Trojan.ec7", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001389", "source": "cyner2_test"}} +{"text": "The Android rootnik malware uses open-sourced Android root exploit tools and the MTK root scheme from the dashi root tool to gain root access on an Android device.", "spans": {"MALWARE: The Android rootnik malware": [[0, 27]], "VULNERABILITY: open-sourced Android root exploit": [[33, 66]], "MALWARE: tools": [[67, 72]], "MALWARE: dashi root tool": [[106, 121]], "SYSTEM: Android device.": [[148, 163]]}, "info": {"id": "cyner2_test_001390", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32.FamVT.ExpiroPC.PE Trojan.DNSChanger.R Trojan.DNSChanger Trojan.DNSChanger.R Trojan.DNSChanger.R TROJ_DNSCHAN.ADD Win32.Trojan.WisdomEyes.16070401.9500.9998 Trojan.Flush.G TROJ_DNSCHAN.ADD Win.Downloader.Small-1720 Trojan.DNSChanger.R Trojan.Win32.DNSChanger.as Trojan.DNSChanger.R Trojan.Win32.DNSChanger.gwnl Trojan.DNSChanger.R TrojWare.Win32.DNSChanger.Y Trojan.DNSChanger.R Trojan.DnsChange Trojan.DNSChanger.Win32.6451 BehavesLike.Win32.VTFlooder.mc Trojan.Win32.DNSChanger W32.Alureon.Rootkit Trojan.Win32.DNSChanger.as Trojan/Win32.DNSChanger.R5962 DNSChanger.a MalwareScope.Trojan.DnsChange.1 Trj/DNSChanger.AQ", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001391", 
"source": "cyner2_test"}} +{"text": "A backdoor also known as: Adware.NetFilter.BH Adware.NetFilter.BH Hacktool.Rootkit Adware.NetFilter.BH Adware.NetFilter.BH Adware.NetFilter.BH Adware.5Hex.Win64.8 AdWare.5hex ADWARE/5Hex.yxyby Trojan:Win64/Detrahere.E Adware.NetFilter.BH", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001392", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Dridex Trojan.Midie.DA3BA Win32.Trojan.WisdomEyes.16070401.9500.9999 W64/Trojan.NYZW-9167 Trojan.Win32.Z.Dridex.679936.E Trojan.Kryptik.Win64.2184 Trojan.Crypt Trojan.Dridex.cy TR/Crypt.ZPACK.ohzec Trojan/Win64.Dridex.R212058 Trj/CI.A Win32/Trojan.82a", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001393", "source": "cyner2_test"}} +{"text": "The primary targets , so far , are based in India though other Asian countries such as Pakistan and Bangladesh are also affected .", "spans": {}, "info": {"id": "cyner2_test_001394", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32.eHeur.Malware03 Worm.Drolnux.S644909 Troj.Ransom.W32.Foreign.tnvv Trojan/Ibashade.c Win32.Trojan.Kryptik.bio W32/Trojan.MTDN-3978 Trojan.Toraldrop WORM_DROLNUX_GC310160.UVPM Win.Trojan.Aavirus-2 Trojan.Win32.Kryptik.eljjir Trojan.Win32.Z.Ibashade.507562 Worm.Win32.Ibashade.D Trojan.PackedENT.44 WORM_DROLNUX_GC310160.UVPM BehavesLike.Win32.Jeefo.gh Win32/Ibashade.C Worm.Win32.Ibashade W32/Kryptik.FOAD!tr Win32/Trojan.df3", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001395", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan/Dropper.Delf.nsc Trojan.DR.Delf!iMS7sjct8CE TROJ_DELF.SML TrojWare.Win32.TrojanSpy.Delf.AW TROJ_DELF.SML Trojan-Dropper.Delf!IK Backdoor:Win32/Beastdoor.DT Trojan/Win32.Pincav Trojan-Dropper.Delf Injector.NW", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001396", "source": "cyner2_test"}} +{"text": "A backdoor also known as: 
Trojan.Exploit.Linux.68 TROJ_GE.F0CE4FC1 Win32.Trojan.WisdomEyes.16070401.9500.9817 TROJ_GE.F0CE4FC1 HEUR:Exploit.AndroidOS.Psneuter.a Riskware.Rooter.dshucf Tool.Rooter.6 BehavesLike.Win32.Dropper.rc HEUR:Exploit.AndroidOS.Psneuter.a Linux.Riskware.Neuter.A Android/Exploit.PSN.A Exploit.AndroidOS.Psn", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001397", "source": "cyner2_test"}} +{"text": "XLoader abuses the MessagePack ( a data interchange format ) to package the stolen data and exfiltrate it via the WebSocket protocol for faster and more efficient transmission .", "spans": {"MALWARE: XLoader": [[0, 7]]}, "info": {"id": "cyner2_test_001398", "source": "cyner2_test"}} +{"text": "Moafee may have chosen its targets based on the rich resources of South China Sea region – the world's second business sea-lane, according to Wikipedia – including rare earth metals, crude oil, and natural gas.", "spans": {"THREAT_ACTOR: Moafee": [[0, 6]], "THREAT_ACTOR: earth": [[169, 174]]}, "info": {"id": "cyner2_test_001399", "source": "cyner2_test"}} +{"text": "If an incoming SMS contains one of the following magic strings : ” 2736428734″ or ” 7238742800″ the malware will execute multiple initial commands : Keylogger implementation Keylogging is implemented in an original manner .", "spans": {}, "info": {"id": "cyner2_test_001400", "source": "cyner2_test"}} +{"text": "The attackers behind Operation Pawn Storm have been active since at least 2007 and they continue to launch new campaigns.", "spans": {"THREAT_ACTOR: attackers": [[4, 13]], "THREAT_ACTOR: Operation Pawn Storm": [[21, 41]], "THREAT_ACTOR: campaigns.": [[111, 121]]}, "info": {"id": "cyner2_test_001401", "source": "cyner2_test"}} +{"text": "After analyzing the traffic associated with these short links , we determined that each one was associated with a referral path from mail.mosa.pna.ps .", "spans": {}, "info": {"id": "cyner2_test_001402", "source": "cyner2_test"}} +{"text": "A backdoor also 
known as: HackTool.Fbhack Trojan.MSIL.HackTool.15 Trj/GdSda.A Win32/Trojan.Hacktool.afa", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001403", "source": "cyner2_test"}} +{"text": "Perhaps the app ’ s false capabilities also fueled the low number of downloads .", "spans": {}, "info": {"id": "cyner2_test_001404", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32.Clod692.Trojan.ee6f Backdoor/W32.Thunk.23072 Backdoor/Thunk.a Trojan.Heur.JP.E22B62 W32/Backdoor.FUI Trojan.Bookmarker.C Hoax.Win32.Renos.dv Trojan.Win32.Thunk.ehif Win32.Trojan-psw.Lpkstart.Pftk Backdoor.Win32.Thunk.A BackDoor.Thunker Backdoor.Thunk.Win32.1 BehavesLike.Win32.PWSOnlineGames.mt W32/Backdoor.LZAN-6163 Backdoor/Thunk.c Trojan[Backdoor]/Win32.Thunk Hoax.W32.Renos.dv!c Win-Trojan/Thunk.23072 Trojan.Win32.BadJoke.dv Win32/Thunk.A Trojan.Renos!te8dhAWGe20 Backdoor.Win32.Thunk.a W32/Thunk.A!tr.bdr BackDoor.Thunk.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001405", "source": "cyner2_test"}} +{"text": "Criminals are increasingly using obfuscation , the deliberate act of creating complex code to make it difficult to analyze .", "spans": {}, "info": {"id": "cyner2_test_001406", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.PePatch!o2sJKTZeQwo W32/TrojanX.BKLZ W32.Spybot.Worm W32/Buzus.HBR Win32.TRBuzus.Adaa Packed.Win32.PePatch.lc Riskware.Win32.CeeInject.A!IK Constructor.Win32.Bifrose.be BackDoor.Poison.61 TR/Bifrose.EB.1 Trojan/Buzus.ejw Trojan.Win32.S.Buzus.1254544 Trojan/Win32.Xema W32/TrojanX.BKLZ BScope.Trojan.871206 Backdoor.Bifrose!rem VirTool.Win32.CeeInject.A W32/Buzus.ADBZ!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001407", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan-Dropper.Win32.Injector!O Backdoor.Daserf Dropper.Injector.Win32.60582 Troj.Dropper.W32.Injector.jrzp!c Win32.Trojan.WisdomEyes.16070401.9500.9999 Backdoor.Trojan 
BKDR_DASERF.ZBEI-A Trojan-Dropper.Win32.Injector.jrzp Trojan.Win32.Inject1.cmrdfo Win32.Trojan-dropper.Injector.Wnmi Trojan.Inject1.31463 BKDR_DASERF.ZBEI-A BehavesLike.Win32.Injector.mh Backdoor.Win32.Daserf W32/Trojan.YKAI-2038 W32/Injector.A!tr Trojan[Dropper]/Win32.Injector Backdoor:Win32/Daserf.A Trojan-Dropper.Win32.Injector.jrzp Trojan.Heur.FU.E0F811 Trojan.DR.Injector!lk1UiObxqaY Win32/Trojan.Dropper.cd3", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001408", "source": "cyner2_test"}} +{"text": "It's often associated with dropping vawtrak and pony.", "spans": {"MALWARE: vawtrak": [[36, 43]], "MALWARE: pony.": [[48, 53]]}, "info": {"id": "cyner2_test_001409", "source": "cyner2_test"}} +{"text": "] today www [ .", "spans": {}, "info": {"id": "cyner2_test_001410", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9598 Troj.W32.Inject.l78q Trojan.DownLoader5.58525 BehavesLike.Win32.BadFile.ph Trojan[Downloader]/Win32.Unknown Win32.Troj.Undef.kcloud TrojanDownloader:Win32/Swfdown.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001411", "source": "cyner2_test"}} +{"text": "Proofpoint researchers discovered a never-before-documented malware strain on February 15.", "spans": {"ORGANIZATION: Proofpoint researchers": [[0, 22]], "MALWARE: malware strain": [[60, 74]]}, "info": {"id": "cyner2_test_001412", "source": "cyner2_test"}} +{"text": "Indicators for BlackEnergy attacks in Ukraine", "spans": {"THREAT_ACTOR: BlackEnergy": [[15, 26]]}, "info": {"id": "cyner2_test_001413", "source": "cyner2_test"}} +{"text": "This scam is used more and more often to attack businesses, especially SMBs, in various countries.", "spans": {"ORGANIZATION: businesses,": [[48, 59]], "ORGANIZATION: SMBs,": [[71, 76]]}, "info": {"id": "cyner2_test_001414", "source": "cyner2_test"}} +{"text": "This report covers a campaign of phishing and malware which we have named Operation Manul and 
which, based on the available evidence, we believe is likely to have been carried out on behalf of the government of Kazakhstan against journalists, dissidents living in Europe, their family members, known associates, and their lawyers.", "spans": {"THREAT_ACTOR: campaign": [[21, 29]], "MALWARE: phishing": [[33, 41]], "MALWARE: malware": [[46, 53]], "THREAT_ACTOR: Operation Manul": [[74, 89]], "ORGANIZATION: the government of Kazakhstan": [[193, 221]], "ORGANIZATION: journalists,": [[230, 242]], "ORGANIZATION: family members, known associates,": [[278, 311]], "ORGANIZATION: their lawyers.": [[316, 330]]}, "info": {"id": "cyner2_test_001415", "source": "cyner2_test"}} +{"text": "A backdoor also known as: TROJ_AHENTE.RED Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Application.TQMP-8317 Trojan.Krast.C TROJ_AHENTE.RED Trojan.Win32.Gamania.ctppae Trojan.Win32.KeyLogger.93696 Trojan.PWS.Gamania.42279 Trojan.Keylogger.Win32.30981 BehavesLike.Win32.BrowseFox.ch Trojan/Win32.Unknown Win32.Troj.Undef.kcloud Backdoor:Win32/Toyecma.A!dha Trj/Vilsel.AF TrojanSpy.KeyLogger!GSKBdfHkyqU W32/KeyLogger.OFI!tr.spy", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001417", "source": "cyner2_test"}} +{"text": "Germany is one of the first attack turfs TrickBot spread to when it first emerged in 2016 .", "spans": {"MALWARE: TrickBot": [[41, 49]]}, "info": {"id": "cyner2_test_001418", "source": "cyner2_test"}} +{"text": "A backdoor also known as: HW32.Packed.16A4 Troj.W32.Monder.l3LF Win32.Trojan.WisdomEyes.16070401.9500.9996 MalCrypt.Indus! 
Trojan.Packed.338 BehavesLike.Win32.Downloader.mc Trojan-Downloader.Win32.Clopack Trojan.Heur.TDss.E7D957 TrojanDownloader:Win32/Conhook.AF Trojan/Win32.Xema.C130136", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001419", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32.Pinfi.B Win32.Parite.B Virus/W32.Parite.C Virus.Win32.Parite.b!O W32.Perite.A Win32.Parite.B Ransom.Locky Virus.Parite.Win32.9 W32/Pate.B Win32.Parite.B PE_PARITE.A Win32.Virus.Parite.d W32/Locky.IGOK-1178 W32.Pinfi.B Win32/Pinfi.A PE_PARITE.A Heuristics.W32.Parite.B Virus.Win32.Parite.b Win32.Parite.B Virus.Win32.Parite.bgvo Virus.Win32.Dropper.c Win32.Parite.B Trojan.DownLoader19.38965 W32/Pate.b W32/Locky.EM Win32/Parite.b Virus/Win32.Parite.c Win32.Parite.b.5756 Win32.Parite.A Virus.Win32.Parite.b Win32.Parite.B W32/Pate.b Virus.Win32.Parite.b Trojan.Locky Win32/Parite.B Win32.Parite.B Virus.Win32.Parite W32/Kryptik.EQFZ!tr W32/Parite.B Virus.Win32.Parite.H", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001420", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Ransom.Filecoder Ransom_MINDLOST.THBOAH Ransom_MINDLOST.THBOAH Trojan.Win32.Ransom.exdtkr TR/Ransom.uxivv Ransom:MSIL/Paggalangrypt.A!rsm", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001421", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Skeeyah.5634 Trojan.Zusy.D38734 Win32.Trojan.WisdomEyes.16070401.9500.9944 TROJ_FASTREK.SM Trojan.DownLoader14.31853 TROJ_FASTREK.SM W32/Trojan.SYFE-6527 TR/Spy.A.5028 Trojan:Win32/Fastrek.A Win32.Trojan.Spy.Sudt Win32/Trojan.Spy.102", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001422", "source": "cyner2_test"}} +{"text": "With the daily growth of the different kinds of ransomware and distribution techniques, Fox-IT's Security Operations Center was investigating a new ransomware called Mole.", "spans": {"MALWARE: ransomware": [[48, 58], 
[148, 158]], "ORGANIZATION: Fox-IT's Security Operations Center": [[88, 123]], "MALWARE: Mole.": [[166, 171]]}, "info": {"id": "cyner2_test_001424", "source": "cyner2_test"}} +{"text": "This implies that the authors are actively working to optimize EventBot over time .", "spans": {"MALWARE: EventBot": [[63, 71]]}, "info": {"id": "cyner2_test_001425", "source": "cyner2_test"}} +{"text": "Despite the lack of sophistication of the technical details of the malware and its mechanisms for spreading, the threat actors have demonstrated ability to compromise governmental websites successfully.", "spans": {"MALWARE: malware": [[67, 74]], "THREAT_ACTOR: the threat actors": [[109, 126]]}, "info": {"id": "cyner2_test_001426", "source": "cyner2_test"}} +{"text": "We have associated this campaign with APT19, a group that we assess is composed of freelancers, with some degree of sponsorship by the Chinese government.", "spans": {"THREAT_ACTOR: campaign": [[24, 32]], "THREAT_ACTOR: APT19,": [[38, 44]], "THREAT_ACTOR: group": [[47, 52]], "ORGANIZATION: freelancers,": [[83, 95]], "ORGANIZATION: the Chinese government.": [[131, 154]]}, "info": {"id": "cyner2_test_001427", "source": "cyner2_test"}} +{"text": "App Icon Figure 1 : App icon and fake notification .", "spans": {}, "info": {"id": "cyner2_test_001428", "source": "cyner2_test"}} +{"text": "Quite possibly , this routine targets older platforms like Windows 7 and machines not taking advantage of hardware protections like UEFI and SecureBoot , available on Windows 10 .", "spans": {"SYSTEM: Windows 7": [[59, 68]], "SYSTEM: Windows 10": [[167, 177]]}, "info": {"id": "cyner2_test_001429", "source": "cyner2_test"}} +{"text": "January 2016 – May 2018 : In this stage , “ Agent Smith ” hackers started to try out 9Apps as a distribution channel for their adware .", "spans": {"MALWARE: Agent Smith": [[44, 55]]}, "info": {"id": "cyner2_test_001430", "source": "cyner2_test"}} +{"text": "In fact , recent variants contain code forked from an 
open-source machine learning module used by developers to automatically resize and crop images based on screen size , a valuable function given the variety of Android devices .", "spans": {"SYSTEM: Android": [[213, 220]]}, "info": {"id": "cyner2_test_001431", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Hacktool.Proxy Win.Trojan.Proxy-1292 Trojan.Proxy.2134 TR/Dldr.Small.ewd.1 TrojanProxy:Win32/Guilt.A Bck/GuilDNS.C", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001432", "source": "cyner2_test"}} +{"text": "We've been tracking a series of exploit documents which, upon successful exploitation, simply drop a file and perform no other actions; these documents have dropped a variety of backdoors associated with a range of previously identified threat groups.", "spans": {"VULNERABILITY: exploitation,": [[73, 86]], "MALWARE: backdoors": [[178, 187]], "THREAT_ACTOR: threat groups.": [[237, 251]]}, "info": {"id": "cyner2_test_001433", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Fednu.a Backdoor.Trojan Trojan.Win32.Click1.cgqbj TrojWare.Win32.Fedon.a Trojan.Click1.28242 Fednu.a Trojan:Win32/Fednu.A Trojan/Win32.Fedon.R1249 Trojan.Win32.Startpage.d W32/FAKEMS.E!tr Trojan.Win32.StartPage.BL", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001434", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32.W.Fearso.lGmx Trojan/Boaxxe.a Trojan.Win32.Boaxxe.112128 TrojWare.Win32.Boaxxe.aak Trojan.Inject.8496 BehavesLike.Win32.Conficker.cc Trojan:Win32/Boaxxe.E Trojan.Beax.2 Trojan:Win32/Boaxxe.E Trojan/Win32.Boaxxe.R2341 Win32/Trojan.0e8", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001435", "source": "cyner2_test"}} +{"text": "The original app looks innocent , with most of its code aimed at implementing the real features that the app claims to provide .", "spans": {}, "info": {"id": "cyner2_test_001436", "source": "cyner2_test"}} +{"text": "A backdoor also 
known as: W32.OnGamesFHKAGBAC.Trojan Trojan.Win32.Small!O Trojan.Keebie.S15324 Trojan/Small.akcc Trojan.Naffy.1 W32/Small.HE Win32/Keebie.A RTKT_KEEBIE.SMIA Win.Trojan.Small-14056 Trojan.Win32.A.Small.5632 TrojWare.Win32.Small.GZ Trojan.NtRootKit.17168 RTKT_KEEBIE.SMIA W32/Small.ULEB-5410 Trojan/Small.hyh TR/Small.GO.1 Trojan/Win32.Small Trojan:WinNT/Keebie.A Backdoor/Win32.Buzy.R2623 Trojan.Small Trj/Small.CN Trojan.Win32.Small.ae Trojan.Small!ebs6Gbgb5Gk Trojan.Win32.Small W32/Anno.A!tr RootKit.Win32.Koutodoor.E", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001437", "source": "cyner2_test"}} +{"text": "A backdoor also known as: TrojanPWS.Fareit Spyware.Pony Trojan.Symmi.D11C87 Win32.Trojan.WisdomEyes.16070401.9500.9803 Trojan-PSW.Win32.Fareit.cpmi Win32.Trojan-qqpass.Qqrob.Huge BehavesLike.Win32.Fareit.dm TR/Dropper.VB.bzhbo Trojan-PSW.Win32.Fareit.cpmi Win32.Trojan.Injector.LG Trojan/Win32.Inject.R198261 BScope.Trojan.VBKrypt Trojan.VB.Crypt W32/Injector.DNRZ!tr Trj/GdSda.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001439", "source": "cyner2_test"}} +{"text": "NexusLogger collects keystrokes, system information, stored passwords and will take screenshots.", "spans": {"MALWARE: NexusLogger": [[0, 11]]}, "info": {"id": "cyner2_test_001440", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Mauvaise.SL1 Win32.Trojan.WisdomEyes.16070401.9500.9998 TROJ_TRUEBOT.SMZIEK-A Win.Trojan.Silence-6367670-0 Trojan.DownLoader25.20128 W32/Trojan.PYHP-7871 TrojanDownloader:Win32/Truebot.A Trj/GdSda.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001441", "source": "cyner2_test"}} +{"text": "EventBot Logcat from the infected device Logcat from the infected device .", "spans": {"MALWARE: EventBot": [[0, 8]]}, "info": {"id": "cyner2_test_001442", "source": "cyner2_test"}} +{"text": "The C & C address was specified in the code and was also unencrypted : In some versions , a 
dynamically generated low-level domain was used as an address : In its first communication , the Trojan sent the infected device ’ s IMEI to the C & C , and in return it received a set of rules for processing incoming SMSs ( phone numbers , keywords and regular expressions ) – these applied mainly to messages from banks , payment systems and mobile network operators .", "spans": {}, "info": {"id": "cyner2_test_001443", "source": "cyner2_test"}} +{"text": "The author has introduced the capability to grant the app the device admin permission .", "spans": {}, "info": {"id": "cyner2_test_001444", "source": "cyner2_test"}} +{"text": "During the final update installation process , it relies on the Janus vulnerability to bypass Android ’ s APK integrity checks .", "spans": {"VULNERABILITY: Janus": [[64, 69]], "SYSTEM: Android": [[94, 101]]}, "info": {"id": "cyner2_test_001445", "source": "cyner2_test"}} +{"text": "The website was compromised to launch an apparent watering-hole attack against the company's customers.", "spans": {"ORGANIZATION: company's customers.": [[83, 103]]}, "info": {"id": "cyner2_test_001446", "source": "cyner2_test"}} +{"text": "These are then uploaded to the C & C HTTP server .", "spans": {}, "info": {"id": "cyner2_test_001447", "source": "cyner2_test"}} +{"text": "The attackers also tend to deploy what works or what s convenient, as we've also seen them attempt to infect the target host with other PoS malware such as PwnPOS TSPY_PWNPOS.SMA, and BlackPOS TSPY_POCARDL.AI.", "spans": {"THREAT_ACTOR: attackers": [[4, 13]], "MALWARE: PoS malware": [[136, 147]], "MALWARE: PwnPOS": [[156, 162]], "MALWARE: BlackPOS": [[184, 192]]}, "info": {"id": "cyner2_test_001448", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Win32.Iconomon.a2.AD Trojan/Delf.cbcd Trojan.Delf!+j/t0TLqQk4 Trojan.Dropper Delf.KXWK Win32/Delf.AQT TROJ_SPNR.30FE12 Trojan.Win32.Delf.chfk Trojan.Win32.Delf.djowe TR/Offend.kdv.99866 TROJ_SPNR.30FE12 Trojan/Delf.sze 
Trojan:Win32/Iconomon.A Trojan.Win32.A.Delf.320512.H Trojan/Win32.Delf Trojan.Delf.aqjx Trojan.Dropper Win32/Delf.PXF Trojan.Win32.Delf Delf.VWX", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001449", "source": "cyner2_test"}} +{"text": "The Naikon APT aligns with the actor our colleagues at FireEye recently revealed to be APT30, but we haven't discovered any exact matches.", "spans": {"THREAT_ACTOR: The Naikon APT": [[0, 14]], "ORGANIZATION: FireEye": [[55, 62]], "THREAT_ACTOR: APT30,": [[87, 93]]}, "info": {"id": "cyner2_test_001450", "source": "cyner2_test"}} +{"text": "We are especially delighted about the platform and programme of work established in the declaration of the conference , upon which we sincerely hope will be built a strong and resolute working relationship on our shared goals for the future .", "spans": {}, "info": {"id": "cyner2_test_001451", "source": "cyner2_test"}} +{"text": "Xcode is Apple's official tool for developing iOS or OS X apps and it is clear that some Chinese developers have downloaded these Trojanized packages.", "spans": {"SYSTEM: Xcode": [[0, 5]], "ORGANIZATION: Apple's": [[9, 16]], "SYSTEM: iOS": [[46, 49]], "SYSTEM: OS X apps": [[53, 62]], "ORGANIZATION: Chinese developers": [[89, 107]], "MALWARE: Trojanized": [[130, 140]]}, "info": {"id": "cyner2_test_001452", "source": "cyner2_test"}} +{"text": "A backdoor also known as: HW32.Packed.E526 Trojan/Proxy.Dlena.cb Win32.Trojan.WisdomEyes.16070401.9500.9685 W32/Proxy.AWL Trojan.Packed.9 Win32.HLLM.Bid BehavesLike.Win32.Sality.nc W32/Proxy.MUPL-7031 TrojanProxy.Dlena.bk TrojanProxy:Win32/Dlena.CB Trojan/Win32.Dlena.C245630 BScope.Trojan.Dlena Trojan.PR.Dlena!kg9jx7szz7g Win32/Trojan.ea0", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001453", "source": "cyner2_test"}} +{"text": "The US government's Cybersecurity and Infrastructure Security Agency CISA has issued a warning about a vulnerability in its IIS server, which allows 
attackers to exploit a security hole in the network.", "spans": {"ORGANIZATION: The US government's Cybersecurity": [[0, 33]], "ORGANIZATION: Infrastructure Security Agency CISA": [[38, 73]], "VULNERABILITY: vulnerability": [[103, 116]], "SYSTEM: IIS server,": [[124, 135]], "THREAT_ACTOR: attackers": [[149, 158]], "MALWARE: exploit": [[162, 169]], "VULNERABILITY: security hole": [[172, 185]], "SYSTEM: network.": [[193, 201]]}, "info": {"id": "cyner2_test_001454", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Spamer Trojan.Symmi.DDE55 Win32.Trojan.Kryptik.nv Trojan.Win32.Spamer.km Trojan.Win32.Kryptik.ewffdy Troj.W32.Yakes.mAv7 Trojan.DownLoader26.3007 BehavesLike.Win32.Worm.ch W32/Trojan.OMMU-8573 Trojan.Spamer.ae Trojan.Win32.Spamer.km Trojan.Spamer Trj/CI.A Win32.Trojan.Spamer.Akze Trojan.Win32.Crypt W32/Kryptic.ABGK!tr Win32/Trojan.48b", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001455", "source": "cyner2_test"}} +{"text": "We have written about this phenomenon extensively in the past and today we can add another family of malware to the list – Backdoor.Win32.ATMii.", "spans": {"MALWARE: family of malware": [[91, 108]]}, "info": {"id": "cyner2_test_001456", "source": "cyner2_test"}} +{"text": "This lockdown screen includes two parts : A WebView containing a background picture loaded from a predefined URL .", "spans": {}, "info": {"id": "cyner2_test_001457", "source": "cyner2_test"}} +{"text": "Change archive command After this activation cycle , the malware will start the collection of information activities and dissemination .", "spans": {}, "info": {"id": "cyner2_test_001458", "source": "cyner2_test"}} +{"text": "This blog serves to discuss changes made by this group and the SamSa malware family since we last discussed them.", "spans": {"THREAT_ACTOR: group": [[49, 54]], "MALWARE: SamSa malware family": [[63, 83]]}, "info": {"id": "cyner2_test_001459", "source": "cyner2_test"}} +{"text": "The “ core ” module 
contacts the C & C server , trying to get a fresh list of applications to search for , or if that fails , use a default app list : whatsapp lenovo.anyshare.gps mxtech.videoplayer.ad jio.jioplay.tv jio.media.jiobeats jiochat.jiochatapp jio.join good.gamecollection opera.mini.native startv.hotstar meitu.beautyplusme domobile.applock touchtype.swiftkey flipkart.android cn.xender eterno truecaller For each application on the list , the “ core ” module checks for a matching version and MD5 hash of the installed application , and also checks for the application running in the user-space .", "spans": {"SYSTEM: whatsapp": [[151, 159]]}, "info": {"id": "cyner2_test_001460", "source": "cyner2_test"}} +{"text": "The supposed purpose of that app is to obtain and use a required “ security code ” to log in to their online banking site .", "spans": {}, "info": {"id": "cyner2_test_001461", "source": "cyner2_test"}} +{"text": "youlabuy [ .", "spans": {}, "info": {"id": "cyner2_test_001462", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan-PWS/W32.WebGame.474112 Trojan/OnLineGames.thbb TROJ_GAMETHI.CCS Win32.Trojan.WisdomEyes.16070401.9500.9694 W32/Trojan.DBPJ-8386 Infostealer.Onlinegame Win32/Zajim.A TROJ_GAMETHI.CCS Win.Trojan.Onlinegames-15948 Trojan.Win32.OnLineGames.bqprmm Trojan.Win32.PSWIGames.474112 Troj.GameThief.W32.OnLineGames.thbb!c Backdoor.Win32.DarkstRat.~A Trojan.PWS.Lineage.4854 Trojan.OnLineGames.Win32.74056 BehavesLike.Win32.Dropper.gh Trojan-PWS.Win32.QQPass W32/Trojan2.JUUB TrojanSpy.OnLineGames.eex Trojan:Win32/Blorso.B Trojan[GameThief]/Win32.OnLineGames Win32.PSWTroj.OnLineGames.kcloud Trojan:Win32/Blorso.B Trojan/Win32.OnlineGameHack.R58928 TScope.Trojan.Delf Win32.Trojan-GameThief.Onlinegames.bovd Trojan.PWS.OnLineGames!E2qkzLkLTec W32/OnLineGames.DRT!tr.pws", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001464", "source": "cyner2_test"}} +{"text": "We have compiled its main features in this brief analysis.", 
"spans": {}, "info": {"id": "cyner2_test_001465", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Backdoor/W32.Bionet.593920 Backdoor.Bionet Backdoor.RAT.BioNet Backdoor.Bionet.Win32.159 Backdoor.W32.Bionet.21!c Backdoor/Bionet.21 W32/Bionet.J Backdoor.Trojan Win32/Bionet.261 Html.Trojan.BioNetPlugin-1 Backdoor.Win32.Bionet.21 Trojan.Win32.Bionet-keyhook.guhf Backdoor.Win32.Bionet_21.EditSvr BackDoor.BioNet.210 Email-Worm.Win32.GOPworm.196 Backdoor.Win32.Bionet W32/Bionet.XPHY-4314 Backdoor/Bionet.21 Trojan.Bionet BDC/Bionet.21.EdS Trojan[Backdoor]/Win32.Bionet Backdoor:Win32/Bionet.2_1 Backdoor.Win32.Bionet.21 Win-Trojan/Bionet_v21.EditSvr Email-Worm.Win32.GOPworm.196 Backdoor.Bionet Win32/Bionet.21 Win32.Backdoor.Bionet.dmkz Backdoor.Bionet!E616B62dMbM W32/Bdoor.FK!tr.bdr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001466", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32.AppdataWinupdtLnr.Trojan Trojan.Dusvext.A5 Trojan/Vnfraye.a Trojan.Zusy.DAD2 TROJ_DUSVEXT.SM Win32.Backdoor.Vnfraye.b W32/Dusvext.A Backdoor.Trojan Win32/Tnega.AGBV TROJ_DUSVEXT.SM Backdoor.Win32.Vernet.axt Trojan.Win32.MLW.dpvjba Backdoor.Win32.IRCBot.146944.J Backdoor.W32.Vernet.to4n Backdoor.Win32.Amtar.vna BackDoor.Gbot.2171 Trojan.Vnfraye.Win32.1 BehavesLike.Win32.ZBot.ch W32/Dusvext.JEML-8693 BDS/Vertex.A Trojan:Win32/Dusvext.A Backdoor.Win32.Vernet.axt Backdoor.Vernet Trojan.Vnfraye.A Win32/Vnfraye.A Win32.Backdoor.Vernet.Pjdv Trojan.Vnfraye!ZphwYheYjUY RAT.Vertex W32/Vnfraye.AAA!tr Win32/Trojan.d72", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001467", "source": "cyner2_test"}} +{"text": "The malware was first spotted by Tatyana Shishkova from Kaspersky by end October 2019 , but actually dates back to June 2019 .", "spans": {"ORGANIZATION: Kaspersky": [[56, 65]]}, "info": {"id": "cyner2_test_001469", "source": "cyner2_test"}} +{"text": "Of the 10 million people who downloaded HummingBad-contaminated 
apps , an estimated 286,000 of them were located in the US .", "spans": {"MALWARE: HummingBad-contaminated": [[40, 63]]}, "info": {"id": "cyner2_test_001470", "source": "cyner2_test"}} +{"text": "] 160 [ .", "spans": {}, "info": {"id": "cyner2_test_001471", "source": "cyner2_test"}} +{"text": "EventBot is particularly interesting because it is in such early stages .", "spans": {"ORGANIZATION: EventBot": [[0, 8]]}, "info": {"id": "cyner2_test_001472", "source": "cyner2_test"}} +{"text": "Stolen Data Figure 8 : Sending data to the attacker .", "spans": {}, "info": {"id": "cyner2_test_001473", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.PSW.Sadam Trojan-PWS/W32.Sadam.18944 Trojan.PSW.Sadam Trojan/PSW.Sadam Trojan.Win32.Sadam.fxjw Win32/PSW.Sadam Trojan.PSW.Sadam Trojan-PSW.Win32.Sadam Trojan.PSW.Sadam Trojan.PWS.Sadam!lFmRyYmpwOU Trojan.Win32.A.PSW-Sadam.18944[h] Trojan.PSW.Sadam TrojWare.Win32.PSW.Sadam Trojan.PSW.Sadam Trojan.PWS.Pwl.4 Trojan.Sadam.Win32.1 BehavesLike.Win32.PWSOnlineGames.lm W32/Trojan.HRPL-2973 Trojan/PSW.Sadam W32/Farfli.NJ!tr Trojan[PSW]/Win32.Sadam Trojan.PSW.Sadam Troj.PSW32.W.Sadam!c Win-Trojan/PwlStealer.18944 TrojanPSW.Sadam Trojan.Win32.PSW Trojan.PSW.Sadam Win32/Trojan.PSW.418", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001474", "source": "cyner2_test"}} +{"text": "In this day and age, it's slightly different.", "spans": {}, "info": {"id": "cyner2_test_001475", "source": "cyner2_test"}} +{"text": "Mcafee analyzed one recent email campaign with an attached .rar file.", "spans": {"ORGANIZATION: Mcafee": [[0, 6]], "THREAT_ACTOR: email campaign": [[27, 41]]}, "info": {"id": "cyner2_test_001476", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Dropper.YIQ TrojanDropper.Blakamba.A5 Trojan.Dropper.YIQ Trojan.Dropper.YIQ TROJ_BLAKAMBA.SM TROJ_BLAKAMBA.SM Trojan.Dropper.YIQ Trojan.Dropper.YIQ Trojan.Win32.Blakamba.dxuyil Trojan.Dropper.YIQ 
TrojWare.Win32.TrojanDropper.Blakamba.A Trojan.Dropper.YIQ Adware.Yotoon.Win32.3224 BehavesLike.Win32.Multiplug.tc Virus.Win32.Obfuscator TR/Blakamba.aonaia Malware/Win32.SAPE.C1835825 Win32/Trojan.435", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001477", "source": "cyner2_test"}} +{"text": "Stolen data will also be encrypted and sent to the C & C server via the socket connection .", "spans": {}, "info": {"id": "cyner2_test_001478", "source": "cyner2_test"}} +{"text": "Apart from collecting the above data , the spyware monitors users ’ phone calls , records them , and saves the recorded file on the device .", "spans": {}, "info": {"id": "cyner2_test_001480", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Clicker Win32.Trojan.WisdomEyes.16070401.9500.9977 Trojan.DownLoader11.40591 Trojan.Win32.Clicker!BT Trojan.MSIL.TrojanClicker TrojanClicker:MSIL/Ezbro.B Trojan.Zusy.D1C4A9 Trojan.Win32.Clicker!BT", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001481", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32.Winib.Worm Trojan.Rincux.AW Backdoor.Rbot Trojan/PSW.Sinowal.ag Trojan.Rincux.AW Win32.Trojan.WisdomEyes.16070401.9500.9982 Win32/Xema.A!Dropper Win.Spyware.7826-2 Trojan.Rincux.AW Backdoor.Win32.Agobot.121020 Troj.Spy.W32!c Trojan.Rincux.AW Trojan.Rincux.AW BackDoor.Monsh BehavesLike.Win32.Dropper.ch W32.Trojan.Rincux Trojan.Rincux.AW Trojan.Rincux.AW Backdoor.Agobot Worm.AutoRun W32/AgoBot.H!tr.bdr Win32/Trojan.d74", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001482", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32.HfsAutoB.A1C4 Trojan/W32.Blocker.1092848 Trojan-Ransom.Win32.Blocker!O Trojan.Zusy.D8875 W32/Trojan.NJLB-1147 Ransom_Blocker.R002C0DLP17 Trojan-Ransom.Win32.Blocker.zdm Trojan.Win32.Blocker.crgjar Trojan.Win32.A.Blocker.1071104 Troj.Ransom.W32.Blocker!c Trojan.Inject1.15883 Trojan.Blocker.Win32.2372 
Trojan/Blocker.otu TR/Injector.zuzfm Trojan[Ransom]/Win32.Blocker Trojan-Ransom.Win32.Blocker.zdm Hoax.Blocker Trojan-ransom.Win32.Blocker.kjb Trojan.Blocker!JH0Sb6Ye/p4 W32/Injector.YVK!tr Win32/Trojan.Ransom.ac8", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001483", "source": "cyner2_test"}} +{"text": "A backdoor also known as: VB:Trojan.Valyria.645 W97M.Downloader.BDU W97M/Downloader.cct W97M.Downloader W2KM_DLOADR.YYTBR Doc.Macro.Obfuscation-6331107-0 VB:Trojan.Valyria.645 VB:Trojan.Valyria.645 W97M.S.Downloader.277504.A VB:Trojan.Valyria.645 VB:Trojan.Valyria.645 W2KM_DLOADR.YYTBR W97M/Downloader.cct W2000M/Downloader.MS.102 Trojan:O97M/Paudo.A HEUR.VBA.Trojan.e VB:Trojan.Valyria.645 W97M/Dropper.VM virus.office.qexvmc.1095", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001484", "source": "cyner2_test"}} +{"text": "A backdoor also known as: WS.Reputation.1 Percol.A Trojan.DownLoad3.22191 TrojanDownloader.Icehart.bt Win32.Troj.Undef.kcloud TrojanDropper:Win32/Percol.B Downloader/Win32.Icehart Trojan-Downloader.Win32.Icehart Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001485", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Nuker.BattlePong.1.0 Trojan/W32.Nuker.199168 Trojan.Battlepong FDoS-BattlePong.03 Trojan/Exploit.Nuker.BattlePong.10 Win32/Nuker.BattlePong.10 Win.Trojan.N-122 Exploit.Win32.Nuker.BattlePong.10 Trojan.Nuker.BattlePong.1.0 Exploit.Win32.BattlePong.cqpilz Exploit.W32.Nuker.BattlePong.10!c Win32.Exploit.Nuker.Lked Trojan.Nuker.BattlePong.1.0 TrojWare.Win32.Nuker.BattlePong.10 Trojan.Nuker.BattlePong.1.0 FDOS.Pong.10 Tool.BattlePong.Win32.2 FDoS-BattlePong.03 Nuker.Win32.BattlePong W32/Risk.MXKK-2153 Nuke/Win32.BattlePong.10 TR/Nuke.BattlePo.10 Trojan[Exploit]/Win32.Nuker Win32.Troj.BattlePong.kcloud Trojan.Nuker.BattlePong.1.0 Trojan.Win32.BattlePong_Nuker Exploit.Win32.Nuker.BattlePong.10 Trojan/Win32.HDC.C1336 
Trojan.Nuker.BattlePong.1.0 Nuker.BattlePong Trojan.BattlePong Trojan.Nuker.BattlePong.1.0 Nuker/BattlePong.10 Win32/Trojan.Nuker.129", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001486", "source": "cyner2_test"}} +{"text": "The Sandworm Team has carried out a global, sustained cyber espionage campaign since at least 2009.", "spans": {"THREAT_ACTOR: The Sandworm Team": [[0, 17]], "THREAT_ACTOR: cyber espionage campaign": [[54, 78]]}, "info": {"id": "cyner2_test_001488", "source": "cyner2_test"}} +{"text": "Next, it was used in combination with DNS-based exfiltration aka DNS tunneling.", "spans": {"SYSTEM: DNS-based exfiltration": [[38, 60]], "SYSTEM: DNS tunneling.": [[65, 79]]}, "info": {"id": "cyner2_test_001489", "source": "cyner2_test"}} +{"text": "Check Point reached out to Google on September 10 , 2015 , and the app containing the malware was removed from Google Play on September 15 , 2015 .", "spans": {"ORGANIZATION: Check Point": [[0, 11]], "ORGANIZATION: Google": [[27, 33]], "SYSTEM: Google Play": [[111, 122]]}, "info": {"id": "cyner2_test_001490", "source": "cyner2_test"}} +{"text": "Kaspersky Internet Security for Android and the Sberbank Online app securely protect users against attacks by this Trojan .", "spans": {"SYSTEM: Kaspersky Internet Security": [[0, 27]], "SYSTEM: Android": [[32, 39]], "SYSTEM: Sberbank Online app": [[48, 67]]}, "info": {"id": "cyner2_test_001491", "source": "cyner2_test"}} +{"text": "A backdoor also known as: HW32.Packed.8FE8 Win32.Trojan.WisdomEyes.16070401.9500.9998 Win.Trojan.Adylkuzz-6317076-0 BehavesLike.Win32.Ramnit.tc Trojan:Win32/Adylkuzz.B Trojan.Symmi.D1383C Unwanted/Win32.BitCoinMiner.C1986458 Trojan.Win32.Adylkuzz W32/Packed.GV!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001492", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan-PSW.Win32.VB!O TrojanPWS.VB.CX Trojan/PSW.VB.bia Win32.Trojan.WisdomEyes.16070401.9500.9740 W32/PWS.MPWG-1251 
Win.Spyware.73829-2 Worm.Win32.VBNA.b Trojan.Win32.VB.eakjix Trojan.Win32.PSWVB.69812 Worm.W32.Vbna!c TrojWare.Win32.PSW.VB.NEC0 Trojan.MulDrop2.64396 Worm.VBNA.Win32.30118 BehavesLike.Win32.BadFile.lt Trojan-PWS.Win32.VB W32/Pws.BOIA Worm.VBNA.pcb Worm/Win32.VBNA Trojan.Heur.VP.E2F388 Worm.Win32.VBNA.b PWS:Win32/Tamenoc.A Worm/Win32.VBNA.C99913 MAS.Trojan.VB.01252 Win32/PSW.VB.NEC Win32.Worm.Vbna.Phqe Trojan.PWS.VB!uu94wtoX/Rs W32/VBNA.B!worm", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001493", "source": "cyner2_test"}} +{"text": "The organization appears to be shut down , but the threat actors are still very active .", "spans": {}, "info": {"id": "cyner2_test_001495", "source": "cyner2_test"}} +{"text": "Taking this information from directory listings , like the one shown above , allowed for the decryption of all content .", "spans": {}, "info": {"id": "cyner2_test_001496", "source": "cyner2_test"}} +{"text": "These campaigns utilized fileless loading of a relatively new malware called August through the use of Word macros and PowerShell.", "spans": {"THREAT_ACTOR: campaigns": [[6, 15]], "MALWARE: malware": [[62, 69]], "MALWARE: August": [[77, 83]], "MALWARE: Word macros": [[103, 114]], "SYSTEM: PowerShell.": [[119, 130]]}, "info": {"id": "cyner2_test_001497", "source": "cyner2_test"}} +{"text": "Stegoloader could represent an emerging trend in malware: the use of digital steganography to hide malicious code.", "spans": {"MALWARE: Stegoloader": [[0, 11]], "MALWARE: malware:": [[49, 57]], "MALWARE: malicious code.": [[99, 114]]}, "info": {"id": "cyner2_test_001498", "source": "cyner2_test"}} +{"text": "Additionally, TA530 customizes the email to each target by specifying the target's name, job title, phone number, and company name in the email body, subject, and attachment names.", "spans": {"THREAT_ACTOR: TA530": [[14, 19]]}, "info": {"id": "cyner2_test_001499", "source": "cyner2_test"}} +{"text": "Recently, Unit42 discovered a new 
version of the OceanLotus backdoor in our WildFire cloud analysis platform which may be one of the more advanced backdoors we have seen on macOS to date.", "spans": {"ORGANIZATION: Unit42": [[10, 16]], "MALWARE: OceanLotus": [[49, 59]], "MALWARE: backdoor": [[60, 68]], "MALWARE: advanced backdoors": [[138, 156]], "SYSTEM: macOS": [[173, 178]]}, "info": {"id": "cyner2_test_001500", "source": "cyner2_test"}} +{"text": "Despite having been in the wild for an extended period of time, the operation appears to still be active.", "spans": {}, "info": {"id": "cyner2_test_001501", "source": "cyner2_test"}} +{"text": "Gaza cybergang is a politically motivated Arabic cybercriminal group operating in the MENA Middle East North Africa region, mainly Egypt, United Arab Emirates and Yemen.", "spans": {"THREAT_ACTOR: Gaza cybergang": [[0, 14]], "THREAT_ACTOR: Arabic cybercriminal group": [[42, 68]]}, "info": {"id": "cyner2_test_001502", "source": "cyner2_test"}} +{"text": "For this particular packet , the reason is registration of the bot .", "spans": {}, "info": {"id": "cyner2_test_001503", "source": "cyner2_test"}} +{"text": "A backdoor also known as: TrojanDropper.Injector Win32.Trojan.WisdomEyes.16070401.9500.9783 W32/Trojan.AFOE-3875 Trojan-Dropper.Win32.Injector.phoq Trojan.Win32.Dwn.eekcko Trojan.Win32.Z.Zusy.396034 W32.W.Fearso.lDrx Trojan.DownLoader14.35508 Trojan.Delf.Win32.76181 BehavesLike.Win32.Oror.fc Trojan.Win32.PSW Trojan.Zusy.D34BC4 Trojan-Dropper.Win32.Injector.phoq PWS:Win32/Cowdenry.A!bit Trojan/Win32.Buzus.R2227 TrojanDropper.Injector Trj/CI.A Win32.Trojan.Inject.Auto Win32/Trojan.5a2", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001504", "source": "cyner2_test"}} +{"text": "The organization was closed after the CSIS presentation .", "spans": {"ORGANIZATION: CSIS": [[38, 42]]}, "info": {"id": "cyner2_test_001505", "source": "cyner2_test"}} +{"text": "LemonDuck mining botnet, also known as the Eternal Blue downloader Trojan 
DTLMiner.", "spans": {"MALWARE: LemonDuck mining botnet,": [[0, 24]], "MALWARE: the Eternal Blue downloader Trojan": [[39, 73]], "MALWARE: DTLMiner.": [[74, 83]]}, "info": {"id": "cyner2_test_001506", "source": "cyner2_test"}} +{"text": "Also known as Disttrack, Shamoon is a highly destructive malware family that effectively wipes the victim machine.", "spans": {"MALWARE: Disttrack, Shamoon": [[14, 32]], "MALWARE: malware family": [[57, 71]], "SYSTEM: the victim machine.": [[95, 114]]}, "info": {"id": "cyner2_test_001507", "source": "cyner2_test"}} +{"text": "CopyKittens is a cyberespionage group that has been operating since at least 2013.", "spans": {"THREAT_ACTOR: CopyKittens": [[0, 11]], "THREAT_ACTOR: cyberespionage group": [[17, 37]]}, "info": {"id": "cyner2_test_001508", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan/W32.Small.40960.AEH Downloader.Multidl.16282 Trojan.Graftor.DFA71 Trojan.DownLoad3.32618 BehavesLike.Win32.Downloader.pc Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001509", "source": "cyner2_test"}} +{"text": "Below is a fragment of such a log : Log with specified command Log files can be uploaded to the FTP server and sent to the attacker ’ s email inbox .", "spans": {}, "info": {"id": "cyner2_test_001510", "source": "cyner2_test"}} +{"text": "About 57 % of these devices are located in Asia and about 9 % are in Europe .", "spans": {}, "info": {"id": "cyner2_test_001512", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Kazy.D2AFE6 MSIL.Backdoor.Bladabindi.a W32/Trojan.ZFGR-8663 Trojan.Msil TR/Spy.zwtrn TrojanSpy:MSIL/Flunuceo.B!bit", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001513", "source": "cyner2_test"}} +{"text": "With a lot of highly confidential data found in these servers and devices, a UNIX version of BIFROSE can certainly be classified as a threat.", "spans": {"SYSTEM: servers": [[54, 61]], "SYSTEM: devices,": [[66, 74]], 
"SYSTEM: UNIX version": [[77, 89]], "MALWARE: BIFROSE": [[93, 100]], "MALWARE: threat.": [[134, 141]]}, "info": {"id": "cyner2_test_001514", "source": "cyner2_test"}} +{"text": "An analysis of the malware family can be found later in this blog.", "spans": {"MALWARE: malware family": [[19, 33]]}, "info": {"id": "cyner2_test_001515", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32.Clod7f8.Trojan.ff31 Backdoor.Win32.Vinself!O Backdoor/Vinself.a Win32.Trojan.WisdomEyes.16070401.9500.9569 W32/MalwareF.ADSSJ Backdoor.Trojan Trojan.Win32.Vinself.cpadj Backdoor.Win32.A.Vinself.57344[h] Backdoor.W32.Vinself.a!c BackDoor.Comet.435 BehavesLike.Win32.Dropper.qm W32/Risk.KOVS-4418 Backdoor:Win32/Vinself.A Backdoor.Vinself Win32.Backdoor.Backdoor.Alir Backdoor.Win32.Vinself", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001516", "source": "cyner2_test"}} +{"text": "This backdoor shares a significant portion of its code with the Windows-based version of the XSLCmd backdoor that has been around since at least 2009.", "spans": {"MALWARE: backdoor": [[5, 13]], "SYSTEM: Windows-based version": [[64, 85]], "MALWARE: XSLCmd backdoor": [[93, 108]]}, "info": {"id": "cyner2_test_001517", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Backdoor/W32.CSpam.122880.B Win32.Trojan.WisdomEyes.16070401.9500.9694 Backdoor.Trojan Win.Trojan.Cspam-3 Trojan.Win32.CSpam.vpryu Backdoor.Win32.A.CSpam.118784 Backdoor.W32.CSpam.c!c Trojan.MulDrop3.10935 Backdoor/CSpam.a BDS/CSpam.CA Trojan[Backdoor]/Win32.CSpam Backdoor:Win32/Samcigap.A Backdoor.CSpam Backdoor.CSpam!oR5QSbjV3Js Backdoor.Win32.CSpam Win32/Trojan.3ff", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001519", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojandownloader.Moljec Backdoor.W32.Hupigon.kYZB Trojan.Razy.D3D5A4 Win32.Trojan.WisdomEyes.16070401.9500.9808 BehavesLike.Win32.RAHack.nm Trojan-Downloader.Win32.Moljec TR/Dldr.Moljec.hglxv 
TrojanDownloader:Win32/Moljec.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001520", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32.OnGamesLTLIBMSK.Trojan Backdoor/W32.Nbdd.73728.C Backdoor.Win32.Nbdd!O Backdoor.Venik.A6 Backdoor/Nbdd.myv Trojan.Kazy.D77C8E Win32.Trojan.PcClient.f Backdoor.Trojan Win.Trojan.Nbdd-12 Trojan.Win32.Nbdd.dutcj Trojan.DownLoad.64546 BehavesLike.Win32.Dropper.lh Backdoor/Nbdd.mk Trojan[Backdoor]/Win32.Nbdd Backdoor:Win32/Netbot.D Backdoor/Win32.Nbdd.R12332 Backdoor.Nbdd Backdoor.Nbdd!JW4qDWiwtBQ W32/Nbdd.MYV!tr Backdoor.Win32.NBVIP.B", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001521", "source": "cyner2_test"}} +{"text": "The code is heavily obfuscated and made unreadable through name mangling and use of meaningless variable names : Decryption with a twist The malware uses an interesting decryption routine : the string values passed to the decryption function do not correspond to the decrypted value , they correspond to junk code to simply hinder analysis .", "spans": {}, "info": {"id": "cyner2_test_001522", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Backdoor/W32.Androm.331776.K Backdoor.Androm Backdoor.W32.Androm!c Win32.Trojan.WisdomEyes.16070401.9500.9514 Backdoor.Win32.Androm.oyyc Trojan.Win32.Androm.exlhcw Trojan.Win32.Z.Androm.331776.Q Trojan.DownLoader26.14144 Trojan.Win32.Injector Backdoor.Androm.wlr Trojan[Backdoor]/Win32.Androm Trojan:Win32/Totbrick.H Backdoor.Win32.Androm.oyyc Trojan.TrickBot Trj/CI.A Trojan.Midie.DAA06 Win32.Backdoor.Androm.Wsud Win32/Backdoor.06f", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001523", "source": "cyner2_test"}} +{"text": "An extended malware hunting process returned to us a large set of “ Agent Smith ” dropper variants which helped us further deduce a relation among multiple C & C server infrastructures .", "spans": {"MALWARE: Agent Smith": [[68, 79]]}, "info": {"id": 
"cyner2_test_001524", "source": "cyner2_test"}} +{"text": "Palo Alto Networks' Unit 42 recently blogged about a new Poison Ivy variant targeting Hong Kong activists dubbed SPIVY that uses DLL sideloading and operates quite differently from a variant recently observed by ASERT that has been active for at least the past 12 months.", "spans": {"ORGANIZATION: Palo Alto Networks'": [[0, 19]], "MALWARE: Poison Ivy variant": [[57, 75]], "ORGANIZATION: activists": [[96, 105]], "MALWARE: SPIVY": [[113, 118]], "ORGANIZATION: ASERT": [[212, 217]]}, "info": {"id": "cyner2_test_001525", "source": "cyner2_test"}} +{"text": "In addition to adding the code , the attackers also changed the icon and package name .", "spans": {}, "info": {"id": "cyner2_test_001526", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Neurevt.A5 Win32.Trojan.WisdomEyes.16070401.9500.9799 W32/Trojan.PLNQ-7286 Trojan.Win32.GuX.ewvemj TrojWare.Win32.Neurevt.BBS Trojan.Win32.Neurevt Trojan.Heur.E04C69 Trojan/Win32.Neurevt.R156208 Trojan.Neurevt Trj/CI.A W32/Neurevt.3C40!tr Win32/Trojan.e6d", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001527", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan-Downloader/W32.OneClickNetSearch.69632.C IMIServer.download Trojan/Downloader.OneClickNetSearch.b Trojan.Win32.OneClickNetSearch.dktm W32/Downloader.JOSL-6677 Adware.IEPlugin Win32/TrojanDownloader.OneClickNetS.B SPYW_IMISERV.C Trojan.Downloader.OneClickNetSearch-2 Trojan-Downloader.Win32.OneClickNetSearch.b TrojanDownloader.NetSearch!886wZrg7qCQ Virus.Win32.Heur.c TrojWare.Win32.TrojanDownloader.OneClickNetS.B Trojan.DownLoader.765 Downloader.OneClickNetSearch.Win32.9 SPYW_IMISERV.C BehavesLike.Win32.Comame.kt W32/Downldr2.AGKQ TrojanDownloader.ClkNetSch.b TR/OneClickSrch.E.2 Trojan[Downloader]/Win32.OneClickNetSearch Troj.Downloader.W32.OneClickNetSearch.b!c Win-Trojan/Oneclicknetsearch.69632.C TrojanDownloader:Win32/OneClkNetSrch.B Trj/Imiserv.B 
Trojan-Downloader.Win32.OneClickNetSearch Downloader.Onenet.B", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001528", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32.Clod664.Trojan.cba8 Win32.Trojan.WisdomEyes.16070401.9500.9684 W32/Trojan.MJBK-1284 BKDR_ISMDOOR.C Trojan.Win32.Revizer.eizvti Trojan.Revizer.1141 trojan.winnt.mooqkel.a Trojan:Win32/Toorf.A!dha Trojan/Win32.Ismdoor.R194423 Trj/GdSda.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001529", "source": "cyner2_test"}} +{"text": "A backdoor also known as: JS.Exploit.Pdfka.qe JS/Crypted.LT Bloodhound.Exploit.357 PDF/CVE-2010-2883.A!exploit TROJ_PIDIEF.SMZH Exploit.Win32.CVE-2010-2883.a Exploit.Script.Pdfka.bkbqa Exploit.TTF.CVE-2010-2883.a SCRIPT.Virus BehavesLike.PDF.Evasion.cn JS/Crypted.LT EXP/CVE-2010-2883.AI Trojan[Exploit]/TTF.CVE-2010-2883 Exploit.Win32.CVE-2010-2883.a JS/Exploit.Pdfka.OIB JS.Base64er.B Exploit.Win32.CVE-2010-2883 PDF:Exploit.PDF-JS.AGL virus.cve.20102883", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001530", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9982 Ransom_Zuresq.R002C0DAQ18 Win.Trojan.Zerolocker-1 Hoax.Win32.FakeRansom.df Trojan.Win32.Z.Zuresq.406528 Ransom_Zuresq.R002C0DAQ18 W32/Trojan.LNUU-1055 TR/Fraud.xacle Ransom:Win32/Zuresq.A Trojan.MSILPerseus.D1AE93 Hoax.Win32.FakeRansom.df Trojan/Win32.Ransomcrypt.C536978 Trj/GdSda.A Trojan-Ransom.FileCoder Win32/Trojan.89b", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001531", "source": "cyner2_test"}} +{"text": "Figure 26 : “ Agent Smith ” Campaign timeline Greater “ Agent Smith ” Campaign Discovery Orchestrating a successful 9Apps centric malware campaign , the actor behind “ Agent Smith ” established solid strategies in malware proliferation and payload delivery .", "spans": {"MALWARE: Agent Smith": [[14, 25], [56, 67], [168, 179]], "SYSTEM: 
9Apps": [[116, 121]]}, "info": {"id": "cyner2_test_001532", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9959 Trojan.Razy.D1F561 Trj/GdSda.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001533", "source": "cyner2_test"}} +{"text": "A backdoor also known as: HW32.Packed.D6C8 Trojan.Farfli.Win32.7981 Win32.Trojan-GameThief.OnlineGames.h BehavesLike.Win32.Trojan.cc TR/Zegost.EB Backdoor:Win32/Morix.B Trojan.Heur.GM.D3D8682 Adware/Win32.NaviPromo.R36681 TScope.Malware-Cryptor.SB Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001534", "source": "cyner2_test"}} +{"text": "Citizen Lab This report describes an elaborate phishing campaign against targets in Iran's diaspora, and at least one Western activist.", "spans": {"ORGANIZATION: Citizen Lab": [[0, 11]], "THREAT_ACTOR: phishing campaign": [[47, 64]], "ORGANIZATION: Iran's diaspora,": [[84, 100]], "MALWARE: at": [[105, 107]], "ORGANIZATION: Western activist.": [[118, 135]]}, "info": {"id": "cyner2_test_001535", "source": "cyner2_test"}} +{"text": "What we found was a kit that operated on a relatively small infrastructure footprint, but had what appeared to be one of the largest domain shadowing implementations we had ever seen.", "spans": {"MALWARE: kit": [[20, 23]], "SYSTEM: small infrastructure": [[54, 74]]}, "info": {"id": "cyner2_test_001536", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Suweezy.N5 PUP.Optional.Elex Trojan.Win32.AdLoad.egraob PUP.ELEX/Variant Adware.SoEasy.1 BehavesLike.Win32.PUPXAI.ch Trojan.Adload.f PUP/Win32.Helper.R188556 Trojan.AdLoad Trj/GdSda.A Win32/Virus.e45", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001537", "source": "cyner2_test"}} +{"text": "Various artifices indicate that the main target of this campaign is IEC – Israel Electric Company.", "spans": {"THREAT_ACTOR: campaign": [[56, 64]], "ORGANIZATION: IEC": [[68, 
71]], "ORGANIZATION: Israel Electric Company.": [[74, 98]]}, "info": {"id": "cyner2_test_001538", "source": "cyner2_test"}} +{"text": "We will continue to monitor this ransomware family to ensure customers are protected and to share our findings and insights to the community for broad protection against these evolving mobile threats .", "spans": {}, "info": {"id": "cyner2_test_001539", "source": "cyner2_test"}} +{"text": "Based upon our visibility it has primarily targeted organizations in the energy, government, and technology sectors that are either in in or business interests in Saudi Arabia.", "spans": {"ORGANIZATION: organizations": [[52, 65]], "ORGANIZATION: the energy, government,": [[69, 92]], "ORGANIZATION: technology sectors": [[97, 115]], "ORGANIZATION: business interests": [[141, 159]]}, "info": {"id": "cyner2_test_001540", "source": "cyner2_test"}} +{"text": "A new breed of cybercriminals has surfaced in China.", "spans": {"THREAT_ACTOR: cybercriminals": [[15, 29]]}, "info": {"id": "cyner2_test_001541", "source": "cyner2_test"}} +{"text": "A backdoor also known as: PDF:Exploit.PDF-JS.VD Exploit.Js.Pdfka!c Trojan.Pidief JS/Exploit.Pdfka.QDD TROJ_PIDIEF.OPL PDF:Exploit.PDF-JS.VD Exploit.JS.Pdfka.giy Trojan.Pdf.Pdfka.blkemm PDF.S.Exploit.806918 Exploit:W32/MiniDuke.C Exploit.PDF.5708 TROJ_PIDIEF.OPL BehavesLike.PDF.Trojan.bb EXP/CVE-2013-0640.A Exploit.JS.Pdfka.giy Exploit-PDF.b Exploit.JS.Pdfka.giy Pdf.Exploit.Pdfka.Ljki Exploit.PDF.Miniduke PDF/Pdfka.GIY!exploit virus.js.unescapepmen.4", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001542", "source": "cyner2_test"}} +{"text": "Weaponizing documents to exploit known Microsoft Word vulnerabilities is a common tactic deployed by many adversary groups, but in this example, we discovered RTF documents containing embedded OLE Word documents further containing embedded Adobe Flash .SWF files, designed to exploit Flash vulnerabilities rather than Microsoft Word.", "spans": 
{"VULNERABILITY: Microsoft Word vulnerabilities": [[39, 69]], "THREAT_ACTOR: adversary groups,": [[106, 123]], "VULNERABILITY: exploit Flash vulnerabilities": [[276, 305]], "SYSTEM: Microsoft Word.": [[318, 333]]}, "info": {"id": "cyner2_test_001543", "source": "cyner2_test"}} +{"text": "A few days later, security teams overseas claimed that this incident was related to the BlackEnergy trojan and some malicious code samples had been acquired and analyzed.", "spans": {"ORGANIZATION: security teams overseas": [[18, 41]], "THREAT_ACTOR: BlackEnergy": [[88, 99]], "MALWARE: trojan": [[100, 106]], "MALWARE: malicious code samples": [[116, 138]]}, "info": {"id": "cyner2_test_001544", "source": "cyner2_test"}} +{"text": "This matches our observations of C2 servers as shown in Figure 7 .", "spans": {}, "info": {"id": "cyner2_test_001545", "source": "cyner2_test"}} +{"text": "Brazilian cybercriminals are notorious for their ability to develop banking trojans but now they have started to focus their efforts in new areas, including ransomware.", "spans": {"THREAT_ACTOR: Brazilian cybercriminals": [[0, 24]], "MALWARE: develop banking trojans": [[60, 83]], "MALWARE: ransomware.": [[157, 168]]}, "info": {"id": "cyner2_test_001546", "source": "cyner2_test"}} +{"text": "When rooting fails , a second component delivers a fake system update notification in hopes of tricking users into granting HummingBad system-level permissions .", "spans": {"MALWARE: HummingBad": [[124, 134]]}, "info": {"id": "cyner2_test_001547", "source": "cyner2_test"}} +{"text": "When all the necessary card details are entered and have been checked , all the information is uploaded to the C & C .", "spans": {}, "info": {"id": "cyner2_test_001548", "source": "cyner2_test"}} +{"text": "In that case , the only help comes from an antivirus solution , for example , Kaspersky Internet Security for Android .", "spans": {"SYSTEM: Kaspersky Internet Security": [[78, 105]], "SYSTEM: Android": [[110, 117]]}, "info": 
{"id": "cyner2_test_001549", "source": "cyner2_test"}} +{"text": "The developer simply has to register and receive a unique ID for his applications .", "spans": {}, "info": {"id": "cyner2_test_001550", "source": "cyner2_test"}} +{"text": "In early July 2015, Chinese APT actors used an Adobe Flash Player exploit within a specific webpage detailing a noteworthy international legal case between the Philippines and China.", "spans": {"THREAT_ACTOR: Chinese APT actors": [[20, 38]], "SYSTEM: Adobe Flash Player": [[47, 65]], "MALWARE: exploit": [[66, 73]]}, "info": {"id": "cyner2_test_001552", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Win32.Kryptik.eumbqf Trojan.Trick.45153 W32/Trojan.CBMR-6295 TR/Crypt.ZPACK.zookg Trojan.Symmi.D1340B Trojan/Win32.Mansabo.R210617 Trj/GdSda.A Win32.Trojan.Graftor.Lhdi Trojan.Win32.Crypt W32/Kryptik.FXWW!tr Win32/Trojan.dbf", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001553", "source": "cyner2_test"}} +{"text": "Figure 12 : Boot module After the patch module is extracted , the “ boot ” module executes it , using the same method described in the “ loader ” module .", "spans": {}, "info": {"id": "cyner2_test_001554", "source": "cyner2_test"}} +{"text": "The system verifies the signature of the legitimate file while installing the malicious file .", "spans": {}, "info": {"id": "cyner2_test_001556", "source": "cyner2_test"}} +{"text": "Other MacOS targeting activities reveal continuous refinement of AppleJeus, a MacOS backdoor developed by ITG03, complete with fake website to legitimize itself.", "spans": {"SYSTEM: MacOS": [[6, 11], [78, 83]], "MALWARE: AppleJeus,": [[65, 75]], "MALWARE: backdoor": [[84, 92]], "THREAT_ACTOR: ITG03,": [[106, 112]]}, "info": {"id": "cyner2_test_001557", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32.Dzan.A Win32.Trojan.WisdomEyes.16070401.9500.9997 Win32/SillyAutorun.ADC Trojan.MulDrop2.16084 
BehavesLike.Win32.Virus.ct W32/Dzan.C Trojan:Win32/Obvesa.A Win32/Dzan.E Virus.Obvesa.24905 Virus.Win32.Dzan.ac Win32/Trojan.aca", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001558", "source": "cyner2_test"}} +{"text": "SpyDealer uses exploits from a commercial rooting app to gain root privilege, which enables the subsequent data theft.", "spans": {"MALWARE: SpyDealer": [[0, 9]], "MALWARE: exploits": [[15, 23]], "SYSTEM: commercial rooting app": [[31, 53]], "VULNERABILITY: root privilege,": [[62, 77]]}, "info": {"id": "cyner2_test_001559", "source": "cyner2_test"}} +{"text": "Analysis of this telemetry shows infected devices are completely based in Gaza , Palestine .", "spans": {}, "info": {"id": "cyner2_test_001560", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Yakes.Win32.67751 Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Win32.Snojan.ccyy Trojan.Win32.Yakes.exngmv Troj.Crypt.Xpack!c Trojan.Ssebot.2 BehavesLike.Win32.Dropper.tc Trojan.Yakes.yvk Trojan/Win32.Yakes Spammer:Win32/Morphisil.A Trojan.Win32.Snojan.ccyy Trojan/Win32.Yakes.C2388388 Trojan.Win32.Krypt W32/Kryptik.EYUI!tr Trj/GdSda.A Win32/Trojan.6c1", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001561", "source": "cyner2_test"}} +{"text": "While adware is usually considered annoying for users and relatively harmless to enterprise security, the adware campaigns we've seen since the beginning of 2016 behave more like advanced network threats.", "spans": {"MALWARE: adware": [[6, 12]], "ORGANIZATION: users": [[48, 53]], "ORGANIZATION: to enterprise security,": [[78, 101]], "THREAT_ACTOR: the adware campaigns": [[102, 122]], "MALWARE: advanced network threats.": [[179, 204]]}, "info": {"id": "cyner2_test_001562", "source": "cyner2_test"}} +{"text": "In the run up to the French election runoff between Emmanuel Macron and Marine Le Pen, ThreatConnect reviews intelligence suggesting domains spoofing Macron's En-Marche.fr website 
are associated with Russian cyber activity.", "spans": {"ORGANIZATION: the French election": [[17, 36]], "ORGANIZATION: Emmanuel Macron": [[52, 67]], "ORGANIZATION: Marine Le Pen,": [[72, 86]], "ORGANIZATION: ThreatConnect": [[87, 100]], "THREAT_ACTOR: Russian cyber activity.": [[200, 223]]}, "info": {"id": "cyner2_test_001563", "source": "cyner2_test"}} +{"text": "We have also been tracking an actor experimenting with various loaders, providing insights into these evolving components of malware ecosystems.", "spans": {"THREAT_ACTOR: actor": [[30, 35]], "MALWARE: loaders,": [[63, 71]], "MALWARE: malware ecosystems.": [[125, 144]]}, "info": {"id": "cyner2_test_001564", "source": "cyner2_test"}} +{"text": "Widely discussed in the media, the attacks took advantage of known BlackEnergy Trojans as well as several new modules.", "spans": {"ORGANIZATION: media,": [[24, 30]], "THREAT_ACTOR: BlackEnergy": [[67, 78]], "MALWARE: Trojans": [[79, 86]], "MALWARE: modules.": [[110, 118]]}, "info": {"id": "cyner2_test_001565", "source": "cyner2_test"}} +{"text": "The callee then invokes the getAction method to get the decrypted content .", "spans": {}, "info": {"id": "cyner2_test_001566", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Ransom.Enigma.A7 Ransom_Eniqma.R002C0DA118 W32/Trojan.LKZC-7910 Ransom.Enigma!gm Ransom_Eniqma.R002C0DA118 Win32.Trojan-Ransom.Enigma.A Trojan.Win32.Encoder.ewphil Trojan.Win32.Z.Zusy.537088.HH Trojan.Encoder.4462 BehavesLike.Win32.AdwareConvertAd.hh Trojan.Crynigma.a TR/FileCoder.udtur Trojan[Ransom]/Win32.Crypmod Trojan.Zusy.D2EDC9 Ransom:Win32/Eniqma.A Trojan/Win32.Coverton.C1407984 Trojan-Ransom.FileCoder Win32/Trojan.808", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001567", "source": "cyner2_test"}} +{"text": "Various versions may also change the index of the split ( e.g .", "spans": {}, "info": {"id": "cyner2_test_001568", "source": "cyner2_test"}} +{"text": "A backdoor also known as: 
Win32.Troj.Undef.kcloud Win32/Scieron.F W32/Scieron.F", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001569", "source": "cyner2_test"}} +{"text": "A backdoor also known as: VBS.DownLoader.1051 VBS/Downldr.HM VBS/Nemucod.391C!tr.dldr Trojan-Ransom.Script.GlobeImposter", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001570", "source": "cyner2_test"}} +{"text": "] 11/xvideo/ hxxp : //apple-icloud [ .", "spans": {}, "info": {"id": "cyner2_test_001571", "source": "cyner2_test"}} +{"text": "A backdoor also known as: TROJ_GE.5C3C51AF Win32.Trojan.WisdomEyes.16070401.9500.9933 Trojan.Win32.Kryptik.eljody Trojan.DownLoader23.49708 TR/Crypt.Xpack.341620 Trojan:Win32/Dacic.A!rfn Trj/CI.A Trojan.MSIL.Disfa Win32/Trojan.d7e", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001572", "source": "cyner2_test"}} +{"text": "Indicators of Compromise ( IoCs ) hxxp : //mcsoft365.com/c hxxp : //pingconnect.net/c Hashes MD5 : 5c749c9fce8c41bf6bcc9bd8a691621b SHA256 : 284bd2d16092b4d13b6bc85d87950eb4c5e8cbba9af2a04d76d88da2f26c485c MD5 : b264af5d2f3390e465052ab502b0726d SHA256 : 8ab1712ce9ca2d7952ab763d8a4872aa6a278c3f60dc13e0aebe59f50e6e30f6 The TrickMo Factor The TrickBot Trojan was one of the most active banking malware strains in the cybercrime arena in 2019 .", "spans": {"MALWARE: TrickMo": [[323, 330]], "MALWARE: TrickBot Trojan": [[342, 357]]}, "info": {"id": "cyner2_test_001573", "source": "cyner2_test"}} +{"text": "After performing a fraudulent action , stealing the OTP/mTAN , TrickMo buys some time by activating the lock screen and preventing the user from accessing their device .", "spans": {"MALWARE: TrickMo": [[63, 70]]}, "info": {"id": "cyner2_test_001574", "source": "cyner2_test"}} +{"text": "] today PHA Family Highlights : Zen and its cousins January 11 , 2019 Google Play Protect detects Potentially Harmful Applications ( PHAs ) which Google Play Protect defines as any mobile app that poses a 
potential security risk to users or to user data—commonly referred to as \" malware .", "spans": {"MALWARE: Zen": [[32, 35]], "SYSTEM: Google Play Protect": [[70, 89], [146, 165]]}, "info": {"id": "cyner2_test_001575", "source": "cyner2_test"}} +{"text": "A new type of botnet malware written in the Go programming language is active and targets web servers, according to researchers at Palo Alto Networks, who have recently discovered a sample of Go-based malware.", "spans": {"MALWARE: botnet malware": [[14, 28]], "SYSTEM: the Go programming language": [[40, 67]], "SYSTEM: web servers,": [[90, 102]], "ORGANIZATION: researchers": [[116, 127]], "ORGANIZATION: Palo Alto Networks,": [[131, 150]], "MALWARE: Go-based malware.": [[192, 209]]}, "info": {"id": "cyner2_test_001576", "source": "cyner2_test"}} +{"text": "Javascript RAT mostly targeting Brazilian users.", "spans": {"MALWARE: Javascript RAT": [[0, 14]], "ORGANIZATION: Brazilian users.": [[32, 48]]}, "info": {"id": "cyner2_test_001577", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Downloader.Ponik Backdoor.Win32.Kasidet.fmc BehavesLike.Win32.Trojan.cc Trojan.MSIL.Crypt TR/Dropper.MSIL.owbdk Trojan[Backdoor]/Win32.Kasidet Trojan:Win32/Raybel.A!bit Backdoor.Win32.Kasidet.fmc Win32.Backdoor.Kasidet.Ecan Win32/Backdoor.e94", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001578", "source": "cyner2_test"}} +{"text": "Sakula enables an adversary to run interactive commands as well as to download and execute additional components.", "spans": {"MALWARE: Sakula": [[0, 6]]}, "info": {"id": "cyner2_test_001579", "source": "cyner2_test"}} +{"text": "Background Uncovering PHAs takes a lot of detective work and unraveling the mystery of how they 're possibly connected to other apps takes even more .", "spans": {}, "info": {"id": "cyner2_test_001580", "source": "cyner2_test"}} +{"text": "The packaged application is dropped silently onto the device but has to ask the user to actually 
install it.", "spans": {"SYSTEM: packaged application": [[4, 24]], "SYSTEM: device": [[54, 60]]}, "info": {"id": "cyner2_test_001581", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Ransom_HPCRYPMIC.SM3 Ransom.CryptXXX!g6 Ransom_HPCRYPMIC.SM3 BehavesLike.Win32.Downloader.gc Trojan.Win32.Crypt TR/ATRAPS.buwr Ransom:Win32/Exxroute.E Trojan/Win32.CryptXXX.R184950 Trojan.Ransom.CryptXXX Trojan.MalPack Trojan.Symmi.D1070E", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001582", "source": "cyner2_test"}} +{"text": "Dynamic overlays When victims open up a targeted app , Marcher smoothly displays an overlay , a customized WebView , looks in its application preferences ( main_prefs.xml ) and decides which specified URL is needed for the targeted app .", "spans": {"MALWARE: Marcher": [[55, 62]]}, "info": {"id": "cyner2_test_001583", "source": "cyner2_test"}} +{"text": "TO DECRYPT FILES, PLEASE, CONTACT US WRITING ON THIS EMAIL: headlessbuild@india.com", "spans": {}, "info": {"id": "cyner2_test_001584", "source": "cyner2_test"}} +{"text": "A backdoor targetting Linux also known as: Linux.Trojan.Turla.A ELF/Trojan.SKID-4 Linux.Turla Linux/Turla.B ELF_TURLA.A Linux.Trojan.Turla.A Trojan.Unix.Turla.ebdolr Backdoor.Linux.Turla!c Linux.Backdoor.Turla.Ajbi Linux.Trojan.Turla.A Backdoor:Linux/Turla.A Linux.BackDoor.Turla.2 Trojan.Turla.Linux.1 ELF_TURLA.A Backdoor.Linux.vp LINUX/Turla.wqxdp Linux.Trojan.Turla.A Backdoor:Linux/Turla.A Linux/Backdoor.801561 Linux.Trojan.Turla.A Trojan.Linux.Turla Linux.Trojan.Turla.A Linux/Turla.B", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001585", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32.VBKrypt.2tPS.Trojan Trojan.Win32.VBKrypt!O Trojan.EyeStye PWS-Spyeye.el Troj.W32.VBKrypt.toSU Trojan/Injector.eyu Trojan.ManBat.1 HT_EYESTYE_GE05002C.UVPM Win32.Trojan.WisdomEyes.16070401.9500.9961 HT_EYESTYE_GE05002C.UVPM Win.Trojan.Vbkrypt-10134 
Trojan.Win32.VBKrypt.cgnr Trojan.Win32.Stealer.eaiffn Trojan.Win32.A.VBKrypt.295936.G TrojWare.Win32.VBKrypt.cjub Trojan.PWS.Stealer.379 Trojan.VBKrypt.Win32.80508 BehavesLike.Win32.PWSSpyeye.dc Trojan.Win32.VBKrypt Trojan.VBKrypt.pmn TR/BAS.Samca.2207880 Win32.Troj.VBKrypt.kcloud Trojan.Win32.VBKrypt.cgnr Trojan/Win32.VBKrypt.C47082 SScope.Malware-Cryptor.VBCR.1841 Trojan.VBKrypt!CruzV+TB6eI W32/Injector.MQI!tr Win32/Trojan.script.56b", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001586", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan-Dropper.Win32.Mudrop!O Trojan.StartPage.Win32.11288 Trojan/Dropper.Mudrop.vle Trojan-Clicker.Win32.Iedriver.a Trojan.Win32.Mudrop.demyl Trojan.MulDrop3.201 Trojan/StartPage.ize Trojan-Clicker.Win32.Iedriver.a Trojan.DR.Mudrop!xzqlDC4rTJk Trojan.Win32.StartPage", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001587", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32/Trojan.EWSM-6788 TrojanDownloader:Win32/Tipikit.D Heur.Trojan.Hlux Trj/GdSda.A Win32.Trojan.Atraps.Swud Trojan.Win32.Rozena W32/Tiny.NNB!tr Win32/Trojan.5a2", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001589", "source": "cyner2_test"}} +{"text": "Machine learning in Windows Defender ATP further flags suspicious behaviors observed related to the manipulation of legitimate Windows binaries .", "spans": {"SYSTEM: Windows Defender ATP": [[20, 40]], "SYSTEM: Windows": [[127, 134]]}, "info": {"id": "cyner2_test_001590", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Win32.StartPage.qrmpv Trojan.StartPage.47270 BehavesLike.Win32.BadFile.tc Trojan.Win32.StartPage Trojan:Win32/BootInstal.A!dll TScope.Trojan.Delf Trj/CI.A Win32.Trojan.Startpage.ddff Trojan.StartPage!We+P27yFUb0 Win32/Trojan.b7f", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001591", "source": "cyner2_test"}} +{"text": "Recently we came across a new 
variant of the malware ServStart.", "spans": {"MALWARE: a new variant": [[24, 37]], "MALWARE: the malware ServStart.": [[41, 63]]}, "info": {"id": "cyner2_test_001592", "source": "cyner2_test"}} +{"text": "http : //www.himobilephone [ .", "spans": {}, "info": {"id": "cyner2_test_001593", "source": "cyner2_test"}} +{"text": "This article attempts to detail this variant.", "spans": {}, "info": {"id": "cyner2_test_001594", "source": "cyner2_test"}} +{"text": "Her looks almost certainly helped her apparent popularity.", "spans": {}, "info": {"id": "cyner2_test_001595", "source": "cyner2_test"}} +{"text": "A Chinese threat group, known as ChinaZ, is using malware to target poorly managed Linux servers and IoT systems, according to AhnLab Security Emergency Response Center ASEC in Seoul.", "spans": {"THREAT_ACTOR: Chinese threat group,": [[2, 23]], "THREAT_ACTOR: ChinaZ,": [[33, 40]], "MALWARE: malware": [[50, 57]], "SYSTEM: Linux servers": [[83, 96]], "SYSTEM: IoT systems,": [[101, 113]], "ORGANIZATION: AhnLab Security Emergency Response Center ASEC": [[127, 173]]}, "info": {"id": "cyner2_test_001596", "source": "cyner2_test"}} +{"text": "It can also remotely lock infected Android devices, encrypt the user's files in external storage e.g., SD card, and then ask for a U.S. 
$100 PayPal cash card as ransom.", "spans": {"SYSTEM: Android devices,": [[35, 51]]}, "info": {"id": "cyner2_test_001597", "source": "cyner2_test"}} +{"text": "A backdoor targetting Linux also known as: Tool.Shark.Linux.1 Hacktool.Linux.Shark!c HackTool.Linux.Shark.a Trojan.Unix.Shark.ewyskc Tool.Shark ELF/Trojan.QXQM-0 HackTool.Linux.z SPR/LNX.Shark.osieo HackTool.Linux.Shark.a Linux.Hacktool.Shark.Hqlw W32/HTShark.A!tr Win32/Trojan.173", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001598", "source": "cyner2_test"}} +{"text": "Trojan.Win32.Banker.NWT is a Trojan that targets the Windows platform.", "spans": {"MALWARE: Trojan": [[29, 35]], "SYSTEM: Windows platform.": [[53, 70]]}, "info": {"id": "cyner2_test_001599", "source": "cyner2_test"}} +{"text": "The attackers are also hijacking the device camera to take pictures .", "spans": {}, "info": {"id": "cyner2_test_001600", "source": "cyner2_test"}} +{"text": "In other words , TrickMo ’ s service will start either after the device becomes interactive or after a new SMS message is received .", "spans": {"MALWARE: TrickMo": [[17, 24]]}, "info": {"id": "cyner2_test_001601", "source": "cyner2_test"}} +{"text": "It is an invaluable source of intelligence about a given campaign .. 
The following snippet shows the location within the Trojan where it uses SQLite database commands to store and recall command-and-control addresses : Backdoor Commands The Red Alert code also contains an embedded list of commands the botmaster can send to the bot .", "spans": {"MALWARE: Red Alert code": [[241, 255]]}, "info": {"id": "cyner2_test_001602", "source": "cyner2_test"}} +{"text": "Since the release of the ETERNALBLUE exploit by The Shadow Brokers' last month security researchers have been watching for a mass attack on global networks.", "spans": {"MALWARE: ETERNALBLUE exploit": [[25, 44]], "THREAT_ACTOR: The Shadow Brokers'": [[48, 67]], "ORGANIZATION: security researchers": [[79, 99]], "ORGANIZATION: global networks.": [[140, 156]]}, "info": {"id": "cyner2_test_001603", "source": "cyner2_test"}} +{"text": "The person or persons behind the attempted monitoring appear to have run other surveillance operations involving various locations throughout South America, at least one apparently targeting a rabble-rousing Argentine journalist.", "spans": {"THREAT_ACTOR: person": [[4, 10]], "THREAT_ACTOR: persons": [[14, 21]], "MALWARE: at": [[157, 159]], "ORGANIZATION: rabble-rousing Argentine journalist.": [[193, 229]]}, "info": {"id": "cyner2_test_001604", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Win64.PSW TR/Hitbrovi.vjxdb Win32/Trojan.Adware.37e", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001605", "source": "cyner2_test"}} +{"text": "] 923915 [ .", "spans": {}, "info": {"id": "cyner2_test_001606", "source": "cyner2_test"}} +{"text": "Grabbing the Screen PIN with Support for Samsung Devices Version 0.3.0.1 added an ~800 line long method called grabScreenPin , which uses accessibility features to track pin code changes in the device ’ s settings .", "spans": {"ORGANIZATION: Samsung": [[41, 48]]}, "info": {"id": "cyner2_test_001607", "source": "cyner2_test"}} +{"text": "However, within six months the 
malicious actors added the capability to infect iOS devices.", "spans": {"THREAT_ACTOR: malicious actors": [[31, 47]], "SYSTEM: iOS devices.": [[79, 91]]}, "info": {"id": "cyner2_test_001608", "source": "cyner2_test"}} +{"text": "A backdoor also known as: TSPY_HUNTPOS.SMB Trojan.Huntpos!g1 TSPY_HUNTPOS.SMB Trojan.Win32.Fakealert.exludw Trojan.Win32.Z.Treasurehunter.80896.B Trojan.Fakealert.origin BehavesLike.Win32.Trojan.lm TR/RedCap.rghtn TrojanDropper:Win32/Randrew.A!bit Spyware/Win32.Huntpos.C1261817 W32/Kryptik.1600!tr Trj/GdSda.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001609", "source": "cyner2_test"}} +{"text": "We have covered Angler previously, such as the discussion of domain shadowing.", "spans": {"MALWARE: Angler": [[16, 22]]}, "info": {"id": "cyner2_test_001610", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32.Virut.G BehavesLikeWin32.FileInfector!IK W32/Virut.BV Win32/Virut.bn Win32.Virut.AM Virus.Win32.Virut.X5 Harm.Win32.Autorun.c BehavesLikeWin32.FileInfector W32/Virut.CE W32/Sality.AO", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001611", "source": "cyner2_test"}} +{"text": "The 2016 attack on Ukraine's power grid that deprived part of its capital, Kiev, of power for an hour was caused by a cyberattack.", "spans": {"ORGANIZATION: Ukraine's power grid": [[19, 39]]}, "info": {"id": "cyner2_test_001612", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32/Oledata!exploit.6402 Trojan.Dropper TROJ_MDROPPER.XC Trojan-Dropper.MSWord.1Table.bp Exploit.MSWord.CVE-2006-2492.bzzjba Exploit.Word.CVE-2006-2492 Exploit.CVE-2006-2492 TROJ_MDROPPER.XC TrojanDropper.MSWord.1Table.a MSWord/CVE20062492.fam!exploit Trojan-Dropper.MSWord.1Table.bp", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001613", "source": "cyner2_test"}} +{"text": "With Cybereason Mobile , analysts can address mobile threats in the same platform as traditional endpoint threats 
, all as part of one incident .", "spans": {"SYSTEM: Cybereason Mobile": [[5, 22]]}, "info": {"id": "cyner2_test_001615", "source": "cyner2_test"}} +{"text": "Since most of the infrastructure used in the attack relies on cloud services, and the Trojan used is written in Python language, it is named Tengyun Snake.", "spans": {"SYSTEM: infrastructure": [[18, 32]], "SYSTEM: cloud services,": [[62, 77]], "MALWARE: the Trojan": [[82, 92]], "SYSTEM: Python language,": [[112, 128]], "THREAT_ACTOR: Tengyun Snake.": [[141, 155]]}, "info": {"id": "cyner2_test_001616", "source": "cyner2_test"}} +{"text": "The Trojan download window Asacub masquerades under the guise of an MMS app or a client of a popular free ads service .", "spans": {"MALWARE: Asacub": [[27, 33]]}, "info": {"id": "cyner2_test_001617", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Backdoor.RemoteHack.C Backdoor/W32.RemoteHack.569344 Backdoor.RemoteHack.C W32/Risk.KPAX-3182 Backdoor.Trojan BKDR_REMHACK.13 Backdoor.RemoteHack.C Backdoor.Win32.RemoteHack.13 Backdoor.RemoteHack.C Trojan.Win32.RemoteHack.gnoa Backdoor.RemoteHack.C Backdoor.Win32.RemoteHack.13 Backdoor.RemoteHack.C BackDoor.RemHack.13 Backdoor.RemoteHack.Win32.37 BKDR_REMHACK.13 Backdoor.Win32.RemoteHack Backdoor/RemoteHack.13 Trojan[Backdoor]/Win32.RemoteHack Backdoor:Win32/RemoteHack.1_3 Backdoor.Win32.RemoteHack.13 Backdoor.RemoteHack.C TScope.Trojan.Delf Win32/VB.OLV Win32.Backdoor.Remotehack.Hoye Backdoor.RemoteHack!IKDTl0tZ3pY W32/RemoteHack.13!tr.bdr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001619", "source": "cyner2_test"}} +{"text": "A backdoor also known as: W32.StBotTenuA.Trojan Trojan.HorsumCS.S75593 Trojan/Horsum.c Win32.Trojan.Horsum.b TrojWare.Win32.Horsum.A Trojan:Win32/Horsum.B Trojan.Zusy.DEEE5 Win32/Horsum.C", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001620", "source": "cyner2_test"}} +{"text": "A backdoor also known as: 
Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Win32.Steam.exmzim Trojan.PWS.Steam.1340 BehavesLike.Win32.Trojan.fc TR/Dropper.MSIL.vfmsq Trojan.Kazy.D8D397 Trojan:MSIL/BitcoinMiner.A Trojan/Win32.Kazy.C331514 Trj/GdSda.A Win32.Trojan.Kazy.Svhm Trojan.MSIL.Injector MSIL/Injector.IOF!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001621", "source": "cyner2_test"}} +{"text": "An interesting Web site infection, this time affecting a Web server belonging to the Turkish government, where the cybercriminals behind the campaign have uploaded a malware-serving fake DivX plug-in Required! Facebook-themed Web page.", "spans": {"SYSTEM: Web server": [[57, 67]], "ORGANIZATION: Turkish government,": [[85, 104]], "THREAT_ACTOR: cybercriminals": [[115, 129]], "THREAT_ACTOR: campaign": [[141, 149]]}, "info": {"id": "cyner2_test_001622", "source": "cyner2_test"}} +{"text": "It ’ s even possible to send log messages via SMS to the attacker ’ s number .", "spans": {}, "info": {"id": "cyner2_test_001623", "source": "cyner2_test"}} +{"text": "A backdoor also known as: HW32.Packed.73FF Trojan.Hookmoota Trojan.Strictor.D26544 Win32.Application.PUPStudio.A Trojan.Win32.Blamon.bbg Trojan.Win32.Blamon.exrwow BackDoor.BlackMoon.15 BehavesLike.Win32.Downloader.rc Trojan[Packed]/Win32.Vemply Trojan.Win32.Blamon.bbg Rootkit.HideProc Trj/GdSda.A Win32.Trojan.Blamon.Tcwd", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001624", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Lukicsel Backdoor.PePatch.Win32.4586 Win32.Trojan.Delf.hh W32/Trojan.AKPR-4713 Infostealer.Gampass Win32/Delfsnif.C TROJ_BCKDR.BH Trojan-Spy.Win32.Blaxblax.mp Trojan.Win32.Blaxblax.blctg Backdoor.Lukicsel Trojan.DownLoad.44012 TROJ_BCKDR.BH W32/Trojan2.HCWA Backdoor:Win32/Lukicsel.A Trojan.Win32.A.Blaxblax.399894 Trojan-Spy.Win32.Blaxblax.mp Win32/Delf.OKY Trojan.ATRAPS", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": 
"cyner2_test_001625", "source": "cyner2_test"}} +{"text": "We also detected it in apps targeted toward specific Middle Eastern demographics .", "spans": {}, "info": {"id": "cyner2_test_001626", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.Hacktool.Flood.A Trojan.Shell Trojan.Hacktool.Flood.A Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Hacktool.Flood.A Trojan.Hacktool.Flood.A Trojan.Script.Bbdos.cpglly Trojan.Hacktool.Flood.A Perl.Flood.3 W32/Trojan.ERNQ-5964 TR/Hacktool.jtxjg DoS:Perl/UDPFlood.A Trj/CI.A Perl/HackTool.BBSXP.NAB Perl/HackTool.NAB!tr Win32/Trojan.Flooder.363", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001627", "source": "cyner2_test"}} +{"text": "We believe that the threat actor hijacked an existing, legitimate in-progress conversation and posed as the legitimate senders to send malicious spear phishing emails to the recipients.", "spans": {"THREAT_ACTOR: the threat actor": [[16, 32]], "ORGANIZATION: recipients.": [[174, 185]]}, "info": {"id": "cyner2_test_001628", "source": "cyner2_test"}} +{"text": "Analysts suggest that both China and the United States are vying for greater influence in Myanmar, with China in particular having geopolitical interest due to sea passages, port deals, and fuel pipelines that are important to its goals.", "spans": {"ORGANIZATION: Analysts": [[0, 8]]}, "info": {"id": "cyner2_test_001629", "source": "cyner2_test"}} +{"text": "] comkalisi [ .", "spans": {}, "info": {"id": "cyner2_test_001630", "source": "cyner2_test"}} +{"text": "Pony was originally configured to download different malware families, however, due to criminal strategy changes, it currently only downloads Dyre.", "spans": {"MALWARE: Pony": [[0, 4]], "MALWARE: malware families,": [[53, 70]], "MALWARE: Dyre.": [[142, 147]]}, "info": {"id": "cyner2_test_001631", "source": "cyner2_test"}} +{"text": "This request is only made upon installation , but there is no guarantee that it will be installed .", 
"spans": {}, "info": {"id": "cyner2_test_001632", "source": "cyner2_test"}} +{"text": "Information gathered from the email account provides a lot of the victims ’ personal data , including messages from IM applications .", "spans": {}, "info": {"id": "cyner2_test_001633", "source": "cyner2_test"}} +{"text": "This is also the first version where the package name changes into something that a less aware user may be tricked by , com.android.playup .", "spans": {}, "info": {"id": "cyner2_test_001634", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan/W32.Dialer.112255.D Trojan-GameThief.Win32.Magania!O Trojan.Aksula.A BackDoor-DVB.e Trojan/Dialer.bkm Win32.Trojan.Farfli.ai Win32/Dialer.NEW TROJ_REDOS.SM2 Trojan-GameThief.Win32.Magania.actz Trojan.Win32.Pigeon.ccmtgy Trojan.Win32.Dialer.vfq TrojWare.Win32.Trojan.Dialer.~AL BackDoor.Pigeon.12989 TROJ_REDOS.SM2 BehavesLike.Win32.Backdoor.ch Trojan/Dialer.dtm Trojan[Rootkit]/Win32.Ressdt Trojan.Win32.Dialer.112771 Trojan-GameThief.Win32.Magania.actz Win32/Gamepass.MCG Spyware.OnlineGames W32/Dropper.TMP!tr BScope.Trojan.SvcHorse.01643 Backdoor.Win32.Gh0st.BS", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001635", "source": "cyner2_test"}} +{"text": "A backdoor also known as: PDF/Pidief.TI JS.Obfuscator.Z Trojan.Downloader.JMUB JS.Exploit.Pdfka.ij Bloodhound.PDF.21 JS_PIDIEF.SMX Trojan.Downloader.JMUB Exploit.JS.Pdfka.cop Exploit.Script.Pdfka.bzjgv JS_PIDIEF.SMX BehavesLike.PDF.Obfuscated.xb EXP/Pidief.2292 Trojan[Exploit]/JS.Pdfka.cop Exploit:JS/Pdfjsc.R Exploit.JS.Pdfka.cop Exploit.JS.Pdfka.cop Exploit.JS.Pdfka virus.pdf.za.4", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001636", "source": "cyner2_test"}} +{"text": "A backdoor also known as: TR/DelWin.B Trojan.DOS.DelWin.b Trojan.DOS.DelWin.B Trojan.DelWin.b Trojan.QDel TROJ_DELWIN.E Trojan.DOS.DelWin.b Trojan:DOS/Delwin.B DelWin.B DelWin.b!Trojan W32/QDel176.B!tr", "spans": {"MALWARE: backdoor": 
[[2, 10]]}, "info": {"id": "cyner2_test_001637", "source": "cyner2_test"}} +{"text": "The operation used spyware made by the NSO Group, an Israeli company that sells intrusion tools to remotely compromise mobile phones.", "spans": {"THREAT_ACTOR: operation": [[4, 13]], "MALWARE: spyware": [[19, 26]], "THREAT_ACTOR: the NSO Group,": [[35, 49]], "THREAT_ACTOR: Israeli company": [[53, 68]], "MALWARE: intrusion tools": [[80, 95]], "SYSTEM: mobile phones.": [[119, 133]]}, "info": {"id": "cyner2_test_001638", "source": "cyner2_test"}} +{"text": "Our investigation was conducted with the collaboration and assistance of R3D, SocialTic and Article 19.", "spans": {"ORGANIZATION: R3D, SocialTic": [[73, 87]], "ORGANIZATION: Article 19.": [[92, 103]]}, "info": {"id": "cyner2_test_001639", "source": "cyner2_test"}} +{"text": "Strider's attacks have tentative links with a previously uncovered group, Flamer.", "spans": {"THREAT_ACTOR: group, Flamer.": [[67, 81]]}, "info": {"id": "cyner2_test_001640", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.BAT.Downloader.DN BAT/CoinMiner.RU TROJ_CONMINER.CFG Trojan.BAT.Downloader.DN Trojan.BAT.Downloader.DN TrojWare.Bat.CoinMiner.~ Trojan.BAT.Downloader.DN TROJ_CONMINER.CFG Trojan.IPVC-4 Trojan.BAT.Downloader.DN BAT.S.Downloader.3133 Trojan:BAT/CoinMiner.A Misc.Riskware.BitCoinMiner Trojan.BAT.Downloader.DN", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001642", "source": "cyner2_test"}} +{"text": "Seeing as the system loader of the DEX files ( ART ) fully ignores everything that goes after the data section , the patcher writes all of its resources right there .", "spans": {}, "info": {"id": "cyner2_test_001643", "source": "cyner2_test"}} +{"text": "However , GPP does not treat new apps and updates any differently from an analysis perspective .", "spans": {}, "info": {"id": "cyner2_test_001644", "source": "cyner2_test"}} +{"text": "Operation Desert Eagle takes a look into the recent activity 
of the Molerats Gaza cybergang group.", "spans": {"THREAT_ACTOR: Operation Desert Eagle": [[0, 22]], "THREAT_ACTOR: Molerats Gaza cybergang group.": [[68, 98]]}, "info": {"id": "cyner2_test_001645", "source": "cyner2_test"}} +{"text": "The infection attempts took place in early March of 2016, shortly after the GIEI had criticized the Mexican government for interference in their investigation, and as they were preparing their final report", "spans": {"ORGANIZATION: the GIEI": [[72, 80]], "ORGANIZATION: the Mexican government": [[96, 118]]}, "info": {"id": "cyner2_test_001646", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Trojan.CMOS.A Cmoskill.C TROJ_KILLCMOS.B Trojan.DOS.KillCMOS.b Trojan.CMOS.A TrojWare.DOS.KillCMOS.b Trojan.CMOS.A Trojan.KillCMOS TROJ_KILLCMOS.B Trojan/KillCMOS.b Trojan/DOS.KillCMOS Trojan:Win32/KillCMOS.B Trojan.CMOS.A KillCMOS.B Trojan.DOS.KillCMOS KillCMOS.B KillCmos.B", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001647", "source": "cyner2_test"}} +{"text": "Please note that these unblocking instructions are based on an analysis of the current version of Rotexy and have been tested on it .", "spans": {"MALWARE: Rotexy": [[98, 104]]}, "info": {"id": "cyner2_test_001650", "source": "cyner2_test"}} +{"text": "Although the binary names have mirai mentioned it is probably not wise to treat it just as a mirai variant.", "spans": {"MALWARE: mirai": [[31, 36]], "MALWARE: a mirai variant.": [[91, 107]]}, "info": {"id": "cyner2_test_001651", "source": "cyner2_test"}} +{"text": "The malware architecture is modular , which means that it can execute plugins .", "spans": {}, "info": {"id": "cyner2_test_001652", "source": "cyner2_test"}} +{"text": "A backdoor also known as: Backdoor.Win32.VB!O Backdoor/VB.nb Win32.Trojan.WisdomEyes.16070401.9500.9683 W32/MemWatcher.DVPF-1178 Adware.Quadro Win32/Memwatch.F Win.Downloader.VB-61 Backdoor.Win32.VB.nb Trojan.Win32.VB.etebsn Backdoor.Win32.A.VB.233482 
Backdoor.Win32.VB.NB Trojan.VbCrypt.60 Backdoor.VB.Win32.2125 BKDR_SANDBOX.A BehavesLike.Win32.VBObfus.dm Backdoor.Win32.VB W32/MemWatcher.A Backdoor/VB.ngt BDS/VB.NB Trojan[Backdoor]/Win32.VB Trojan.Heur.VP.ED107DA Backdoor.Win32.VB.nb Trojan:Win32/Sandbox.A Trojan/Win32.Xema.R122751 Backdoor.VB Win32/VB.NB Win32.Backdoor.Vb.Dzjg Backdoor.VB!sB1m+2s72zg W32/VB.NB!tr.bdr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001653", "source": "cyner2_test"}} +{"text": "Email account A Gmail account with password is mentioned in the sample ’ s code : It contains the victim ’ s exfiltrated data and “ cmd ” directory with commands for victim devices .", "spans": {"SYSTEM: Gmail": [[16, 21]]}, "info": {"id": "cyner2_test_001655", "source": "cyner2_test"}} +{"text": "Unit 42's ongoing research into the OilRig campaign shows that the threat actors involved in the original attack campaign continue to add new Trojans to their toolset and continue their persistent attacks in the Middle East.", "spans": {"ORGANIZATION: Unit 42's": [[0, 9]], "THREAT_ACTOR: the OilRig campaign": [[32, 51]], "THREAT_ACTOR: the threat actors": [[63, 80]], "THREAT_ACTOR: the original attack campaign": [[93, 121]], "MALWARE: Trojans": [[142, 149]], "MALWARE: toolset": [[159, 166]]}, "info": {"id": "cyner2_test_001656", "source": "cyner2_test"}} +{"text": "For several years now, the Vawtrak trojan has been targeting banking and financial institutions, most recently in Canada as reported last week.", "spans": {"MALWARE: Vawtrak trojan": [[27, 41]], "ORGANIZATION: banking": [[61, 68]], "ORGANIZATION: financial institutions,": [[73, 96]]}, "info": {"id": "cyner2_test_001657", "source": "cyner2_test"}} +{"text": "We chose the name MoonWind' based on debugging strings we saw within the samples, as well as the compiler used to generate the samples.", "spans": {"MALWARE: MoonWind'": [[18, 27]]}, "info": {"id": "cyner2_test_001658", "source": "cyner2_test"}} +{"text": "A backdoor also 
known as: W32.HfsAutoB.9C3D Trojan.Graftor.D444DD Win32.Trojan.Kryptik.aey TROJ_HPISDA.SM Win32.Trojan.Injector.HN Trojan.Win32.Dwn.eblljj Trojan.Win32.Z.Graftor.114176.Y Trojan.DownLoader20.53198 TROJ_HPISDA.SM BehavesLike.Win32.Trojan.cm W32/Trojan.QEKF-4451 Trojan[Ransom]/Win32.Locky.e Trojan:Win32/Zlader.A Trojan.Downloader Trj/CI.A Trojan.Win32.Crypt W32/Injector.CZNG!tr Win32/Trojan.af4", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_test_001659", "source": "cyner2_test"}} +{"text": "However, the heavy-handedness of the government has also inadvertently created a situation where Iranian users are better positioned than others to avoid some surveillance activities – increasing the burden of finding pseudonymous users.", "spans": {}, "info": {"id": "cyner2_test_001660", "source": "cyner2_test"}} +{"text": "Each APK has the ability to target different financial institutions in specific geographical locations.", "spans": {"SYSTEM: APK": [[5, 8]], "ORGANIZATION: different financial institutions": [[35, 67]]}, "info": {"id": "cyner2_test_001661", "source": "cyner2_test"}} +{"text": "Initial intrusion stages feature the Win32/Barlaiy implant—notable for its use of social network profiles , collaborative document editing sites , and blogs for C&C . Seeing a campaign like this , inevitably the Anunak/Carbanak documented by Fox-IT and Kaspersky comes to mind .", "spans": {"TOOL: Win32/Barlaiy": [[37, 50]], "MALWARE: Anunak/Carbanak": [[212, 227]], "ORGANIZATION: Fox-IT": [[242, 248]], "ORGANIZATION: Kaspersky": [[253, 262]]}, "info": {"id": "cyberner_stix_test_000000", "source": "cyberner_stix_test"}} +{"text": "Allows an application to use SIP service . The agency's hacking division freed it from having to disclose its often controversial operations to the NSA (its primary bureaucratic rival) in order to draw on the NSA's hacking capacities . 
APT32 : SeaLotus , OceanLotus , APT-C-00 .", "spans": {"THREAT_ACTOR: hacking division": [[56, 72]], "ORGANIZATION: NSA": [[148, 151]], "THREAT_ACTOR: APT32": [[236, 241]], "THREAT_ACTOR: SeaLotus": [[244, 252]], "THREAT_ACTOR: OceanLotus": [[255, 265]], "THREAT_ACTOR: APT-C-00": [[268, 276]]}, "info": {"id": "cyberner_stix_test_000001", "source": "cyberner_stix_test"}} +{"text": "Although we do not know who is behind the campaign , the decoy documents ’ content focuses on timely political issues in Gaza and the IP address hosting the campaign ’s command and control node hosts several other domains with Gaza registrants .", "spans": {}, "info": {"id": "cyberner_stix_test_000002", "source": "cyberner_stix_test"}} +{"text": "Verification that the request is coming from the user ’ s device is completed using two possible methods : The user connects to the site over mobile data , not WiFi ( so the service provider directly handles the connection and can validate the phone number ) ; or The user must retrieve a code sent to them via SMS and enter it into the web page ( thereby proving access to the provided phone number ) . The main targets seem to be US companies in engineering , transport and defense , although it has targeted other organizations around the world . CleanEvent Clear System Event log . 
By using LotL techniques , the actor likely decreased the time and resources required to conduct its cyber physical attack .", "spans": {"ORGANIZATION: engineering": [[448, 459]], "ORGANIZATION: transport": [[462, 471]], "ORGANIZATION: defense": [[476, 483]]}, "info": {"id": "cyberner_stix_test_000003", "source": "cyberner_stix_test"}} +{"text": "While absence of evidence is not evidence of absence , it is an interesting detail to note .", "spans": {}, "info": {"id": "cyberner_stix_test_000004", "source": "cyberner_stix_test"}} +{"text": "Shamoon2 : 07d6406036d6e06dc8019e3ade6ee7de .", "spans": {"MALWARE: Shamoon2": [[0, 8]], "FILEPATH: 07d6406036d6e06dc8019e3ade6ee7de": [[11, 43]]}, "info": {"id": "cyberner_stix_test_000005", "source": "cyberner_stix_test"}} +{"text": "As a result , a copy of Angry Birds installed from an unofficial app store or downloaded from a forum could easily contain malicious functionality . Thrip was using PsExec to move laterally between computers on the company 's network . These modules , except for RecentFiles , have already been mentioned by Kaspersky and Avast . The article highlighted the increasing popularity of targeted attacks .", "spans": {"SYSTEM: Angry Birds": [[24, 35]], "TOOL: PsExec": [[165, 171]], "ORGANIZATION: Kaspersky": [[308, 317]], "ORGANIZATION: Avast": [[322, 327]]}, "info": {"id": "cyberner_stix_test_000006", "source": "cyberner_stix_test"}} +{"text": "Its presence on a compromised system allows a threat actor to execute a wide variety of commands , including uploading and downloading files , and spawning a reverse shell .", "spans": {}, "info": {"id": "cyberner_stix_test_000007", "source": "cyberner_stix_test"}} +{"text": "Longhorn , which we internally refer to as \" The Lamberts \" , first came to the attention of the ITSec community in 2014 , when our colleagues from FireEye discovered an attack using a zero day vulnerability ( CVE-2014-4148 ) . 
ALLANITE operations continue and intelligence indicates activity since at least May 2017 .", "spans": {"THREAT_ACTOR: The Lamberts": [[45, 57]], "ORGANIZATION: ITSec community": [[97, 112]], "ORGANIZATION: FireEye": [[148, 155]], "VULNERABILITY: zero day vulnerability": [[185, 207]], "VULNERABILITY: CVE-2014-4148": [[210, 223]]}, "info": {"id": "cyberner_stix_test_000008", "source": "cyberner_stix_test"}} +{"text": "REQUEST_IGNORE_BATTERY_OPTIMIZATIONS - whitelist the app to allow it to ignore battery optimizations . wuaupdt.exe is a CMD backdoor , which can receive and execute CMD commands sent from C2 . Lotus Blossom targeted the government , higher education , and high tech companies .", "spans": {"MALWARE: wuaupdt.exe": [[103, 114]], "TOOL: CMD": [[120, 123]], "THREAT_ACTOR: Lotus Blossom": [[193, 206]], "ORGANIZATION: government": [[220, 230]], "ORGANIZATION: higher education": [[233, 249]], "ORGANIZATION: high tech companies": [[256, 275]]}, "info": {"id": "cyberner_stix_test_000009", "source": "cyberner_stix_test"}} +{"text": "The functionality for these two parts is implemented by doInBackground and onPostExecute respectively , two API methods of “ android.os.AsyncTask ” as extended by class “ org.starsizew.i ” . Helminth executable samples send artifacts within network beacons to its C2 server that the Trojan refers to as a ' Group ' and ' Name ' . The massive use of weaponized Office documents , Office S-TOOL template injection , sfx archives , wmi and some VBA macro stages S-TOOL that dinamically changes , make the Pterodon attack chain very malleable and adaptive . 
This is further advanced in the National Institute of Standards and Technology NIST 80037 Risk Management Framework when it says", "spans": {"TOOL: Helminth": [[191, 199]], "TOOL: Office": [[360, 365]], "TOOL: sfx archives": [[412, 424]], "TOOL: wmi": [[427, 430]], "TOOL: VBA macro stages S-TOOL": [[440, 463]], "MALWARE: Pterodon": [[500, 508]], "ORGANIZATION: the National Institute of Standards and Technology NIST 80037 Risk Management Framework": [[580, 667]]}, "info": {"id": "cyberner_stix_test_000010", "source": "cyberner_stix_test"}} +{"text": "Several TXT files with commands on the attacker ’ s FTP server contain a victim identifier in the names that was probably added by the criminals : CMDS10114-Sun1.txt CMDS10134-Ju_ASUS.txt CMDS10134-Tad.txt CMDS10166-Jana.txt CMDS10187-Sun2.txt CMDS10194-SlavaAl.txt CMDS10209-Nikusha.txt Some of them sound like Russian names : Jana , SlavaAl , Nikusha . HIDDEN COBRA actors use an external tool or dropper to install the FALLCHILL malware to establish persistence . Two days later , on February 14 at 15:12 , the attackers returned and installed Quasar RAT onto the infected computer that communicated with a C&C server ( 217.147.168.123 ) . 
Have you ever been targeted by a social engineering attack Was it through email or", "spans": {"THREAT_ACTOR: HIDDEN COBRA actors": [[355, 374]], "TOOL: external tool": [[382, 395]], "TOOL: dropper": [[399, 406]], "TOOL: FALLCHILL malware": [[422, 439]], "MALWARE: Quasar RAT": [[547, 557]], "IP_ADDRESS: 217.147.168.123": [[623, 638]]}, "info": {"id": "cyberner_stix_test_000011", "source": "cyberner_stix_test"}} +{"text": "Release_Time : 2017-08-11 Report_URL : https://www.fireeye.com/blog/threat-research/2017/08/apt28-targets-hospitality-sector.html", "spans": {}, "info": {"id": "cyberner_stix_test_000012", "source": "cyberner_stix_test"}} +{"text": "During our ongoing tracking of this campaign , we found that one victim was compromised by Windows AppleJeus malware in March 2019 .", "spans": {"SYSTEM: Windows": [[91, 98]]}, "info": {"id": "cyberner_stix_test_000013", "source": "cyberner_stix_test"}} +{"text": "PLATINUM 's persistent use of spear phishing tactics ( phishing attempts aimed at specific individuals ) and access to previously undiscovered zero-day exploits have made it a highly resilient threat . Since at least 2008 , The Lamberts have used multiple sophisticated attack tools against high-profile victims .", "spans": {"THREAT_ACTOR: PLATINUM": [[0, 8]], "ORGANIZATION: specific individuals": [[82, 102]], "VULNERABILITY: zero-day exploits": [[143, 160]], "MALWARE: Lamberts": [[228, 236]]}, "info": {"id": "cyberner_stix_test_000014", "source": "cyberner_stix_test"}} +{"text": "PeddleCheap is a plugin of DanderSpritz which can be used to configure implants and connect to infected machines . 
LEAD and Barium are not known for large-scale spear-phishing , so it is unlikely that SOC personnel would have to deal with multiple machines having been compromised by these groups at the same time .", "spans": {"TOOL: PeddleCheap": [[0, 11]], "TOOL: DanderSpritz": [[27, 39]], "THREAT_ACTOR: Barium": [[124, 130]], "ORGANIZATION: SOC personnel": [[201, 214]]}, "info": {"id": "cyberner_stix_test_000015", "source": "cyberner_stix_test"}} +{"text": "167.114.153.55 94.237.37.28 82.118.242.171 31.220.61.251 128.199.199.187 .", "spans": {"IP_ADDRESS: 167.114.153.55": [[0, 14]], "IP_ADDRESS: 94.237.37.28": [[15, 27]], "IP_ADDRESS: 82.118.242.171": [[28, 42]], "IP_ADDRESS: 31.220.61.251": [[43, 56]], "IP_ADDRESS: 128.199.199.187": [[57, 72]]}, "info": {"id": "cyberner_stix_test_000016", "source": "cyberner_stix_test"}} +{"text": "Another possibility is that the targeted systems did not have AMT provisioned and PLATINUM , once they've obtained administrative privileges on the system , proceeded to provision AMT . First , when a specific recipient was targeted , the mails often purported to be meeting invitations from established business partners .", "spans": {"TOOL: AMT": [[62, 65]], "THREAT_ACTOR: PLATINUM": [[82, 90]]}, "info": {"id": "cyberner_stix_test_000017", "source": "cyberner_stix_test"}} +{"text": "According to publicly available information , the founder of Connexxa seems to also be the CEO of eSurv . In this report we continue our research of the actor 's operations with a specific focus on a selection of custom information technology ( IT ) tools and tactics the threat actor leveraged during the early stages of the targeted attack lifecycle . 
The backdoor achieves persistence using a classic startup item autorun technique : Mandiant has also observed the deployment of various remote monitoring and management ( RMM ) tools following the successful exploitation of CVE-2023 - 4966 .", "spans": {"ORGANIZATION: Connexxa": [[61, 69]], "ORGANIZATION: eSurv": [[98, 103]], "ORGANIZATION: information technology": [[220, 242]], "ORGANIZATION: IT": [[245, 247]], "MALWARE: backdoor": [[358, 366]], "TOOL: remote monitoring and management ( RMM ) tools": [[490, 536]], "VULNERABILITY: CVE-2023 - 4966": [[578, 593]]}, "info": {"id": "cyberner_stix_test_000018", "source": "cyberner_stix_test"}} +{"text": "Carbanak has its origin in more common financial fraud including theft from consumer and corporate bank accounts in Europe and Russia , using standard banking malware , mainly Carberp . The actor attempts to exploit CVE-2018–8440 — an elevation of privilege vulnerability in Windows when it improperly handles calls to Advanced Local Procedure Call — to elevate the privileges using a modified proof-of-concept exploit .", "spans": {"VULNERABILITY: Carbanak": [[0, 8]], "TOOL: Carberp": [[176, 183]], "THREAT_ACTOR: actor": [[190, 195]], "VULNERABILITY: exploit": [[208, 215], [411, 418]], "VULNERABILITY: CVE-2018–8440": [[216, 229]], "VULNERABILITY: vulnerability": [[258, 271]], "SYSTEM: Windows": [[275, 282]], "VULNERABILITY: proof-of-concept": [[394, 410]]}, "info": {"id": "cyberner_stix_test_000019", "source": "cyberner_stix_test"}} +{"text": "The group also made it back into the news with the recent WannaCry ransomware that targeted computers around the globe ; it piggybacked on exploits revealed by the Shadow Brokers . 
Fxmsp specialize in breaching highly secure protected networks to access private corporate and government information .", "spans": {"TOOL: WannaCry ransomware": [[58, 77]], "THREAT_ACTOR: Shadow Brokers": [[164, 178]], "THREAT_ACTOR: Fxmsp": [[181, 186]]}, "info": {"id": "cyberner_stix_test_000020", "source": "cyberner_stix_test"}} +{"text": "TA505 briefly distributed the Kegotip information stealer in April 2017 .", "spans": {"THREAT_ACTOR: TA505": [[0, 5]], "MALWARE: Kegotip": [[30, 37]], "TOOL: information stealer": [[38, 57]]}, "info": {"id": "cyberner_stix_test_000021", "source": "cyberner_stix_test"}} +{"text": "The library starts its main worker thread from the DllMain function .", "spans": {}, "info": {"id": "cyberner_stix_test_000022", "source": "cyberner_stix_test"}} +{"text": "After download , Exodus One would dynamically load and execute the primary stage 2 payload mike.jar using the Android API DexClassLoader ( ) . The email had no subject and what initially drew our attention to OilRig 's attack was the content of the spear phishing email . JhoneRAT : d5f10a0b5c103100a3e74aa9014032c47aa8973b564b3ab03ae817744e74d079 . 
Among the group ’s most interesting characteristics are : • Strong functional and structural similarities linking its malware toolset to early MiniDuke and more recent CosmicDuke and OnionDuke components In early 2013 , GReAT observed several incidents that were so unusual they suggested the existence of a new , previously unknown threat actor .", "spans": {"MALWARE: Exodus One": [[17, 27]], "SYSTEM: Android API": [[110, 121]], "THREAT_ACTOR: OilRig": [[209, 215]], "MALWARE: JhoneRAT": [[272, 280]], "FILEPATH: d5f10a0b5c103100a3e74aa9014032c47aa8973b564b3ab03ae817744e74d079": [[283, 347]], "MALWARE: MiniDuke": [[493, 501]], "MALWARE: CosmicDuke": [[518, 528]], "MALWARE: OnionDuke": [[533, 542]], "ORGANIZATION: GReAT": [[570, 575]]}, "info": {"id": "cyberner_stix_test_000023", "source": "cyberner_stix_test"}} +{"text": "They are distributed from polluted DNS domains that send a notification to an unknowing victim ’ s device . However , it is clear is that Donot are actively establishing infrastructure and are targeting governments in South Asia . Trojan : 6f1a8ee627ec2ed7e1d818d32a34a163416938eb13a97783a71f9b79843a80a2 SFX ( self-extracting archive ) ( Executable file ) .", "spans": {"THREAT_ACTOR: Donot": [[138, 143]], "MALWARE: Trojan": [[231, 237]], "FILEPATH: 6f1a8ee627ec2ed7e1d818d32a34a163416938eb13a97783a71f9b79843a80a2": [[240, 304]], "TOOL: SFX": [[305, 308]], "TOOL: self-extracting archive": [[311, 334]]}, "info": {"id": "cyberner_stix_test_000024", "source": "cyberner_stix_test"}} +{"text": "We analyzed a Quasar sample we found that was communicating with an active C2 server at the time of analysis :", "spans": {"MALWARE: Quasar": [[14, 20]], "TOOL: C2": [[75, 77]]}, "info": {"id": "cyberner_stix_test_000025", "source": "cyberner_stix_test"}} +{"text": "The campaign ’ s attack vector is also interesting . 
When conducting programmatic espionage activity , it can presumably become quite confusing if the attacker targets a heavy industry company , an avionics program , and seven other unique targets as to which infected host you will collect what information from . Interestingly , this threat actor created fake companies in order to hire remote pentesters , developers and interpreters to participate in their malicious business . So far , there 's no evidence that customers of the infected game companies were targeted , although in at least one case , malicious code was accidentally installed on gamers ' computers by one of the infected victim companies .", "spans": {"ORGANIZATION: heavy industry company": [[170, 192]], "ORGANIZATION: customers of the infected game companies": [[517, 557]], "MALWARE: malicious code": [[606, 620]], "ORGANIZATION: gamers ' computers": [[651, 669]], "THREAT_ACTOR: the infected victim companies": [[680, 709]]}, "info": {"id": "cyberner_stix_test_000026", "source": "cyberner_stix_test"}} +{"text": "The list of banks targeted by Red Alert 2.0 includes NatWest , Barclays , Westpac , and Citibank . APT38 also targeted financial transaction exchange companies likely because of their proximity to banks . TAU was able to recover the original code . 
Adversaries may perform data destruction over the course of an operation .", "spans": {"MALWARE: Red Alert 2.0": [[30, 43]], "ORGANIZATION: Barclays": [[63, 71]], "THREAT_ACTOR: APT38": [[99, 104]], "ORGANIZATION: financial transaction exchange companies": [[119, 159]], "ORGANIZATION: banks": [[197, 202]], "ORGANIZATION: TAU": [[205, 208]]}, "info": {"id": "cyberner_stix_test_000027", "source": "cyberner_stix_test"}} +{"text": "During the investigation , the server did not provide any configuration to the infected machines .", "spans": {}, "info": {"id": "cyberner_stix_test_000028", "source": "cyberner_stix_test"}} +{"text": "The DDE instructions attempt to run the following the following command on the victim host , which attempts to download and execute a payload from a remote server .", "spans": {}, "info": {"id": "cyberner_stix_test_000029", "source": "cyberner_stix_test"}} +{"text": "PHA Family Highlights : Bread ( and Friends ) January 9 , 2020 In this edition of our PHA Family Highlights series we introduce Bread , a large-scale billing fraud family . In addition to maritime operations in this region , Anchor Panda also heavily targeted western companies in the US , Germany , Sweden , the UK , and Australia , and other countries involved in maritime satellite systems , aerospace companies , and defense contractors . The received command is then processed by the ZxShell function with the ProcessCommand function . 
Since early 2023 , we have seen several new Yashma strains emerge , including ANXZ , Sirattacker , and Shadow Men Team .", "spans": {"MALWARE: Bread": [[24, 29], [128, 133]], "ORGANIZATION: aerospace companies": [[395, 414]], "ORGANIZATION: defense contractors": [[421, 440]], "MALWARE: ZxShell": [[489, 496]], "THREAT_ACTOR: ANXZ": [[619, 623]], "THREAT_ACTOR: Sirattacker": [[626, 637]], "THREAT_ACTOR: Shadow Men Team": [[644, 659]]}, "info": {"id": "cyberner_stix_test_000030", "source": "cyberner_stix_test"}} +{"text": "Segment networks into logical enclaves and restrict host-to-host communications paths .", "spans": {}, "info": {"id": "cyberner_stix_test_000031", "source": "cyberner_stix_test"}} +{"text": "Toll Billing Carriers may also provide payment endpoints over a web page . The group has been active since at least January 2013 . SYNFlood Perform a SYN attack on a host . Many threat groups successfully leverage aging vulnerabilities , which , if they had been patched by their victims , may have prevented an attack .", "spans": {"THREAT_ACTOR: threat groups": [[178, 191]], "VULNERABILITY: aging vulnerabilities , which": [[214, 243]]}, "info": {"id": "cyberner_stix_test_000032", "source": "cyberner_stix_test"}} +{"text": "Open-source reporting has claimed that the Hermes ransomware was developed by the North Korean group STARDUST CHOLLIMA ( activities of which have been public reported as part of the \" Lazarus Group \" ) , because Hermes was executed on a host during the SWIFT compromise of FEIB in October 2017 . 
ScarCruft is a relatively new APT group ; victims have been observed in Russia , Nepal , South Korea , China , India , Kuwait and Romania .", "spans": {"TOOL: Hermes ransomware": [[43, 60]], "TOOL: Hermes": [[212, 218]], "THREAT_ACTOR: ScarCruft": [[296, 305]]}, "info": {"id": "cyberner_stix_test_000033", "source": "cyberner_stix_test"}} +{"text": "Domain administrator credentials make it easier for the attacker to find servers hosting the desired intellectual property and gain access to the sensitive materials .", "spans": {}, "info": {"id": "cyberner_stix_test_000034", "source": "cyberner_stix_test"}} +{"text": "Overall , the discussion above may appear so much splitting of hairs or determining how many angels can dance on the head of a pin – yet given the communicative impacts behind different naming and labeling conventions , this exploration seems not merely useful but necessary .", "spans": {}, "info": {"id": "cyberner_stix_test_000035", "source": "cyberner_stix_test"}} +{"text": "As the screenshot above shows , the malware has its own command syntax that represents a combination of characters while the “ # ” symbol is a delimiter . Feedback from our Smart Protection Network revealed that apart from attacks in North America ( mainly the U.S. ) , Europe , and South America , the campaign also noticeably affected enterprises in Taiwan , Hong Kong , China , and Bahrain . APT33 : 709df1bbd0a5b15e8f205b2854204e8caf63f78203e3b595e0e66c918ec23951 S-SHA2 LaZagne . 
CISA noted that threat actors ransomware tactics and techniques were continuing to evolve and become more technologically sophisticated with every passing month .", "spans": {"ORGANIZATION: Smart Protection Network": [[173, 197]], "ORGANIZATION: enterprises": [[337, 348]], "THREAT_ACTOR: APT33": [[395, 400]], "MALWARE: 709df1bbd0a5b15e8f205b2854204e8caf63f78203e3b595e0e66c918ec23951 S-SHA2 LaZagne": [[403, 482]], "ORGANIZATION: CISA": [[485, 489]], "THREAT_ACTOR: threat actors": [[501, 514]]}, "info": {"id": "cyberner_stix_test_000036", "source": "cyberner_stix_test"}} +{"text": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\runawy.exe .", "spans": {"FILEPATH: C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\runawy.exe": [[0, 86]]}, "info": {"id": "cyberner_stix_test_000037", "source": "cyberner_stix_test"}} +{"text": "implemented 9 reqcalllog.php Take photo ( muted audio ) with rear camera , send to C2 10 reqcalllog.php Take photo ( muted audio ) with front camera , send to C2 All observed samples with Smali injections were signed by the same debug certificate ( 0x936eacbe07f201df ) . But , thanks to the attackers known affection for decoy documents that pose as news summaries , we were able to date the campaign back to March 2018 . It is fetched by a downloader , and collects information directly from the infected host .", "spans": {"THREAT_ACTOR: attackers": [[292, 301]]}, "info": {"id": "cyberner_stix_test_000038", "source": "cyberner_stix_test"}} +{"text": "Whitefly rely heavily on tools such as Mimikatz to obtain credentials . 
We assess that the actors employing this latest Flash zero-day are a suspected North Korean group we track as TEMP.Reaper .", "spans": {"THREAT_ACTOR: Whitefly": [[0, 8]], "TOOL: Mimikatz": [[39, 47]], "TOOL: Flash": [[120, 125]], "VULNERABILITY: zero-day": [[126, 134]], "THREAT_ACTOR: TEMP.Reaper": [[182, 193]]}, "info": {"id": "cyberner_stix_test_000039", "source": "cyberner_stix_test"}} +{"text": "One of them – ipv4.dll – has been placed by the APT with what is , in fact , a downloader for other malicious components . In the latest attack , Donot group is targeting Pakistani businessman working in China", "spans": {"MALWARE: ipv4.dll": [[14, 22]], "TOOL: downloader": [[79, 89]], "THREAT_ACTOR: Donot group": [[146, 157]], "ORGANIZATION: Pakistani businessman": [[171, 192]]}, "info": {"id": "cyberner_stix_test_000040", "source": "cyberner_stix_test"}} +{"text": "The following is a more detailed description of the malware and notable campaign attributes associated with TA505 .", "spans": {"THREAT_ACTOR: TA505": [[108, 113]]}, "info": {"id": "cyberner_stix_test_000041", "source": "cyberner_stix_test"}} +{"text": "PittyTiger leverages social engineering to deliver spearphishing emails , in a variety of languages including English , French and Chinese , and email phishing pages to their targets . 
executable compilation times suggest early 2012 .", "spans": {"THREAT_ACTOR: PittyTiger": [[0, 10]], "ORGANIZATION: social engineering": [[21, 39]]}, "info": {"id": "cyberner_stix_test_000042", "source": "cyberner_stix_test"}} +{"text": "After escalating privileges , the app immediately protects itself and starts to collect data , by : Installing itself on the /system partition to persist across factory resets Removing Samsung 's system update app ( com.sec.android.fotaclient ) and disabling auto-updates to maintain persistence ( sets Settings.System.SOFTWARE_UPDATE_AUTO_UPDATE to 0 ) Deleting WAP push messages and changing WAP message settings , possibly for anti-forensic purpose . The period between November 2014 and January 2015 marked one of the earlier instances in which Proofpoint observed persistent exploitation attempts by this actor . If any of them are running , the backdoor stops its execution . Identifying suspicious login patterns based on NetScaler logs", "spans": {"ORGANIZATION: Samsung": [[185, 192]], "ORGANIZATION: Proofpoint": [[549, 559]], "THREAT_ACTOR: actor": [[610, 615]]}, "info": {"id": "cyberner_stix_test_000043", "source": "cyberner_stix_test"}} +{"text": "We discovered that the sample was obfuscated using .NET reactor .", "spans": {"FILEPATH: the sample": [[19, 29]], "TOOL: obfuscated": [[34, 44]], "TOOL: .NET reactor": [[51, 63]]}, "info": {"id": "cyberner_stix_test_000044", "source": "cyberner_stix_test"}} +{"text": "EventBot abuses Android ’ s accessibility feature to access valuable user information , system information , and data stored in other applications . There is the exploit code and malware used to gain access to systems , the infrastructure that provides command and control to the malware operator , and the human elements – developers who create the malware , operators who deploy it , and analysts who extract value from the stolen information . 
To mitigate the threat of the described campaign , security teams can consider blocking access to the C2 server 103.236.150.14 and , where applicable , ensure that the Microsoft Security Update KB2553204 is installed in order to patch the CVE-2017-11882 vulnerability .", "spans": {"MALWARE: EventBot": [[0, 8]], "SYSTEM: Android": [[16, 23]], "MALWARE: exploit code": [[162, 174]], "TOOL: C2": [[549, 551]], "ORGANIZATION: Microsoft": [[615, 624]], "VULNERABILITY: CVE-2017-11882": [[686, 700]]}, "info": {"id": "cyberner_stix_test_000045", "source": "cyberner_stix_test"}} +{"text": "Emotet activity in 2019 included several high-volume campaigns that collectively distributed tens of millions of messages primarily targeting the manufacturing and healthcare industries . In their latest leak , they have released the UNITEDRAKE NSA exploit , which is a remote access and control tool that can remotely target Windows-based systems to capture desired information and transfer it to a server .", "spans": {"ORGANIZATION: manufacturing": [[146, 159]], "ORGANIZATION: healthcare industries": [[164, 185]], "TOOL: UNITEDRAKE NSA": [[234, 248]], "VULNERABILITY: exploit": [[249, 256]], "SYSTEM: Windows-based": [[326, 339]]}, "info": {"id": "cyberner_stix_test_000046", "source": "cyberner_stix_test"}} +{"text": "Data Encryption The Curve25519 encryption algorithm was implemented as of EventBot Version 0.0.0.2 . This powerful backdoor can receive commands from the attackers , enabling it to exfiltrate files from the system it is running on , execute additional scripts , delete files , and more . 
The attacker used a spear-phishing email containing a link to a fake resume hosted on a legitimate website that had been compromised .", "spans": {"MALWARE: EventBot": [[74, 82]], "MALWARE: backdoor": [[115, 123]], "THREAT_ACTOR: attacker": [[289, 297]]}, "info": {"id": "cyberner_stix_test_000047", "source": "cyberner_stix_test"}} +{"text": "It ’ s clear to see that the capabilities of HenBox are very comprehensive , both in terms of an Android app with its native libraries and given the amount of data it can glean from a victim . Notably , APT41 was observed using proof-of-concept exploit code for CVE-2019-3396 within 23 days after the Confluence . Importantly , PinchDuke trojan samples alACTs contain a notable text string , which we believe is used as a campaign identifier by the Dukes group to distinguish between multiple attack campaigns that are run in parallel .", "spans": {"MALWARE: HenBox": [[45, 51]], "SYSTEM: Android": [[97, 104]], "THREAT_ACTOR: APT41": [[203, 208]], "VULNERABILITY: exploit": [[245, 252]], "VULNERABILITY: CVE-2019-3396": [[262, 275]], "MALWARE: PinchDuke trojan samples": [[328, 352]], "THREAT_ACTOR: Dukes group": [[449, 460]]}, "info": {"id": "cyberner_stix_test_000048", "source": "cyberner_stix_test"}} +{"text": "Patchwork ( also known as Dropping Elephant ) is a cyberespionage group whose targets included diplomatic and government agencies as well as businesses . 
We encountered the first document exploit called \" THAM luan - GD - NCKH2.doc \" a few days ago , which appears to be leveraging some vulnerabilities patched with MS12-060 .", "spans": {"THREAT_ACTOR: Patchwork": [[0, 9]], "THREAT_ACTOR: Dropping Elephant": [[26, 43]], "THREAT_ACTOR: cyberespionage group": [[51, 71]], "ORGANIZATION: diplomatic": [[95, 105]], "ORGANIZATION: government agencies": [[110, 129]], "ORGANIZATION: businesses": [[141, 151]], "VULNERABILITY: exploit": [[188, 195]], "FILEPATH: THAM luan - GD -": [[205, 221]], "FILEPATH: NCKH2.doc": [[222, 231]], "MALWARE: MS12-060": [[316, 324]]}, "info": {"id": "cyberner_stix_test_000049", "source": "cyberner_stix_test"}} +{"text": "We can also see 2 VBA variable names : PathPld , probably for Path Payload , and PathPldBt , for Path Payload Batch .", "spans": {"TOOL: VBA": [[18, 21]]}, "info": {"id": "cyberner_stix_test_000050", "source": "cyberner_stix_test"}} +{"text": "Despite its name , this tool does not use Amazon’s website , but exploits an unauthenticated Cross-Site Request Forgery (CSRF) vulnerability of a merchant website allowing the abuse of PayPal Payflow link functionality (Figure 9) . 
Attackers using several locations in China have leveraged C&C servers on purchased hosted services in the United States and compromised servers in the Netherlands to wage attacks against global oil , gas , and petrochemical companies , as well as individuals and executives in Kazakhstan , Taiwan , Greece , and the United States to acquire proprietary and highly confidential information .", "spans": {"TOOL: PayPal Payflow": [[185, 199]], "THREAT_ACTOR: Attackers": [[232, 241]], "TOOL: C&C": [[290, 293]], "ORGANIZATION: oil": [[426, 429]], "ORGANIZATION: gas": [[432, 435]], "ORGANIZATION: petrochemical companies": [[442, 465]], "ORGANIZATION: executives": [[495, 505]]}, "info": {"id": "cyberner_stix_test_000051", "source": "cyberner_stix_test"}} +{"text": "These types of weaponized documents are not uncommon but are more difficult to identify as malicious by automated analysis systems due to their modular nature .", "spans": {}, "info": {"id": "cyberner_stix_test_000052", "source": "cyberner_stix_test"}} +{"text": "Both PinchDuke and CosmicDuke would then operate independently on the same compromised host , including performing separate information gathering , data Exfiltration and communication with a command and control ( C&C ) server - although both malware would often use the same C&C server .", "spans": {"MALWARE: PinchDuke": [[5, 14]], "MALWARE: CosmicDuke": [[19, 29]], "TOOL: command and control": [[191, 210]], "TOOL: C&C": [[213, 216], [275, 278]]}, "info": {"id": "cyberner_stix_test_000053", "source": "cyberner_stix_test"}} +{"text": "The breach on Hacking Team comes almost a year after another surveillance tech company , the competing FinFisher , was hacked in a similar way , with a hacker leaking 40 Gb of internal files . 
After publishing our initial series of blogposts back in 2016 , Kaspersky have continued to track the ScarCruft threat actor .", "spans": {"ORGANIZATION: FinFisher": [[103, 112]], "ORGANIZATION: Kaspersky": [[257, 266]], "THREAT_ACTOR: ScarCruft": [[295, 304]]}, "info": {"id": "cyberner_stix_test_000054", "source": "cyberner_stix_test"}} +{"text": "FireEye observed a high volume of activity associated with the exploitation of CVE-2017-10271 following the public posting of proof of concept code in December 2017 . The threat actors used two publicly available techniques , an AppLocker whitelisting bypass and a script to inject shellcode into the userinit.exe process .", "spans": {"ORGANIZATION: FireEye": [[0, 7]], "VULNERABILITY: CVE-2017-10271": [[79, 93]], "THREAT_ACTOR: actors": [[178, 184]], "FILEPATH: userinit.exe": [[301, 313]]}, "info": {"id": "cyberner_stix_test_000055", "source": "cyberner_stix_test"}} +{"text": "BRONZE PRESIDENT regularly leverages Wmiexec to move laterally .", "spans": {"THREAT_ACTOR: BRONZE PRESIDENT": [[0, 16]], "TOOL: Wmiexec": [[37, 44]]}, "info": {"id": "cyberner_stix_test_000056", "source": "cyberner_stix_test"}} +{"text": "Upon execution , the loader will decrypt the embedded payload ( DLL ) using a custom algorithm , decompress it and save it to the following file : %LOCALAPPDATA%\\cdnver.dll .", "spans": {"TOOL: DLL": [[64, 67]], "FILEPATH: %LOCALAPPDATA%\\cdnver.dll": [[147, 172]]}, "info": {"id": "cyberner_stix_test_000057", "source": "cyberner_stix_test"}} +{"text": "Additionally , most of the decoy files are publicly available on news websites or social media .", "spans": {}, "info": {"id": "cyberner_stix_test_000058", "source": "cyberner_stix_test"}} +{"text": "The malware uses several advanced techniques to hide its real intentions and makes it harder to detect . The spear-phishing infection vector is still the most popular way to initiate targeted campaigns . 
The spearphishing emails were sent to various kinds of businesses only and did not target individuals . Our gathered field data shows the following statistics on CSP usage across the Internet ( based on HTTPArchive March 2020 scan ):", "spans": {"TOOL: emails": [[222, 228]], "SYSTEM: CSP": [[366, 369]], "SYSTEM: Internet": [[387, 395]], "SYSTEM: HTTPArchive": [[407, 418]]}, "info": {"id": "cyberner_stix_test_000059", "source": "cyberner_stix_test"}} +{"text": "Upon launch , the malware retrieves the victim ’s basic system information , sending it in the following HTTP POST format , as is the case with the macOS malware .", "spans": {"SYSTEM: macOS": [[148, 153]]}, "info": {"id": "cyberner_stix_test_000060", "source": "cyberner_stix_test"}} +{"text": "We believed that the actors would use this date code to track their attack campaigns ; however , after continued analysis of the malware , we think these static dates could also be a build identifier for the Trojan . The first malware we saw was the lurk downloader , which was distributed on October 26th .", "spans": {"TOOL: date code": [[43, 52]], "MALWARE: lurk downloader": [[250, 265]]}, "info": {"id": "cyberner_stix_test_000061", "source": "cyberner_stix_test"}} +{"text": "WannaCry utilizes EternalBlue by crafting a custom SMB session request with hard-coded values based on the target system . 
Turla 's campaign still relies on a fake Flash installer but , instead of directly dropping the two malicious DLLs , it executes a Metasploit shellcode and drops , or downloads from Google Drive , a legitimate Flash installer .", "spans": {"TOOL: WannaCry": [[0, 8]], "VULNERABILITY: EternalBlue": [[18, 29]], "TOOL: SMB": [[51, 54]], "THREAT_ACTOR: Turla": [[123, 128]], "TOOL: Flash": [[164, 169], [333, 338]], "MALWARE: Metasploit shellcode and drops": [[254, 284]]}, "info": {"id": "cyberner_stix_test_000062", "source": "cyberner_stix_test"}} +{"text": "However , as mentioned earlier , an analysis of this new variant showed some changes in its code in line with its new deployment method . However , the malware shared several traits with the RIPTIDE and HIGHTIDE backdoor that we have attributed to APT12 . The first DNS query by Glimpse requests the mode to be used in future communications with the controller (i.e., ping mode or text ) . The Twitter handle used by Hack520 indicates also an “ est ” portion .", "spans": {"TOOL: RIPTIDE": [[191, 198]], "TOOL: HIGHTIDE backdoor": [[203, 220]], "THREAT_ACTOR: APT12": [[248, 253]], "MALWARE: Glimpse": [[279, 286]], "THREAT_ACTOR: Hack520": [[417, 424]]}, "info": {"id": "cyberner_stix_test_000063", "source": "cyberner_stix_test"}} +{"text": "They then proceeded to log directly into the VPN using the credentials of the compromised user . 
Suckfly targeted one of India 's largest e-commerce companies , a major Indian shipping company , one of India 's largest financial organizations , and an IT firm that provides support for India 's largest stock exchange .", "spans": {"TOOL: credentials of the compromised user": [[59, 94]], "ORGANIZATION: e-commerce companies": [[138, 158]], "ORGANIZATION: shipping company": [[176, 192]], "ORGANIZATION: financial organizations": [[219, 242]], "ORGANIZATION: IT firm": [[252, 259]]}, "info": {"id": "cyberner_stix_test_000064", "source": "cyberner_stix_test"}} +{"text": "Coinminer.Linux.MALXMR.SMDSL32 : fc57bd66c27066104cd6f8962cd463a5dfc05fa59b76b6958cddd3542dfe6a9a .", "spans": {"MALWARE: Coinminer.Linux.MALXMR.SMDSL32": [[0, 30]], "FILEPATH: fc57bd66c27066104cd6f8962cd463a5dfc05fa59b76b6958cddd3542dfe6a9a": [[33, 97]]}, "info": {"id": "cyberner_stix_test_000065", "source": "cyberner_stix_test"}} +{"text": "Finally , Talos identified a 6th campaign that is also linked to Group 123 . The PowerShell version of the Trojan also has the ability to get screenshots .", "spans": {"ORGANIZATION: Talos": [[10, 15]], "THREAT_ACTOR: Group 123": [[65, 74]], "TOOL: PowerShell": [[81, 91]], "MALWARE: Trojan": [[107, 113]]}, "info": {"id": "cyberner_stix_test_000066", "source": "cyberner_stix_test"}} +{"text": "Observe the desktop and actions of active user .", "spans": {}, "info": {"id": "cyberner_stix_test_000067", "source": "cyberner_stix_test"}} +{"text": "The Russian Academy of Missile and Artillery Sciences ( PAPAH ) which specializes in research and development for strengthening Russia ’s defense industrial complex .", "spans": {"ORGANIZATION: Russian Academy of Missile and Artillery Sciences": [[4, 53]], "ORGANIZATION: PAPAH": [[56, 61]]}, "info": {"id": "cyberner_stix_test_000068", "source": "cyberner_stix_test"}} +{"text": "With the four “ sms_send ” commands , the messages as specified in the key “ text ” will be sent immediately to the specified short numbers . 
APT34 loosely aligns with public reporting related to the group \" OilRig \" . For this campaign , the attacker chose to use a cloud provider ( Google ) with a good reputation to avoid URL blacklisting . In the USA , Vice Society is the most active among a group of gangs .", "spans": {"THREAT_ACTOR: APT34": [[142, 147]], "THREAT_ACTOR: group": [[200, 205]], "THREAT_ACTOR: OilRig": [[208, 214]], "TOOL: Google": [[284, 290]], "THREAT_ACTOR: Vice Society": [[357, 369]]}, "info": {"id": "cyberner_stix_test_000069", "source": "cyberner_stix_test"}} +{"text": "] cendata [ . In September 2015 Mofang launched another attack . Ixeshe has been used in targeted attacks since 2009, often against entities in East Asia . As our experience with and knowledge of this threat actor grows , we will update this post or release new technical details as appropriate .", "spans": {"THREAT_ACTOR: Mofang": [[32, 38]], "MALWARE: Ixeshe": [[65, 71]], "THREAT_ACTOR: threat actor": [[201, 213]]}, "info": {"id": "cyberner_stix_test_000070", "source": "cyberner_stix_test"}} +{"text": "Regardless , the sheer number of servers and publicly available exploit code suggests that CVE-2019-0604 is still a major attack vector .", "spans": {"VULNERABILITY: CVE-2019-0604": [[91, 104]]}, "info": {"id": "cyberner_stix_test_000071", "source": "cyberner_stix_test"}} +{"text": "Another tie between the activity is the C2 jackhex.md5c [ . Like other Chinese espionage operators , APT41 appears to have moved toward strategic intelligence collection and establishing access and away from direct intellectual property theft since 2015 . 
APT32 often deploys these backdoors along with the commercially-available Cobalt Strike backdoor .", "spans": {"THREAT_ACTOR: APT41": [[101, 106]], "THREAT_ACTOR: APT32": [[256, 261]], "MALWARE: Cobalt Strike backdoor": [[330, 352]]}, "info": {"id": "cyberner_stix_test_000072", "source": "cyberner_stix_test"}} +{"text": "After a 10 month hiatus , MUMMY SPIDER returned Emotet to operation in December 2016 but the latest variant is not deploying a banking Trojan module with web injects , it is currently acting as a ' loader ' delivering other malware packages . The malicious documents that Unit 42 examined contained legitimate decoy lures as well as malicious embedded EPS files targeting the CVE-2015-2545 and CVE-2017-0261 vulnerabilities .", "spans": {"THREAT_ACTOR: MUMMY SPIDER": [[26, 38]], "TOOL: Emotet": [[48, 54]], "TOOL: banking Trojan": [[127, 141]], "ORGANIZATION: Unit 42": [[272, 279]], "FILEPATH: EPS files": [[352, 361]], "VULNERABILITY: CVE-2015-2545": [[376, 389]], "VULNERABILITY: CVE-2017-0261": [[394, 407]]}, "info": {"id": "cyberner_stix_test_000073", "source": "cyberner_stix_test"}} +{"text": "Here is a list of information that GolfSpy steals : Device accounts List of applications installed in the device Device ’ s current running processes Battery status Bookmarks/Histories of the device ’ s default browser Call logs and records Clipboard contents Contacts , including those in VCard format Mobile operator information Files stored on SDcard Device location List of image , audio , and video files stored on the device Storage and memory information Connection information Sensor information SMS messages Pictures GolfSpy also has a function that lets it connect to a remote server to fetch and perform commands Adobe Flash Player exploit . The emails were efficient social-engineering attempts that appealed to a vast number of human emotions ( fear , stress , anger , etc. ) to elicit a response from their victims . 
Attackers frequently abuse stolen certificates to prevent the malware they 're spreading from being detected by various security protections .", "spans": {"MALWARE: GolfSpy": [[35, 42], [526, 533]], "VULNERABILITY: Adobe Flash Player exploit": [[624, 650]], "TOOL: emails": [[657, 663]], "THREAT_ACTOR: Attackers": [[831, 840]]}, "info": {"id": "cyberner_stix_test_000074", "source": "cyberner_stix_test"}} +{"text": "The first of these runs used the campaign identifier “ natoinfo_ge ” , an apparent reference to the www.natoinfo.ge website belonging to a Georgian political body that has since been renamed “ Information Centre on NATO and EU ” .", "spans": {"DOMAIN: www.natoinfo.ge": [[100, 115]], "ORGANIZATION: NATO": [[215, 219]]}, "info": {"id": "cyberner_stix_test_000075", "source": "cyberner_stix_test"}} +{"text": "Execution of code ;", "spans": {}, "info": {"id": "cyberner_stix_test_000076", "source": "cyberner_stix_test"}} +{"text": "CONCLUSION In this research , the Nocturnus team has dissected a rapidly evolving Android malware in the making . The addition of the EternalBlue exploit to Metasploit has made it easy for threat actors to exploit these vulnerabilities . 
The threat actor has previously been the subject of a range of open source reporting , including most notably a report by FireEye comprehensively detailing the threat actor 's use of the Poison Ivy malware family and blog posts by Trend Micro similarly detailing the use of EvilGrab malware .", "spans": {"ORGANIZATION: Nocturnus": [[34, 43]], "MALWARE: Android": [[82, 89]], "VULNERABILITY: EternalBlue": [[134, 145]], "TOOL: Metasploit": [[157, 167]], "THREAT_ACTOR: actors": [[196, 202]], "ORGANIZATION: FireEye": [[360, 367]], "MALWARE: Poison Ivy malware family": [[425, 450]], "ORGANIZATION: Trend Micro": [[469, 480]], "MALWARE: EvilGrab": [[512, 520]], "MALWARE: malware": [[521, 528]]}, "info": {"id": "cyberner_stix_test_000077", "source": "cyberner_stix_test"}} +{"text": "Sofacy APT hits high profile targets with updated toolset .", "spans": {"THREAT_ACTOR: Sofacy": [[0, 6]]}, "info": {"id": "cyberner_stix_test_000078", "source": "cyberner_stix_test"}} +{"text": "RCSession connects to its C2 server via a custom protocol , can remotely execute commands , and can launch additional tools .", "spans": {"MALWARE: RCSession": [[0, 9]], "TOOL: C2": [[26, 28]]}, "info": {"id": "cyberner_stix_test_000079", "source": "cyberner_stix_test"}} +{"text": "We refer to this ( somewhat ironic ) technique as a “ Double Edged Sword Attack ” .", "spans": {}, "info": {"id": "cyberner_stix_test_000080", "source": "cyberner_stix_test"}} +{"text": "To control the full operation , MoneyTaker uses a Pentest framework Server . 
TG-3390 actors keep track of and leverage existing ASPXTool web shells in their operations , preferring to issue commands via an internally accessible Web shell rather than HTTPBrowser or PlugX .", "spans": {"THREAT_ACTOR: MoneyTaker": [[32, 42]], "TOOL: Pentest framework Server": [[50, 74]], "THREAT_ACTOR: TG-3390": [[77, 84]], "MALWARE: ASPXTool web shells": [[128, 147]], "TOOL: Web shell": [[228, 237]], "MALWARE: HTTPBrowser": [[250, 261]], "MALWARE: PlugX": [[265, 270]]}, "info": {"id": "cyberner_stix_test_000081", "source": "cyberner_stix_test"}} +{"text": "We would like to acknowledge the possibility of an overlap in the AntSword webshell , as we stated that Emissary Panda used China Chopper in the April attacks and AntSword and China Chopper webshells are incredibly similar .", "spans": {"TOOL: AntSword": [[66, 74], [163, 171]], "THREAT_ACTOR: Emissary Panda": [[104, 118]], "TOOL: Chopper": [[130, 137], [182, 189]]}, "info": {"id": "cyberner_stix_test_000082", "source": "cyberner_stix_test"}} +{"text": "It is capable of a variety of functions , including credential theft , hard drive and data wiping , disabling security software , and remote desktop functionality . 
Althoughthe BariumDefendants have relied on differentand distinct infrastructures in an effortto evade detection , Bariumused the same e-mail address ( hostay88@gmail.com ) to register malicious domains used in connection with at least two toolsets that Barium has employed to compromise victim computers .", "spans": {"TOOL: e-mail": [[300, 306]], "EMAIL: hostay88@gmail.com": [[317, 335]], "THREAT_ACTOR: Barium": [[419, 425]]}, "info": {"id": "cyberner_stix_test_000083", "source": "cyberner_stix_test"}} +{"text": "Prior to sending the data to the server , the data is encrypted and staged in an array like this :", "spans": {}, "info": {"id": "cyberner_stix_test_000084", "source": "cyberner_stix_test"}} +{"text": "Even when this would not be directly related to the Android malware described in this blogpost , it would be an indicator of wider capabilities and objectives of this actor . DoNot Team has a history of heavily targeting Pakistan , in addition to other neighboring countries . The document is weaponized with malicious macro code triggered when the user opens the document to see the content under the obfuscated view .", "spans": {"SYSTEM: Android": [[52, 59]], "THREAT_ACTOR: DoNot Team": [[175, 185]], "TOOL: malicious macro": [[309, 324]]}, "info": {"id": "cyberner_stix_test_000085", "source": "cyberner_stix_test"}} +{"text": "The distribution of rooting malware through Google Play is not a new thing . To obtain logins and passwords they applied keyloggers built into Corkow , as well as a commonly used feature of Mimikatz , dumping clear text Windows credentials from LSA . After unpacking them , the code is recognizable as the commercial RAT RevengeRAT . 
Talos Takes Ep .", "spans": {"SYSTEM: Google Play": [[44, 55]], "TOOL: keyloggers": [[121, 131]], "TOOL: Corkow": [[143, 149]], "MALWARE: RAT": [[317, 320]], "MALWARE: RevengeRAT": [[321, 331]], "ORGANIZATION: Talos": [[334, 339]]}, "info": {"id": "cyberner_stix_test_000086", "source": "cyberner_stix_test"}} +{"text": "We came to this conclusion in part based on forensic details left in the malware that APT28 had employed since at least 2007 .", "spans": {"THREAT_ACTOR: APT28": [[86, 91]]}, "info": {"id": "cyberner_stix_test_000087", "source": "cyberner_stix_test"}} +{"text": "An extended malware hunting process returned to us a large set of “ Agent Smith ” dropper variants which helped us further deduce a relation among multiple C & C server infrastructures . Once an exploitable page is identified , the actor will attempt to upload a PHP backdoor to gain remote access to the system . This persistence technique is interesting , because it employs two distinct MITRE ATT&CK techniques : Scheduled Task and Signed Binary Proxy Execution . 
On March 2 , 2021 , Microsoft released a blog post that detailed multiple zero - day vulnerabilities used to attack on - premises versions of Microsoft Exchange Server .", "spans": {"MALWARE: Agent Smith": [[68, 79]], "TOOL: MITRE ATT&CK": [[390, 402]], "TOOL: Scheduled Task": [[416, 430]], "TOOL: Signed Binary Proxy Execution": [[435, 464]], "ORGANIZATION: Microsoft": [[487, 496]], "VULNERABILITY: multiple zero - day vulnerabilities": [[532, 567]], "SYSTEM: Microsoft Exchange Server": [[609, 634]]}, "info": {"id": "cyberner_stix_test_000088", "source": "cyberner_stix_test"}} +{"text": "Large-scale Dridex and Locky campaigns returned in Q2 2017 , although none reached the volumes we observed in mid-2016 .", "spans": {"MALWARE: Dridex": [[12, 18]], "MALWARE: Locky": [[23, 28]]}, "info": {"id": "cyberner_stix_test_000089", "source": "cyberner_stix_test"}} +{"text": "The cybercriminals then send this money to a digital wallet or to a premium number and cash it in . Over the last 10 months , Kaspersky Lab researchers have analyzed a massive cyber-espionage operation which we call \" Epic Turla \" . Recently , there was a blog post on the takedown of a botnet used by threat actor group known as Group 72 and their involvement in Operation SMN . 
In November 2016 , Volexity documented new Dukes - related activity involving spear phishing with links to a ZIP archive containing a malicious LNK file , which would run PowerShell commands to install a new custom backdoor called PowerDuke .", "spans": {"ORGANIZATION: Kaspersky Lab": [[126, 139]], "TOOL: Epic Turla": [[218, 228]], "MALWARE: botnet": [[287, 293]], "THREAT_ACTOR: Group 72": [[330, 338]], "ORGANIZATION: Volexity": [[399, 407]], "MALWARE: Dukes": [[423, 428]], "MALWARE: PowerDuke": [[611, 620]]}, "info": {"id": "cyberner_stix_test_000090", "source": "cyberner_stix_test"}} +{"text": "The initial infection vector in this attack is not clear , but it results in installing the “ Downeks ” downloader , which in turn infects the victim computer with the “ Quasar ” RAT .", "spans": {"MALWARE: Downeks": [[94, 101]], "MALWARE: Quasar": [[170, 176]], "TOOL: RAT": [[179, 182]]}, "info": {"id": "cyberner_stix_test_000091", "source": "cyberner_stix_test"}} +{"text": "During 2011 , the Dukes appear to have significantly expanded both their arsenal of malware toolsets and their C&C infrastructure .", "spans": {"THREAT_ACTOR: Dukes": [[18, 23]], "TOOL: C&C": [[111, 114]]}, "info": {"id": "cyberner_stix_test_000092", "source": "cyberner_stix_test"}} +{"text": "Device admin request from app that says it is WhatsApp The app then stays in the background listening to commands from the cybercrooks . In May 2017 , APT37 used a bank liquidation letter as a spear phishing lure against a board member of a Middle Eastern financial company . One of the human-readable encryption keys used is . 
Fast forward to 2021 , we ve seen several notable attacks spanning critical infrastructures to the private sector , such as the attack on the information technology firm Kaseya , which affected up to 1,500 businesses and attempted to extort Kaseya for 70 million .", "spans": {"THREAT_ACTOR: APT37": [[151, 156]], "ORGANIZATION: board member": [[223, 235]], "ORGANIZATION: financial company": [[256, 273]], "ORGANIZATION: critical infrastructures to the private sector": [[395, 441]], "ORGANIZATION: information technology firm Kaseya": [[470, 504]], "ORGANIZATION: Kaseya": [[569, 575]]}, "info": {"id": "cyberner_stix_test_000093", "source": "cyberner_stix_test"}} +{"text": "Campaign identifiers from 2009 also reveal that by that time , the Dukes were already actively interested in political matters related to the United States ( US ) and the North Atlantic Treaty Organization ( NATO ) , as they ran campaigns targeting ( among other organizations ) a US based foreign policy think tank , another set of campaigns related to a NATO exercise held in Europe , and a third set apparently targeting what was then known as the Georgian “ Information Centre on NATO ” .", "spans": {"THREAT_ACTOR: Dukes": [[67, 72]], "ORGANIZATION: North Atlantic Treaty Organization": [[171, 205]], "ORGANIZATION: NATO": [[208, 212], [356, 360], [484, 488]]}, "info": {"id": "cyberner_stix_test_000094", "source": "cyberner_stix_test"}} +{"text": "The generalized targeting of organizations involved in energy and petrochemicals mirrors previously observed targeting by other suspected Iranian threat groups , indicating a common interest in the sectors across Iranian actors . 
With Javafog , we are turning yet another page in the Icefog story by discovering another generation of backdoors used by the attackers .", "spans": {"ORGANIZATION: energy": [[55, 61]], "ORGANIZATION: petrochemicals": [[66, 80]], "THREAT_ACTOR: threat groups": [[146, 159]], "THREAT_ACTOR: actors": [[221, 227]], "MALWARE: Icefog": [[284, 290]]}, "info": {"id": "cyberner_stix_test_000095", "source": "cyberner_stix_test"}} +{"text": "Upon analysis , we discovered that this is a decoy functionality and no new payload is generated . Gaza Cybergang Group1 is an attack group with limited infrastructure and an open-source type of toolset , which conducts widespread attacks , but is nevertheless focused on Palestinian political problems . This passive implant approach to network persistence has been previously observed with threat actors like Project Sauron and the Lamberts .", "spans": {"THREAT_ACTOR: Gaza Cybergang Group1": [[99, 120]], "ORGANIZATION: Palestinian": [[272, 283]], "TOOL: Project Sauron": [[411, 425]], "TOOL: Lamberts": [[434, 442]]}, "info": {"id": "cyberner_stix_test_000096", "source": "cyberner_stix_test"}} +{"text": "It listens to events like TYPE_VIEW_TEXT_CHANGED . However , Kaspersky Security Network (KSN) records also contain links that victims clicked from the Outlook web client outlook.live.com” as well as attachments arriving through the Outlook desktop application . 
Ultimately , APT35 had used access to hundreds of mailboxes to read email communications and steal data related to Middle East organizations , which later became victims of destructive attacks .", "spans": {"ORGANIZATION: Kaspersky": [[61, 70]], "MALWARE: outlook.live.com”": [[170, 187]], "THREAT_ACTOR: APT35": [[275, 280]], "ORGANIZATION: email communications": [[330, 350]]}, "info": {"id": "cyberner_stix_test_000097", "source": "cyberner_stix_test"}} +{"text": "Recall that the malware hooked the RansomActivity intent with the notification that was created as a “ call ” type notification . As the crisis in Syria escalates , FireEye researchers have discovered a threat group , which we call \" Ke3chang \" , that falsely advertises information updates about the ongoing crisis to compromise MFA networks in Europe . The compiler-level obfuscations like opaque predicates and control flow flattening are started to be observed in the wild by analyst and researchers . As for who was hit the hardest , around 16 percent of ransomware incidents affecting State , Local , Tribal , and Tribunal ( SLTT ) governments were from LockBit , says the MS - ISAC .", "spans": {"ORGANIZATION: FireEye": [[165, 172]], "THREAT_ACTOR: threat group": [[203, 215]], "THREAT_ACTOR: Ke3chang": [[234, 242]], "ORGANIZATION: State , Local , Tribal , and Tribunal ( SLTT ) governments": [[591, 649]], "THREAT_ACTOR: LockBit": [[660, 667]], "ORGANIZATION: MS - ISAC": [[679, 688]]}, "info": {"id": "cyberner_stix_test_000098", "source": "cyberner_stix_test"}} +{"text": "After flashing , the bootkit will be removed . The APT group is reportedly targeting the Middle East region . APT1 ’s beachhead backdoors are usually what we call WEBC2 backdoors . 
They used their unauthorized access to obtain digital certificates that were later exploited in malware campaigns targeting other industries and political activists .", "spans": {"THREAT_ACTOR: APT1": [[110, 114]], "MALWARE: WEBC2 backdoors": [[163, 178]], "ORGANIZATION: industries": [[311, 321]], "ORGANIZATION: political activists": [[326, 345]]}, "info": {"id": "cyberner_stix_test_000099", "source": "cyberner_stix_test"}} +{"text": "These files were likely exfiltrated and exploited offline to retrieve user password hashes , which could then be cracked or used to perform pass-the-hash attacks .", "spans": {}, "info": {"id": "cyberner_stix_test_000100", "source": "cyberner_stix_test"}} +{"text": "CVE-2016-4117 : Adobe Flash Player 21.0.0.226 Vulnerability .", "spans": {"VULNERABILITY: CVE-2016-4117": [[0, 13]], "TOOL: Adobe Flash Player": [[16, 34]]}, "info": {"id": "cyberner_stix_test_000101", "source": "cyberner_stix_test"}} +{"text": "Kaspersky Lab 's products detect the Microsoft Office exploits used in the spear-phishing attacks , including Exploit.MSWord.CVE-2010-333 , Exploit.Win32.CVE-2012-0158 . The times of day the group is active also suggests that it is based near Beijing and the group has reportedly used malware that has been observed in other Chinese operations , indicating some level of collaboration .", "spans": {"ORGANIZATION: Kaspersky Lab": [[0, 13]], "VULNERABILITY: Microsoft Office exploits": [[37, 62]], "MALWARE: Exploit.MSWord.CVE-2010-333": [[110, 137]], "MALWARE: Exploit.Win32.CVE-2012-0158": [[140, 167]]}, "info": {"id": "cyberner_stix_test_000102", "source": "cyberner_stix_test"}} +{"text": "] com Given that there is some overlap in the previous two versions , it came as no surprise to us that we finally identified a sample which is an evolution based on both previous versions . There are a number of factors in these groups' campaigns that suggests that the attackers may be based in Iran . 
We suspect this change was a direct result of the Arbor blog post in order to decrease detection of RIPTIDE by security vendors . PoetRAT used TLS to encrypt communications over port 143 QuasarRAT can use port 4782 on the compromised host for TCP callbacks .", "spans": {"ORGANIZATION: Arbor": [[354, 359]], "MALWARE: RIPTIDE": [[404, 411]], "MALWARE: PoetRAT": [[434, 441]], "SYSTEM: TLS": [[447, 450]], "MALWARE: QuasarRAT": [[491, 500]]}, "info": {"id": "cyberner_stix_test_000103", "source": "cyberner_stix_test"}} +{"text": "61a1f3b4fb4dbd2877c91e81db4b1af8395547eab199bf920e9dd11a1127221e .", "spans": {"FILEPATH: 61a1f3b4fb4dbd2877c91e81db4b1af8395547eab199bf920e9dd11a1127221e": [[0, 64]]}, "info": {"id": "cyberner_stix_test_000104", "source": "cyberner_stix_test"}} +{"text": "During a recent campaign , APT32 leveraged social engineering emails with Microsoft ActiveMime file attachments to deliver malicious macros . Despite some exceptions , the Taidoor campaign often used Taiwanese IP addresses as C&C servers and email addresses to send out socially engineered emails with malware as attachments .", "spans": {"THREAT_ACTOR: APT32": [[27, 32]], "MALWARE: Microsoft ActiveMime file": [[74, 99]], "MALWARE: IP": [[210, 212]], "TOOL: C&C": [[226, 229]], "TOOL: email": [[242, 247]], "TOOL: emails": [[290, 296]]}, "info": {"id": "cyberner_stix_test_000105", "source": "cyberner_stix_test"}} +{"text": "The collected details include : Local user accounts , Network settings , Internet proxy settings , Installed drivers , Running processes , Programs previously executed by users , Programs and services configured to automatically run at startup , Values of environment variables , Files and folders present in any users home folder , Files and folders present in any users My Documents , Programs installed to the Program Files folder , Recently accessed files , folders and programs .", "spans": {}, "info": {"id": "cyberner_stix_test_000106", "source": "cyberner_stix_test"}} 
+{"text": "The msvcr90.dll file is opened , read , and decrypted , and the code execution control is transferred to the RunDll exported routine . Ultimately , APT35 had used access to hundreds of mailboxes to read email communications and steal data related to Middle East organizations , which later became victims of destructive attacks . The way the decryption routine is called ( from within the DllMain function , as opposed to an exported function ) . KillNet has also repeatedly promoted messaging related to changes or expansions in the collective ’s operations , ranging from KillNet reforming to become a “ private military hacker company ” to purported partnerships with cyber crime groups .", "spans": {"THREAT_ACTOR: APT35": [[148, 153]], "ORGANIZATION: email communications": [[203, 223]], "TOOL: DllMain": [[389, 396]]}, "info": {"id": "cyberner_stix_test_000107", "source": "cyberner_stix_test"}} +{"text": "System operators should take the following steps to limit permissions , privileges , and access controls .", "spans": {}, "info": {"id": "cyberner_stix_test_000108", "source": "cyberner_stix_test"}} +{"text": "The data is then encoded with Base64 :", "spans": {}, "info": {"id": "cyberner_stix_test_000109", "source": "cyberner_stix_test"}} +{"text": "Other CrowdStrike reporting describes a dropper used by PUTTER PANDA to install the 4H RAT . These campaign-related VPSs are located in South Africa . 
The tool does all that a typical Trojan needs to accomplish: upload , download and execute files , fingerprint target systems .", "spans": {"ORGANIZATION: CrowdStrike": [[6, 17]], "TOOL: dropper": [[40, 47]], "THREAT_ACTOR: PUTTER PANDA": [[56, 68]], "TOOL: 4H RAT": [[84, 90]], "THREAT_ACTOR: VPSs": [[116, 120]], "FILEPATH: Trojan": [[184, 190]]}, "info": {"id": "cyberner_stix_test_000110", "source": "cyberner_stix_test"}} +{"text": "Leading up to summer 2017 , infrastructure mostly was created with PDR and Internet Domain Service BS Corp , and their resellers .", "spans": {}, "info": {"id": "cyberner_stix_test_000111", "source": "cyberner_stix_test"}} +{"text": "HenBox can also access sensors such as the device camera ( s ) and the microphone . The lure used to target the cryptocurrency exchange (displayed in Figure 5 and translated in Figure 6) referenced an online gaming platform , tying the cryptocurrency targeting to APT41's focus on video game-related targeting . As alluded to in our previous blog regarding the Cannon tool , the Sofacy group ( AKA Fancy Bear , APT28 , STRONTIUM , Pawn Storm , Sednit ) has persistently attacked various government and private organizations around the world from mid-October 2018 through mid-November 2018 .", "spans": {"MALWARE: HenBox": [[0, 6]], "THREAT_ACTOR: APT41's": [[264, 271]], "ORGANIZATION: video game-related": [[281, 299]], "MALWARE: Cannon tool": [[361, 372]], "THREAT_ACTOR: Sofacy group": [[379, 391]], "THREAT_ACTOR: Fancy Bear": [[398, 408]], "THREAT_ACTOR: APT28": [[411, 416]], "THREAT_ACTOR: STRONTIUM": [[419, 428]], "THREAT_ACTOR: Pawn Storm": [[431, 441]], "THREAT_ACTOR: Sednit": [[444, 450]], "ORGANIZATION: government": [[487, 497]]}, "info": {"id": "cyberner_stix_test_000112", "source": "cyberner_stix_test"}} +{"text": "The malware architecture is modular , which means that it can execute plugins . 
MenuPass spoofed several sender email addresses to send spear phishing emails , most notably public addresses associated with the Sasakawa Peace Foundation and The White House . The launcher loads configuration from resources and uses an export from the backdoor DLL to initialize config values in memory . The executable within this not only played a very funny video , but dropped and ran another CozyDuke executable .", "spans": {"THREAT_ACTOR: MenuPass": [[80, 88]], "ORGANIZATION: Sasakawa Peace Foundation": [[210, 235]], "ORGANIZATION: White House": [[244, 255]], "TOOL: DLL": [[343, 346]]}, "info": {"id": "cyberner_stix_test_000113", "source": "cyberner_stix_test"}} +{"text": "Serialize the client object ( which will be later encrypted and sent ) .", "spans": {}, "info": {"id": "cyberner_stix_test_000114", "source": "cyberner_stix_test"}} +{"text": "SOURFACE :", "spans": {"MALWARE: SOURFACE": [[0, 8]]}, "info": {"id": "cyberner_stix_test_000115", "source": "cyberner_stix_test"}} +{"text": "Cyber espionage activity against the hospitality industry is typically focused on collecting information on or from hotel guests of interest rather than on the hotel industry itself , though actors may also collect information on the hotel as a means of facilitating operations .", "spans": {}, "info": {"id": "cyberner_stix_test_000116", "source": "cyberner_stix_test"}} +{"text": "As a reminder , it is always a good practice to download apps only from trusted app stores such as Google Play . In August 2013 , FireEye reported that admin@338 had been using the Poison Ivy RAT in its operations . The most notable difference from last year ’s OilRig campaign is the way the attack was delivered . 
During the investigation , Mandiant observed the threat actor target four ( 4 ) OSX Ventura systems running either versions 13.3 or 13.4.1 .", "spans": {"SYSTEM: Google Play": [[99, 110]], "ORGANIZATION: FireEye": [[130, 137]], "THREAT_ACTOR: admin@338": [[152, 161]], "TOOL: Poison Ivy RAT": [[181, 195]], "MALWARE: OilRig": [[262, 268]], "ORGANIZATION: OSX Ventura systems": [[396, 415]], "ORGANIZATION: versions 13.3 or 13.4.1": [[431, 454]]}, "info": {"id": "cyberner_stix_test_000117", "source": "cyberner_stix_test"}} +{"text": "While the evidence presented strongly suggests a connection with the Sofacy Group , the artifacts ( in particular Artifact #2 ) are not publicly recognized to be part of the more traditional arsenal of these attackers .", "spans": {"THREAT_ACTOR: Sofacy": [[69, 75]]}, "info": {"id": "cyberner_stix_test_000118", "source": "cyberner_stix_test"}} +{"text": "Initial intrusion stages feature the Win32/Barlaiy implant—notable for its use of social network profiles , collaborative document editing sites , and blogs for C&C .", "spans": {"MALWARE: Win32/Barlaiy": [[37, 50]], "TOOL: social network profiles": [[82, 105]], "TOOL: collaborative document editing sites": [[108, 144]], "TOOL: blogs": [[151, 156]]}, "info": {"id": "cyberner_stix_test_000119", "source": "cyberner_stix_test"}} +{"text": "Instead of embedding core malware payload in droppers , the actor switches to a more low-key SDK approach . Confucius' backdoors are delivered through Office documents exploiting memory corruption vulnerabilities CVE-2015-1641 and CVE-2017-11882 . RevengeHotels is a targeted cybercrime malware campaign against hotels , hostels , hospitality and tourism companies , mainly , but not exclusively , located in Brazil . 
Our researchers recently discovered a threat actor conducting several campaigns against government entities , military organizations and civilian users in Ukraine and Poland .", "spans": {"TOOL: Confucius'": [[108, 118]], "VULNERABILITY: CVE-2015-1641": [[213, 226]], "VULNERABILITY: CVE-2017-11882": [[231, 245]], "THREAT_ACTOR: RevengeHotels": [[248, 261]], "ORGANIZATION: government entities": [[506, 525]], "ORGANIZATION: military organizations": [[528, 550]], "ORGANIZATION: civilian users": [[555, 569]]}, "info": {"id": "cyberner_stix_test_000120", "source": "cyberner_stix_test"}} +{"text": "Older documents used by Patchwork focused on the CVE-2017-0261 vulnerability , however in late January 2018 when , paradoxically , newer documents abandoned this vulnerability to attack the older CVE-2015-2545 vulnerability . Chances are about even , though , that Mofang is a relevant threat actor to any organization that invests in Myanmar or is otherwise politically involved .", "spans": {"THREAT_ACTOR: Patchwork": [[24, 33]], "VULNERABILITY: CVE-2017-0261": [[49, 62]], "VULNERABILITY: CVE-2015-2545": [[196, 209]], "THREAT_ACTOR: Mofang": [[265, 271]], "ORGANIZATION: politically": [[359, 370]]}, "info": {"id": "cyberner_stix_test_000121", "source": "cyberner_stix_test"}} +{"text": "With this in mind , we thoroughly look forward to working with you on these matters . Less than a week after Microsoft issued a patch for CVE-2017-11882 on Nov. 14 , 2017 , FireEye observed an attacker using an exploit for the Microsoft Office vulnerability to target a government organization in the Middle East . 
Truvasys has been involved in several attack campaigns , where it has masqueraded as one of server common computer utilities , including WinUtils , TrueCrypt , WinRAR , or SanDisk .", "spans": {"ORGANIZATION: Microsoft": [[109, 118]], "VULNERABILITY: CVE-2017-11882": [[138, 152]], "ORGANIZATION: FireEye": [[173, 180]], "THREAT_ACTOR: attacker": [[193, 201]], "VULNERABILITY: Microsoft Office vulnerability": [[227, 257]], "ORGANIZATION: government organization": [[270, 293]], "MALWARE: Truvasys": [[315, 323]], "ORGANIZATION: computer utilities": [[421, 439]], "ORGANIZATION: WinUtils": [[452, 460]], "ORGANIZATION: TrueCrypt": [[463, 472]], "ORGANIZATION: WinRAR": [[475, 481]], "ORGANIZATION: SanDisk": [[487, 494]]}, "info": {"id": "cyberner_stix_test_000122", "source": "cyberner_stix_test"}} +{"text": "When using email scams , SilverTerrier actors preferred to use large target audiences , which maximized the likelihood of success with very little risk . To show how this breach and similar breaches can be mitigated , we look at how Windows Defender ATP flags activities associated with BARIUM , LEAD , and other known activity groups and how it provides extensive threat intelligence about these groups .", "spans": {"THREAT_ACTOR: SilverTerrier actors": [[25, 45]], "ORGANIZATION: Windows Defender ATP": [[233, 253]]}, "info": {"id": "cyberner_stix_test_000123", "source": "cyberner_stix_test"}} +{"text": "In 2013 , 3,905,502 installation packages were used by cybercriminals to distribute mobile malware . There were traces of HyperBro in the infected data center from mid-November 2017 . Since 2013 , it has been demonstrated that Winnti is only one of the many malware families used by the Winnti Group . 
Once the initial export is called ( in this case , the legitimately named function IETrackingProtectionEnabled ) , the downloader will copy itself and call regsvr32.exe with parameters “ /u /s ” to automatically call the function for unregistering COM servers DllUnregisterServer .", "spans": {"TOOL: HyperBro": [[122, 130]], "MALWARE: Winnti": [[227, 233]], "THREAT_ACTOR: Winnti Group": [[287, 299]], "SYSTEM: COM servers DllUnregisterServer": [[550, 581]]}, "info": {"id": "cyberner_stix_test_000124", "source": "cyberner_stix_test"}} +{"text": "Some of this information can be directly extracted from the Windows explorer by looking at the properties of the file .", "spans": {"SYSTEM: Windows": [[60, 67]]}, "info": {"id": "cyberner_stix_test_000125", "source": "cyberner_stix_test"}} +{"text": "Here is a full list of possible commands that can be executed by the first module : Command name Description @ stop Stop IRC @ quit System.exit ( 0 ) @ start Start IRC @ server Set IRC server ( default value is “ irc.freenode.net ” ) , port is always 6667 @ boss Set IRC command and control nickname ( default value is “ ISeency ” ) @ nick Set IRC client nickname @ screen Report every time when screen is on ( enable/disable ) @ root Use root features ( enable/disable ) @ timer Set The Lazarus used a similar infrastructure to earlier threats , including the Destover backdoor variant known as Escad . Symantec has the following protection in place to protect customers against these attacks , APT33 : Backdoor.Notestuk Trojan.Stonedrill Backdoor.Remvio Backdoor.Breut Trojan.Quasar Backdoor.Patpoopy Trojan.Nancrat Trojan.Netweird.B Exp.CVE-2018-20250 SecurityRisk.LaZagne Hacktool.Mimikatz SniffPass . 
Some cyber criminal groups use their hacking skills to go after large organizations .", "spans": {"THREAT_ACTOR: Lazarus": [[488, 495]], "TOOL: Destover backdoor": [[561, 578]], "TOOL: Escad": [[596, 601]], "THREAT_ACTOR: APT33": [[696, 701]], "MALWARE: Backdoor.Notestuk": [[704, 721]], "MALWARE: Trojan.Stonedrill": [[722, 739]], "MALWARE: Backdoor.Remvio": [[740, 755]], "MALWARE: Backdoor.Breut": [[756, 770]], "MALWARE: Trojan.Quasar": [[771, 784]], "MALWARE: Backdoor.Patpoopy": [[785, 802]], "MALWARE: Trojan.Nancrat": [[803, 817]], "MALWARE: Trojan.Netweird.B": [[818, 835]], "VULNERABILITY: Exp.CVE-2018-20250": [[836, 854]], "MALWARE: SecurityRisk.LaZagne": [[855, 875]], "MALWARE: Hacktool.Mimikatz": [[876, 893]], "MALWARE: SniffPass": [[894, 903]], "THREAT_ACTOR: cyber criminal groups": [[911, 932]], "ORGANIZATION: large organizations": [[970, 989]]}, "info": {"id": "cyberner_stix_test_000126", "source": "cyberner_stix_test"}} +{"text": "Due to a lack of other PinchDuke samples from 2008 or earlier , we are unable to estimate when the Duke operation originally began .", "spans": {"MALWARE: PinchDuke": [[23, 32]], "THREAT_ACTOR: Duke": [[99, 103]]}, "info": {"id": "cyberner_stix_test_000127", "source": "cyberner_stix_test"}} +{"text": "CTU researchers have evidence that the threat group compromised U.S and UK organizations in the following verticals : manufacturing ( specifically aerospace ( including defense contractors ) , automotive , technology , energy , and pharmaceuticals ) , education , and legal , as well as organizations focused on international relations . 
If the domain is in the target , the malware will perform a MitM attack and redirect the traffic to the second proxy ( port 5588 ) , which routes the traffic to the Tor network .", "spans": {"ORGANIZATION: CTU": [[0, 3]], "ORGANIZATION: manufacturing": [[118, 131]], "ORGANIZATION: aerospace": [[147, 156]], "ORGANIZATION: defense contractors": [[169, 188]], "ORGANIZATION: automotive": [[193, 203]], "ORGANIZATION: technology": [[206, 216]], "ORGANIZATION: energy": [[219, 225]], "ORGANIZATION: pharmaceuticals": [[232, 247]], "ORGANIZATION: education": [[252, 261]], "ORGANIZATION: legal": [[268, 273]]}, "info": {"id": "cyberner_stix_test_000128", "source": "cyberner_stix_test"}} +{"text": "Operation Daybreak appears to have been launched by ScarCruft in March 2016 and employs a previously unknown ( 0-day ) Adobe Flash Player exploit . Anchor Panda uses website and web-server compromise as a means of attack and leverages an enormous cache of tools in its campaigns , to include exploits that take advantage of known CVE software vulnerabilities .", "spans": {"VULNERABILITY: 0-day": [[111, 116]], "VULNERABILITY: Adobe Flash Player exploit": [[119, 145]], "MALWARE: CVE software vulnerabilities": [[330, 358]]}, "info": {"id": "cyberner_stix_test_000129", "source": "cyberner_stix_test"}} +{"text": "In addition , the Autoit code also creates the following scheduled task for persistence :", "spans": {}, "info": {"id": "cyberner_stix_test_000130", "source": "cyberner_stix_test"}} +{"text": "Uses SHA256 instead of MD5 to create the key .", "spans": {}, "info": {"id": "cyberner_stix_test_000131", "source": "cyberner_stix_test"}} +{"text": "In 2016 , an attack campaign by this group was recorded in early May that made use of an exploit for CVE-2016-4117 , a vulnerability in Adobe Flash Player , which at the time was both unknown and unpatched . 
The attacks were initially discovered while investigating a phishing attack that targeted political figures in the MENA region .", "spans": {"THREAT_ACTOR: group": [[37, 42]], "VULNERABILITY: CVE-2016-4117": [[101, 114]], "ORGANIZATION: political": [[298, 307]]}, "info": {"id": "cyberner_stix_test_000132", "source": "cyberner_stix_test"}} +{"text": "This functionality can be easily further extended to steal other information , such as bank credentials , although we did not see any banks being targeted in this attack . Filensfer is a family of malware that has been used in targeted attacks since at least 2013 . Threat Group-1314 is an unattributed threat group that has used", "spans": {"MALWARE: Filensfer": [[172, 181]], "THREAT_ACTOR: Threat Group-1314": [[266, 283]]}, "info": {"id": "cyberner_stix_test_000133", "source": "cyberner_stix_test"}} +{"text": "Other versions included all the pieces needed for a valid disclosure message . Employing a technique known as \" spear phishing \" , Barium has heavily targeted individuals within HumanResources or Business Developmentdepartments ofthe targeted organizations in order to compromise the computers ofsuch individuals . This means that , as seen above , the ZxShell Dll is started in listening mode . The videos were quickly passed around offices while users ’ systems were silently infected in the background , and many of the APT ’s components were signed with phony Intel and AMD digital certificates .", "spans": {"THREAT_ACTOR: Barium": [[131, 137]], "MALWARE: ZxShell": [[353, 360]], "TOOL: Dll": [[361, 364]]}, "info": {"id": "cyberner_stix_test_000134", "source": "cyberner_stix_test"}} +{"text": "Patchwork 's attack was detected as part of a spear phishing against a government organization in Europe in late May 2016 . 
We were not able to find additional tools , but the attackers again compromised a legitimate Thai website to host their malware , in this case the student portal for a Thai University .", "spans": {"THREAT_ACTOR: Patchwork": [[0, 9]], "ORGANIZATION: government organization": [[71, 94]]}, "info": {"id": "cyberner_stix_test_000135", "source": "cyberner_stix_test"}} +{"text": "This web hosting service provider continues to be the hosting provider of choice for the threat actors behind NetTraveler . It appears ScarCruft is primarily targeting intelligence for political and diplomatic purposes .", "spans": {"ORGANIZATION: web hosting service provider": [[5, 33]], "ORGANIZATION: hosting provider": [[54, 70]], "TOOL: NetTraveler": [[110, 121]], "THREAT_ACTOR: ScarCruft": [[135, 144]], "ORGANIZATION: intelligence": [[168, 180]], "ORGANIZATION: political": [[185, 194]], "ORGANIZATION: diplomatic": [[199, 209]]}, "info": {"id": "cyberner_stix_test_000136", "source": "cyberner_stix_test"}} +{"text": "We observed these Quasar samples :", "spans": {"MALWARE: Quasar": [[18, 24]]}, "info": {"id": "cyberner_stix_test_000137", "source": "cyberner_stix_test"}} +{"text": "Figure 3: BACKSWING Version 2Version 1:FireEye observed the first version of BACKSWING in late 2016 on websites belonging to a Czech Republic hospitality organization in addition to a government website in Montenegro . 
POWRUNER was delivered using a malicious RTF file that exploited CVE-2017-0199 .", "spans": {"ORGANIZATION: 1:FireEye": [[37, 46]], "MALWARE: BACKSWING": [[77, 86]], "ORGANIZATION: hospitality organization": [[142, 166]], "ORGANIZATION: government": [[184, 194]], "MALWARE: POWRUNER": [[219, 227]], "FILEPATH: RTF file": [[260, 268]], "VULNERABILITY: CVE-2017-0199": [[284, 297]]}, "info": {"id": "cyberner_stix_test_000138", "source": "cyberner_stix_test"}} +{"text": "Every 10 minutes , it sends a new request to the server .", "spans": {}, "info": {"id": "cyberner_stix_test_000139", "source": "cyberner_stix_test"}} +{"text": "In early 2013 we detected two identical applications on Google Play that were allegedly designed for cleaning the operating system of Android-based devices from unnecessary processes . Many of the tools they use now feature new behaviors , including a change in the way they maintain a foothold in the targeted network . The campaign ID is located at offset 0x99 and is the name of the targeted university . 
Open Babel allows users to “ search , convert , analyze , or store data from molecular modeling , chemistry , solid - state materials , biochemistry , or related areas , ” according to its website , and is used in other popular pieces of software in the science field .", "spans": {"SYSTEM: Google Play": [[56, 67]], "SYSTEM: Android-based": [[134, 147]], "TOOL: Open Babel": [[408, 418]]}, "info": {"id": "cyberner_stix_test_000140", "source": "cyberner_stix_test"}} +{"text": "In personally responding to several incidents across multiple industry sectors since early 2018 matching TTPs from the TRITON / TRISIS event , these items proved consistent and supported the creation of the XENOTIME activity group .", "spans": {"MALWARE: TRITON": [[119, 125]], "MALWARE: TRISIS": [[128, 134]], "THREAT_ACTOR: XENOTIME": [[207, 215]]}, "info": {"id": "cyberner_stix_test_000141", "source": "cyberner_stix_test"}} +{"text": "Encryption/Decryption key : version2013 .", "spans": {}, "info": {"id": "cyberner_stix_test_000142", "source": "cyberner_stix_test"}} +{"text": "The stolen information includes personal and device information . Turla is a well-documented , long operating APT group that is widely believed to be a Russian state-sponsored organization . 
According to FireEye , the attackers sent out emails containing malicious documents designed to exploit Microsoft Office vulnerabilities in an effort to deliver a piece of malware dubbed LOWBALL .", "spans": {"THREAT_ACTOR: Turla": [[66, 71]], "ORGANIZATION: FireEye": [[204, 211]], "THREAT_ACTOR: attackers": [[218, 227]], "TOOL: emails": [[237, 243]], "VULNERABILITY: exploit": [[287, 294]], "ORGANIZATION: Microsoft Office": [[295, 311]], "VULNERABILITY: vulnerabilities": [[312, 327]], "MALWARE: LOWBALL": [[378, 385]]}, "info": {"id": "cyberner_stix_test_000143", "source": "cyberner_stix_test"}} +{"text": "They then identify the Exchange server and attempt to install the OwaAuth web shell .", "spans": {"TOOL: Exchange": [[23, 31]], "MALWARE: OwaAuth": [[66, 73]], "TOOL: web shell": [[74, 83]]}, "info": {"id": "cyberner_stix_test_000144", "source": "cyberner_stix_test"}} +{"text": "Restricting these privileges may prevent malware from running or limit its capability to spread through the network .", "spans": {}, "info": {"id": "cyberner_stix_test_000145", "source": "cyberner_stix_test"}} +{"text": "Their campaigns appear to have broken out into subsets of activity and malware involving GAMEFISH , Zebrocy , and SPLM , to name a few .", "spans": {"MALWARE: GAMEFISH": [[89, 97]], "MALWARE: Zebrocy": [[100, 107]], "MALWARE: SPLM": [[114, 118]]}, "info": {"id": "cyberner_stix_test_000146", "source": "cyberner_stix_test"}} +{"text": "The names of the C2 servers are hardcoded .", "spans": {"TOOL: C2": [[17, 19]]}, "info": {"id": "cyberner_stix_test_000147", "source": "cyberner_stix_test"}} +{"text": "Service Name Purpose AndroidAlarmManager Uploading last recorded .amr audio AndroidSystemService Audio recording AndroidSystemQueues Location tracking with movement detection ClearSystems GSM tracking ( CID , LAC , PSC ) ClipService Clipboard stealing AndroidFileManager Uploading all exfiltrated data AndroidPush XMPP С & C protocol ( url.plus:5223 ) RegistrationService 
Registration on C & C via HTTP ( url.plus/app/pro/ ) Interestingly , a self-protection feature was implemented in almost every service However , in the summer of 2016 , NewsBeef deployed a new toolset that includes macro-enabled Office documents , PowerSploit , and the Pupy backdoor . From 2017 through 2018 , the group led an espionage campaign called Operation Shaheen targeting government and military organizations in Pakistan .", "spans": {"SYSTEM: GSM": [[188, 191]], "THREAT_ACTOR: NewsBeef": [[541, 549]], "TOOL: macro-enabled Office documents": [[587, 617]], "TOOL: PowerSploit": [[620, 631]], "TOOL: Pupy backdoor": [[642, 655]], "ORGANIZATION: government": [[754, 764]], "ORGANIZATION: military organizations": [[769, 791]]}, "info": {"id": "cyberner_stix_test_000148", "source": "cyberner_stix_test"}} +{"text": "CTU researchers have observed TG-3390 activity between 04:00 and 09:00 UTC , which is 12:00 to 17:00 local time in China ( UTC +8 ) .", "spans": {"ORGANIZATION: CTU": [[0, 3]], "THREAT_ACTOR: TG-3390": [[30, 37]]}, "info": {"id": "cyberner_stix_test_000149", "source": "cyberner_stix_test"}} +{"text": "Dell SecureWorks researchers unveiled a report on Threat Group-3390 that has targeted companies around the world while stealing massive amounts of industrial data . Meanwhile , parallel work at Dragos ( my employer , where I have performed significant work on the activity described above ) uncovered similar conclusions concerning TTPs and behaviors , for both the 2017 event and subsequent activity in other industrial sectors .", "spans": {"ORGANIZATION: Dell SecureWorks": [[0, 16]], "THREAT_ACTOR: Group-3390": [[57, 67]], "ORGANIZATION: Dragos": [[194, 200]], "ORGANIZATION: industrial sectors": [[410, 428]]}, "info": {"id": "cyberner_stix_test_000150", "source": "cyberner_stix_test"}} +{"text": "The said exploits will root the device and install a shell backdoor . 
The group has its origin in more common financial fraud including theft from consumer and corporate bank accounts in Europe and Russia , using standard banking malware , mainly Carberp . As previously detailed , Leveraging legitimate tools , publicly available malware , and livingofftheland tactics , MuddyWater focused on targeting Exchange Servers as part of a larger effort to deploy web shells and establish a backdoor within target networks .", "spans": {"THREAT_ACTOR: group": [[74, 79]], "ORGANIZATION: consumer": [[147, 155]], "TOOL: Carberp": [[247, 254]], "TOOL: legitimate tools": [[293, 309]], "MALWARE: publicly available malware": [[312, 338]], "THREAT_ACTOR: MuddyWater": [[372, 382]], "SYSTEM: Exchange Servers": [[404, 420]]}, "info": {"id": "cyberner_stix_test_000151", "source": "cyberner_stix_test"}} +{"text": "However , TA505 was also among the first actors to return to high-volume Dridex distribution this same month , even as they demonstrated their ability to diversify and deliver threats beyond Dridex .", "spans": {"THREAT_ACTOR: TA505": [[10, 15]], "MALWARE: Dridex": [[73, 79], [191, 197]]}, "info": {"id": "cyberner_stix_test_000152", "source": "cyberner_stix_test"}} +{"text": "On connecting a smartphone in the USB drive emulation mode to a computer running Windows XP , the system automatically starts the Trojan ( if AutoPlay on the external media is not disabled ) and is infected . Execute a command through exploits for CVE-2018-0802 . Interestingly , the timestamp present in this config at offset 0x84 is later than the modules ’ timestamps and the loader compilation timestamp . 
It crafts configurable IEC-104 Application Service Data Unit ( ASDU ) messages , to change the state of RTU Information Object Addresses ( IOAs ) to ON or OFF .", "spans": {"SYSTEM: USB drive": [[34, 43]], "SYSTEM: Windows XP": [[81, 91]], "VULNERABILITY: CVE-2018-0802": [[248, 261]]}, "info": {"id": "cyberner_stix_test_000153", "source": "cyberner_stix_test"}} +{"text": "A possible indication for timing might be when the app reaches a specific number of downloads or infected devices . Starting in February 2018 , Palo Alto Networks identified a campaign of attacks performed by members of Gorgon Group targeting governmental organizations in the United Kingdom , Spain , Russia , and the United States . the tail instruction of the dispatcher predecessor can be a conditional jump like jnz , The difference between ProxyNotShell and the newly discovered exploit method we are calling OWASSRF .", "spans": {"ORGANIZATION: Palo Alto Networks": [[144, 162]], "THREAT_ACTOR: Gorgon Group": [[220, 232]], "ORGANIZATION: governmental organizations": [[243, 269]], "VULNERABILITY: ProxyNotShell": [[446, 459]]}, "info": {"id": "cyberner_stix_test_000154", "source": "cyberner_stix_test"}} +{"text": "iOS development Analysis of these Android samples led to the discovery of infrastructure that contained several samples of an iOS port . Documents with the Flash exploit managed to evade static defenses and remain undetected as an exploit on VirusTotal . 
The group has focused mainly on governmental targets in Iraq and Saudi Arabia , according to past telemetry .", "spans": {"SYSTEM: iOS": [[0, 3], [126, 129]], "SYSTEM: Android": [[34, 41]], "MALWARE: Documents": [[137, 146]], "VULNERABILITY: Flash exploit": [[156, 169]], "ORGANIZATION: governmental": [[287, 299]]}, "info": {"id": "cyberner_stix_test_000155", "source": "cyberner_stix_test"}} +{"text": "They enable engineers and operators to safely control and possibly shutdown processes before a major incident occurs .", "spans": {}, "info": {"id": "cyberner_stix_test_000156", "source": "cyberner_stix_test"}} +{"text": "spear phishing : 69.87.223.26:8080/p .", "spans": {"URL: 69.87.223.26:8080/p": [[17, 36]]}, "info": {"id": "cyberner_stix_test_000157", "source": "cyberner_stix_test"}} +{"text": "dllhost.exe : The main host for the .dll file . iviewers.dll : Used to load encrypted payloads and then decrypt them . msfled : The encrypted payload .", "spans": {"FILEPATH: dllhost.exe": [[0, 11]], "FILEPATH: .dll": [[36, 40]], "FILEPATH: iviewers.dll": [[48, 60]]}, "info": {"id": "cyberner_stix_test_000158", "source": "cyberner_stix_test"}} +{"text": "] it Bologna server1bs.exodus.connexxa [ . There is often a singular focus from the security community on ICS malware largely due to its novel nature and the fact that there are very few examples found in the wild . Once the user logs on to the infected machine , the shortcut points to the file binary location in the C:\\ProgramData\\ folder . 
CrowdStrike Falcon will detect the OWASSRF exploit method described in this blog , and will block the method if the prevention setting for • None Monitor Exchange servers for signs of exploitation visible in IIS and Remote PowerShell logs using this script developed by CrowdStrike Services • None Consider application - level controls such as web application firewalls .", "spans": {"ORGANIZATION: security community": [[84, 102]], "TOOL: ICS malware": [[106, 117]], "TOOL: CrowdStrike Falcon": [[344, 362]], "SYSTEM: Monitor Exchange servers": [[490, 514]], "ORGANIZATION: CrowdStrike Services": [[614, 634]]}, "info": {"id": "cyberner_stix_test_000159", "source": "cyberner_stix_test"}} +{"text": "HIDDEN COBRA is known to use vulnerabilities affecting various applications .", "spans": {"THREAT_ACTOR: HIDDEN COBRA": [[0, 12]]}, "info": {"id": "cyberner_stix_test_000160", "source": "cyberner_stix_test"}} +{"text": "Since 2006 , Hamas has controlled the Gaza strip and Fatah has controlled the West Bank .", "spans": {"ORGANIZATION: Hamas": [[13, 18]], "THREAT_ACTOR: Gaza": [[38, 42]], "ORGANIZATION: Fatah": [[53, 58]]}, "info": {"id": "cyberner_stix_test_000161", "source": "cyberner_stix_test"}} +{"text": "Specifically , the strings 866-593-54352 ( notice it is one digit too long ) , 403-965-2341 , or the address 522 Clematis .", "spans": {}, "info": {"id": "cyberner_stix_test_000162", "source": "cyberner_stix_test"}} +{"text": "It use threading so many agent can connect and controlled at the same time . the agent must collect information about the system when it first start then report it to the C2 . there is template for agent which will be filled with ip and port when the C2 run . 
include functions but not all implemented in the initial POC :", "spans": {"TOOL: C2": [[171, 173], [251, 253]], "TOOL: POC": [[317, 320]]}, "info": {"id": "cyberner_stix_test_000163", "source": "cyberner_stix_test"}} +{"text": "In Russia , there were several relatively large cybercriminal groups engaged in financial theft via attacks on RBS . CTU researchers have observed TG-3390 activity between 04:00 and 09:00 UTC , which is 12:00 to 17:00 local time in China ( UTC +8 ) .", "spans": {"ORGANIZATION: CTU": [[117, 120]]}, "info": {"id": "cyberner_stix_test_000164", "source": "cyberner_stix_test"}} +{"text": "In particular , WERDLOD uses scripts running on http://127.0.0.1:5555/#{random_string}.js?ip=#{my_ip} as proxy :", "spans": {"MALWARE: WERDLOD": [[16, 23]], "URL: http://127.0.0.1:5555/#{random_string}.js?ip=#{my_ip}": [[48, 101]]}, "info": {"id": "cyberner_stix_test_000165", "source": "cyberner_stix_test"}} +{"text": "The first module downloaded by the GRIFFON malware to the victim’s computer is an information-gathering JScript , which allows the cybercriminals to understand the context of the infected workstation . Hackers gained access to a computer in the trading system in September 2014 .", "spans": {"MALWARE: GRIFFON": [[35, 42]]}, "info": {"id": "cyberner_stix_test_000166", "source": "cyberner_stix_test"}} +{"text": "This data theft module appears to have been compiled in May 2015 and is designed to watch removable drives and collect files from them , depending on a set of rules defined by the attackers .", "spans": {}, "info": {"id": "cyberner_stix_test_000167", "source": "cyberner_stix_test"}} +{"text": "] clubupload999 [ . We noted in our original blog the large amount of targeting of Iranian citizens in this campaign , we observed almost one-third of all victims to be Iranian . 
The programs acting as APT1 servers have mainly been : FTP , for transferring files ; web , primarily for WEBC2 ; RDP , for remote graphical control of a system ; HTRAN , for proxying ; and C2 servers associated with various backdoor families . DarkTortilla has used % HiddenReg%", "spans": {"ORGANIZATION: citizens": [[91, 99]], "THREAT_ACTOR: APT1": [[202, 206]], "MALWARE: WEBC2": [[285, 290]], "TOOL: HTRAN": [[342, 347]], "TOOL: C2": [[369, 371]], "MALWARE: DarkTortilla": [[424, 436]]}, "info": {"id": "cyberner_stix_test_000168", "source": "cyberner_stix_test"}} +{"text": "Although created using a comprehensive vetting process , the possibility of false positives always remains .", "spans": {}, "info": {"id": "cyberner_stix_test_000169", "source": "cyberner_stix_test"}} +{"text": "This malware uses the public privilege escalation exploit code CVE-2018-8120 or UACME which is normally used by legitimate red teams . APT5 targeted the network of an electronics firm that sells products for both industrial and military applications .", "spans": {"VULNERABILITY: CVE-2018-8120": [[63, 76]], "TOOL: UACME": [[80, 85]], "THREAT_ACTOR: APT5": [[135, 139]], "ORGANIZATION: electronics firm": [[167, 183]], "ORGANIZATION: industrial": [[213, 223]], "ORGANIZATION: military": [[228, 236]]}, "info": {"id": "cyberner_stix_test_000170", "source": "cyberner_stix_test"}} +{"text": "We believe that the Carbanak campaign is a clear indicator of a new era in cybercrime in which criminals use APT techniques directly against the financial industry instead of through its customers . 
Targets included a wide array of high-profile entities , including intelligence services , military , utility providers ( telecommunications and power ) , embassies , and government institutions .", "spans": {"VULNERABILITY: Carbanak": [[20, 28]], "THREAT_ACTOR: criminals": [[95, 104]], "ORGANIZATION: financial industry": [[145, 163]], "ORGANIZATION: customers": [[187, 196]], "ORGANIZATION: intelligence services": [[266, 287]], "ORGANIZATION: military": [[290, 298]], "ORGANIZATION: utility providers": [[301, 318]], "ORGANIZATION: telecommunications": [[321, 339]], "ORGANIZATION: power": [[344, 349]], "ORGANIZATION: embassies": [[354, 363]], "ORGANIZATION: government institutions": [[370, 393]]}, "info": {"id": "cyberner_stix_test_000171", "source": "cyberner_stix_test"}} +{"text": "* * * End translation * * * Referring again to bit.ly , we can see click statistics for this campaign ( Figure 6 ) . The attackers stole organizations' SSL certificates associated with security appliances such as ASA to obtain VPN credentials , allowing the actors to gain access to the targeted network . The group mainly targets banks and financial institutions and has targeted more than 16 organizations in at least 13 countries since at least 2014 . APT3 : Gothic Panda , Pirpi , UPS Team , Buckeye , Threat Group-0110 , TG-0110 .", "spans": {"THREAT_ACTOR: attackers": [[121, 130]], "TOOL: ASA": [[213, 216]], "THREAT_ACTOR: APT3": [[455, 459]], "THREAT_ACTOR: Gothic Panda": [[462, 474]], "THREAT_ACTOR: Pirpi": [[477, 482]], "THREAT_ACTOR: UPS Team": [[485, 493]], "THREAT_ACTOR: Buckeye": [[496, 503]], "THREAT_ACTOR: Threat Group-0110": [[506, 523]], "THREAT_ACTOR: TG-0110": [[526, 533]]}, "info": {"id": "cyberner_stix_test_000172", "source": "cyberner_stix_test"}} +{"text": "For example , going back , going home , opening recents , etc . We observed several attacks in June and July 2013 against targets in the Middle East and the U.S. 
that dropped a PIVY payload that connected to command-and-control ( CnC ) infrastructure used by the Molerats attackers . In recent attacks , the group has persistently targeted at least one government organization in Cambodia B-LOC E-IDTY from December 2018 through January 2019 . These victims are not criminals or terrorists , but instead , they are associated with activism .", "spans": {"TOOL: PIVY": [[177, 181]], "TOOL: command-and-control": [[208, 227]], "TOOL: CnC": [[230, 233]], "THREAT_ACTOR: Molerats": [[263, 271]], "THREAT_ACTOR: attackers": [[272, 281]], "ORGANIZATION: government organization in": [[353, 379]], "ORGANIZATION: activism": [[531, 539]]}, "info": {"id": "cyberner_stix_test_000173", "source": "cyberner_stix_test"}} +{"text": "TG-3390 actors have also used the following publicly available tools :", "spans": {"THREAT_ACTOR: TG-3390": [[0, 7]]}, "info": {"id": "cyberner_stix_test_000174", "source": "cyberner_stix_test"}} +{"text": "This allows the source process to trace the target . The attackers have targeted a large number of organizations globally since early 2017 , with the main focus on the Middle East and North Africa ( MENA ) , especially Palestine . If the C2 server is discovered or shut down , the threat actors can update the encoded IP address on TechNet to maintain control of the victims ’ machines . The final stage backdoor connects to two servers , one in Panama and one in Turkey to receive the instructions from the attackers .", "spans": {"TOOL: C2": [[238, 240]], "TOOL: TechNet": [[332, 339]], "THREAT_ACTOR: attackers": [[508, 517]]}, "info": {"id": "cyberner_stix_test_000175", "source": "cyberner_stix_test"}} +{"text": "We believe the developers were scammed to use this malicious SDK , unaware of its content , leading to the fact that this campaign was not targeting a specific county or developed by the same developer . 
APT39 's focus on the telecommunications and travel industries suggests intent to perform monitoring , tracking , or surveillance operations against specific individuals , collect proprietary or customer data for commercial or operational purposes that serve strategic requirements related to national priorities , or create additional accesses and vectors to facilitate future campaigns . Similar to its other attacks , Suckfly used the Nidiran back door along with a number of hacktools to infect the victim 's internal hosts .", "spans": {"THREAT_ACTOR: APT39": [[204, 209]], "ORGANIZATION: telecommunications and travel industries": [[226, 266]], "ORGANIZATION: specific individuals": [[353, 373]], "MALWARE: Nidiran back door": [[642, 659]], "MALWARE: hacktools": [[683, 692]]}, "info": {"id": "cyberner_stix_test_000176", "source": "cyberner_stix_test"}} +{"text": "Check Point ’ s Analysis and Response Team ( ART ) disclosed the finding to Android ’ s Security team who took the appropriate security steps to remove the infected app and added the malware to Android ’ s built-in protection mechanisms . While the Sima moniker could similarly originate from software labels , it is a common female Persian name and a Persian-language word for \" visage \" or \" appearance \" . The links between CopyPaste and FIN7 are still very weak . 
Though Google meant to have this parameter be used to mention the page the user visited , we used it to exfiltrate the user name and password data encoded in base64 .", "spans": {"ORGANIZATION: Check Point": [[0, 11]], "SYSTEM: Android": [[76, 83], [194, 201]], "THREAT_ACTOR: CopyPaste": [[427, 436]], "THREAT_ACTOR: FIN7": [[441, 445]], "ORGANIZATION: Google": [[475, 481]]}, "info": {"id": "cyberner_stix_test_000177", "source": "cyberner_stix_test"}} +{"text": "On top of all this , one of the malicious developer ’ s YouTube videos – a tutorial on developing an “ Instant Game ” for Facebook – serves as an example of operational security completely ignored . This blog covers the changes , improvements , and Indicators of Compromise (IOC) of Ploutus-D in order to help financial organizations identify and defend against this threat . On February 28 , the McAfee Advanced Threat Research team discovered that the cybercrime group HIDDEN COBRA continues to target cryptocurrency and financial organizations .", "spans": {"SYSTEM: YouTube": [[56, 63]], "ORGANIZATION: Facebook": [[122, 130]], "MALWARE: Ploutus-D": [[283, 292]], "ORGANIZATION: financial": [[310, 319]], "ORGANIZATION: McAfee Advanced Threat Research": [[397, 428]], "THREAT_ACTOR: HIDDEN COBRA": [[471, 483]], "ORGANIZATION: cryptocurrency": [[504, 518]], "ORGANIZATION: financial organizations": [[523, 546]]}, "info": {"id": "cyberner_stix_test_000178", "source": "cyberner_stix_test"}} +{"text": "Assuming the C2 is still operational however , Word loads the remote template ( SHA256 : f1e2bceae81ccd54777f7862c616f22b581b47e0dda5cb02d0a722168ef194a5 ) and the user is presented with the screen .", "spans": {"TOOL: C2": [[13, 15]], "TOOL: Word": [[47, 51]], "FILEPATH: f1e2bceae81ccd54777f7862c616f22b581b47e0dda5cb02d0a722168ef194a5": [[89, 153]]}, "info": {"id": "cyberner_stix_test_000179", "source": "cyberner_stix_test"}} +{"text": "Months Device Remained Infected India 15,230,123 2,017,873,249 2.6 1.7 2.1 Bangladesh 
2,539,913 208,026,886 2.4 1.5 2.2 Pakistan 1,686,216 94,296,907 2.4 1.6 2 Indonesia 572,025 67,685,983 2 1.5 2.2 Nepal 469,274 44,961,341 2.4 1.6 2.4 US 302,852 19,327,093 1.7 1.4 1.8 Nigeria 287,167 21,278,498 2.4 1.3 2.3 Hungary 282,826 7,856,064 1.7 1.3 1.7 Saudi Arabia 245,698 18,616,259 2.3 During their previous campaign , we found Confucius using fake romance websites to entice victims into installing malicious Android applications . In addition , every few days more domains are generated to host more payloads . If the system is in a single - system domain , it will execute on the local computer .", "spans": {}, "info": {"id": "cyberner_stix_test_000180", "source": "cyberner_stix_test"}} +{"text": "Even as software vulnerabilities often take a back seat to human exploits and social engineering , robust defenses must include protection at the email gateway , proactive patch management , and thoughtful end user education .", "spans": {"TOOL: email": [[146, 151]]}, "info": {"id": "cyberner_stix_test_000181", "source": "cyberner_stix_test"}} +{"text": "After the actor behind RedAlert 2 decided to quit the rental business , we observed a surge in Anubis samples in the wild . This extends to other countries in Latin America , with the Ecuadorean military being another organization highly targeted by Machete . APT38 's targeting of financial institutions is most likely an effort by the North Korean government to supplement their heavily-sanctioned economy .", "spans": {"MALWARE: RedAlert 2": [[23, 33]], "MALWARE: Anubis": [[95, 101]], "ORGANIZATION: military": [[195, 203]], "THREAT_ACTOR: Machete": [[250, 257]], "THREAT_ACTOR: APT38": [[260, 265]], "ORGANIZATION: financial institutions": [[282, 304]]}, "info": {"id": "cyberner_stix_test_000182", "source": "cyberner_stix_test"}} +{"text": "The encryption algorithm used is RSA , and interestingly , the authors chose to use the private key for decryption and leave it in the code as a hardcoded string . 
APT33 's focus on aviation may indicate the group 's desire to gain insight into regional military capabilities to enhance Iran 's aviation capabilities or to support Iran 's military and strategic decision making . We don't know the exact date Suckfly stole the certificates from the South Korean organizations .", "spans": {"THREAT_ACTOR: APT33": [[164, 169]], "ORGANIZATION: aviation": [[182, 190]], "ORGANIZATION: military": [[254, 262], [339, 347]]}, "info": {"id": "cyberner_stix_test_000183", "source": "cyberner_stix_test"}} +{"text": "This malware appears to be newly developed with code that differs significantly from previously known Android malware . This document , written in Vietnamese , appears to be reviewing and discussing best practices for teaching and researching scientific topics . iDefense analysts have identified a campaign likely to be targeting members of or those with affiliation or interest in the ASEAN Defence Minister 's Meeting ( ADMM ) .", "spans": {"SYSTEM: Android": [[102, 109]], "MALWARE: document": [[125, 133]], "ORGANIZATION: iDefense": [[263, 271]], "ORGANIZATION: ASEAN Defence Minister 's Meeting": [[387, 420]], "ORGANIZATION: ADMM": [[423, 427]]}, "info": {"id": "cyberner_stix_test_000184", "source": "cyberner_stix_test"}} +{"text": "The same websites have hosted different RuMMS samples at different dates . Just over a week later , on January 16 , 2018 , we observed an attack on a Middle Eastern financial institution . The template located on Google Drive contains a macro . 
On multiple systems , XPdb entries for the malware contained the parent process of the JumpCloud agent , further evidence that the threat actor leveraged JumpCloud to gain initial access to victim environments .", "spans": {"MALWARE: RuMMS": [[40, 45]], "ORGANIZATION: financial institution": [[165, 186]], "TOOL: Google Drive": [[213, 225]], "TOOL: macro": [[237, 242]], "SYSTEM: XPdb": [[267, 271]]}, "info": {"id": "cyberner_stix_test_000185", "source": "cyberner_stix_test"}} +{"text": "Cisco Talos discovered a new malicious campaign from the well known actor Group 74 ( aka Tsar Team , Sofacy , APT28 , Fancy Bear ) .", "spans": {"THREAT_ACTOR: Group 74": [[74, 82]], "THREAT_ACTOR: Tsar Team": [[89, 98]], "THREAT_ACTOR: Sofacy": [[101, 107]], "THREAT_ACTOR: APT28": [[110, 115]], "THREAT_ACTOR: Fancy Bear": [[118, 128]]}, "info": {"id": "cyberner_stix_test_000186", "source": "cyberner_stix_test"}} +{"text": "The exploit , which takes advantage of CVE-2018-4878 , allows an attacker to execute arbitrary code such as an implant . In this post , we have presented the evolutions of the Turla Mosquito campaign over the last few months .", "spans": {"VULNERABILITY: CVE-2018-4878": [[39, 52]], "THREAT_ACTOR: attacker": [[65, 73]]}, "info": {"id": "cyberner_stix_test_000187", "source": "cyberner_stix_test"}} +{"text": "The files exploit the well-known Microsoft Office vulnerability , CVE-2012-0158 , to execute malicious code in order to take control of the targeted systems . 
Periscope 's activity has previously been suspected of being linked to China , but now researchers believe their evidence links the operation to the Chinese state .", "spans": {"MALWARE: files": [[4, 9]], "VULNERABILITY: Microsoft Office vulnerability": [[33, 63]], "VULNERABILITY: CVE-2012-0158": [[66, 79]]}, "info": {"id": "cyberner_stix_test_000188", "source": "cyberner_stix_test"}} +{"text": "This is done by sending “ 3458 ” in an SMS to the blocked device – this will revoke the administrator privileges from the Trojan . The second , aptly titled \" kontrakt87.doc \" , copies a generic telecommunications service contract from MegaFon , a large Russian mobile phone operator . This actor , whose espionage activities primarily focus on targets in the US and Western Europe with military ties , has been active since at least 2014 .", "spans": {"MALWARE: kontrakt87.doc": [[159, 173]], "ORGANIZATION: telecommunications service": [[195, 221]], "ORGANIZATION: MegaFon": [[236, 243]], "ORGANIZATION: mobile phone operator": [[262, 283]], "THREAT_ACTOR: actor": [[291, 296]], "ORGANIZATION: military": [[387, 395]]}, "info": {"id": "cyberner_stix_test_000189", "source": "cyberner_stix_test"}} +{"text": "These factors , in combination with the fact that the command and control infrastructure used by Frozen Cell and Desert Scorpion resides in similar IP blocks , supports the theory that the same actor is responsible for operating , if not developing , both families . Utilizing KillDisk in the attack scenario most likely served one of two purposes : the attackers covering their tracks after an espionage operation , or it was used directly for extortion or cyber-sabotage . Nevertheless, this case does highlight the types of tricks the bad guys are using in an attempt to deliver malware through . 
It also reveals direct links to secure[.]66[.]to and zhu[.]vn , both of which also belong to Hack520 and contains his personal blog .", "spans": {"MALWARE: Frozen Cell": [[97, 108]], "MALWARE: Desert Scorpion": [[113, 128]], "TOOL: KillDisk": [[277, 285]], "THREAT_ACTOR: attackers": [[354, 363]], "THREAT_ACTOR: cyber-sabotage": [[458, 472]], "ORGANIZATION: Hack520": [[693, 700]]}, "info": {"id": "cyberner_stix_test_000190", "source": "cyberner_stix_test"}} +{"text": "Previously , Cloud Atlas dropped its validator” implant named PowerShower” directly , after exploiting the Microsoft Equation vulnerability CVE-2017-11882 mixed with CVE-2018-0802 . Kaspersky Lab To compromise the utility , Kaspersky Lab determined that the cyberattackers used stolen digital certificates used by ASUS to sign legitimate binaries , and altered older versions of ASUS software to inject their own malicious code .", "spans": {"THREAT_ACTOR: Cloud Atlas": [[13, 24]], "VULNERABILITY: CVE-2017-11882": [[140, 154]], "VULNERABILITY: CVE-2018-0802": [[166, 179]], "ORGANIZATION: Kaspersky Lab": [[182, 195], [224, 237]]}, "info": {"id": "cyberner_stix_test_000191", "source": "cyberner_stix_test"}} +{"text": "The main thread also spawns a separate thread for receiving new commands from the C2 servers .", "spans": {"TOOL: C2": [[82, 84]]}, "info": {"id": "cyberner_stix_test_000192", "source": "cyberner_stix_test"}} +{"text": "Yet the most-recent posting covering TTPs from initial access through prerequisites to enable final delivery of effects on target ( deploying TRITON / TRISIS ) avoids the use of the TEMP.Veles term entirely .", "spans": {"MALWARE: TRITON": [[142, 148]], "MALWARE: TRISIS": [[151, 157]], "THREAT_ACTOR: TEMP.Veles": [[182, 192]]}, "info": {"id": "cyberner_stix_test_000193", "source": "cyberner_stix_test"}} +{"text": "HD_Audio.exe : 86bd78b4c8c94c046d927fb29ae0b944bf2a8513a378b51b3977b77e59a52806 crashes upon execution . 
sim.exe 723108103ccb4c166ad9cdff350de6a898489f1dac7eeab23c52cd48b9256a42 connects to hnoor.newphoneapp.com .", "spans": {"FILEPATH: HD_Audio.exe": [[0, 12]], "FILEPATH: 86bd78b4c8c94c046d927fb29ae0b944bf2a8513a378b51b3977b77e59a52806": [[15, 79]], "FILEPATH: sim.exe": [[105, 112]], "FILEPATH: 723108103ccb4c166ad9cdff350de6a898489f1dac7eeab23c52cd48b9256a42": [[113, 177]], "DOMAIN: hnoor.newphoneapp.com": [[190, 211]]}, "info": {"id": "cyberner_stix_test_000194", "source": "cyberner_stix_test"}} +{"text": "We discuss these changes and its effect on Android and Apple devices . From October 2012 to May 2014 , FireEye observed APT12 utilizing RIPTIDE , that communicates via HTTP to a hard-coded command and control ( C2 ) server . Prior to making any query, a function called AdrGen is used to build a query . Although we can not verify that the service disruptions occurred directly as a result of KillNet operations , the data below illustrates claims that overlap temporally with verified service disruptions .", "spans": {"SYSTEM: Android": [[43, 50]], "SYSTEM: Apple": [[55, 60]], "ORGANIZATION: FireEye": [[103, 110]], "THREAT_ACTOR: APT12": [[120, 125]], "TOOL: RIPTIDE": [[136, 143]], "TOOL: HTTP": [[168, 172]]}, "info": {"id": "cyberner_stix_test_000195", "source": "cyberner_stix_test"}} +{"text": "Regularly update and patch the router ’ s software and firmware to prevent exploits , and enable its built-in firewall . This malware in turn intercepts fraudulent Lazarus cash withdrawal requests and sends fake approval responses , allowing the attackers to steal cash from ATMs . 
The Winnti malware family was first reported in 2013 by Kaspersky Lab .", "spans": {"TOOL: malware": [[126, 133]], "THREAT_ACTOR: Lazarus": [[164, 171]], "MALWARE: Winnti": [[286, 292]], "ORGANIZATION: Kaspersky Lab": [[338, 351]]}, "info": {"id": "cyberner_stix_test_000196", "source": "cyberner_stix_test"}} +{"text": "Similarly to another Android spyware made in Italy , originally discovered by Lukas Stefanko and later named Skygofree and analyzed in depth by Kaspersky Labs , Exodus also takes advantage of \" protectedapps '' , a feature in Huawei phones that allows to configure power-saving options for running applications . Their next move was to list any remote shared drives and then attempt to access remote shares owned by the specific government office they were targeting , again attempting to extract all Word documents . JhoneRAT : https://drive.google.com/uc?export=download&id=1vED0wN0arm9yu7C7XrbCdspLjpoPKfrQ . Notably , CADDYWIPER has been the most frequently used disruptive tool against Ukrainian entities during the war and has seen consistent operational use since March 2022 , based on public reporting .", "spans": {"SYSTEM: Android": [[21, 28]], "MALWARE: Skygofree": [[109, 118]], "ORGANIZATION: Kaspersky Labs": [[144, 158]], "MALWARE: Exodus": [[161, 167]], "ORGANIZATION: Huawei": [[226, 232]], "ORGANIZATION: government office": [[429, 446]], "MALWARE: Word documents": [[501, 515]], "MALWARE: JhoneRAT": [[518, 526]], "MALWARE: https://drive.google.com/uc?export=download&id=1vED0wN0arm9yu7C7XrbCdspLjpoPKfrQ": [[529, 613]], "MALWARE: CADDYWIPER": [[626, 636]], "ORGANIZATION: Ukrainian entities": [[695, 713]]}, "info": {"id": "cyberner_stix_test_000197", "source": "cyberner_stix_test"}} +{"text": "We believe the purpose of this parallel use was to ‘ fieldtest ’ the new CosmicDuke tool , while at the same time ensuring operational success with the tried-and-tested PinchDuke .", "spans": {"MALWARE: CosmicDuke": [[73, 83]], "MALWARE: PinchDuke": [[169, 
178]]}, "info": {"id": "cyberner_stix_test_000198", "source": "cyberner_stix_test"}} +{"text": "The greater worry is that these situations may sometimes not be simple mistakes . This powerful backdoor can receive commands from the attackers , enabling it to exfiltrate files from the system it is running on , execute additional scripts , delete files , and more . Darkhotel is a threat group that has been active since at least 2004 .", "spans": {"MALWARE: backdoor": [[96, 104]], "THREAT_ACTOR: Darkhotel": [[266, 275]]}, "info": {"id": "cyberner_stix_test_000199", "source": "cyberner_stix_test"}} +{"text": "EVENTBOT VERSION 0.4.0.1 Package Name Randomization In this version , the package name is no longer named ‘ com.example.eventbot ’ , which makes it more difficult to track down . This time the document purported to be about the involvement of the Emir of Qatar in funding ISIS , which was seemingly copied from a website critical of Qatar . The Magic Hound has repeatedly used social media to identify and interact with employees at targeted organizations and then used weaponized Excel documents .", "spans": {"MALWARE: document": [[193, 201]], "ORGANIZATION: social media": [[377, 389]], "ORGANIZATION: employees": [[420, 429]]}, "info": {"id": "cyberner_stix_test_000200", "source": "cyberner_stix_test"}} +{"text": "When popular applications come under fire and are featured prominently in the news , hackers get excited as these newsworthy apps can become their latest target . It is hard to tell if there are geopolitical motives behind this campaign by looking solely at the list of countries it was targeting , since it was not after a specific region and the victims came from different places in the world . The Linux version of Winnti is comprised of two files : a main backdoor ( libxselinux ) and a library ( libxselinux.so ) used to hide it ’s activity on an infected system . ‘ libxselinux.so ’ — the userland rootkit . 
libxselinux.so.old : 11a9f798227be8a53b06d7e8943f8d68 906dc86cb466c1a22cf847dda27a434d04adf065 4741c2884d1ca3a40dadd3f3f61cb95a59b11f99a0f980dbadc663b85eb77a2a .", "spans": {"SYSTEM: Linux": [[402, 407]], "MALWARE: Winnti": [[419, 425]], "MALWARE: libxselinux": [[472, 483]], "FILEPATH: libxselinux.so": [[502, 516], [573, 587]], "FILEPATH: libxselinux.so.old": [[615, 633]], "FILEPATH: 11a9f798227be8a53b06d7e8943f8d68": [[636, 668]], "FILEPATH: 906dc86cb466c1a22cf847dda27a434d04adf065": [[669, 709]], "FILEPATH: 4741c2884d1ca3a40dadd3f3f61cb95a59b11f99a0f980dbadc663b85eb77a2a": [[710, 774]]}, "info": {"id": "cyberner_stix_test_000201", "source": "cyberner_stix_test"}} +{"text": "] it Reggio Calabria server3bo.exodus.connexxa [ . Targeting a safety system indicates significant damage and loss of human life were either intentional or acceptable goals of the attack , a consequence not seen in previous disruptive attacks such as the 2016 CRASHOVERRIDE malware that caused a power loss in Ukraine . There are 3 basic commands coming from the server in the form of MD5 hashes : Masquerading the attacks as ransomware provides the threat actors with plausible deniability , which allows the nationstate to send a message without taking direct blame .", "spans": {"TOOL: CRASHOVERRIDE malware": [[260, 281]], "THREAT_ACTOR: threat actors": [[450, 463]]}, "info": {"id": "cyberner_stix_test_000202", "source": "cyberner_stix_test"}} +{"text": "The image below shows the function that parses the SMS messages , decrypts them using the hardcoded RSA private key and executes the commands . APT33 's focus on aviation may indicate the group 's desire to gain insight into regional military aviation capabilities to enhance Iran 's aviation capabilities or to support Iran 's military and strategic decision making . 
stolen certificates being used maliciously occurred in early 2014 .", "spans": {"THREAT_ACTOR: APT33": [[144, 149]], "ORGANIZATION: aviation": [[162, 170], [284, 292]], "ORGANIZATION: military": [[328, 336]]}, "info": {"id": "cyberner_stix_test_000203", "source": "cyberner_stix_test"}} +{"text": "WHO IS BEHIND FAKESPY ’ S SMISHING CAMPAIGNS ? Quite recently , FIN7 threat actors typosquatted the brand Digicert” using the domain name digicert-cdn[.]com , which is used as a command and control server for their GRIFFON implants . APT15 was targeting information related to UK government departments and military technology .", "spans": {"MALWARE: FAKESPY": [[14, 21]], "THREAT_ACTOR: FIN7": [[64, 68]], "ORGANIZATION: Digicert”": [[106, 115]], "TOOL: command": [[178, 185]], "TOOL: control server": [[190, 204]], "THREAT_ACTOR: APT15": [[234, 239]], "ORGANIZATION: government": [[280, 290]], "ORGANIZATION: military technology": [[307, 326]]}, "info": {"id": "cyberner_stix_test_000204", "source": "cyberner_stix_test"}} +{"text": "Ignore Battery Optimization : This sets permissions to continue to operate at full capacity while the phone 's screen is turned off and the phone locked . The actors uploaded a variety of tools that they used to perform additional activities on the compromised network , such as dumping credentials , as well as locating and pivoting to additional systems on the network . Beginning in early March 2018 , Unit 42 started observing Gorgon group attacks against Russian , Spanish and United States government agencies operating in Pakistan .", "spans": {"THREAT_ACTOR: actors": [[159, 165]], "TOOL: dumping credentials": [[279, 298]], "ORGANIZATION: Unit 42": [[405, 412]], "ORGANIZATION: government agencies": [[496, 515]]}, "info": {"id": "cyberner_stix_test_000205", "source": "cyberner_stix_test"}} +{"text": "The malicious apps are all developed by a Korean company named Kiniwini , registered on Google Play as ENISTUDIO corp . 
In October 2017 , a DHS advisory documented ALLANITE technical operations combined with activity with a group . If it is , the botnet connection I/O procedure is called through the MainConnectionIo function . The cyber espionage campaign has been attributed to Iranian APT MuddyWater aka Static Kitten and is reported to be actively ongoing , targeting government agencies , as well as entities in the sectors of tourism and academia , within countries including the UAE , Saudi Arabia , and Israel .", "spans": {"ORGANIZATION: Kiniwini": [[63, 71]], "SYSTEM: Google Play": [[88, 99]], "ORGANIZATION: ENISTUDIO corp": [[103, 117]], "ORGANIZATION: DHS": [[140, 143]], "MALWARE: botnet": [[247, 253]], "THREAT_ACTOR: Iranian APT MuddyWater": [[381, 403]], "THREAT_ACTOR: Static Kitten": [[408, 421]], "ORGANIZATION: government agencies": [[473, 492]], "ORGANIZATION: entities in the sectors of tourism and academia": [[506, 553]]}, "info": {"id": "cyberner_stix_test_000206", "source": "cyberner_stix_test"}} +{"text": "List of available commands The command names are self-explanatory . The sample analyzed is f589827c4cf94662544066b80bfda6ab from late August 2015 . It shares the same malicious behavior reported by Checkpoint in Rancor : The Year of The Phish E-MAL SHA-1 c829f5f9ff89210c888c1559bb085ec6e65232de . There are two types of logs identified that can be useful in identifying historical evidence of session hijacking after the successful exploitation of CVE-2023 - 4966 .", "spans": {"ORGANIZATION: Checkpoint": [[198, 208]], "THREAT_ACTOR: Rancor": [[212, 218]], "MALWARE: The Year of The": [[221, 236]], "FILEPATH: c829f5f9ff89210c888c1559bb085ec6e65232de": [[255, 295]], "VULNERABILITY: CVE-2023 - 4966": [[449, 464]]}, "info": {"id": "cyberner_stix_test_000207", "source": "cyberner_stix_test"}} +{"text": "The HTA files contained job descriptions and links to job postings on popular employment websites . 
LAZARUS GROUP is responsible for attacks ranging from the 2014 attack on Sony Pictures to a number of Bitcoin heists in 2017 .", "spans": {"MALWARE: HTA files": [[4, 13]], "ORGANIZATION: Sony Pictures": [[173, 186]], "TOOL: Bitcoin": [[202, 209]]}, "info": {"id": "cyberner_stix_test_000208", "source": "cyberner_stix_test"}} +{"text": "X-Force IRIS SHA256 : 528714aaaa4a083e72599c32c18aa146db503eee80da236b20aea11aa43bdf62 .", "spans": {"FILEPATH: 528714aaaa4a083e72599c32c18aa146db503eee80da236b20aea11aa43bdf62": [[22, 86]]}, "info": {"id": "cyberner_stix_test_000209", "source": "cyberner_stix_test"}} +{"text": "Poison Ivy is a remote access tool that is freely available for download from its official web site at www.poisonivy-rat.com . Overall , the Bookworm infrastructure overlaps with the infrastructure hosting C2 servers used by various attack tools , including FFRAT , Poison Ivy , PlugX , and others .", "spans": {"TOOL: Poison Ivy": [[0, 10]], "MALWARE: Bookworm": [[141, 149]], "TOOL: C2": [[206, 208]], "MALWARE: FFRAT": [[258, 263]], "MALWARE: Poison Ivy": [[266, 276]], "MALWARE: PlugX": [[279, 284]]}, "info": {"id": "cyberner_stix_test_000210", "source": "cyberner_stix_test"}} +{"text": "Configure firewalls to disallow Remote Desktop Protocol ( RDP ) traffic coming from outside of the network boundary , except for in specific configurations such as when tunneled through a secondary virtual private network ( VPN ) with lower privileges .", "spans": {"TOOL: virtual private network": [[198, 221]], "TOOL: VPN": [[224, 227]]}, "info": {"id": "cyberner_stix_test_000211", "source": "cyberner_stix_test"}} +{"text": "This ongoing activity and the fact that APT28 continues to refine its toolset means that the group will likely continue to pose a significant threat to nation state targets .", "spans": {"THREAT_ACTOR: APT28": [[40, 45]]}, "info": {"id": "cyberner_stix_test_000212", "source": "cyberner_stix_test"}} +{"text": "Memory collected from systems involved in the 
intrusion was analyzed using the Volatility framework .", "spans": {}, "info": {"id": "cyberner_stix_test_000213", "source": "cyberner_stix_test"}} +{"text": "Following up our most recent Sofacy research in February and March of 2018 , we have found a new campaign that uses a lesser known tool widely attributed to the Sofacy group called Zebrocy .", "spans": {"THREAT_ACTOR: Sofacy": [[29, 35], [161, 167]], "MALWARE: Zebrocy": [[181, 188]]}, "info": {"id": "cyberner_stix_test_000214", "source": "cyberner_stix_test"}} +{"text": "Last but not least , we publish our findings to help Android users protect themselves . Despite being an older vulnerability , many threat actors continue to leverage CVE-2012-0158 to exploit Microsoft Word . Since at least 2013 , HIDDEN COBRA actors have been observed using Volgmer malware in the wild to target the government , financial , automotive , and media industries .", "spans": {"SYSTEM: Android": [[53, 60]], "VULNERABILITY: CVE-2012-0158": [[167, 180]], "MALWARE: Microsoft Word": [[192, 206]], "THREAT_ACTOR: HIDDEN COBRA actors": [[231, 250]], "MALWARE: Volgmer": [[276, 283]], "MALWARE: malware": [[284, 291]], "ORGANIZATION: government": [[318, 328]], "ORGANIZATION: financial": [[331, 340]], "ORGANIZATION: automotive": [[343, 353]], "ORGANIZATION: media industries": [[360, 376]]}, "info": {"id": "cyberner_stix_test_000215", "source": "cyberner_stix_test"}} +{"text": "will result in writing our file instead to the same directory as the Quasar serve code .", "spans": {"MALWARE: Quasar": [[69, 75]]}, "info": {"id": "cyberner_stix_test_000216", "source": "cyberner_stix_test"}} +{"text": "It is therefore valuable to observe how the Dukes reacted to CosmicDuke ’s outing at the beginning of July .", "spans": {"MALWARE: CosmicDuke": [[61, 71]]}, "info": {"id": "cyberner_stix_test_000217", "source": "cyberner_stix_test"}} +{"text": "It will also install the malicious app “ com.qualcmm.timeservices. 
” These archives contain the file “ .root.sh ” which has some comments in Chinese : Main phase In this phase , the Trojan launches the “ start ” file from Game324.res or Game644.res . FrozenCell is the mobile component of a multi-platform attack we've seen a threat actor known as \" Two-tailed Scorpion/APT-C-23 \" , use to spy on victims through compromised mobile devices and desktops . This data suggests that the number of countries with potential victims is higher than our telemetry has registered . We called this new malware ?", "spans": {"TOOL: FrozenCell": [[251, 261]], "THREAT_ACTOR: Scorpion/APT-C-23": [[361, 378]], "MALWARE: malware": [[591, 598]]}, "info": {"id": "cyberner_stix_test_000218", "source": "cyberner_stix_test"}} +{"text": "As outlined in the diagram above , It installs an additional application with the same functionality and these two applications monitor the removal of each other . FireEye confirmed that since at least November 2017 , APT37 exploited a zero-day Adobe Flash vulnerability , CVE-2018-4878 , to distribute DOGCALL malware to South Korean victims . 
When we looked at the cluster of activity which consisted of what appeared to be espionage-focused attacks in the Middle East , we were somewhat confused as the previous public reporting had attributed these attacks to FIN7 .", "spans": {"ORGANIZATION: FireEye": [[164, 171]], "THREAT_ACTOR: APT37": [[218, 223]], "VULNERABILITY: zero-day Adobe Flash vulnerability": [[236, 270]], "VULNERABILITY: CVE-2018-4878": [[273, 286]], "TOOL: DOGCALL malware": [[303, 318]], "THREAT_ACTOR: FIN7": [[564, 568]]}, "info": {"id": "cyberner_stix_test_000219", "source": "cyberner_stix_test"}} +{"text": "List of commands sewn into the body of the Trojan : Command code Parameters Actions 2 – Sending a list of contacts from the address book of the infected device to the C & C server 7 “ to ” : int Calling the specified number 11 “ to ” : int , “ body ” : string Sending an SMS with the specified text to the specified number 19 “ text ” : string , “ n ” : string Sending SMS with the specified text to numbers from the address book of the infected device , with the name of the addressee from the TG-3390 uses DLL side loading , a technique that involves running a legitimate , typically digitally signed , program that loads a malicious DLL . Shellbot is also used to control the botnet , with a command that is sent and run from the C&C to determine if there is a code execution in the shell , the hostname , and its architecture . 
None Deploy advanced endpoint detection and response ( EDR ) tools to all endpoints to detect web services spawning PowerShell or command line processes .", "spans": {"SYSTEM: address book": [[124, 136], [417, 429]], "THREAT_ACTOR: TG-3390": [[495, 502]], "MALWARE: Shellbot": [[642, 650]], "MALWARE: botnet": [[679, 685]], "TOOL: C&C": [[733, 736]]}, "info": {"id": "cyberner_stix_test_000220", "source": "cyberner_stix_test"}} +{"text": "The modifications were minor and likely performed to add capabilities and avoid detection .", "spans": {}, "info": {"id": "cyberner_stix_test_000221", "source": "cyberner_stix_test"}} +{"text": "The CloudDuke toolset consists of at least a loader , a downloader , and two backdoor variants .", "spans": {"MALWARE: CloudDuke": [[4, 13]], "MALWARE: loader": [[45, 51]], "MALWARE: downloader": [[56, 66]]}, "info": {"id": "cyberner_stix_test_000222", "source": "cyberner_stix_test"}} +{"text": "Anubis can completely hijack an Android mobile device , steal data , record phone calls , and even hold the device to ransom by encrypting the victim ’ s personal files . The Sima group also engaged in impersonation of Citizenship and Immigration Services at the Department of Homeland Security , posing as a notice about the expiration of the recipient 's Permanent Residence status . It was believed that the arrest of the group leader will have an impact on the group’s operations . 
One might think we could have updated the CSP to only allow specific TIDs : .", "spans": {"MALWARE: Anubis": [[0, 6]], "SYSTEM: Android": [[32, 39]], "THREAT_ACTOR: Sima": [[175, 179]], "ORGANIZATION: Citizenship": [[219, 230]], "ORGANIZATION: Immigration Services": [[235, 255]], "ORGANIZATION: Department of Homeland Security": [[263, 294]], "SYSTEM: CSP": [[528, 531]]}, "info": {"id": "cyberner_stix_test_000223", "source": "cyberner_stix_test"}} +{"text": "] 213 To backdoor legitimate applications , attackers used a Smali injection technique – a type of injection that allows attackers to disassemble the code of original app with the Baksmali tool , add their malicious code , and assemble it with Smali . The contents of the decoy PDF is a job descriptions with the South Korean Coast Guard . One of its main functions is to steal information .", "spans": {"MALWARE: the decoy PDF": [[268, 281]], "ORGANIZATION: Coast Guard": [[326, 337]]}, "info": {"id": "cyberner_stix_test_000224", "source": "cyberner_stix_test"}} +{"text": "similar triggers that are easily detectable . Magic Hound will often find simpler ways for effective compromise , such as creative phishing and simple custom malware . Once all sections are loaded , the relocations get fixed and the MZ/PE headers are zeroed out in memory . It is entirely possible that these threat actors will go as far as compromising close contacts of their targets .", "spans": {"THREAT_ACTOR: threat actors": [[309, 322]]}, "info": {"id": "cyberner_stix_test_000225", "source": "cyberner_stix_test"}} +{"text": "For the purpose of this report we analyze here the Exodus One sample with hash 8453ce501fee1ca8a321f16b09969c517f92a24b058ac5b54549eabd58bf1884 which communicated with the Command & Control server at 54.71.249.137 . In addition to Helminth , the ISMDoor implant is likely used by the Iran-based adversary to attack targets particularly those in the Middle East region . 
For this specific condition , it is important because it 's filtering on the keyboard layout to identify the targets . A careful analysis of the domain registrations from this threat actor between 2014 and 2015 allowed us to identify one profile used to register several domains that were used as C&C servers for a particular malware family employed by the Winnti group .", "spans": {"MALWARE: Exodus One": [[51, 61]], "TOOL: Helminth": [[231, 239]], "TOOL: ISMDoor": [[246, 253]]}, "info": {"id": "cyberner_stix_test_000226", "source": "cyberner_stix_test"}} +{"text": "This backdoor first emerged in December 2019 , and was discovered by Cybereason .", "spans": {"ORGANIZATION: Cybereason": [[69, 79]]}, "info": {"id": "cyberner_stix_test_000227", "source": "cyberner_stix_test"}} +{"text": "Leafminer attempts to infiltrate target networks through various means of intrusion : watering hole websites , vulnerability scans of network services on the internet , and brute-force login attempts . A window will pop out .", "spans": {"THREAT_ACTOR: Leafminer": [[0, 9]]}, "info": {"id": "cyberner_stix_test_000228", "source": "cyberner_stix_test"}} +{"text": "Because all the URLs used in this campaign have the form of hxxp : //yyyyyyyy [ . Wingbird , the advanced malware used by NEODYMIUM , has several behaviors that trigger alerts in Windows Defender ATP . The decoy document is written using the ukrainian language mixed to many special chars aimed to lure the target to click on it . 
A month later , GReAT discovered two more previously unknown infection mechanisms for MiniDuke , which relied on Java and Internet Explorer vulnerabilities to infect the victim ’s PC .", "spans": {"TOOL: Wingbird": [[82, 90]], "THREAT_ACTOR: NEODYMIUM": [[122, 131]], "ORGANIZATION: Windows Defender ATP": [[179, 199]], "ORGANIZATION: GReAT": [[347, 352]], "MALWARE: MiniDuke": [[417, 425]], "VULNERABILITY: Java and Internet Explorer vulnerabilities": [[444, 486]]}, "info": {"id": "cyberner_stix_test_000229", "source": "cyberner_stix_test"}} +{"text": "The majority of droppers in 9Apps are games , while the rest fall into categories of adult entertainment , media player , photo utilities , and system utilities . The use of InPage as an attack vector is not commonly seen , with the only previously noted attacks being documented by Kaspersky in late 2016 . The MSI packages generally include a clean version of unzIP . The web shell was written to the system by the UMWorkerProcess.exe process , which is associated with Microsoft Exchange Server ’s Unified Messaging service .", "spans": {"SYSTEM: 9Apps": [[28, 33]], "TOOL: InPage": [[174, 180]], "ORGANIZATION: Kaspersky": [[283, 292]], "TOOL: MSI": [[312, 315]], "TOOL: unzIP": [[362, 367]], "SYSTEM: Microsoft Exchange Server ’s Unified Messaging service": [[472, 526]]}, "info": {"id": "cyberner_stix_test_000230", "source": "cyberner_stix_test"}} +{"text": "Several sources estimate that by the year 2020 some 50 billion IoT devices will be deployed worldwide .", "spans": {"TOOL: IoT": [[63, 66]]}, "info": {"id": "cyberner_stix_test_000231", "source": "cyberner_stix_test"}} +{"text": "Dolkun lsa Chairman of the Executive Committee Word Uyghur Congress ” While the victim reads this fake message , the malware secretly reports the infection to a command-and-control server . The backdoor was delivered via a malicious .rtf file that exploited CVE-2017-0199 . 
PROMETHIUM is an activity group that has been active as early as 2012 .", "spans": {"ORGANIZATION: Executive Committee Word Uyghur Congress": [[27, 67]], "MALWARE: .rtf file": [[233, 242]], "VULNERABILITY: CVE-2017-0199": [[258, 271]], "THREAT_ACTOR: PROMETHIUM": [[274, 284]]}, "info": {"id": "cyberner_stix_test_000232", "source": "cyberner_stix_test"}} +{"text": "When loaded with startup command 2 , the installer can copy the original explorer.exe file inside its current running directory and rename d3d9.dll to uxtheme.dll . Once connected to the VPN , APT35 focused on stealing domain credentials from a Microsoft Active Directory Domain Controller to allow them to authenticate to the single-factor VPN and Office 365 instance . Varies : The vulnerabilities Talos disclosed to the operators of Open Babel can all be triggered by tricking a user into opening a specially crafted , malformed file .", "spans": {"THREAT_ACTOR: APT35": [[193, 198]], "MALWARE: Varies": [[371, 377]], "ORGANIZATION: Talos": [[400, 405]], "ORGANIZATION: Open Babel": [[436, 446]]}, "info": {"id": "cyberner_stix_test_000233", "source": "cyberner_stix_test"}} +{"text": "This variant ’ s app name , along with many others , is written in Chinese and describes the app as a backup tool . APT41 espionage operations against the healthcare , high-tech , and telecommunications sectors include establishing and maintaining strategic access , and through mid-2015 , the theft of intellectual property . 
The malware used by the Wekby group has ties to the HTTPBrowser malware family , and uses DNS requests as a command and control mechanism .", "spans": {"THREAT_ACTOR: APT41": [[116, 121]], "ORGANIZATION: healthcare": [[155, 165]], "ORGANIZATION: high-tech": [[168, 177]], "ORGANIZATION: telecommunications sectors": [[184, 210]], "THREAT_ACTOR: Wekby group": [[351, 362]], "MALWARE: HTTPBrowser malware family": [[379, 405]]}, "info": {"id": "cyberner_stix_test_000234", "source": "cyberner_stix_test"}} +{"text": "FireEye believes the Ke3chang attackers likely began attempting to exfiltrate sensitive data shortly thereafter . In the former Soviet Union , Silence targeted banks in Kyrgyzstan , Kazakhstan , and Ukraine .", "spans": {"ORGANIZATION: FireEye": [[0, 7]], "THREAT_ACTOR: Ke3chang": [[21, 29]], "THREAT_ACTOR: Silence": [[143, 150]], "ORGANIZATION: banks": [[160, 165]]}, "info": {"id": "cyberner_stix_test_000235", "source": "cyberner_stix_test"}} +{"text": "Input validation is a method of sanitizing untrusted input provided by users of a web application .", "spans": {}, "info": {"id": "cyberner_stix_test_000236", "source": "cyberner_stix_test"}} +{"text": "As the actor moved from one device to another , they would drop a simple shell script to establish persistence on the network which allowed extended access to continue hunting .", "spans": {}, "info": {"id": "cyberner_stix_test_000237", "source": "cyberner_stix_test"}} +{"text": "If one of them was detected , the other one provided the attacker with continued access .", "spans": {}, "info": {"id": "cyberner_stix_test_000238", "source": "cyberner_stix_test"}} +{"text": "It came in the form of a \" Tran Duy Linh \" CVE-2012-0158 exploit kit document MD5 : de8a242af3794a8be921df0cfa51885f61 and was observed on April 10 , 2014 . 
This is also a full-featured backdoor controlled by email , and which can work independently of any other Turla component .", "spans": {"TOOL: Tran Duy Linh": [[27, 40]], "VULNERABILITY: CVE-2012-0158": [[43, 56]], "MALWARE: full-featured backdoor": [[172, 194]], "THREAT_ACTOR: Turla": [[263, 268]]}, "info": {"id": "cyberner_stix_test_000239", "source": "cyberner_stix_test"}} +{"text": "] com autoandroidup [ . We expect APT33 activity will continue to cover a broad scope of targeted entities , and may spread into other regions and sectors as Iranian interests dictate . Remexi includes different modules that it deploys in its working directory, including configuration decryption and parsing, launching victim activity logging in a separate module, and seven threads for various espionage and auxiliary . Some hackers are motivated by the sense of achievement that comes with cracking open a major system .", "spans": {"MALWARE: Remexi": [[186, 192]], "THREAT_ACTOR: hackers": [[427, 434]]}, "info": {"id": "cyberner_stix_test_000240", "source": "cyberner_stix_test"}} +{"text": "In green , we can see the references to the SMS API . However , in the same week of September a series of spearphishing attempts once again targeted a set of otherwise unrelated individuals , employing the same tactics as before . To allow the VNC session to connect , the current network socket WSAProtcol_Info structure is written to a named pipe prior to calling zxFunction001 . zxFunction001 modifies the current process memory , uses data contained in the named pipe to create a socket , and then executes the code that sends the remote desktop session to the server controller . 
The rare opportunity to examine Sharpshooter 's backend operations allowed the researchers to create a fuller picture of the activity and interaction between the various tools used by the threat actor .", "spans": {"TOOL: VNC": [[244, 247]], "TOOL: WSAProtcol_Info": [[296, 311]], "SYSTEM: Sharpshooter 's backend operations": [[617, 651]]}, "info": {"id": "cyberner_stix_test_000241", "source": "cyberner_stix_test"}} +{"text": "The actor altered their macOS and Windows malware considerably , adding an authentication mechanism in the macOS downloader and changing the macOS development framework .", "spans": {"SYSTEM: macOS": [[24, 29], [107, 112], [141, 146]], "SYSTEM: Windows": [[34, 41]]}, "info": {"id": "cyberner_stix_test_000242", "source": "cyberner_stix_test"}} +{"text": "Based on this information , CTU researchers assess that TG-3390 aims to collect defense technology and capability intelligence , other industrial intelligence , and political intelligence from governments and NGOs .", "spans": {"ORGANIZATION: CTU": [[28, 31]], "THREAT_ACTOR: TG-3390": [[56, 63]]}, "info": {"id": "cyberner_stix_test_000243", "source": "cyberner_stix_test"}} +{"text": "RIPPER interacts with the ATM by inserting a specially manufactured ATM card with an EMV chip that serves as the authentication mechanism . 
Using the information gathered from its reconnaissance on social media sites , Barium packages the phishing e-mail in a ACT that gives the e-mail credibility to the target user , often by making the e-mail appear as ifit were sent from an organization known to and trusted by the victim or concerning a topic of interest to the victim .", "spans": {"MALWARE: RIPPER": [[0, 6]], "ORGANIZATION: social media": [[198, 210]], "THREAT_ACTOR: Barium": [[219, 225]], "TOOL: e-mail": [[279, 285], [339, 345]]}, "info": {"id": "cyberner_stix_test_000244", "source": "cyberner_stix_test"}} +{"text": "CozyDuke however represents the complete opposite .", "spans": {"MALWARE: CozyDuke": [[0, 8]]}, "info": {"id": "cyberner_stix_test_000245", "source": "cyberner_stix_test"}} +{"text": "Describing this additional piece of code in detail is outside the scope of this analysis and may require a new dedicated blog post . menuPass has targeted individuals and organizations in Japan since at least 2014 , and as the same organizations and academics were largely targeted each month in these attacks , it further shows menuPass is persistent in attempts to compromise their targets . OceanLotus : {12C044FA-A4AB-433B-88A2-32C3451476CE} memory pointer 4 points to a function that spawns another copy of malicious process . Disrupting supply chains , destroying centrifuges and other attacks can be classified as WarDefense driven .", "spans": {"SYSTEM: scope": [[66, 71]], "THREAT_ACTOR: OceanLotus": [[394, 404]]}, "info": {"id": "cyberner_stix_test_000246", "source": "cyberner_stix_test"}} +{"text": "Figure 1 . While this particular actor effectively used their almost worn out CVE-2012-0158 exploits in the past , Spring Dragon employs more involved and creative intrusive activity as well . When the payload is started , the registry value is queried and execution is aborted if set . 
Instead of compiling a list of threats , this technique looks at what is already on a computer and identifies programs as safe , blocking software that does nt match .", "spans": {"THREAT_ACTOR: actor": [[33, 38]], "VULNERABILITY: CVE-2012-0158": [[78, 91]], "THREAT_ACTOR: Spring Dragon": [[115, 128]]}, "info": {"id": "cyberner_stix_test_000247", "source": "cyberner_stix_test"}} +{"text": "They are selective in their attacks and wait for about three months between incidents , which is approximately three times longer than other financially motivated APT groups , like MoneyTaker , Anunak ( Carbanak ) , Buhtrap or Cobalt . BRONZE UNION has consistently demonstrated the capability to conduct successful large-scale intrusions against high-profile networks and systems .", "spans": {}, "info": {"id": "cyberner_stix_test_000248", "source": "cyberner_stix_test"}} +{"text": "Government agencies and enterprises should plan to be hit from all angles - cloud services , mobile devices , laptops - in order to build comprehensive security strategies that work . Hancom Office is widely used in South Korea . First , they place malware ( usually in ZIP files ) on the legitimate websites hosted on the hop point and then send spear phishing emails with a link that includes the legitimate FQDN . One might think we could have updated the CSP to only allow specific TIDs : .", "spans": {"TOOL: ZIP": [[270, 273]], "TOOL: emails": [[362, 368]], "TOOL: FQDN": [[410, 414]], "SYSTEM: CSP": [[459, 462]]}, "info": {"id": "cyberner_stix_test_000249", "source": "cyberner_stix_test"}} +{"text": "TG-3390 : blackcmd.com .", "spans": {"THREAT_ACTOR: TG-3390": [[0, 7]], "DOMAIN: blackcmd.com": [[10, 22]]}, "info": {"id": "cyberner_stix_test_000250", "source": "cyberner_stix_test"}} +{"text": "With every Android update , the malware authors are forced to come up with new tricks . 
On occasion the APT37 directly included the ROKRAT payload in the malicious document and during other campaigns the attackers leveraged multi-stage infection processes . recently analyzed a series of malware samples that utilized compiler-level obfuscations . We prefer to keep it secret , we have no goal to destroy your business .", "spans": {"SYSTEM: Android": [[11, 18]], "THREAT_ACTOR: APT37": [[104, 109]], "TOOL: ROKRAT": [[132, 138]], "THREAT_ACTOR: attackers": [[204, 213]]}, "info": {"id": "cyberner_stix_test_000251", "source": "cyberner_stix_test"}} +{"text": "This module monitors a wide range of device activities including application installation / remove / update , phone restart and battery charge . Periodically , the malware tries to contact the command-and-control ( C&C ) server with the username encoded into parameters .", "spans": {"MALWARE: module": [[5, 11]], "TOOL: command-and-control": [[193, 212]], "TOOL: C&C": [[215, 218]]}, "info": {"id": "cyberner_stix_test_000252", "source": "cyberner_stix_test"}} +{"text": "After launch , it downloads a codec for MP3 encoding directly from the C & C server : http : //54.67.109.199/skype_resource/libmp3lame.dll The skype_sync2.exe module has a compilation timestamp – Feb 06 2017 and the following PDB string : \\\\vmware-host\\Shared Folders\\dati\\Backup\\Projects\\REcodin_2\\REcodin_2\\obj\\x86\\Release\\REcodin_2.pdb network.exe is a It turns out that contacts data isn’t the only unusual data SWAnalytics is interested in . 
The group generally targets defense and government organizations , but has also targeted a range of industries including engineering firms , shipping and transportation , manufacturing , defense , government offices , and research universities in the United States , Western Europe , and along the South China Sea .", "spans": {"MALWARE: SWAnalytics": [[416, 427]]}, "info": {"id": "cyberner_stix_test_000253", "source": "cyberner_stix_test"}} +{"text": "This new campaign , dubbed HaoBao , resumes Lazarus ' previous phishing emails , posed as employee recruitment , but now targets Bitcoin users and global financial organizations . Madcap” is similar to the XAgent malware , but the former is focused on recording audio .", "spans": {"THREAT_ACTOR: Lazarus": [[44, 51]], "ORGANIZATION: Bitcoin users": [[129, 142]], "ORGANIZATION: financial organizations": [[154, 177]], "FILEPATH: Madcap”": [[180, 187]], "FILEPATH: XAgent": [[206, 212]]}, "info": {"id": "cyberner_stix_test_000254", "source": "cyberner_stix_test"}} +{"text": "In late 2016 , versions of the Trojan emerged that contained the card.html phishing page in the assets/www folder . To set up persistence , the loader writes a file to \" c:\\temp\\rr.exe \" and executes it with specific command line arguments to create auto run registry keys . We also saw that the attack technique bears some resemblance to a previous 2017 Lazarus attack , analyzed by BAE Systems , against targets in Asia .", "spans": {"MALWARE: c:\\temp\\rr.exe": [[170, 184]], "ORGANIZATION: BAE Systems": [[384, 395]]}, "info": {"id": "cyberner_stix_test_000255", "source": "cyberner_stix_test"}} +{"text": "As a backdoor Trojan , Volgmer has several capabilities including : gathering system information , updating service registry keys , downloading and uploading files , executing commands , terminating processes , and listing directories . 
We speculate that other attacks delivering Bookworm were also targeting organizations in Thailand based on the contents of the associated decoys documents , as well as several of the dynamic DNS domain names used to host C2 servers that contain the words \" Thai \" or \" Thailand \" .", "spans": {"TOOL: backdoor Trojan": [[5, 20]], "TOOL: Volgmer": [[23, 30]], "MALWARE: Bookworm": [[280, 288]], "FILEPATH: decoys documents": [[375, 391]], "MALWARE: dynamic DNS domain": [[420, 438]], "TOOL: C2": [[458, 460]]}, "info": {"id": "cyberner_stix_test_000256", "source": "cyberner_stix_test"}} +{"text": "If the user closes the windows , they will appear again due to the timer configuration . Lastly , ITG08 used Comodo code-signing certificates several times during the course of the campaign . Operation Daybreak appears to have been launched by unknown attackers to infect high profile targets through spear-phishing e-mails .", "spans": {"THREAT_ACTOR: ITG08": [[98, 103]], "TOOL: Comodo code-signing certificates": [[109, 141]], "THREAT_ACTOR: attackers": [[252, 261]]}, "info": {"id": "cyberner_stix_test_000257", "source": "cyberner_stix_test"}} +{"text": "Fraud Both of the billing methods detailed above provide device verification , but not user verification . The times of day the group is active also suggests that it is based near Beijing and the group has reportedly used malware that has been observed in other Chinese operations , indicating some level of collaboration . FindPass Find login account password . Although this wave did not use any zero day exploits , it relied on steganography and NTFS alternate data streams to complicate detection .", "spans": {}, "info": {"id": "cyberner_stix_test_000258", "source": "cyberner_stix_test"}} +{"text": "Microsoft addressed the SMBv1 vulnerabilities in March 2017 with Security Bulletin MS17-010 . 
Recently , we found several new versions of Carbon , a second stage backdoor in the Turla group arsenal .", "spans": {"ORGANIZATION: Microsoft": [[0, 9]], "VULNERABILITY: SMBv1 vulnerabilities": [[24, 45]], "MALWARE: Carbon": [[138, 144]], "THREAT_ACTOR: Turla": [[178, 183]]}, "info": {"id": "cyberner_stix_test_000259", "source": "cyberner_stix_test"}} +{"text": "Only samples mentioned or relevant to the relational analysis have been included .", "spans": {}, "info": {"id": "cyberner_stix_test_000260", "source": "cyberner_stix_test"}} +{"text": "On the other hand , ShadowBrokers group made headlines in 2016 when it claimed to have robbed various exploitation tools used by the NSA including the notorious ETERNALBLUE that was a vital component in the WannaCry ransomware campaign causing damages to systems worldwide . According to the researchers , the group injected malicious JavaScript code into the official government websites associated with the data center in order to conduct watering hole attacks .", "spans": {"ORGANIZATION: NSA": [[133, 136]], "VULNERABILITY: ETERNALBLUE": [[161, 172]], "MALWARE: JavaScript code": [[335, 350]]}, "info": {"id": "cyberner_stix_test_000261", "source": "cyberner_stix_test"}} +{"text": "For example , they used Nmap to scan various internal IP address ranges and SMB ports .", "spans": {"TOOL: Nmap": [[24, 28]]}, "info": {"id": "cyberner_stix_test_000262", "source": "cyberner_stix_test"}} +{"text": "The banking app test : the credentials as entered ( left ) and as available in the database ( right ) Second , we wrote a test message in an email client . It is interesting to note that Turla operators used the free email provider GMX again , as in the Outlook Backdoor and in LightNeuron . 
Because of this , additional HIDDEN COBRA malware may be present on systems compromised with FALLCHILL .", "spans": {"THREAT_ACTOR: Turla": [[187, 192]], "TOOL: Outlook Backdoor": [[254, 270]], "TOOL: LightNeuron": [[278, 289]], "MALWARE: HIDDEN COBRA malware": [[321, 341]], "MALWARE: FALLCHILL": [[385, 394]]}, "info": {"id": "cyberner_stix_test_000263", "source": "cyberner_stix_test"}} +{"text": "The targets and capabilities of HenBox , in addition to the ties to previous activity using four different Windows malware families with political-themed lures against several different South East Asian countries , indicates this activity likely represents an at least three-year-old espionage campaign . Interestingly , some of the APT41's POISONPLUG malware samples leverage the Steam Community website associated with Valve , a video game developer and publisher . We assess the targeting of multiple companies with aviation-related partnerships to Saudi Arabia indicates that APT33 may possibly be looking to gain insights on Saudi Arabia 's military aviation capabilities to enhance Iran 's domestic aviation capabilities or to support Iran 's military and strategic decision making vis a vis Saudi Arabia .", "spans": {"MALWARE: HenBox": [[32, 38]], "THREAT_ACTOR: APT41's": [[333, 340]], "TOOL: POISONPLUG": [[341, 351]], "THREAT_ACTOR: APT33": [[580, 585]], "ORGANIZATION: military": [[749, 757]]}, "info": {"id": "cyberner_stix_test_000264", "source": "cyberner_stix_test"}} +{"text": "These components are responsible for a myriad of functions including handling decryption , network communications , gaining super-user privileges , monitoring system logs , loading additional Dalvik code files , tracking the device location and more . The group also targeted companies involved in producing motherboards , processors , and server solutions for enterprises . 
Given the available data , we assess that APT28 's work is sponsored by the Russian government .", "spans": {"THREAT_ACTOR: group": [[256, 261]], "ORGANIZATION: producing motherboards": [[298, 320]], "ORGANIZATION: processors": [[323, 333]], "ORGANIZATION: server solutions": [[340, 356]], "THREAT_ACTOR: APT28": [[417, 422]], "ORGANIZATION: Russian government": [[451, 469]]}, "info": {"id": "cyberner_stix_test_000265", "source": "cyberner_stix_test"}} +{"text": "The malware uses an RC4 encryption key that was previously used by the CHOPSTICK backdoor .", "spans": {"MALWARE: CHOPSTICK backdoor": [[71, 89]]}, "info": {"id": "cyberner_stix_test_000266", "source": "cyberner_stix_test"}} +{"text": "During the investigation , this app was able to successfully connect to the command and control server , but it received no commands . We named the actor DustSquad and have provided private intelligence reports to our customers on four of their campaigns involving custom Android and Windows malware . We refer to this group as “ APT1 ” and it is one of more than 20 APT groups with origins inChina . Once they are downloaded to the machine , they can fetch a larger backdoor which carries out the cyberespionage activities , through functions such as copy file , move file , remove file , make directory , kill process and of course , download and execute new malware and lateral movement tools .", "spans": {"THREAT_ACTOR: DustSquad": [[154, 163]], "TOOL: Windows malware": [[284, 299]], "THREAT_ACTOR: APT1": [[330, 334]], "THREAT_ACTOR: the cyberespionage activities": [[494, 523]]}, "info": {"id": "cyberner_stix_test_000267", "source": "cyberner_stix_test"}} +{"text": "Proofpoint researchers observed one DanaBot affiliate ( Affid 11 ) specifically targeting Canada with \" Canada Post \" themed lures between January 1 and May 1 , 2019 . 
When we first encountered Lurk , in 2011 , it was a nameless Trojan .", "spans": {"ORGANIZATION: Proofpoint": [[0, 10]], "TOOL: DanaBot": [[36, 43]], "ORGANIZATION: Canada Post": [[104, 115]], "MALWARE: Lurk": [[194, 198]], "MALWARE: Trojan": [[229, 235]]}, "info": {"id": "cyberner_stix_test_000268", "source": "cyberner_stix_test"}} +{"text": "The main DLL also contains eClient subclasses that implement some of the native capabilities . China Chopper contains a remote shell (Virtual Terminal) function that has a first suggested command of netstat an|find ESTABLISHED . On May 16 , 2019 FireEye 's Advanced Practices team attributed the remaining \" suspected APT33 activity \" to APT33 , operating at the behest of the Iranian government .", "spans": {"MALWARE: China Chopper": [[95, 108]], "ORGANIZATION: FireEye 's Advanced Practices": [[246, 275]], "THREAT_ACTOR: APT33": [[338, 343]]}, "info": {"id": "cyberner_stix_test_000269", "source": "cyberner_stix_test"}} +{"text": "Since it becomes a part of the boot partition , formatting the device will not solve the problem . We are also grateful to the Private Office of his Holiness the Dalai Lama , the Tibetan Government-in-Exile , the missions of Tibet in London , Brussels , and New York , and Drewla ( a Tibetan NGO ) . Since 2006 , Mandiant has observed APT1 compromise 141 companies spanning 20 major industries . That DLL file is the main module of Miniduke , and it uses the URL http://twitter.com/TamicaCGerald to fetch commands .", "spans": {"ORGANIZATION: Tibet": [[225, 230]], "ORGANIZATION: Brussels": [[243, 251]], "ORGANIZATION: Drewla": [[273, 279]], "ORGANIZATION: Tibetan": [[284, 291]], "ORGANIZATION: NGO": [[292, 295]], "ORGANIZATION: Mandiant": [[313, 321]], "THREAT_ACTOR: APT1": [[335, 339]]}, "info": {"id": "cyberner_stix_test_000270", "source": "cyberner_stix_test"}} +{"text": "The Trojan displays a fake HTML update page ( update.html ) that blocks the device ’ s screen for a long period of time . 
Even an experienced user can be fooled by downloading a malicious file that is apparently from adobe.com , since the URL and the IP address correspond to Adobe 's legitimate infrastructure . RASPITE targeting includes entities in the US , Middle East , Europe , and East Asia .", "spans": {"MALWARE: malicious file": [[178, 192]], "THREAT_ACTOR: RASPITE": [[313, 320]]}, "info": {"id": "cyberner_stix_test_000271", "source": "cyberner_stix_test"}} +{"text": "Push notifications were also used to control audio recording . To mitigate the threat of the described campaign , security teams can consider blocking access to the C2 server 103.236.150.14 and , where applicable , ensure that the Microsoft Security Update KB2553204 is installed in order to patch the CVE-2017-11882 vulnerability . Despite last month 's report on aspects of the MuddyWater campaign , the group is undeterred and continues to perform operations .", "spans": {"VULNERABILITY: CVE-2017-11882": [[302, 316]]}, "info": {"id": "cyberner_stix_test_000272", "source": "cyberner_stix_test"}} +{"text": "Furthermore , there are indications that APT32 actors are targeting peripheral network security and technology infrastructure corporations . Talos reported that these DNS hijacks also paved the ACT for the attackers to obtain SSL encryption certificates for the targeted domains ( webmail.finance.gov.lb ) , which allowed them to decrypt the intercepted email and VPN credentials and view them in plain text .", "spans": {"THREAT_ACTOR: APT32": [[41, 46]], "ORGANIZATION: security": [[87, 95]], "ORGANIZATION: technology": [[100, 110]], "ORGANIZATION: Talos": [[141, 146]], "DOMAIN: webmail.finance.gov.lb": [[281, 303]], "TOOL: email": [[354, 359]], "TOOL: VPN": [[364, 367]]}, "info": {"id": "cyberner_stix_test_000273", "source": "cyberner_stix_test"}} +{"text": "They have different functions and ways of spreading , but the same purpose — to steal money from the accounts of businesses . 
CTU researchers assess with high confidence that TG-3390 uses information gathered from prior reconnaissance activities to selectively compromise users who visit websites under its control .", "spans": {"ORGANIZATION: businesses": [[113, 123]], "ORGANIZATION: CTU": [[126, 129]], "THREAT_ACTOR: TG-3390": [[175, 182]]}, "info": {"id": "cyberner_stix_test_000274", "source": "cyberner_stix_test"}} +{"text": "Persistence mechanism Registry Key :", "spans": {}, "info": {"id": "cyberner_stix_test_000275", "source": "cyberner_stix_test"}} +{"text": "In May 2018 , campaigns being conducted by SWEED began leveraging another vulnerability in Microsoft Office: CVE-2017-11882 , a remote code execution bug in Microsoft Office that is commonly observed being leveraged in malicious documents used in commodity malware distribution . The scanner was identified as the Acunetix Web Vulnerability Scanner which is a commercial penetration testing tool that is readily available as a 14-day trial .", "spans": {"THREAT_ACTOR: SWEED": [[43, 48]], "VULNERABILITY: CVE-2017-11882": [[109, 123]], "FILEPATH: Acunetix Web Vulnerability Scanner": [[314, 348]]}, "info": {"id": "cyberner_stix_test_000276", "source": "cyberner_stix_test"}} +{"text": "Some sources claimed that GOLD LOWELL operations specifically targeted the healthcare vertical following public SamSam incidents in 2016 and 2018 . 
The first new connection SPEAR identified was derived from an email address listed in Blue Coat Systems' original report on PassCV .", "spans": {"THREAT_ACTOR: GOLD LOWELL": [[26, 37]], "ORGANIZATION: healthcare": [[75, 85]], "TOOL: SamSam": [[112, 118]], "ORGANIZATION: SPEAR": [[173, 178]], "TOOL: email": [[210, 215]], "THREAT_ACTOR: PassCV": [[272, 278]]}, "info": {"id": "cyberner_stix_test_000277", "source": "cyberner_stix_test"}} +{"text": "That the Dukes were already developing and operating at least two distinct malware toolsets by the second half of 2008 suggests to us that either the size of their cyberespionage operation was already large enough to warrant such an arsenal of tools , or that they expected their operation to grow significantly enough in the foreseeable future to warrant the development of such an arsenal .", "spans": {"THREAT_ACTOR: Dukes": [[9, 14]]}, "info": {"id": "cyberner_stix_test_000278", "source": "cyberner_stix_test"}} +{"text": "This pattern is shared across the original samples .", "spans": {}, "info": {"id": "cyberner_stix_test_000279", "source": "cyberner_stix_test"}} +{"text": "In this blog post , FireEye researchers are going to examine a recent instance where FireEye Managed Defense came toe-to-toe with APT41 . 
The malware then writes the R resource data to the file C:\\WINDOWS\\tasksche.exe .", "spans": {"ORGANIZATION: FireEye": [[20, 27], [85, 92]], "THREAT_ACTOR: APT41": [[130, 135]], "FILEPATH: malware": [[142, 149]], "FILEPATH: file": [[189, 193]], "FILEPATH: C:\\WINDOWS\\tasksche.exe": [[194, 217]]}, "info": {"id": "cyberner_stix_test_000280", "source": "cyberner_stix_test"}} +{"text": "DealersChoice :", "spans": {"TOOL: DealersChoice": [[0, 13]]}, "info": {"id": "cyberner_stix_test_000281", "source": "cyberner_stix_test"}} +{"text": "Contrary to what might be expected from malware , early CozyDuke versions also lacked any attempt at obfuscating or hiding their true nature .", "spans": {"MALWARE: CozyDuke": [[56, 64]]}, "info": {"id": "cyberner_stix_test_000282", "source": "cyberner_stix_test"}} +{"text": "The DllMain function only decrypts the data structures and initializes Windows API pointers .", "spans": {"SYSTEM: Windows": [[71, 78]]}, "info": {"id": "cyberner_stix_test_000283", "source": "cyberner_stix_test"}} +{"text": "An investigation of the web shell , later classified as a modified version of the China Chopper web shell , uncovered several attack phases and TTPs . Barium has targeted Microsoft customers both in Virginia , the United States , and around the world .", "spans": {"TOOL: China Chopper web shell": [[82, 105]], "THREAT_ACTOR: Barium": [[151, 157]], "ORGANIZATION: Microsoft customers": [[171, 190]]}, "info": {"id": "cyberner_stix_test_000284", "source": "cyberner_stix_test"}} +{"text": "This adversary has been identified leveraging custom-developed plugins for versions 2 and 3 of the commodity malware Black Energy to target entities associated with energy , industrial control systems and SCADA , government , and media for espionage and destructive purposes , since at least 2011 . 
It appears the Desert Falcons sent malicious executables though phishing campaigns impersonating individuals associated with the Palestinian Security Services , the General Directorate of Civil Defence - Ministry of the Interior , and the 7th Fateh Conference of the Palestinian National Liberation Front ( held in late 2016 ) .", "spans": {"TOOL: Black Energy": [[117, 129]], "ORGANIZATION: energy": [[165, 171]], "ORGANIZATION: government": [[213, 223]], "ORGANIZATION: media": [[230, 235]], "THREAT_ACTOR: espionage": [[240, 249]], "THREAT_ACTOR: Desert Falcons": [[314, 328]], "ORGANIZATION: Palestinian National Liberation Front": [[566, 603]]}, "info": {"id": "cyberner_stix_test_000285", "source": "cyberner_stix_test"}} +{"text": "Much like we have seen in recent months , anyone can be impacted by a mobile device attack . Through the exploitation of the HTA handler vulnerability described in CVE-2017-1099 , the observed RTF attachments download . The campaign , which we refer to as Operation Cloud Hopper , has targeted managed IT service providers ( MSPs ) , allowing APT10 unprecedented potential access to the intellectual property and sensitive data of those MSPs and their clients globally .", "spans": {"VULNERABILITY: CVE-2017-1099": [[164, 177]], "MALWARE: RTF attachments": [[193, 208]], "ORGANIZATION: managed IT service providers": [[294, 322]], "ORGANIZATION: MSPs": [[325, 329], [437, 441]], "THREAT_ACTOR: APT10": [[343, 348]]}, "info": {"id": "cyberner_stix_test_000286", "source": "cyberner_stix_test"}} +{"text": "In contrast , LEAD has established a far greater reputation for industrial espionage .", "spans": {"THREAT_ACTOR: LEAD": [[14, 18]]}, "info": {"id": "cyberner_stix_test_000287", "source": "cyberner_stix_test"}} +{"text": "First , the malicious app tries to determine whether it is being tested by the Google Play security mechanism . Group-IB reveals the unknown details of attacks from one of the most notorious APT groups , Lazarus . 
Execute a command .", "spans": {"SYSTEM: Google Play": [[79, 90]], "ORGANIZATION: Group-IB": [[112, 120]], "THREAT_ACTOR: Lazarus": [[204, 211]]}, "info": {"id": "cyberner_stix_test_000288", "source": "cyberner_stix_test"}} +{"text": "Until this incident , no malware had been discovered misusing the AMT SOL feature for communication . The new activity described in this blogpost was detected by ESET in Taiwan , where the Plead malware has alACTs been most actively deployed .", "spans": {"ORGANIZATION: ESET": [[162, 166]], "MALWARE: Plead": [[189, 194]], "MALWARE: malware": [[195, 202]]}, "info": {"id": "cyberner_stix_test_000289", "source": "cyberner_stix_test"}} +{"text": "Svpeng sends the corresponding messages to the SMS services of two banks . Turla APT group makes an extra effort to avoid detection by wiping files securely , changing the strings and randomizing what could be simple markers through the different backdoor versions . Winnti : C&C : w[org_name].livehost.live : 443 . The ISO file contained at least the following :", "spans": {"MALWARE: Svpeng": [[0, 6]], "THREAT_ACTOR: Turla APT group": [[75, 90]], "THREAT_ACTOR: Winnti": [[267, 273]], "TOOL: C&C": [[276, 279]], "URL: w[org_name].livehost.live": [[282, 307]], "SYSTEM: ISO file": [[320, 328]]}, "info": {"id": "cyberner_stix_test_000290", "source": "cyberner_stix_test"}} +{"text": "As this is a complex process , we recommend powering off your device and approaching a certified technician , or your mobile service provider , to request that your device be “ re-flashed. ” Change your Google account passwords immediately after this process . APT39 has prioritized the telecommunications sector , with additional targeting of the travel industry and IT firms that support it and the high-tech industry . This is important to perform in each maturity level as the obfuscated code could be modified or removed as the code becomes more optimized . 
Both TANKTRAP GPOs deployed CADDYWIPER from a staged directory to systems as msserver.exe .", "spans": {"ORGANIZATION: Google": [[203, 209]], "THREAT_ACTOR: APT39": [[261, 266]], "ORGANIZATION: telecommunications sector": [[287, 312]], "ORGANIZATION: travel industry": [[348, 363]], "ORGANIZATION: IT firms": [[368, 376]], "ORGANIZATION: high-tech industry": [[401, 419]], "MALWARE: CADDYWIPER": [[591, 601]]}, "info": {"id": "cyberner_stix_test_000291", "source": "cyberner_stix_test"}} +{"text": "Elections were not held in Gaza .", "spans": {}, "info": {"id": "cyberner_stix_test_000292", "source": "cyberner_stix_test"}} +{"text": "Moreover , we were able to confirm that several of the victims are linked to cryptocurrency business entities .", "spans": {}, "info": {"id": "cyberner_stix_test_000293", "source": "cyberner_stix_test"}} +{"text": "Their victims have been identified in the United States , Western Europe , Brazil , Canada , China , Georgia , Iran , Japan , Malaysia and South Korea .", "spans": {}, "info": {"id": "cyberner_stix_test_000294", "source": "cyberner_stix_test"}} +{"text": "EventBot C2 URLs C2 URLs and other settings in a nested class . To make this data harvesting operation flexible , SWAnalytics equips the ability to receive and process configuration files from a remote Command-and-Control . 
COBALT GYPSY 's continued social media use reinforces the importance of recurring social engineering training .", "spans": {"MALWARE: SWAnalytics": [[114, 125]], "THREAT_ACTOR: COBALT GYPSY": [[224, 236]], "ORGANIZATION: social media": [[250, 262]], "ORGANIZATION: social engineering": [[306, 324]]}, "info": {"id": "cyberner_stix_test_000295", "source": "cyberner_stix_test"}} +{"text": "Secondly , the value the Dukes intended to gain from these MiniDuke campaigns may have been so great that they deemed it worth the risk of getting noticed .", "spans": {"THREAT_ACTOR: Dukes": [[25, 30]], "MALWARE: MiniDuke": [[59, 67]]}, "info": {"id": "cyberner_stix_test_000296", "source": "cyberner_stix_test"}} +{"text": "GEMINIDUKE : First known activity January 2009 , Most recent known activity December 2012 , C&C communication methods HTTP(S) , Known toolset components Loader , Information stealer , Multiple persistence components .", "spans": {"MALWARE: GEMINIDUKE": [[0, 10]], "TOOL: C&C": [[92, 95]], "TOOL: Loader": [[153, 159]], "TOOL: Information stealer": [[162, 181]], "TOOL: Multiple persistence components": [[184, 215]]}, "info": {"id": "cyberner_stix_test_000297", "source": "cyberner_stix_test"}} +{"text": "While tracking what days of the week Suckfly used its hacktools , we discovered that the group was only active Monday through Friday .", "spans": {"THREAT_ACTOR: Suckfly": [[37, 44]]}, "info": {"id": "cyberner_stix_test_000298", "source": "cyberner_stix_test"}} +{"text": "This strengthens our suspicion that this malware is still undergoing development and has not been officially marketed or released yet . The earliest step in any possible attack(s) involving this variant of KopiLuwak of which Proofpoint researchers are currently aware begin with the MSIL dropper . 
We present the connection between Behzad Mesri , an Iranian national recently indicted for his involvement in hacking HBO , and Charming Kitten .", "spans": {"MALWARE: KopiLuwak": [[206, 215]], "MALWARE: MSIL dropper": [[283, 295]], "THREAT_ACTOR: Behzad Mesri": [[332, 344]], "THREAT_ACTOR: Charming Kitten": [[426, 441]]}, "info": {"id": "cyberner_stix_test_000299", "source": "cyberner_stix_test"}} +{"text": "The “ id ” value inside the “ data ” block is equal to the “ timestamp ” value of the relevant command : In addition , the Trojan sets itself as the default SMS application and , on receiving a new SMS , forwards the sender ’ s number and the message text in base64 format to the cybercriminal : Thus , Asacub can withdraw funds from a bank card linked to the phone by sending SMS for the transfer of funds to another account using the number of the card or mobile phone . When the adversaries' operations are live , they modify the record again to point the C2 domain to an IP address they can access . Considering the amount of resources needed to deploy all the necessary patches for an enterprise ( such as quality testing and operations alignment ) , which implies costly downtime for operations and the hesitation to update all systems immediately , Outlaw may find even more targets and victims for their updated botnets every time there is a patch released and waiting to be downloaded . While no substantive posts have been made to the FuckNATO channel since late April 2023 , Mandiant anticipates that KillNet and its affiliates will continue to target NATO for the continued future , with the potential for developments in the war in Ukraine to reinvigorate targeting .", "spans": {"MALWARE: Asacub": [[303, 309]], "THREAT_ACTOR: Outlaw": [[856, 862]], "ORGANIZATION: target NATO": [[1156, 1167]], "VULNERABILITY: the war in Ukraine": [[1234, 1252]]}, "info": {"id": "cyberner_stix_test_000300", "source": "cyberner_stix_test"}} +{"text": "] com and appupdatemoremagic [ . 
Both BalkanRAT and BalkanDoor spread in Croatia , Serbia , Montenegro , and Bosnia and Herzegovina . APT33 has targeted organizations – spanning multiple industries – headquartered in the United States , Saudi Arabia and South Korea .", "spans": {"MALWARE: BalkanRAT": [[38, 47]], "MALWARE: BalkanDoor": [[52, 62]], "THREAT_ACTOR: APT33": [[134, 139]], "ORGANIZATION: spanning multiple industries": [[169, 197]]}, "info": {"id": "cyberner_stix_test_000301", "source": "cyberner_stix_test"}} +{"text": "Since mid-November 2015 , the threat actor referred to as “ Sofacy ” or “ APT28 ” has been utilizing a unique payload and delivery mechanism written in Delphi and AutoIT .", "spans": {"THREAT_ACTOR: Sofacy": [[60, 66]], "THREAT_ACTOR: APT28": [[74, 79]], "TOOL: Delphi": [[152, 158]], "TOOL: AutoIT": [[163, 169]]}, "info": {"id": "cyberner_stix_test_000302", "source": "cyberner_stix_test"}} +{"text": "It contained approximately 8GB of stolen data . In 2014 , APT32 leveraged a spear-phishing attachment titled \" Plans to crackdown on protesters at the Embassy of Vietnam.exe \" . The graph can also be viewed in the VTGraph Console for additional exploration . Also , the names he used are not randomized and begin with .", "spans": {"THREAT_ACTOR: APT32": [[58, 63]], "MALWARE: Vietnam.exe": [[162, 173]], "TOOL: VTGraph Console": [[214, 229]]}, "info": {"id": "cyberner_stix_test_000303", "source": "cyberner_stix_test"}} +{"text": "The Dukes group as a whole however showed no sign of slowing down .", "spans": {"THREAT_ACTOR: Dukes": [[4, 9]]}, "info": {"id": "cyberner_stix_test_000304", "source": "cyberner_stix_test"}} +{"text": "The malware leverages an exploit , codenamed EternalBlue” , that was released by the Shadow Brokers on April 14 , 2017 . 
attacks to a Chinese-speaking threat actor group called LuckyMouse .", "spans": {"VULNERABILITY: EternalBlue”": [[45, 57]], "THREAT_ACTOR: Shadow Brokers": [[85, 99]]}, "info": {"id": "cyberner_stix_test_000305", "source": "cyberner_stix_test"}} +{"text": "Figure 2: Zyklon attack flowInfection Techniques CVE-2017-8759 . Further analysis uncovered a handful of ties indicating the actors may also be using the PCShare malware family , which has not been previously tied to the group .", "spans": {"THREAT_ACTOR: Zyklon": [[10, 16]], "VULNERABILITY: CVE-2017-8759": [[49, 62]], "MALWARE: PCShare malware family": [[154, 176]]}, "info": {"id": "cyberner_stix_test_000306", "source": "cyberner_stix_test"}} +{"text": "In a 2018 blogpost , ESET researchers predicted that Turla would use more and more generic tools . By 2014 , the Winnti malware code was no longer limited to game manufacturers . Winnti is targeting high-tech companies as well as chemical and pharmaceutical companies . Winnti is attacking companies in Japan , France , the U.S. and Germany . The Winnti hackers broke into Henkel’s network in 2014 . Henkel confirms the Winnti incident and issues the following statement: The cyberattack was discovered in the summer of 2014 and Henkel promptly took all necessary precautions . Far from attacking Henkel and the other companies arbitrarily , Winnti takes a highly strategic approach . The hackers behind Winnti have also set their sights on Japan’s biggest chemical company , Shin-Etsu Chemical . In the case of another Japanese company , Sumitomo Electric , Winnti apparently penetrated their networks during the summer of 2016 . Winnti hackers also penetrated the BASF and Siemens networks . Thanks to this tool , we found out back in March 2019 that the Bayer pharmaceutical group had been hacked by Winnti . At Gameforge , the Winnti hackers had already been removed from the networks when a staff member noticed a Windows start screen with Chinese characters . 
To witnesses , the spy appears to be running a program showing videos , presenting slides ( Prezi ) , playing a computer game or even running a fake virus scanner .", "spans": {"ORGANIZATION: ESET": [[21, 25]], "THREAT_ACTOR: Turla": [[53, 58]], "THREAT_ACTOR: Winnti": [[113, 119], [179, 185], [270, 276], [347, 353], [420, 426], [642, 648], [859, 865], [931, 937], [1103, 1109], [1131, 1137]], "ORGANIZATION: game manufacturers": [[158, 176]], "ORGANIZATION: high-tech companies": [[199, 218]], "ORGANIZATION: pharmaceutical companies": [[243, 267]], "ORGANIZATION: Henkel’s": [[373, 381]], "ORGANIZATION: Henkel": [[400, 406], [597, 603]], "MALWARE: Winnti": [[704, 710]], "ORGANIZATION: chemical company": [[757, 773]], "ORGANIZATION: Shin-Etsu Chemical": [[776, 794]], "ORGANIZATION: Sumitomo Electric": [[839, 856]], "ORGANIZATION: BASF": [[966, 970]], "ORGANIZATION: Siemens": [[975, 982]], "ORGANIZATION: networks": [[983, 991]], "ORGANIZATION: Bayer pharmaceutical": [[1057, 1077]], "ORGANIZATION: Gameforge": [[1115, 1124]], "SYSTEM: Windows": [[1219, 1226]], "THREAT_ACTOR: spy": [[1285, 1288]], "MALWARE: presenting slides": [[1338, 1355]], "MALWARE: Prezi": [[1358, 1363]]}, "info": {"id": "cyberner_stix_test_000307", "source": "cyberner_stix_test"}} +{"text": "In 2020 , it appears that TrickBot ’ s vast bank fraud is an ongoing project that helps the gang monetize compromised accounts . Attackers relied on Microsoft Equation Editor exploit CVE-2018-0798 to deliver a custom malware that Proofpoint researchers have dubbed Cotx RAT Maudi Surveillance Operation which was previously reported in 2013 . 
This latest attack consisted of three waves between May and June 2018 .", "spans": {"MALWARE: TrickBot": [[26, 34]], "THREAT_ACTOR: Attackers": [[129, 138]], "VULNERABILITY: CVE-2018-0798": [[183, 196]], "THREAT_ACTOR: Maudi": [[274, 279]]}, "info": {"id": "cyberner_stix_test_000308", "source": "cyberner_stix_test"}} +{"text": "In Operation Sheep’s case , Shun Wang likely harvests end user contact lists without application developer acknowledgement . wuaupdt.exe is a CMD backdoor , which can receive and execute CMD commands sent from C2 .", "spans": {"THREAT_ACTOR: Shun Wang": [[28, 37]], "FILEPATH: wuaupdt.exe": [[125, 136]], "MALWARE: CMD backdoor": [[142, 154]], "TOOL: C2": [[210, 212]]}, "info": {"id": "cyberner_stix_test_000309", "source": "cyberner_stix_test"}} +{"text": "In this blog , we showed that the threat actor behind the recent FakeSpy campaign is a Chinese-speaking group called “ Roaming Mantis ” known to operate mainly in Asia . The first version of Proyecto RAT” was published at the end of 2010 . The U.S. Government refers to the malicious cyber activity by the North Korean government as HIDDEN COBRA .", "spans": {"MALWARE: FakeSpy": [[65, 72]], "ORGANIZATION: Roaming Mantis": [[119, 133]], "MALWARE: Proyecto RAT”": [[191, 204]], "ORGANIZATION: U.S. Government": [[244, 259]], "THREAT_ACTOR: HIDDEN COBRA": [[333, 345]]}, "info": {"id": "cyberner_stix_test_000310", "source": "cyberner_stix_test"}} +{"text": "The malware authors used QtBitcoinTrader developed by Centrabit .", "spans": {"TOOL: QtBitcoinTrader": [[25, 40]], "ORGANIZATION: Centrabit": [[54, 63]]}, "info": {"id": "cyberner_stix_test_000311", "source": "cyberner_stix_test"}} +{"text": "Most of the samples we found date from the last half of 2017 , fewer samples date from 2016 , and a handful date back to 2015 . Turla's goal could include diplomats , experts in the areas of interest related to the Digital Economy Task Force , or possibly even journalists . 
The admin@338 used the popular Poison Ivy RAT and WinHTTPHelper malware to compromise the computers of government officials .", "spans": {"THREAT_ACTOR: Turla's": [[128, 135]], "ORGANIZATION: Digital Economy": [[215, 230]], "THREAT_ACTOR: admin@338": [[279, 288]], "MALWARE: Poison Ivy RAT": [[306, 320]], "MALWARE: WinHTTPHelper": [[325, 338]], "MALWARE: malware": [[339, 346]], "ORGANIZATION: government officials": [[378, 398]]}, "info": {"id": "cyberner_stix_test_000312", "source": "cyberner_stix_test"}} +{"text": "It also appears the attackers use this as second-stage malware . At the end of June 2015 Mofang started its campaign to gather information of a specific target in relation to the sezs : the cpg Corporation .", "spans": {"THREAT_ACTOR: attackers": [[20, 29]], "TOOL: second-stage malware": [[42, 62]], "ORGANIZATION: cpg Corporation": [[190, 205]]}, "info": {"id": "cyberner_stix_test_000313", "source": "cyberner_stix_test"}} +{"text": "One example of a lure document used in the Spark campaign is a PDF file that is used to deliver the Spark backdoor to the victim .", "spans": {"MALWARE: Spark": [[43, 48]], "TOOL: PDF": [[63, 66]], "MALWARE: Spark backdoor": [[100, 114]]}, "info": {"id": "cyberner_stix_test_000314", "source": "cyberner_stix_test"}} +{"text": "However , the malware wouldn ’ t want to depend on user interaction to trigger the ransomware screen , so , it adds another functionality of Android callback : As the code snippet shows , the malware overrides the onUserLeaveHint ( ) callback function of Activity class . Large-scale cyber espionage campaigns such as \" GhostNet \" . 
0xf001 ) Therefore , having access to such code allows threat actors with minimum programming knowledge to modify and compile their own ransomware variants .", "spans": {"SYSTEM: Android": [[141, 148]]}, "info": {"id": "cyberner_stix_test_000315", "source": "cyberner_stix_test"}} +{"text": "Pacha Group is believed to be of Chinese origin , and is actively delivering new campaigns , deploying a broad number of components , many of which are undetected and operating within compromised third party servers . These spearphishing attempts represent an evolution of Iranian actors based on their social engineering tactics and narrow targeting .", "spans": {"THREAT_ACTOR: Pacha Group": [[0, 11]]}, "info": {"id": "cyberner_stix_test_000316", "source": "cyberner_stix_test"}} +{"text": "The only instances which we are aware of where the Dukes did not use spear-phishing as the initial infection vector is with certain OnionDuke variants .", "spans": {"THREAT_ACTOR: Dukes": [[51, 56]], "MALWARE: OnionDuke": [[132, 141]]}, "info": {"id": "cyberner_stix_test_000317", "source": "cyberner_stix_test"}} +{"text": "It also researches methods for enabling enterprise safety in emergency situations .", "spans": {}, "info": {"id": "cyberner_stix_test_000318", "source": "cyberner_stix_test"}} +{"text": "Four of the 16 short links were clicked , three by the senior staff members .", "spans": {}, "info": {"id": "cyberner_stix_test_000319", "source": "cyberner_stix_test"}} +{"text": "With each new version , the malware adds new features like dynamic library loading , encryption , and adjustments to different locales and manufacturers . The malware leverages an exploit , codenamed EternalBlue” , that was released by the Shadow Brokers on April 14 , 2017 . 
The research and ongoing tracking of APT10 by both PwC UK and BAE .", "spans": {"VULNERABILITY: EternalBlue”": [[200, 212]], "THREAT_ACTOR: Shadow Brokers": [[240, 254]], "THREAT_ACTOR: APT10": [[313, 318]], "ORGANIZATION: PwC UK": [[327, 333]], "ORGANIZATION: BAE": [[338, 341]]}, "info": {"id": "cyberner_stix_test_000320", "source": "cyberner_stix_test"}} +{"text": "Trojan.Zekapab Backdoor.Zekapab .", "spans": {"MALWARE: Trojan.Zekapab": [[0, 14]], "MALWARE: Backdoor.Zekapab": [[15, 31]]}, "info": {"id": "cyberner_stix_test_000321", "source": "cyberner_stix_test"}} +{"text": "For example , one zero-day vulnerability exploit ( CVE-2015-2545 ) used by PLATINUM was addressed immediately in September 2015 . The backdoor will load the encrypted configuration file and decrypt it , then use Secure Sockets Layer ( SSL ) protocol to connect to command-and-control ( C&C ) servers .", "spans": {"VULNERABILITY: zero-day vulnerability": [[18, 40]], "VULNERABILITY: CVE-2015-2545": [[51, 64]], "THREAT_ACTOR: PLATINUM": [[75, 83]], "TOOL: command-and-control": [[264, 283]], "TOOL: C&C": [[286, 289]]}, "info": {"id": "cyberner_stix_test_000322", "source": "cyberner_stix_test"}} +{"text": "31edacd064debdae892ab0bc788091c58a03808997e11b6c46a6a5de493ed25d 87ffec0fe0e7a83e6433694d7f24cfde2f70fc45800aa2acb8e816ceba428951 eabc604fe6b5943187c12b8635755c303c450f718cc0c8e561df22a27264f101 Kernel Backdoor found in Gadgets Powered by Popular Chinese ARM Since that analysis , CTU researchers have observed multiple BRONZE UNION threat campaigns that illustrate the evolution of the group 's methods and espionage objectives . Outlaw : 1800de5f0fb7c5ef3c0d9787260ed61bc324d861bc92d9673d4737d1421972aa Cryptocurrency miner Trojan.SH.MALXMR.UWEJP . 
In addition , individuals like Hack520 prove that these threat actors are composed of varied individuals who have their own set of expertise .", "spans": {"SYSTEM: ARM": [[255, 258]], "ORGANIZATION: CTU": [[281, 284]], "THREAT_ACTOR: Outlaw": [[431, 437]], "FILEPATH: 1800de5f0fb7c5ef3c0d9787260ed61bc324d861bc92d9673d4737d1421972aa": [[440, 504]], "TOOL: Cryptocurrency miner": [[505, 525]], "MALWARE: Trojan.SH.MALXMR.UWEJP": [[526, 548]], "THREAT_ACTOR: Hack520": [[582, 589]]}, "info": {"id": "cyberner_stix_test_000323", "source": "cyberner_stix_test"}} +{"text": "Within days , the Check Point research team detected another instance with a different package name but which uses the same code . Sometimes the attackers send an MS PowerPoint document instead , which exploits CVE-2014-6352 . For example , PwC UK has observed APT10 compiling DLLs out of tools , such as Mimikatz and PwDump6 , and using legitimate , signed software , such as Windows Defender to load the malicious payloads .", "spans": {"ORGANIZATION: Check Point": [[18, 29]], "THREAT_ACTOR: attackers": [[145, 154]], "MALWARE: MS PowerPoint document": [[163, 185]], "VULNERABILITY: CVE-2014-6352": [[211, 224]], "ORGANIZATION: PwC UK": [[241, 247]], "THREAT_ACTOR: APT10": [[261, 266]], "MALWARE: Mimikatz": [[305, 313]], "MALWARE: PwDump6": [[318, 325]], "MALWARE: signed software": [[351, 366]], "SYSTEM: Windows": [[377, 384]]}, "info": {"id": "cyberner_stix_test_000324", "source": "cyberner_stix_test"}} +{"text": "Volexity has also found that , in addition to sending malware lures , the Patchwork threat actors are leveraging unique tracking links in their e-mails for the purpose of identifying which recipients opened their e-mail messages . 
Examples as early as 2008 document malware operations against Tibetan non-governmental organizations ( NGOs ) that also targeted Falun Gong and Uyghur groups .", "spans": {"ORGANIZATION: Volexity": [[0, 8]], "THREAT_ACTOR: Patchwork threat actors": [[74, 97]], "FILEPATH: document malware": [[257, 273]], "ORGANIZATION: Tibetan non-governmental organizations": [[293, 331]], "ORGANIZATION: NGOs": [[334, 338]], "ORGANIZATION: Falun Gong": [[360, 370]], "ORGANIZATION: Uyghur groups": [[375, 388]]}, "info": {"id": "cyberner_stix_test_000325", "source": "cyberner_stix_test"}} +{"text": "Seedworm likely functions as a cyber espionage group to secure actionable intelligence that could benefit their sponsor 's interests . We identified file creation times for numerous files that TEMP.Veles created during lateral movement on a target 's network .", "spans": {"THREAT_ACTOR: Seedworm": [[0, 8]], "THREAT_ACTOR: cyber espionage group": [[31, 52]], "THREAT_ACTOR: TEMP.Veles": [[193, 203]]}, "info": {"id": "cyberner_stix_test_000326", "source": "cyberner_stix_test"}} +{"text": "The regsvr32.exe executable can be used to download a Windows Script Component file ( SCT file ) by passing the URL of the SCT file as an argument .", "spans": {"FILEPATH: regsvr32.exe": [[4, 16]], "SYSTEM: Windows": [[54, 61]], "TOOL: Script Component": [[62, 78]], "TOOL: SCT": [[86, 89]]}, "info": {"id": "cyberner_stix_test_000327", "source": "cyberner_stix_test"}} +{"text": "CTU researchers do not have evidence that these spearphishing emails are connected to the DNC network compromise that was revealed on June 14 .", "spans": {"ORGANIZATION: CTU": [[0, 3]], "TOOL: emails": [[62, 68]], "ORGANIZATION: DNC": [[90, 93]]}, "info": {"id": "cyberner_stix_test_000328", "source": "cyberner_stix_test"}} +{"text": "AdFind — This command-line tool conducts AD queries .", "spans": {"TOOL: AdFind": [[0, 6]], "TOOL: AD": [[41, 43]]}, "info": {"id": "cyberner_stix_test_000329", "source": "cyberner_stix_test"}} +{"text": 
"As mentioned in a recent ISC diary entry , the macro gets the contents of cells in column 170 in rows 2227 to 2248 to obtain the base64 encoded payload .", "spans": {"TOOL: ISC": [[25, 28]], "TOOL: macro": [[47, 52]]}, "info": {"id": "cyberner_stix_test_000330", "source": "cyberner_stix_test"}} +{"text": "As recently as this past week , researchers observed Chinese hackers escalating cyber-attack efforts to steal military research secrets from US universities . Much like the observers watching the shadows of objects cast upon the wall of the cave , these two definitions ( XENOTIME and TEMP.Veles , both presumably referring to \" the TRITON actor \" ) describe the same phenomena , yet at the same time appear different .", "spans": {"ORGANIZATION: universities": [[144, 156]], "THREAT_ACTOR: XENOTIME": [[272, 280]], "THREAT_ACTOR: TEMP.Veles": [[285, 295]], "THREAT_ACTOR: TRITON": [[333, 339]]}, "info": {"id": "cyberner_stix_test_000331", "source": "cyberner_stix_test"}} +{"text": "These dumpers are quickly removed once they have done their job .", "spans": {}, "info": {"id": "cyberner_stix_test_000332", "source": "cyberner_stix_test"}} +{"text": "There is a ‘ protected apps ’ list in this brand ’ s smartphones , related to a battery-saving concept . A high volume of redirections from the compromised site continues into mid-January 2017 . 
APT41 has been active since as early as 2012 .", "spans": {"THREAT_ACTOR: redirections": [[122, 134]], "THREAT_ACTOR: APT41": [[195, 200]]}, "info": {"id": "cyberner_stix_test_000333", "source": "cyberner_stix_test"}} +{"text": "In April 2016 , a security researcher demonstrated a way to bypass this using regsvr32.exe , a legitimate Microsoft executable permitted to execute in many AppLocker policies .", "spans": {"FILEPATH: regsvr32.exe": [[78, 90]], "TOOL: legitimate Microsoft executable": [[95, 126]]}, "info": {"id": "cyberner_stix_test_000334", "source": "cyberner_stix_test"}} +{"text": "In addition to adding the code , the attackers also changed the icon and package name . The Buhtrap group is well known for its targeting of financial institutions and businesses in Russia . We have also shared more details with our threat intelligence customers in the past .", "spans": {"THREAT_ACTOR: Buhtrap": [[92, 99]], "ORGANIZATION: financial institutions": [[141, 163]]}, "info": {"id": "cyberner_stix_test_000335", "source": "cyberner_stix_test"}} +{"text": "FireEye analyzed the malware found on DNC networks and determined that it was consistent with our previous observations of APT28 tools .", "spans": {"ORGANIZATION: FireEye": [[0, 7]], "ORGANIZATION: DNC": [[38, 41]], "THREAT_ACTOR: APT28": [[123, 128]]}, "info": {"id": "cyberner_stix_test_000336", "source": "cyberner_stix_test"}} +{"text": "Mandianta 's APT1 report was the first to change the game , and paved the way for private security companies to expose advanced threat actors en masse . 
The backdoor can connect to any of the C&Cs from a hardcoded list – a measure to increase resilience .", "spans": {"ORGANIZATION: Mandianta": [[0, 9]], "THREAT_ACTOR: APT1": [[13, 17]], "ORGANIZATION: private security companies": [[82, 108]], "THREAT_ACTOR: threat actors": [[128, 141]], "FILEPATH: backdoor": [[157, 165]]}, "info": {"id": "cyberner_stix_test_000337", "source": "cyberner_stix_test"}} +{"text": "Shamoon2 : analytics-google.org : 69/checkFile.aspx .", "spans": {"MALWARE: Shamoon2": [[0, 8]], "IP_ADDRESS: analytics-google.org : 69/checkFile.aspx": [[11, 51]]}, "info": {"id": "cyberner_stix_test_000338", "source": "cyberner_stix_test"}} +{"text": "At peak times of activity , we have seen up to 23 different apps from this family submitted to Play in one day . Blackgear 's campaigns also use email as an entry point , which is why it's important to secure the email gateway . The data is stored in the last 0x100 bytes of the file . Next , it sends a “ C_SC_NA_1 – single command ” to each hardcoded IOA to modify the state of the target station ’s IOA ( OFF or ON ) .", "spans": {"SYSTEM: Play": [[95, 99]]}, "info": {"id": "cyberner_stix_test_000339", "source": "cyberner_stix_test"}} +{"text": "The malware checks the infected system ’s information and compares it to a given value .", "spans": {}, "info": {"id": "cyberner_stix_test_000340", "source": "cyberner_stix_test"}} +{"text": "The email purported to have been sent from legitimate email ids .", "spans": {"TOOL: email": [[4, 9], [54, 59]]}, "info": {"id": "cyberner_stix_test_000341", "source": "cyberner_stix_test"}} +{"text": "] 64 [ . In 2017 , APT37 targeted a company in Middle East that entered into a joint venture with the North Korean government to provide telecommunications service to the country . To decrypt the configuration data, the malware uses XOR with 25-character keys such as “waEHleblxiQjoxFJQaIMLdHKz” that are different for every . 
Additionally , different attackers may have different motivations .", "spans": {"THREAT_ACTOR: APT37": [[19, 24]], "ORGANIZATION: telecommunications service": [[137, 163]]}, "info": {"id": "cyberner_stix_test_000342", "source": "cyberner_stix_test"}} +{"text": "Symantec tracks the group behind this activity as Blackfly and detects the malware they use as Backdoor.Winnti . The exploit installs Silence’s loader , designed to download backdoors and other malicious programs .", "spans": {"ORGANIZATION: Symantec": [[0, 8]], "THREAT_ACTOR: Blackfly": [[50, 58]], "TOOL: Backdoor.Winnti": [[95, 110]], "VULNERABILITY: exploit": [[117, 124]], "THREAT_ACTOR: Silence’s": [[134, 143]]}, "info": {"id": "cyberner_stix_test_000343", "source": "cyberner_stix_test"}} +{"text": "The script then waits 20 minutes before it runs the wrapper script initall :", "spans": {}, "info": {"id": "cyberner_stix_test_000344", "source": "cyberner_stix_test"}} +{"text": "The first type of content , starting with “ method=install ” , will be sent when the app is started for the first time , including the following device private information : Victim identifier Network operator Device model Device OS version Phone number Device identifier App version Country The second type of information will be sent periodically to indicate that the device is alive . The two variants of Helminth do require different delivery methods , with the script variant relying on an Excel spreadsheet for delivery , while the executable variant is more traditional in the fact that it can be installed without a delivery document . Gamaredon : http://get-icons.ddns.net/apu.dot/ . 
Monitor MSSQL Servers with access to OT systems and networks for evidence of : • Reconnaissance and enumeration activity of MSSQL servers and credentials .", "spans": {"TOOL: Helminth": [[407, 415]], "THREAT_ACTOR: Gamaredon": [[643, 652]], "URL: http://get-icons.ddns.net/apu.dot/": [[655, 689]]}, "info": {"id": "cyberner_stix_test_000345", "source": "cyberner_stix_test"}} +{"text": "For example , in a 2015 attack on one South American foreign ministry , the group appeared to be searching for very specific information . The samples provided were alleged to be targeting Tibetan and Chinese Pro-Democracy Activists .", "spans": {"THREAT_ACTOR: group": [[76, 81]]}, "info": {"id": "cyberner_stix_test_000346", "source": "cyberner_stix_test"}} +{"text": "The attackers use their access to deploy additional tools and malware to other endpoints or escalate privileges in the network .", "spans": {}, "info": {"id": "cyberner_stix_test_000347", "source": "cyberner_stix_test"}} +{"text": "Over the last twelve months , Microsoft has delivered nearly 1400 nation-state notifications to those who have been targeted or compromised by STRONTIUM .", "spans": {"ORGANIZATION: Microsoft": [[30, 39]], "THREAT_ACTOR: STRONTIUM": [[143, 152]]}, "info": {"id": "cyberner_stix_test_000348", "source": "cyberner_stix_test"}} +{"text": "The TRITON sample Mandiant analyzed added an attacker-provided program to the execution table of the Triconex controller . 
Trend Micro endpoint solutions such as Trend Micro™ Smart Protection Suites and Worry-Free™ Business Security can protect users and businesses from these threats by detecting malicious files and spammed messages as well as blocking all related malicious URLs .", "spans": {"THREAT_ACTOR: TRITON": [[4, 10]], "ORGANIZATION: Mandiant": [[18, 26]], "TOOL: Triconex controller": [[101, 120]], "ORGANIZATION: Trend Micro": [[123, 134]], "ORGANIZATION: Trend Micro™ Smart Protection Suites": [[162, 198]], "ORGANIZATION: Worry-Free™ Business Security": [[203, 232]], "ORGANIZATION: businesses": [[255, 265]], "FILEPATH: malicious files": [[298, 313]]}, "info": {"id": "cyberner_stix_test_000349", "source": "cyberner_stix_test"}} +{"text": "Enlarge / Hummingbad/Shedun infections by Android version . In November 2017 , CTU researchers discovered the North Korean cyber threat group , known as Lazarus Group , had launched a malicious spearphishing campaign using the lure of a job opening for the CFO role at a European-based cryptocurrency company . APT33 : 195.20.52.172 mynetwork.cf . 
In other instances , such as the Babuk source code , the leaks were seemingly an operational error .", "spans": {"MALWARE: Hummingbad/Shedun": [[10, 27]], "SYSTEM: Android": [[42, 49]], "ORGANIZATION: CTU": [[79, 82]], "THREAT_ACTOR: cyber threat group": [[123, 141]], "THREAT_ACTOR: Lazarus Group": [[153, 166]], "ORGANIZATION: cryptocurrency company": [[286, 308]], "THREAT_ACTOR: APT33": [[311, 316]], "IP_ADDRESS: 195.20.52.172": [[319, 332]], "DOMAIN: mynetwork.cf": [[333, 345]], "MALWARE: Babuk source code": [[381, 398]]}, "info": {"id": "cyberner_stix_test_000350", "source": "cyberner_stix_test"}} +{"text": "And my answer for this is : neither is perfect , but both are useful – depending upon your goals and objectives .", "spans": {}, "info": {"id": "cyberner_stix_test_000351", "source": "cyberner_stix_test"}} +{"text": "But if your device is not from a Chinese manufacturer , then chances that you are a victim of it , are very less . GhostNet represents a network of compromised computers resident in high-value political , economic , and media locations spread across numerous countries worldwide . In almost every case , APT backdoors initiate outbound connections to the intruder ’s “ command and control ” ( C2 ) server . We have discovered and analysed two previously unknown infector vectors that were used in the MiniDuke attacks .", "spans": {"ORGANIZATION: political": [[193, 202]], "ORGANIZATION: economic": [[205, 213]], "ORGANIZATION: media": [[220, 225]], "TOOL: C2": [[393, 395]], "THREAT_ACTOR: MiniDuke attacks": [[501, 517]]}, "info": {"id": "cyberner_stix_test_000352", "source": "cyberner_stix_test"}} +{"text": "'Improvise' is a toolset for configuration , post-processing , payload setup and execution vector selection for survey/exfiltration tools supporting all major operating systems like Windows (Bartender) , MacOS (JukeBox) and Linux (DanceFloor) . 
The decoy documents dropped suggest that the targets are likely to be politically or militarily motivated , with subjects such as Intelligence reports and political situations being used as lure documents .", "spans": {"MALWARE: 'Improvise'": [[0, 11]], "FILEPATH: decoy documents": [[249, 264]], "ORGANIZATION: politically": [[315, 326]], "ORGANIZATION: militarily": [[330, 340]], "ORGANIZATION: political": [[400, 409]]}, "info": {"id": "cyberner_stix_test_000353", "source": "cyberner_stix_test"}} +{"text": "Two strings are passed into the call , the shortcode and keyword used for SMS billing ( getter methods renamed here for clarity ) . In contrast to many other APT campaigns , which tend to rely heavily on spear phishing to gain victims , \" th3bug \" is known for compromising legitimate websites their intended visitors are likely to frequent . Uninstall Uninstall and terminate ZxShell bot DLL . The exploits were sourced from different VPN provider IP addresses and previously compromised third - party devices .", "spans": {"MALWARE: ZxShell": [[377, 384]], "TOOL: DLL": [[389, 392]], "SYSTEM: VPN provider": [[436, 448]], "SYSTEM: IP addresses": [[449, 461]], "ORGANIZATION: previously compromised third - party devices .": [[466, 512]]}, "info": {"id": "cyberner_stix_test_000354", "source": "cyberner_stix_test"}} +{"text": "EventBot VirusTotal search for the malicious IP address VirusTotal search for the malicious IP address . The following archive caught our attention for exploiting a WinRAR unacev2 module vulnerability and for having interesting content . 
In 2011 , three years after the most recent release of PIVY , attackers used the RAT to compromise security firm RSA and steal data about its SecureID authentication system .", "spans": {"MALWARE: EventBot": [[0, 8]], "MALWARE: archive": [[119, 126]], "VULNERABILITY: vulnerability": [[187, 200]], "MALWARE: PIVY": [[293, 297]], "THREAT_ACTOR: attackers": [[300, 309]], "MALWARE: RAT": [[319, 322]], "ORGANIZATION: security firm RSA": [[337, 354]]}, "info": {"id": "cyberner_stix_test_000355", "source": "cyberner_stix_test"}} +{"text": "Extract information from th GMail app . Russia . Cyber Espionage with a New Malware : The Cybereason Nocturnus team has discovered recent , targeted attacks in the Middle East to deliver the Pierogi backdoor for politically-driven cyber espionage . Ukrainian and Polish government and military organizations among those targeted Talos first discovered a campaign in late April using several malicious files very likely intended for users in Ukraine , based on the content of the lure displayed when the target opens a malicious Microsoft Excel file .", "spans": {"SYSTEM: GMail": [[28, 33]], "ORGANIZATION: Cybereason Nocturnus": [[90, 110]], "MALWARE: Pierogi backdoor": [[191, 207]], "ORGANIZATION: Ukrainian": [[249, 258]], "ORGANIZATION: Polish government": [[263, 280]], "ORGANIZATION: military organizations": [[285, 307]], "ORGANIZATION: Talos": [[329, 334]], "ORGANIZATION: users in Ukraine": [[432, 448]]}, "info": {"id": "cyberner_stix_test_000356", "source": "cyberner_stix_test"}} +{"text": "The code responsible for this verification is shown in the following snippet : How it works When the malware is first started on the device it will begin by hiding its icon from the application drawer . In 2019 , the SectorJ04 group expanded its hacking activities to cover various industrial sectors located across Southeast Asia and East Asia , and is changing the pattern of their attacks from targeted attacks to searching for random victims . 
APT39 facilitates lateral movement through myriad tools such as Remote Desktop Protocol ( RDP ) , Secure Shell ( SSH ) , PsExec , RemCom , and xCmdSvc .", "spans": {"THREAT_ACTOR: SectorJ04": [[217, 226]], "ORGANIZATION: industrial sectors": [[282, 300]], "THREAT_ACTOR: APT39": [[448, 453]], "MALWARE: Remote Desktop Protocol": [[512, 535]], "MALWARE: RDP": [[538, 541]], "MALWARE: Secure Shell": [[546, 558]], "MALWARE: SSH": [[561, 564]], "MALWARE: PsExec": [[569, 575]], "MALWARE: RemCom": [[578, 584]], "MALWARE: xCmdSvc": [[591, 598]]}, "info": {"id": "cyberner_stix_test_000357", "source": "cyberner_stix_test"}} +{"text": "Upon opening of the MS Word document , our embedded file exploits CVE-2017-11882 to drop a malicious fake Norton Security Shell Extension module , 'NavShExt.dll' , which is then injected into iexplore.exe to install the backdoor , begin collection , and activate command and control . After further analysis , it was discovered that the RTF files were exploiting the CVE-2018-0798 vulnerability in Microsoft ’s Equation Editor ( EQNEDT32 ) .", "spans": {"VULNERABILITY: CVE-2017-11882": [[66, 80]], "MALWARE: 'NavShExt.dll'": [[147, 161]], "MALWARE: iexplore.exe": [[192, 204]], "FILEPATH: RTF files": [[337, 346]], "VULNERABILITY: CVE-2018-0798": [[367, 380]], "ORGANIZATION: Microsoft": [[398, 407]], "TOOL: Equation Editor": [[411, 426]], "TOOL: EQNEDT32": [[429, 437]]}, "info": {"id": "cyberner_stix_test_000358", "source": "cyberner_stix_test"}} +{"text": "In January 2017 , new domain names appeared in the campaign hosted on a different IP location . 
The APT38 uses DYEPACK to manipulate the SWIFT transaction records and hide evidence of the malicious transactions , so bank personnel are none the wiser when they review recent transactions .", "spans": {"THREAT_ACTOR: APT38": [[100, 105]], "MALWARE: DYEPACK": [[111, 118]], "ORGANIZATION: bank personnel": [[216, 230]]}, "info": {"id": "cyberner_stix_test_000359", "source": "cyberner_stix_test"}} +{"text": "Gallmaker 's activity appears to be highly targeted , with its victims all related to government , military , or defense sectors . Since early 2013 , we have observed activity from a unique threat actor group , which we began to investigate based on increased activities against human right activists in the beginning of 2015 .", "spans": {"THREAT_ACTOR: Gallmaker": [[0, 9]], "ORGANIZATION: government": [[86, 96]], "ORGANIZATION: military": [[99, 107]], "ORGANIZATION: defense sectors": [[113, 128]], "ORGANIZATION: activists": [[291, 300]]}, "info": {"id": "cyberner_stix_test_000360", "source": "cyberner_stix_test"}} +{"text": "Perhaps the app ’ s false capabilities also fueled the low number of downloads . In one remarkable case , the Carbanak 2.0 gang used its access to a financial institution that stores information about shareholders to change the ownership details of a large company . 
Last , As the victims of commercial spyware are highly targeted individuals , the sobering truth is that some attackers have the means to be able to spend six figures to compromise a single target .", "spans": {"VULNERABILITY: Carbanak": [[110, 118]], "ORGANIZATION: financial institution": [[149, 170]], "TOOL: commercial spyware": [[292, 310]], "ORGANIZATION: individuals": [[331, 342]]}, "info": {"id": "cyberner_stix_test_000361", "source": "cyberner_stix_test"}} +{"text": "A lull in June 2016 associated with a disruption in the Necurs botnet ; TA505 is heavily reliant on this massive botnet to send out high-volume malicious spam campaigns and disappearances of TA505 activity frequently accompany disruptions in Necurs .", "spans": {"MALWARE: Necurs": [[56, 62], [242, 248]], "THREAT_ACTOR: TA505": [[72, 77], [191, 196]]}, "info": {"id": "cyberner_stix_test_000362", "source": "cyberner_stix_test"}} +{"text": "In 2017 , APT37 expanded its targeting beyond the Korean peninsula to include Japan , Vietnam and the Middle East , and to a wider range of industry verticals , including chemicals , electronics , manufacturing , aerospace , automotive and healthcare entities . The Cloud Atlas implants utilize a rather unusual C&C mechanism .", "spans": {"THREAT_ACTOR: APT37": [[10, 15]], "ORGANIZATION: chemicals": [[171, 180]], "ORGANIZATION: electronics": [[183, 194]], "ORGANIZATION: manufacturing": [[197, 210]], "ORGANIZATION: aerospace": [[213, 222]], "ORGANIZATION: automotive": [[225, 235]], "ORGANIZATION: healthcare entities": [[240, 259]]}, "info": {"id": "cyberner_stix_test_000363", "source": "cyberner_stix_test"}} +{"text": "Figure 1 shows one such landing page using stolen branding from Bank Austria . Once the script runs , it passes the decoded script from the image file to the Windows command line in a variable $x , which uses cmd.exe to execute the obfuscated script and run it via PowerShell . 
FIN10 is a financially motivated threat group that has targeted organizations in North America since at least 2013 through 2016 .", "spans": {"THREAT_ACTOR: it": [[102, 104]], "MALWARE: cmd.exe": [[209, 216]], "TOOL: PowerShell": [[265, 275]], "THREAT_ACTOR: FIN10": [[278, 283]]}, "info": {"id": "cyberner_stix_test_000364", "source": "cyberner_stix_test"}} +{"text": "As such , the blog continues to push forward the narrative of how ICS attacks are enabled through prepositioning and initial intrusion operations – an item I have discussed at length .", "spans": {}, "info": {"id": "cyberner_stix_test_000365", "source": "cyberner_stix_test"}} +{"text": "Ginp - A malware patchwork borrowing from Anubis November 2019 Intro ThreatFabric analysts have recently investigated an interesting new strain of banking malware . For example , Comodo was defeated by CIA malware placing itself in the Window's Recycle Bin . They have also targeted companies related to industrial control systems .", "spans": {"MALWARE: Ginp": [[0, 4]], "MALWARE: Anubis": [[42, 48]], "SYSTEM: ThreatFabric": [[69, 81]], "ORGANIZATION: Comodo": [[179, 185]], "THREAT_ACTOR: CIA": [[202, 205]]}, "info": {"id": "cyberner_stix_test_000366", "source": "cyberner_stix_test"}} +{"text": "The threat actor attempted to compromise critical assets , such as database servers , billing servers , and the active directory . Several times , APT5 has targeted organizations and personnel based in Southeast Asia .", "spans": {"THREAT_ACTOR: threat actor": [[4, 16]], "THREAT_ACTOR: APT5": [[147, 151]], "ORGANIZATION: organizations": [[165, 178]], "ORGANIZATION: personnel": [[183, 192]]}, "info": {"id": "cyberner_stix_test_000367", "source": "cyberner_stix_test"}} +{"text": "Zygote is the core process in the Android OS that is used as a template for every application , which means that once the Trojan gets into Zygote , it becomes a part of literally every app that is launched on the device . 
Earlier this month , we caught another zero-day Adobe Flash Player exploit deployed in targeted attacks . This suggests that the threat actors are not only focused on financial organizations , as their target set could include other industries as well .", "spans": {"SYSTEM: Zygote": [[0, 6], [139, 145]], "SYSTEM: Android": [[34, 41]], "VULNERABILITY: zero-day Adobe Flash Player exploit": [[261, 296]], "THREAT_ACTOR: actors": [[358, 364]], "ORGANIZATION: financial organizations": [[389, 412]]}, "info": {"id": "cyberner_stix_test_000368", "source": "cyberner_stix_test"}} +{"text": "Five of the individuals also had a hillaryclinton.com email account that was targeted by TG-4127 .", "spans": {"DOMAIN: hillaryclinton.com": [[35, 53]], "TOOL: email": [[54, 59]], "THREAT_ACTOR: TG-4127": [[89, 96]]}, "info": {"id": "cyberner_stix_test_000369", "source": "cyberner_stix_test"}} +{"text": "In November 2018 , a version of the Trojan for the English market appeared in the shape of Gumtree.apk . The PowerShell script will look at the architecture of the system to check which malicious DLL files should be downloaded . In this campaign , the dropper filename was beauty.scr .", "spans": {"TOOL: PowerShell script": [[109, 126]], "MALWARE: malicious DLL files": [[186, 205]], "FILEPATH: beauty.scr": [[273, 283]]}, "info": {"id": "cyberner_stix_test_000370", "source": "cyberner_stix_test"}} +{"text": "Based on this , we do not believe that the Dukes are replacing their covert and targeted campaigns with the overt and opportunistic CozyDuke and CloudDuke style of campaigns .", "spans": {"THREAT_ACTOR: Dukes": [[43, 48]], "MALWARE: CozyDuke": [[132, 140]], "MALWARE: CloudDuke": [[145, 154]]}, "info": {"id": "cyberner_stix_test_000371", "source": "cyberner_stix_test"}} +{"text": "It is a worrying observation . 
Confucius' operations include deploying bespoke backdoors and stealing files from their victim 's systems with tailored file stealers , some of which bore resemblances to Patchwork 's . Because of these carefully designed layers of polymorphism , a traditional file-based detection approach wouldn’t be effective against Dexphot . While the use of web shells is common amongst threat actors , the parent processes , timing , and victim(s ) of these files clearly indicate activity that commenced with the abuse of Microsoft Exchange .", "spans": {"THREAT_ACTOR: Patchwork": [[202, 211]], "MALWARE: Dexphot": [[352, 359]]}, "info": {"id": "cyberner_stix_test_000372", "source": "cyberner_stix_test"}} +{"text": "How they did it : GRU hackers .", "spans": {}, "info": {"id": "cyberner_stix_test_000373", "source": "cyberner_stix_test"}} +{"text": "Indexed directories on C2 infrastructure While exfiltrated content is encrypted , information used to generate the password is plainly visible in the top level directories for each device . Resecurity claims that IRIDIUM breached Citrix 's network during December 2018 . The names suggest websites that professionals might visit : Instead of using twitter ’s google - analytic account , we used an account we control .", "spans": {"ORGANIZATION: Resecurity": [[190, 200]], "ORGANIZATION: Citrix": [[230, 236]], "SYSTEM: twitter ’s google - analytic account": [[348, 384]]}, "info": {"id": "cyberner_stix_test_000374", "source": "cyberner_stix_test"}} +{"text": "EventBot method responsible for the library loading The method responsible for the library loading . In addition , a current ANY.RUN playback of our observed Elise infection is also available . 
Many of the fake personas utilized by APT35 claimed to be part of news organizations , which led to APT35 being referred to as the Newscaster Team .", "spans": {"MALWARE: ANY.RUN": [[125, 132]], "MALWARE: Elise": [[158, 163]], "THREAT_ACTOR: APT35": [[232, 237], [294, 299]], "ORGANIZATION: news organizations": [[260, 278]], "THREAT_ACTOR: Newscaster Team": [[325, 340]]}, "info": {"id": "cyberner_stix_test_000375", "source": "cyberner_stix_test"}} +{"text": "of our analysis , we also found samples sharing code with the ViceLeaker malware , in particular they shared a delimiter that was used in both cases to parse commands from the C2 server . Since the middle of 2015 , one of the preferred attack vectors for BlackEnergy in Ukraine has been Excel documents with macros that drop the Trojan to disk if the user chooses to run the script in the document . ScarCruft also attacked a diplomatic agency in Hong Kong , and another diplomatic agency in North Korea .", "spans": {"MALWARE: ViceLeaker": [[62, 72]], "THREAT_ACTOR: BlackEnergy": [[255, 266]], "THREAT_ACTOR: ScarCruft": [[400, 409]]}, "info": {"id": "cyberner_stix_test_000376", "source": "cyberner_stix_test"}} +{"text": "While analyzing the code , we found that the whole system consists of four critical components , as follows : penetration solutions , ways to get inside the device , either via SMS/email or a legitimate app low-level native code , advanced exploits and spy tools beyond Android ’ s security framework high-level Java agent – the app ’ s malicious APK command-and-control ( C & C ) servers , used to remotely send/receive malicious commands Attackers use two methods to get targets to download RCSAndroid . FIN7 is a financially-motivated threat group that has been associated with malicious operations dating back to late 2015 . 
If the variable registers for the comparison and assignment are different , Therefore , there are cases where these vulnerabilities are accessible via the internet .", "spans": {"SYSTEM: Android": [[270, 277]], "MALWARE: RCSAndroid": [[493, 503]], "THREAT_ACTOR: FIN7": [[506, 510]], "THREAT_ACTOR: threat group": [[538, 550]], "VULNERABILITY: vulnerabilities are accessible via the internet": [[745, 792]]}, "info": {"id": "cyberner_stix_test_000377", "source": "cyberner_stix_test"}} +{"text": "It is interesting to observe that the actual target list contains : 7 French banking apps 7 U.S. banking apps 1 Japanese banking app 15 non-banking apps This uncommon target list might either be the result of specific customer demand , or due to some actors having partially reused an existing target list . Prior to 2019 , the SectorJ04 group conducted large-scale hacking activities for financial gain using exploit kits on websites to install ransomware , such as Locky and GlobeImporter , along with its banking Trojan , on its victims computers . The group has demonstrated the ability to identify a significant zero-day vulnerability within a popular Japanese corporate tool and then use scan-and-exploit techniques to indiscriminately compromise Japanese Internet-facing enterprise systems .", "spans": {"THREAT_ACTOR: SectorJ04": [[328, 337]], "TOOL: exploit kits": [[410, 422]], "TOOL: Locky": [[467, 472]], "TOOL: GlobeImporter": [[477, 490]], "TOOL: banking Trojan": [[508, 522]], "VULNERABILITY: zero-day": [[617, 625]]}, "info": {"id": "cyberner_stix_test_000378", "source": "cyberner_stix_test"}} +{"text": "This method checks if eight hours have passed from the first run of application , and if so , request containing the device ’ s data to the server . This vulnerability was discovered by FireEye in September 2017 , and it is a vulnerability we have observed being exploited in the wild . 
We observed several attacks in June and July 2013 against targets in the Middle East and the U.S. that dropped a PIVY payload that connected to command-and-control ( CnC ) infrastructure used by the Molerats attackers .", "spans": {"VULNERABILITY: vulnerability": [[154, 167]], "ORGANIZATION: FireEye": [[186, 193]], "MALWARE: PIVY": [[400, 404]], "TOOL: command-and-control": [[431, 450]], "TOOL: CnC": [[453, 456]], "THREAT_ACTOR: Molerats": [[486, 494]], "THREAT_ACTOR: attackers": [[495, 504]]}, "info": {"id": "cyberner_stix_test_000379", "source": "cyberner_stix_test"}} +{"text": "Malware code showing decryption of assets Figure 10 . This report demonstrates that Ke3chang is able to successfully penetrate government targets using exploits for vulnerabilities that have already been patched and despite the fact that these ministries have defenses in place . Both are compressed when archived, and both indicate that they are the only file in their ZIP structures as indicated in their local file headers and EOCDs . We have observed individuals with managerial , digital marketing , digital media , and human resources roles in companies to have been targeted .", "spans": {"THREAT_ACTOR: Ke3chang": [[84, 92]], "ORGANIZATION: government": [[127, 137]], "ORGANIZATION: individuals with managerial , digital marketing , digital media , and human resources roles": [[455, 546]]}, "info": {"id": "cyberner_stix_test_000380", "source": "cyberner_stix_test"}} +{"text": "HummingBad also has the ability to inject code into Google Play to tamper with its ratings and statistics . In May 2017 , SecureWorks® Counter Threat Unit® ( CTU ) researchers investigated a widespread and opportunistic WCry ( also known as WanaCry , WanaCrypt , and Wana Decrypt0r ) ransomware campaign that impacted many systems around the world . APT33 : 64.251.19.214 [REDACTED].ddns.net . 
None After initial access via this new exploit method , the threat actor leveraged maintain access , and performed anti - forensics techniques on the Microsoft Exchange server in an attempt to hide their activity .", "spans": {"MALWARE: HummingBad": [[0, 10]], "SYSTEM: Google Play": [[52, 63]], "ORGANIZATION: SecureWorks® Counter Threat Unit®": [[122, 155]], "ORGANIZATION: CTU": [[158, 161]], "TOOL: WCry": [[220, 224]], "THREAT_ACTOR: APT33": [[350, 355]], "IP_ADDRESS: 64.251.19.214": [[358, 371]], "DOMAIN: [REDACTED].ddns.net": [[372, 391]], "ORGANIZATION: Microsoft Exchange server": [[544, 569]]}, "info": {"id": "cyberner_stix_test_000381", "source": "cyberner_stix_test"}} +{"text": "At line 5 , local variable v4 specifies the first parameter url , which can be changed by the remote C2 server later . This suggests that the threat actors are not only focused on financial organizations , as their target set could include other industries as well . Gamaredon : e2cb06e0a5c14b4c5f58d0e56a1dc10b6a1007cf56c77ae6cb07946c3dfe82d8 . In the case of ProxyNotShell , the targeted backend service is the Remote PowerShell service .", "spans": {"THREAT_ACTOR: threat actors": [[142, 155]], "ORGANIZATION: financial organizations": [[180, 203]], "THREAT_ACTOR: Gamaredon": [[267, 276]], "FILEPATH: e2cb06e0a5c14b4c5f58d0e56a1dc10b6a1007cf56c77ae6cb07946c3dfe82d8": [[279, 343]], "VULNERABILITY: ProxyNotShell": [[361, 374]]}, "info": {"id": "cyberner_stix_test_000382", "source": "cyberner_stix_test"}} +{"text": "Figure 12 . After the executable is executed , it downloads Pony and Vawtrak malware variants to steal data . Filename: adobe distillist.lnk .", "spans": {"MALWARE: Pony": [[60, 64]], "MALWARE: Vawtrak": [[69, 76]], "FILEPATH: adobe distillist.lnk": [[120, 140]]}, "info": {"id": "cyberner_stix_test_000383", "source": "cyberner_stix_test"}} +{"text": "FireEye detects this activity across our platforms , including named detection for TONEDEAF , VALUEVAULT , and LONGWATCH . 
While there have been several Suckfly campaigns that infected organizations with the group 's custom malware Backdoor.Nidiran , the Indian targets show a greater amount of post-infection activity than targets in other regions .", "spans": {"ORGANIZATION: FireEye": [[0, 7]], "MALWARE: TONEDEAF": [[83, 91]], "MALWARE: VALUEVAULT": [[94, 104]], "MALWARE: LONGWATCH": [[111, 120]], "FILEPATH: Backdoor.Nidiran": [[232, 248]]}, "info": {"id": "cyberner_stix_test_000384", "source": "cyberner_stix_test"}} +{"text": "This section will contain a fake export table mimicking the same export table of the original system DLL chosen . CTU researchers determined that the COBALT GYPSY threat group orchestrated this activity due to the tools , techniques , and procedures ( TTPs ) used in both campaigns . Loads next-stage payload using custom .png steganography . Further analysis of COSMICENERGY is available as part of .", "spans": {"ORGANIZATION: CTU": [[114, 117]], "THREAT_ACTOR: COBALT GYPSY": [[150, 162]], "THREAT_ACTOR: threat group": [[163, 175]], "TOOL: custom .png steganography": [[315, 340]], "MALWARE: COSMICENERGY": [[363, 375]]}, "info": {"id": "cyberner_stix_test_000385", "source": "cyberner_stix_test"}} +{"text": "The variety of malware delivered by the group also demonstrates their deep connections to the underground malware scene .", "spans": {}, "info": {"id": "cyberner_stix_test_000386", "source": "cyberner_stix_test"}} +{"text": "We believe that it is the largest Google account breach to date , and we are working with Google to continue the investigation . The group has used phishing emails with Flash animation attachments to download and execute Daserf malware , and has also leveraged Flash exploits for SWC attacks . 
To handle this type of scenario , For more information , contact : intelreports@kaspersky.comPowerShell event logs for the creation of an arbitrary process from PowerShell .", "spans": {"MALWARE: Google": [[34, 40]], "ORGANIZATION: Google": [[90, 96]], "THREAT_ACTOR: group": [[133, 138]], "TOOL: Daserf malware": [[221, 235]], "VULNERABILITY: Flash exploits": [[261, 275]], "TOOL: PowerShell": [[455, 465]]}, "info": {"id": "cyberner_stix_test_000387", "source": "cyberner_stix_test"}} +{"text": "The module aborts the thread receiving C2 command after it fails to correctly execute commands more than six times in a row , i.e. if file or process creation fails .", "spans": {"TOOL: C2": [[39, 41]]}, "info": {"id": "cyberner_stix_test_000388", "source": "cyberner_stix_test"}} +{"text": "rm.rf operatore.italia it.offertetelefonicheperte it.servizipremium assistenza.sim assistenza.linea.riattiva assistenza.linea it.promofferte Exodus Two 64c11fdb317d6b7c9930e639f55863df592f23f3c7c861ddd97048891a90c64b a42a05bf9b412cd84ea92b166d790e8e72f1d01764f93b05ace62237fbabe40e Exodus Two This seems confusing as FireEye earlier publicly declared the TRITON as a discrete entity , linked to a Russian research institution , and christened it as \" TEMP.Veles \" . The records of the domains and IPs involved in this campaign seem to show that the attackers created a new infrastructure specifically for this campaign . 
Reconstruction of the host ’s anti - virus logs indicates “ lun.vbs ” and “ n.bat ” were executed in close time proximity .", "spans": {"MALWARE: Exodus Two": [[141, 151], [282, 292]], "ORGANIZATION: FireEye": [[317, 324]], "TOOL: TRITON": [[355, 361]], "ORGANIZATION: research institution": [[405, 425]], "THREAT_ACTOR: TEMP.Veles": [[451, 461]]}, "info": {"id": "cyberner_stix_test_000389", "source": "cyberner_stix_test"}} +{"text": "by the great enthusiasm , contribution and desire from all in attendance to make this occasion something meaningful , the outcome of which produced some concrete , action-orientated solutions to our shared grievances . The Middle Eastern hacker group in this case is codenamed \" BlackOasis \" Kaspersky found the group was exploiting a Adobe Flash Player zero-day vulnerability ( CVE-2016-4117 ) to remotely deliver the latest version of \" FinSpy \" malware , according to a new blog post published Monday . In particular , we noticed that the Naikon group was spear-phished by an actor we now call \" Hellsing \" .", "spans": {"THREAT_ACTOR: hacker group": [[238, 250]], "THREAT_ACTOR: BlackOasis": [[279, 289]], "ORGANIZATION: Kaspersky": [[292, 301]], "THREAT_ACTOR: group": [[312, 317]], "VULNERABILITY: Adobe Flash Player zero-day vulnerability": [[335, 376]], "VULNERABILITY: CVE-2016-4117": [[379, 392]], "TOOL: FinSpy": [[439, 445]], "THREAT_ACTOR: Naikon group": [[542, 554]], "THREAT_ACTOR: actor": [[579, 584]], "THREAT_ACTOR: Hellsing": [[599, 607]]}, "info": {"id": "cyberner_stix_test_000390", "source": "cyberner_stix_test"}} +{"text": "Once the dropped file ( officeupdate.exe ) is executed the malware drops additional files ( googleupdate.exe , malib.dll and msccvs.dll ) into the %AllUsersProfile%\\Google directory and then executes the dropped googleupdate.exe Upon execution malware makes a connection to the c2 server on port 5555 and sends the system & operating system information along with some base64 encoded strings to the attacker 
as shown below .", "spans": {"FILEPATH: officeupdate.exe": [[24, 40]], "MALWARE: the malware": [[55, 66]], "FILEPATH: googleupdate.exe": [[92, 108], [212, 228]], "FILEPATH: malib.dll": [[111, 120]], "FILEPATH: msccvs.dll": [[125, 135]], "ORGANIZATION: %AllUsersProfile%\\Google": [[147, 171]], "MALWARE: malware": [[244, 251]], "TOOL: c2": [[278, 280]]}, "info": {"id": "cyberner_stix_test_000391", "source": "cyberner_stix_test"}} +{"text": "They have also been seen using Heartbleed vulnerability in order to directly get valid credentials . three computers in China being used to launch the Thrip attacks .", "spans": {"VULNERABILITY: Heartbleed vulnerability": [[31, 55]]}, "info": {"id": "cyberner_stix_test_000392", "source": "cyberner_stix_test"}} +{"text": "In addition to using SWCs to target specific types of organizations , TG-3390 uses spearphishing emails to target specific victims .", "spans": {"TOOL: SWCs": [[21, 25]], "THREAT_ACTOR: TG-3390": [[70, 77]], "TOOL: emails": [[97, 103]]}, "info": {"id": "cyberner_stix_test_000393", "source": "cyberner_stix_test"}} +{"text": "This loader , known as Phorpiex Downloader , is not specifically tied to GandCrab or PINCHY SPIDER , and it has previously been observed dropping other malware , such as Smoke Bot , Azorult , and XMRig . The company specializes in finance and natural resources specific to that region .", "spans": {"TOOL: Phorpiex Downloader": [[23, 42]], "THREAT_ACTOR: GandCrab": [[73, 81]], "THREAT_ACTOR: PINCHY SPIDER": [[85, 98]], "TOOL: Smoke Bot": [[170, 179]], "TOOL: Azorult": [[182, 189]], "TOOL: XMRig": [[196, 201]], "ORGANIZATION: finance": [[231, 238]]}, "info": {"id": "cyberner_stix_test_000394", "source": "cyberner_stix_test"}} +{"text": "In addition to Dipsind and its variants , PLATINUM uses a few other families of custom-built backdoors within its attack toolset . 
In this report , we'll review how the NetTraveler attempted to exploit CVE-2012-0158 to install the NetTraveler Trojan .", "spans": {"TOOL: Dipsind": [[15, 22]], "THREAT_ACTOR: PLATINUM": [[42, 50]], "TOOL: custom-built backdoors": [[80, 102]], "MALWARE: NetTraveler": [[169, 180]], "VULNERABILITY: exploit": [[194, 201]], "VULNERABILITY: CVE-2012-0158": [[202, 215]], "MALWARE: NetTraveler Trojan": [[231, 249]]}, "info": {"id": "cyberner_stix_test_000395", "source": "cyberner_stix_test"}} +{"text": "The Office document contains a VBA script .", "spans": {"TOOL: Office": [[4, 10]], "TOOL: VBA": [[31, 34]]}, "info": {"id": "cyberner_stix_test_000396", "source": "cyberner_stix_test"}} +{"text": "For example , we found several suspicious strings written in the Chinese language in a function called isNetworkAvailable , previously discussed in this blog : An almost identical function is mentioned in an earlier research , that ties FakeSpy and other malware to the Roaming Mantis group . We also unearthed and detailed our other findings on MuddyWater , such as its connection to four Android malware variants and its use of false flag techniques , among others , in our report New MuddyWater Activities Uncovered: Threat Actors Used Multi-Stage Backdoors , False Flags , Android Malware , and More . 
APT15 is known for committing cyberespionage against companies and organizations located in many different countries , targeting different sectors such as the oil industry , government contractors , military , and more .", "spans": {"MALWARE: FakeSpy": [[237, 244]], "ORGANIZATION: Roaming Mantis": [[270, 284]], "THREAT_ACTOR: MuddyWater": [[346, 356]], "TOOL: Android malware": [[390, 405]], "TOOL: Multi-Stage Backdoors": [[539, 560]], "TOOL: False Flags": [[563, 574]], "TOOL: Android Malware": [[577, 592]], "THREAT_ACTOR: APT15": [[606, 611]], "THREAT_ACTOR: cyberespionage": [[636, 650]], "ORGANIZATION: oil industry": [[765, 777]], "ORGANIZATION: government contractors": [[780, 802]], "ORGANIZATION: military": [[805, 813]]}, "info": {"id": "cyberner_stix_test_000397", "source": "cyberner_stix_test"}} +{"text": "Hot patching is an operating system-supported feature for installing updates without having to reboot or restart a process . In addition , the NetTraveler toolkit was able to install additional info-stealing malware as a backdoor , and it could be customized to steal other types of sensitive information such as configuration details for an application or computer-aided design files .", "spans": {"TOOL: operating system-supported feature": [[19, 53]], "MALWARE: NetTraveler toolkit": [[143, 162]]}, "info": {"id": "cyberner_stix_test_000398", "source": "cyberner_stix_test"}} +{"text": "The executable will then load iviewers.dll , which is normally a clean , legitimate file .", "spans": {"FILEPATH: iviewers.dll": [[30, 42]]}, "info": {"id": "cyberner_stix_test_000399", "source": "cyberner_stix_test"}} +{"text": "Instead of relying on SMS messages , which can be easily intercepted by third-party apps , these applications started using push notifications for users , containing the transaction details and the TAN . Most of these data-stealing capabilities were present in the oldest variants of CARBANAK that we have seen and some were added over time . 
In November 2017 , APT34 leveraged the Microsoft Office vulnerability CVE-2017-11882 to deploy POWRUNER and BONDUPDATER less than a week after Microsoft issued a patch .", "spans": {"MALWARE: CARBANAK": [[284, 292]], "THREAT_ACTOR: APT34": [[362, 367]], "TOOL: Microsoft Office": [[382, 398]], "VULNERABILITY: CVE-2017-11882": [[413, 427]], "MALWARE: POWRUNER": [[438, 446]], "MALWARE: BONDUPDATER": [[451, 462]], "ORGANIZATION: Microsoft": [[486, 495]]}, "info": {"id": "cyberner_stix_test_000400", "source": "cyberner_stix_test"}} +{"text": "with a register 0xE CMP Compare the value pointed by the internal VM descriptor with an immediate value 0xF XCHG Exchange the value pointed by the internal VM descriptor with a register 0x10 SHL Jump to a function ( same as opcode 0x1 ) This additional virtual machine performs the same duties as the one already described but in a 64-bit environment . APT34 often uses compromised accounts to conduct spear-phishing operations . In case the payload is bigger than the image used to store it , the remaining payload bytes are simply attached to the image after its IEND marker , and read directly from the file . NoEscape is a new ransomware which been doing the rounds in underground forums since May 2023 .", "spans": {"THREAT_ACTOR: APT34": [[353, 358]], "TOOL: compromised accounts": [[370, 390]], "MALWARE: NoEscape": [[613, 621]]}, "info": {"id": "cyberner_stix_test_000401", "source": "cyberner_stix_test"}} +{"text": "These attackers have used additional malware families in previous activity dating to at least 2015 that include PlugX , Zupdax , 9002 , and Poison Ivy . Assuming this variant of KopiLuwak has been observed in the wild , there are a number of ways it may have been delivered including some of Turla’s previous attack methods such as spear phishing or via a watering hole . 
This week the experts at FireEye discovered that a group of Chinese-based hackers called admin@338 had sent multiple MH370-themed spear phishing emails , the attackers targeted government officials in Asia-Pacific , it is likely for cyber espionage purpose .", "spans": {"MALWARE: PlugX": [[112, 117]], "MALWARE: Zupdax": [[120, 126]], "MALWARE: 9002": [[129, 133]], "MALWARE: Poison Ivy": [[140, 150]], "THREAT_ACTOR: Turla’s": [[292, 299]], "ORGANIZATION: FireEye": [[397, 404]], "THREAT_ACTOR: admin@338": [[461, 470]], "TOOL: emails": [[517, 523]], "THREAT_ACTOR: attackers": [[530, 539]], "ORGANIZATION: government officials": [[549, 569]], "THREAT_ACTOR: cyber espionage": [[605, 620]]}, "info": {"id": "cyberner_stix_test_000402", "source": "cyberner_stix_test"}} +{"text": "backdoor , Xagent , webhp , SPLM .", "spans": {"MALWARE: Xagent": [[11, 17]], "MALWARE: webhp": [[20, 25]], "MALWARE: SPLM": [[28, 32]]}, "info": {"id": "cyberner_stix_test_000403", "source": "cyberner_stix_test"}} +{"text": "] today www [ . Chances are about even , though , that Mofang is a relevant threat actor to any organization that invests in Myanmar or is otherwise politically involved . Akin to turning a battleship , retooling TTPs of large threat actors is formidable . 
The observed activity included creation of web shells for persistent access , remote code execution , and reconnaissance for endpoint security solutions .", "spans": {"THREAT_ACTOR: Mofang": [[55, 61]], "ORGANIZATION: politically": [[149, 160]]}, "info": {"id": "cyberner_stix_test_000404", "source": "cyberner_stix_test"}} +{"text": "X-Force IRIS identified the below malicious document .", "spans": {"ORGANIZATION: X-Force IRIS": [[0, 12]]}, "info": {"id": "cyberner_stix_test_000405", "source": "cyberner_stix_test"}} +{"text": "1000 50″ , ” timestamp ” : ” 1452272572″ } } , { “ command ” : ” sent & & & ” , ” params ” : { “ to ” : ” +79262000900″ , ” body ” : ” BALANCE ” , ” timestamp ” : ” 1452272573″ } } ] Instructions received from the server A comparison can also be made of the format in which Asacub and Smaps forward incoming SMS ( encoded with the base64 algorithm ) from the device to the C & C server : Smaps TG-3390 uses older exploits to compromise targets , and CTU researchers have not observed the threat actors using zero-day exploits as of this publication . The script then waits 20 minutes before it runs the wrapper script initall : The CozyDuke malware utilizes a backdoor and dropper , and exfiltrates data to a C2 server .", "spans": {"THREAT_ACTOR: TG-3390": [[394, 401]], "ORGANIZATION: CTU": [[450, 453]], "VULNERABILITY: zero-day exploits": [[508, 525]], "FILEPATH: initall": [[618, 625]], "MALWARE: CozyDuke": [[632, 640]], "SYSTEM: C2 server": [[709, 718]]}, "info": {"id": "cyberner_stix_test_000406", "source": "cyberner_stix_test"}} +{"text": "The mobile ransomware , detected by Microsoft Defender for Endpoint as AndroidOS/MalLocker.B , is the latest variant of a ransomware family that ’ s been in the wild for a while but has been evolving non-stop . 
Between April 1 , 2018 and May 30 , 2018 , we observed the domain stevemike-fireforce.info used in a Gorgon Group cybercrime campaign involving more than 2,300 emails and 19 documents in the initial attack . It should be noted every function is not always obfuscated . Ashley Madison ’s executives understood that only a handful of employees at the time would have had access to the systems needed to produce the screenshots McNeill published online .", "spans": {"SYSTEM: Microsoft Defender": [[36, 54]], "SYSTEM: systems needed to produce the screenshots McNeill published online": [[594, 660]]}, "info": {"id": "cyberner_stix_test_000407", "source": "cyberner_stix_test"}} +{"text": "Yet one point of confusion in the blog comes at the very start : referring to the entity responsible for TRITON as the “ TRITON actor ” .", "spans": {"MALWARE: TRITON": [[105, 111], [121, 127]]}, "info": {"id": "cyberner_stix_test_000408", "source": "cyberner_stix_test"}} +{"text": "Group-IB specialists have established that the aim of the attack was to deliver and launch the second stage of Silence’s Trojan , known as Silence.MainModule . While in most cases the infection vector remains unknown , the high profile attack from 2014 used a very complex Windows TTF zero-day exploit ( CVE-2014-4148 ) .", "spans": {"ORGANIZATION: Group-IB": [[0, 8]], "THREAT_ACTOR: Silence’s": [[111, 120]], "SYSTEM: Windows": [[273, 280]], "VULNERABILITY: zero-day": [[285, 293]], "VULNERABILITY: exploit": [[294, 301]], "VULNERABILITY: CVE-2014-4148": [[304, 317]]}, "info": {"id": "cyberner_stix_test_000409", "source": "cyberner_stix_test"}} +{"text": "Microsoft ’ s mobile threat defense capabilities further enrich the visibility that organizations have on threats in their networks , as well as provide more tools to detect and respond to threats across domains and across platforms . 
As part of the investigation , Unit 42 researchers were able to identify an interesting characteristic about how the Gorgon Group crew uses shared infrastructure between cybercrime and targeted attacks . 3d2b3c9f50ed36bef90139e6dd250f140c373664984b97a97a5a70333387d18d . The collective has claimed responsibility for DDoS attacks , data theft , and leaks against entities across multiple industries , including transportation , defense , government and military , financial services , global institutions , and telecommunications .", "spans": {"ORGANIZATION: Microsoft": [[0, 9]], "ORGANIZATION: Unit 42": [[266, 273]], "THREAT_ACTOR: Gorgon Group": [[352, 364]], "TOOL: shared infrastructure": [[375, 396]], "FILEPATH: 3d2b3c9f50ed36bef90139e6dd250f140c373664984b97a97a5a70333387d18d": [[439, 503]], "THREAT_ACTOR: DDoS attacks": [[552, 564]]}, "info": {"id": "cyberner_stix_test_000410", "source": "cyberner_stix_test"}} +{"text": "ASPXTool — A modified version of the ASPXSpy web shell .", "spans": {"MALWARE: ASPXTool": [[0, 8]], "MALWARE: ASPXSpy": [[37, 44]], "TOOL: web shell": [[45, 54]]}, "info": {"id": "cyberner_stix_test_000411", "source": "cyberner_stix_test"}} +{"text": "The C2 infrastructure contains a lack of sophistication such as open panels , reuse of old servers publicly tagged as malicious… So what ? This was the case in two known intrusions in 2015 , where attackers named the implant DLL \" ASPNET_FILTER.DLL \" to disguise it as the DLL for the ASP.NET ISAPI Filter . The IXESHE attackers have been actively launching highly targeted attacks since at least July 2009 . 
On June 22 , @AnFam17 spotted the same fake browser update leveraging URL shortcuts .", "spans": {"MALWARE: ASPNET_FILTER.DLL": [[231, 248]], "MALWARE: ASP.NET ISAPI Filter": [[285, 305]], "THREAT_ACTOR: IXESHE": [[312, 318]], "ORGANIZATION: @AnFam17": [[422, 430]]}, "info": {"id": "cyberner_stix_test_000412", "source": "cyberner_stix_test"}} +{"text": "While the JHUHUGIT ( and more recently , “ JKEYSKW ” ) implant used in most of the Sofacy attacks , high profile victims are being targeted with another first level implant , representing the latest evolution of their AZZYTrojan .", "spans": {"MALWARE: JHUHUGIT": [[10, 18]], "MALWARE: JKEYSKW": [[43, 50]], "THREAT_ACTOR: Sofacy": [[83, 89]], "MALWARE: AZZYTrojan": [[218, 228]]}, "info": {"id": "cyberner_stix_test_000413", "source": "cyberner_stix_test"}} +{"text": "Figure 3 : Step two of the credential phish asking for the victim ’ s email address and phone number Having stolen the victim ’ s account and personal information , the scammer introduces a social engineering scheme , informing users that they currently do not have the “ Bank Austria Security App ” installed on their smartphone and must download it to proceed . As an example , DNS records indicate that a targeted domain resolved to an actor-controlled MitM server . 
This group reportedly compromised the Democratic National Committee starting in the summer of 2015 .", "spans": {"SYSTEM: Bank Austria Security App": [[272, 297]], "THREAT_ACTOR: actor-controlled": [[439, 455]], "TOOL: MitM server": [[456, 467]], "ORGANIZATION: Democratic National Committee": [[508, 537]]}, "info": {"id": "cyberner_stix_test_000414", "source": "cyberner_stix_test"}} +{"text": "The majority of victims recorded to date have been in electronic gaming , multimedia , and Internet content industries , although occasional intrusions against technology companies have occurred .", "spans": {"ORGANIZATION: technology companies": [[160, 180]]}, "info": {"id": "cyberner_stix_test_000415", "source": "cyberner_stix_test"}} +{"text": "Of course , Sony ( one of Vevo 's joint owners ) fell victim to a devastating hack in 2014 after a group of hackers calling themselves the \" Guardians of Peace \" dumped a wealth of its confidential data online . We conclude that the actor behind the attack is Silence group , a relatively new threat actor that's been operating since mid-2016 .", "spans": {"ORGANIZATION: Sony": [[12, 16]]}, "info": {"id": "cyberner_stix_test_000416", "source": "cyberner_stix_test"}} +{"text": "Also , some code pieces are directly re-used in the analyzed campaigns , such as the i.cmd and exit.exe files , and , at the same time , some new components have been introduced , for instance the rtegre.exe and the veter1605_MAPS_10cr0.exe file . 
Just a few months later , in February 2015 , we announced the discovery of Carbanak , a cyber-criminal gang that used custom malware and APT techniques to steal millions of dollars while infecting hundreds of financial institutions in at least 30 countries .", "spans": {"MALWARE: i.cmd": [[85, 90]], "MALWARE: exit.exe": [[95, 103]], "MALWARE: rtegre.exe": [[197, 207]], "MALWARE: veter1605_MAPS_10cr0.exe": [[216, 240]], "MALWARE: Carbanak": [[323, 331]], "THREAT_ACTOR: cyber-criminal gang": [[336, 355]], "ORGANIZATION: financial institutions": [[457, 479]]}, "info": {"id": "cyberner_stix_test_000417", "source": "cyberner_stix_test"}} +{"text": "The knowledge graph below shows the various techniques this ransomware family has been seen using , including abusing the system alert window , abusing accessibility features , and , more recently , abusing notification services . Each attack comprises a variety of phases , including reconnaissance , exploitation , command and control , lateral movement , and exfiltration . Unfortunately , • Identify and investigate the creation , transfer , and/or execution of unauthorized Python - packaged executables ( e.g. 
, PyInstaller or Py2Exe ) on OT systems or systems with access to OT resources .", "spans": {"TOOL: PyInstaller": [[518, 529]], "TOOL: Py2Exe": [[533, 539]], "SYSTEM: OT systems": [[545, 555]], "SYSTEM: systems with access to OT resources": [[559, 594]]}, "info": {"id": "cyberner_stix_test_000418", "source": "cyberner_stix_test"}} +{"text": "In all known cases where exploits were employed , we believe the Dukes did not themselves discover the vulnerabilities or design the original exploits ; for the exploited zero-day , we believe the Dukes purchased the exploit .", "spans": {"THREAT_ACTOR: Dukes": [[65, 70], [197, 202]], "VULNERABILITY: zero-day": [[171, 179]]}, "info": {"id": "cyberner_stix_test_000419", "source": "cyberner_stix_test"}} +{"text": "Active setup : StubPath .", "spans": {}, "info": {"id": "cyberner_stix_test_000420", "source": "cyberner_stix_test"}} +{"text": "According to the security experts , this collection of malware was discovered after their first initial report was published , meaning that Group 27 ignored the fact they were unmasked and continued to infect their targets regardless , through the same entry point , the Myanmar Union Election Commission ( UEC ) website . TG-3390 actors have deployed the OwaAuth web shell to Exchange servers , disguising it as an ISAPI filter .", "spans": {"ORGANIZATION: Myanmar Union Election Commission": [[271, 304]], "ORGANIZATION: UEC": [[307, 310]], "THREAT_ACTOR: TG-3390": [[323, 330]], "MALWARE: OwaAuth web shell": [[356, 373]]}, "info": {"id": "cyberner_stix_test_000421", "source": "cyberner_stix_test"}} +{"text": "From the server , the Trojan receives commands ( for example , to send SMS ) and changes in the configuration . Google and Microsoft have already confirmed the Russian hacker group APT28 used a Flash vulnerability CVE-2016-7855 along with this kernel privilege escalation flaw to perform a targeted attack . 
Thanks to this modification , the malware can be executed with a non-administrator account .", "spans": {"ORGANIZATION: Google": [[112, 118]], "ORGANIZATION: Microsoft": [[123, 132]], "THREAT_ACTOR: APT28": [[181, 186]], "VULNERABILITY: CVE-2016-7855": [[214, 227]]}, "info": {"id": "cyberner_stix_test_000422", "source": "cyberner_stix_test"}} +{"text": "Upon execution , this .NET executable checks whether the command line argument is “ /Embedding ” or not .", "spans": {"FILEPATH: .NET": [[22, 26]]}, "info": {"id": "cyberner_stix_test_000423", "source": "cyberner_stix_test"}} +{"text": "millions of users 24 Oct 2019 - 11:30AM We detected a large adware campaign running for about a year , with the involved apps installed eight million times from Google Play alone . Early in Q2 , Kaspersky identified an interesting Lazarus attack targeting a mobile gaming company in South Korea that we believe was aimed at stealing application source code . Contrary to the previous version , the developers moved the core of malware to the library .", "spans": {"SYSTEM: Google Play": [[161, 172]], "ORGANIZATION: Kaspersky": [[195, 204]], "THREAT_ACTOR: Lazarus": [[231, 238]], "ORGANIZATION: mobile gaming": [[258, 271]]}, "info": {"id": "cyberner_stix_test_000424", "source": "cyberner_stix_test"}} +{"text": "Structurally this sample was very similar to the initially analyzed document , but the payload turned out to be a completely new tool which we have named Cannon .", "spans": {"MALWARE: Cannon": [[154, 160]]}, "info": {"id": "cyberner_stix_test_000425", "source": "cyberner_stix_test"}} +{"text": "The macro prepends the string —–BEGIN CERTIFICATE—– to the beginning of the base64 encoded payload and appends —–END CERTIFICATE—– to the end of the data .", "spans": {"TOOL: macro": [[4, 9]]}, "info": {"id": "cyberner_stix_test_000426", "source": "cyberner_stix_test"}} +{"text": "Downeks enumerates any antivirus products installed on the victim machine and transmits the list to the C2 .", 
"spans": {"MALWARE: Downeks": [[0, 7]], "TOOL: C2": [[104, 106]]}, "info": {"id": "cyberner_stix_test_000427", "source": "cyberner_stix_test"}} +{"text": "Backdoor.APT.PittyTiger1.3 ( aka CT RAT ) – This malware is likely used as a second-stage backdoor . Some of the documents exploited CVE-2017-0199 to deliver the payload .", "spans": {"MALWARE: Backdoor.APT.PittyTiger1.3": [[0, 26]], "TOOL: CT RAT": [[33, 39]], "TOOL: second-stage backdoor": [[77, 98]], "FILEPATH: documents": [[113, 122]], "VULNERABILITY: CVE-2017-0199": [[133, 146]]}, "info": {"id": "cyberner_stix_test_000428", "source": "cyberner_stix_test"}} +{"text": "Threat actors may use the date string hardcoded into each Bookworm sample as a build identifier . The executable would install the real Ammyy product , but would also launch a file called either AmmyyService.exe or AmmyySvc.exe which contained the malicious payload .", "spans": {"MALWARE: date string hardcoded": [[26, 47]], "TOOL: Bookworm sample": [[58, 73]], "FILEPATH: AmmyyService.exe": [[195, 211]], "FILEPATH: AmmyySvc.exe": [[215, 227]]}, "info": {"id": "cyberner_stix_test_000429", "source": "cyberner_stix_test"}} +{"text": "The SLUB malware was delivered through watering hole websites that were injected with exploits for CVE-2018-8174 or CVE-2019-0752 . We initially became aware of Careto when we observed attempts to exploit a vulnerability in our products to make the malware \" invisible \" in the system .", "spans": {"THREAT_ACTOR: SLUB": [[4, 8]], "VULNERABILITY: CVE-2018-8174": [[99, 112]], "VULNERABILITY: CVE-2019-0752": [[116, 129]], "FILEPATH: Careto": [[161, 167]], "VULNERABILITY: exploit": [[197, 204]]}, "info": {"id": "cyberner_stix_test_000430", "source": "cyberner_stix_test"}} +{"text": "] com/ hxxp : //files.spamo [ . 
On December 29 , 2016 , the Department of Homeland Security ( DHS ) and Federal Bureau of Investigation ( FBI ) released a Joint Analysis Report confirming FireEye 's long held public assessment that the Russian Government sponsors APT28 . Query: 239055e965eca60000CC30T.66654667676673003300C93CC92212953EDACEDA.33333210100A.sample-domain.evil , Response: 39.2.3.56 , Query: 05639e9652eca6000057C06T.COCTabCOCT33333210100A.sample-domain.evil , Response: 253.25.42.87 . Additionally , while KillNet has targeted NATO countries and organizations since early to mid-2022 , it declared a focused operation against NATO in early 2023 and created a Telegram channel in April 2023 dedicated to this operation .", "spans": {"ORGANIZATION: Department of Homeland Security": [[60, 91]], "ORGANIZATION: DHS": [[94, 97]], "ORGANIZATION: FBI": [[138, 141]], "ORGANIZATION: FireEye": [[188, 195]], "THREAT_ACTOR: APT28": [[264, 269]], "FILEPATH: 239055e965eca60000CC30T.66654667676673003300C93CC92212953EDACEDA.33333210100A.sample-domain.evil": [[279, 375]], "IP_ADDRESS: 39.2.3.56": [[388, 397]], "FILEPATH: 05639e9652eca6000057C06T.COCTabCOCT33333210100A.sample-domain.evil": [[407, 473]], "IP_ADDRESS: 253.25.42.87": [[486, 498]], "ORGANIZATION: targeted NATO countries": [[534, 557]]}, "info": {"id": "cyberner_stix_test_000431", "source": "cyberner_stix_test"}} +{"text": "The Powershell backdoor is ingenious in its simplicity and power .", "spans": {"TOOL: Powershell": [[4, 14]]}, "info": {"id": "cyberner_stix_test_000432", "source": "cyberner_stix_test"}} +{"text": "Numerous Windows hacking tools are also among the new batch of files the Shadow Brokers dumped Friday . 
NetTraveler has been used to target diplomats , embassies and government institutions for over a decade , and remains the tool of choice by the adversaries behind these cyber espionage campaigns .", "spans": {"TOOL: Windows hacking tools": [[9, 30]], "MALWARE: NetTraveler": [[104, 115]], "ORGANIZATION: diplomats": [[140, 149]], "ORGANIZATION: embassies": [[152, 161]], "ORGANIZATION: government institutions": [[166, 189]]}, "info": {"id": "cyberner_stix_test_000433", "source": "cyberner_stix_test"}} +{"text": "Malware used by the threat group can be configured to bypass network-based detection ; however , the threat actors rarely modify host-based configuration settings when deploying payloads .", "spans": {}, "info": {"id": "cyberner_stix_test_000434", "source": "cyberner_stix_test"}} +{"text": "We found that among the leaked files is the code for Hacking Team ’ s open-source malware suite RCSAndroid ( Remote Control System Android ) , which was sold by the company as a tool for monitoring targets . While investigating a 2016 intrusion , Secureworks incident responders identified BRONZE BUTLER exploiting a then-unpatched remote code execution vulnerability ( CVE-2016-7836 ) in SKYSEA Client View , a popular Japanese product used to manage an organization . maturity level . 
Additionally , by using leaked source code , threat actors can confuse or mislead investigators , as security professionals may be more likely to misattribute the activity to the wrong actor .", "spans": {"MALWARE: RCSAndroid": [[96, 106]], "MALWARE: Remote Control System Android": [[109, 138]], "ORGANIZATION: Secureworks": [[247, 258]], "THREAT_ACTOR: BRONZE BUTLER": [[290, 303]], "VULNERABILITY: CVE-2016-7836": [[370, 383]], "ORGANIZATION: security professionals": [[588, 610]], "VULNERABILITY: misattribute the activity to the wrong actor": [[633, 677]]}, "info": {"id": "cyberner_stix_test_000435", "source": "cyberner_stix_test"}} +{"text": "At this point , the attackers know the user has opened the document and send another spear-phishing email , this time containing an MS Word document with an embedded executable . Microsoft addressed the SMBv1 vulnerabilities in March 2017 with Security Bulletin MS17-010 .", "spans": {"THREAT_ACTOR: attackers": [[20, 29]], "MALWARE: MS Word document": [[132, 148]], "ORGANIZATION: Microsoft": [[179, 188]], "TOOL: SMBv1": [[203, 208]], "VULNERABILITY: vulnerabilities": [[209, 224]]}, "info": {"id": "cyberner_stix_test_000436", "source": "cyberner_stix_test"}} +{"text": "The attackers spoofed the email ids associated with Indian Ministry of Home Affairs to send out email to the victims .", "spans": {"TOOL: email": [[26, 31], [96, 101]], "ORGANIZATION: Indian Ministry of Home Affairs": [[52, 83]]}, "info": {"id": "cyberner_stix_test_000437", "source": "cyberner_stix_test"}} +{"text": "READ_SMS - Allows the application to read text messages . FireEye’s Advanced Practices and Intelligence teams were able to identify additional artifacts and activity from the APT34 actors at other victim organizations . 
Gorgon used numerous decoy documents and phishing emails , both styles of attacks lacked overall sophistication .", "spans": {"ORGANIZATION: FireEye’s": [[58, 67]], "THREAT_ACTOR: APT34": [[175, 180]], "ORGANIZATION: victim organizations": [[197, 217]], "THREAT_ACTOR: Gorgon": [[220, 226]], "TOOL: emails": [[270, 276]]}, "info": {"id": "cyberner_stix_test_000438", "source": "cyberner_stix_test"}} +{"text": "Malicious activity Once the activation cycle ends , the trojan will start its malicious activities . The threat group in this recently observed campaign a TEMP.Zagros a weaponized their malware using the following techniques . The malware collects and transmits data from the host , such as hostname and is XOR encoded with the first byte of the network traffic being the key . The SCIL - API interface in MicroSCADA has been disabled - by - default since the release of MicroSCADA 9.4 in 2014 .", "spans": {"THREAT_ACTOR: threat group": [[105, 117]], "TOOL: SCIL - API interface": [[382, 402]], "SYSTEM: MicroSCADA": [[406, 416]], "SYSTEM: MicroSCADA 9.4": [[471, 485]]}, "info": {"id": "cyberner_stix_test_000439", "source": "cyberner_stix_test"}} +{"text": "Quasar serve includes a File Manager window , allowing the attacker to select victim files , and trigger file operations – for example , uploading a file from victim machine to server .", "spans": {"MALWARE: Quasar": [[0, 6]], "TOOL: File Manager window": [[24, 43]]}, "info": {"id": "cyberner_stix_test_000440", "source": "cyberner_stix_test"}} +{"text": "Long-term access to email accounts of senior campaign advisors , who may be appointed to staff positions in a Clinton administration , could provide TG-4127 and the Russian government with access to those individual's accounts .", "spans": {"TOOL: email": [[20, 25]], "THREAT_ACTOR: TG-4127": [[149, 156]]}, "info": {"id": "cyberner_stix_test_000441", "source": "cyberner_stix_test"}} +{"text": "Business and government personnel who are traveling , especially in a 
foreign country , often rely on systems to conduct business other than those at their home office , and may be unfamiliar with threats posed while abroad .", "spans": {}, "info": {"id": "cyberner_stix_test_000442", "source": "cyberner_stix_test"}} +{"text": "In January 2017 , GOLD LOWELL began targeting legitimate RDP account credentials , in some cases discovering and compromising accounts using brute-force techniques . The PassCV group continues to be extremely effective in compromising both small and large game companies and surreptitiously using their code-signing certificates to infect an even larger swath of organizations .", "spans": {"TOOL: RDP": [[57, 60]], "THREAT_ACTOR: PassCV": [[170, 176]], "ORGANIZATION: game companies": [[256, 270]]}, "info": {"id": "cyberner_stix_test_000443", "source": "cyberner_stix_test"}} +{"text": "Detecting threat actors in recent German industrial attacks with Windows Defender ATP .", "spans": {"TOOL: Windows Defender ATP": [[65, 85]]}, "info": {"id": "cyberner_stix_test_000444", "source": "cyberner_stix_test"}} +{"text": "Open remote desktop connection .", "spans": {}, "info": {"id": "cyberner_stix_test_000445", "source": "cyberner_stix_test"}} +{"text": "1819d2546d9c9580193827c0d2f5aad7e7f2856f7d5e6d40fd739b6cecdb1e9e b213c1de737b72f8dd7185186a246277951b651c64812692da0b9fdf1be5bf15 453e7827e943cdda9121948f3f4a68d6289d09777538f92389ca56f6e6de03f0 0246dd4acd9f64ff1508131c57a7b29e995e102c74477d5624e1271700ecb0e2 The attackers appeared to be Chinese-speaking and targeted mainly top-level government agencies and civil and military organizations in countries such as the Philippines , Malaysia , Cambodia , Indonesia , Vietnam , Myanmar , Singapore , Nepal . Rancor : BC1C3E754BE9F2175B718ABA62174A550CDC3D98AB9C36671A58073140381659 . 
Although this wave did not use any zero day exploits , it relied on steganography and NTFS alternate data streams to complicate detection .", "spans": {"THREAT_ACTOR: attackers": [[264, 273]], "ORGANIZATION: government agencies": [[336, 355]], "ORGANIZATION: civil and military organizations": [[360, 392]], "THREAT_ACTOR: Rancor": [[506, 512]], "FILEPATH: BC1C3E754BE9F2175B718ABA62174A550CDC3D98AB9C36671A58073140381659": [[515, 579]]}, "info": {"id": "cyberner_stix_test_000446", "source": "cyberner_stix_test"}} +{"text": "The app is fitted with standard information-stealing capabilities ; however , this banker is exceptionally insidious in that after installation it requires a single action from the victim – enable Android ’ s Accessibility Service – to fully unleash the app ’ s malicious functionality . As we explained in our most recent blogpost about Zebrocy , the configuration of the backdoor is stored in in the resource section and is split into four different hex-encoded , encrypted blobs . PapaAlfa is believed to be one of the proxy malware components that the Lazarus Group uses to hide the true command and control server for operations .", "spans": {"SYSTEM: Android": [[197, 204]], "ORGANIZATION: we": [[291, 293]], "THREAT_ACTOR: Zebrocy": [[338, 345]], "TOOL: backdoor": [[373, 381]], "MALWARE: PapaAlfa": [[484, 492]], "THREAT_ACTOR: Lazarus Group": [[556, 569]]}, "info": {"id": "cyberner_stix_test_000447", "source": "cyberner_stix_test"}} +{"text": "There are also many other modifications , fully described in our private report . In that case , we observed Buhtrap using a local privilege escalation exploit , CVE-2019-1132 , against one of its victims . 
In addition , this victim was also attacked by the Konni malware on 03 April 2018 .", "spans": {"THREAT_ACTOR: Buhtrap": [[109, 116]], "VULNERABILITY: CVE-2019-1132": [[162, 175]], "MALWARE: Konni": [[258, 263]]}, "info": {"id": "cyberner_stix_test_000448", "source": "cyberner_stix_test"}} +{"text": "Originally targeting Western European banks , Emotet has since been developed into a robust global botnet that is comprised of several modules , each of which equips Emotet with different spamming , email logging , information stealing , bank fraud , downloading , and DDoS , among others . On the other hand , ShadowBrokers group made headlines in 2016 when it claimed to have robbed various exploitation tools used by the NSA including the notorious EternalBlue that was a vital component in the WannaCry ransomware campaign causing damages to systems worldwide .", "spans": {"ORGANIZATION: banks": [[38, 43]], "TOOL: Emotet": [[46, 52], [166, 172]], "ORGANIZATION: NSA": [[424, 427]], "VULNERABILITY: EternalBlue": [[452, 463]]}, "info": {"id": "cyberner_stix_test_000449", "source": "cyberner_stix_test"}} +{"text": "If the user has provided the details of another card , then the following window is displayed : The application leaves the user with almost no option but to enter the correct card number , as it checks the entered number against the bank card details the cybercriminals received earlier . Due to these changes without a new date string , we believe the date codes are used for campaign tracking rather than a Bookworm build identifier . 
Between August 2 and 4 , the Leviathan sent targeted spearphishing emails containing malicious URLs linking to documents to multiple defense contractors .", "spans": {"MALWARE: date string": [[324, 335]], "MALWARE: date codes": [[353, 363]], "TOOL: Bookworm": [[409, 417]], "THREAT_ACTOR: Leviathan": [[466, 475]], "TOOL: emails": [[504, 510]], "ORGANIZATION: defense contractors": [[570, 589]]}, "info": {"id": "cyberner_stix_test_000450", "source": "cyberner_stix_test"}} +{"text": "Limiting app installations on corporate devices , as well as ensuring that applications are created by trusted developers on official marketplaces , can help in reducing the risk of infection as well . Wild Neutron 's targeting of major IT companies , spyware developers ( FlexiSPY ) , jihadist forums ( the \" Ansar Al-Mujahideen English Forum \" ) and Bitcoin companies indicate a flexible yet unusual mindset and interests . The ScarCruft group uses common malware delivery techniques such as spear phishing and Strategic Web Compromises ( SWC ) . This shorcut uses the WebDav HTTP protocol extension to retrieve the file launcher-upd.hta from a remote server : This heavily obfuscated script is responsible for the execution of PowerShell that downloads the final malware payload ( NetSupport RAT ) .", "spans": {"THREAT_ACTOR: Wild Neutron": [[202, 214]], "ORGANIZATION: IT companies": [[237, 249]], "ORGANIZATION: spyware developers": [[252, 270]], "ORGANIZATION: FlexiSPY": [[273, 281]], "ORGANIZATION: jihadist forums": [[286, 301]], "ORGANIZATION: Ansar Al-Mujahideen English Forum": [[310, 343]], "ORGANIZATION: Bitcoin companies": [[352, 369]], "THREAT_ACTOR: ScarCruft": [[430, 439]], "MALWARE: NetSupport RAT": [[784, 798]]}, "info": {"id": "cyberner_stix_test_000451", "source": "cyberner_stix_test"}} +{"text": "The advertisement SDK also collects statistics about clicks and impressions to make it easier to track revenue . 
The NetTraveler trojan has been known to be used in targeted cyber espionage attacks for more than a decade by nation state threat actors and continues to be used to target its victims and exfiltrate data . Unlike the previous exploit documents , this malicious attachment did not contain any visible text when opened in Microsoft Word . Two leading Republican members of the U.S. House came out hours after the Biden administration released the roadmap , saying they would use their respective House panels to , “ exercise strict oversight on CISA ’s efforts ” to implement many of the policies outlined .", "spans": {"TOOL: NetTraveler trojan": [[117, 135]], "ORGANIZATION: Microsoft": [[434, 443]], "TOOL: Word": [[444, 448]], "ORGANIZATION: U.S. House": [[489, 499]], "ORGANIZATION: Biden administration": [[525, 545]]}, "info": {"id": "cyberner_stix_test_000452", "source": "cyberner_stix_test"}} +{"text": "] it Catania server1fermo.exodus.connexxa [ . Analysis of these cryptcat binaries indicates that the actor continually modified them to decrease AV detection rates . ( C:\\ProgramData\\GUID.bin ) . They are specifically engaged in cyber crime to further their nations own interests .", "spans": {}, "info": {"id": "cyberner_stix_test_000453", "source": "cyberner_stix_test"}} +{"text": "ThreatConnect had made the same observation regarding this patterning in September 2017 .", "spans": {"TOOL: ThreatConnect": [[0, 13]]}, "info": {"id": "cyberner_stix_test_000454", "source": "cyberner_stix_test"}} +{"text": "Operation Daybreak appears to have been launched by unknown attackers to infect high profile targets through spear-phishing e-mails . 
In October 2015 the Callisto Group targeted a handful of individuals with phishing emails that attempted to obtain the target 's webmail credentials .", "spans": {"THREAT_ACTOR: attackers": [[60, 69]], "TOOL: emails": [[217, 223]]}, "info": {"id": "cyberner_stix_test_000455", "source": "cyberner_stix_test"}} +{"text": "Mark Zuckerberg , Jack Dorsey , Sundar Pichai , and Daniel Ek — the CEOs of Facebook , Twitter , Google and Spotify , respectively — have also fallen victim to the hackers , dispelling the notion that a career in software and technology exempts one from being compromised . In September 2017 , we discovered a new targeted attack on financial institutions .", "spans": {"ORGANIZATION: Facebook": [[76, 84]], "ORGANIZATION: Twitter": [[87, 94]], "ORGANIZATION: Google": [[97, 103]], "ORGANIZATION: technology": [[226, 236]], "ORGANIZATION: financial institutions": [[333, 355]]}, "info": {"id": "cyberner_stix_test_000456", "source": "cyberner_stix_test"}} +{"text": "Delivering a backdoor and spyware , this campaign was designed to steal information from infected systems using a malware client capable of filtering out \" uninteresting \" files , and spread primarily via a targeted phishing email usually promising a pornographic video . Incident response engagements have given CTU researchers insight into the tactics TG-3390 employs during intrusions .", "spans": {"ORGANIZATION: CTU": [[313, 316]], "THREAT_ACTOR: TG-3390": [[354, 361]]}, "info": {"id": "cyberner_stix_test_000457", "source": "cyberner_stix_test"}} +{"text": "In this research , we review common features of the malware and examine the improvements the threat actor made in each version . Similar to the Bisonal variant targeting the Russian organization , this sample was also disguised as PDF document . 
In addition , Emissary appears to against Taiwan or Hong Kong , all of the decoys are written in Traditional Chinese , and they use themes related to the government or military .", "spans": {"MALWARE: Bisonal": [[144, 151]], "MALWARE: Emissary": [[260, 268]], "ORGANIZATION: government": [[400, 410]], "ORGANIZATION: military": [[414, 422]]}, "info": {"id": "cyberner_stix_test_000458", "source": "cyberner_stix_test"}} +{"text": "Even when we observed LuckyMouse using weaponized documents with CVE-2017-11882 ( Microsoft Office Equation Editor , widely used by Chinese-speaking actors since December 2017 ) , we can′t prove they were related to this particular attack . We assess with high confidence that the Winnti umbrella is associated with the Chinese state intelligence apparatus , with at least some elements located in the Xicheng District of Beijing .", "spans": {"VULNERABILITY: CVE-2017-11882": [[65, 79]], "TOOL: Microsoft Office Equation Editor": [[82, 114]], "MALWARE: Winnti": [[281, 287]]}, "info": {"id": "cyberner_stix_test_000459", "source": "cyberner_stix_test"}} +{"text": "We are able to send commands to the service such as dumpmsgdb or getkey ( which dumps the tgnet.dat file ) . In March 2016 , Symantec published a blog on Suckfly , an advanced cyberespionage group that conducted attacks against a number of South Korean organizations to steal digital certificates . 
Internet in government.pdf / Define the Internet in government institutions.pdf : These observations leave open the possibility that COSMICENERGY was developed with malicious intent , and at a minimum that it can be used to support targeted threat activity in the wild .", "spans": {"ORGANIZATION: Symantec": [[125, 133]], "FILEPATH: Internet in government.pdf": [[299, 325]], "FILEPATH: Define the Internet in government institutions.pdf": [[328, 378]], "MALWARE: COSMICENERGY": [[432, 444]]}, "info": {"id": "cyberner_stix_test_000460", "source": "cyberner_stix_test"}} +{"text": "Use application whitelisting .", "spans": {}, "info": {"id": "cyberner_stix_test_000461", "source": "cyberner_stix_test"}} +{"text": "Donot attacked government agencies , aiming for classified intelligence . This script relays commands and output between the controller and the system .", "spans": {"THREAT_ACTOR: Donot": [[0, 5]], "ORGANIZATION: government agencies": [[15, 34]]}, "info": {"id": "cyberner_stix_test_000462", "source": "cyberner_stix_test"}} +{"text": "Grabbing the Screen PIN with Support for Samsung Devices Version 0.3.0.1 added an ~800 line long method called grabScreenPin , which uses accessibility features to track pin code changes in the device ’ s settings . Usually , the Stageless Meterpreter has the Ext_server_stdapi.x64.dll” , Ext_server_extapi.x64.dll” , and Ext_server_espia.x64.dll” extensions . 
The campaigns delivered PupyRAT , an open-source cross-platform remote access trojan ( RAT ) .", "spans": {"ORGANIZATION: Samsung": [[41, 48]], "MALWARE: Stageless Meterpreter": [[230, 251]], "MALWARE: Ext_server_stdapi.x64.dll”": [[260, 286]], "MALWARE: Ext_server_extapi.x64.dll”": [[289, 315]], "MALWARE: Ext_server_espia.x64.dll”": [[322, 347]], "MALWARE: PupyRAT": [[385, 392]], "MALWARE: remote access trojan": [[425, 445]], "MALWARE: RAT": [[448, 451]]}, "info": {"id": "cyberner_stix_test_000463", "source": "cyberner_stix_test"}} +{"text": "Extracting hashes from the NTDS.dit file requires access to the SYSTEM file in the system registry .", "spans": {"FILEPATH: NTDS.dit": [[27, 35]]}, "info": {"id": "cyberner_stix_test_000464", "source": "cyberner_stix_test"}} +{"text": "Other commands commonly seen executed shortly after these backdoors are activated .", "spans": {}, "info": {"id": "cyberner_stix_test_000465", "source": "cyberner_stix_test"}} +{"text": "In all emails sent to these government officials , the actor used the same attachment : a malicious Microsoft Word document that exploited the CVE-2012-0158 vulnerability to drop a malicious payload . Visitors to sites exploited by Emissary Panda are directed by code embedded in the sites to a malicious webpage , which screens their IP address .", "spans": {"MALWARE: malicious Microsoft Word document": [[90, 123]], "VULNERABILITY: CVE-2012-0158": [[143, 156]]}, "info": {"id": "cyberner_stix_test_000466", "source": "cyberner_stix_test"}} +{"text": "Unpacker thread decrypt java archive from assets directory “ start.ogg ” , and dynamically loads it and calls the method “ a.a.a.b ” from this archive . Figure 2: Zyklon attack flowInfection Techniques CVE-2017-8759 . 
We do not know whether using PIVY is an attempt by those behind the Molerats campaign to frame China-based threat actors for their attacks or simply evidence that they have added another effective , publicly-available RAT to its arsenal .", "spans": {"THREAT_ACTOR: Zyklon": [[163, 169]], "VULNERABILITY: CVE-2017-8759": [[202, 215]], "MALWARE: PIVY": [[247, 251]], "THREAT_ACTOR: actors": [[332, 338]], "MALWARE: RAT": [[436, 439]]}, "info": {"id": "cyberner_stix_test_000467", "source": "cyberner_stix_test"}} +{"text": "Among the various features we discuss in this post , we believe that TrickMo ’ s most significant novelty is an app recording feature , which gives it the ability to overcome the newer pushTAN app validations used by German banks . Of particular note is their use of tools to identify systems vulnerable to CVE-2017-0144 , which is the same vulnerability exploited by EternalBlue that is best known for its use in the WannaCry attacks of 2017 . On January 8 , 2018 , the OilRig threat group sent an email with the subject Beirut Insurance Seminar Invitation to an insurance agency in the Middle East .", "spans": {"MALWARE: TrickMo": [[69, 76]], "VULNERABILITY: CVE-2017-0144": [[307, 320]], "THREAT_ACTOR: OilRig": [[471, 477]], "ORGANIZATION: insurance agency": [[564, 580]]}, "info": {"id": "cyberner_stix_test_000468", "source": "cyberner_stix_test"}} +{"text": "Earworm uses two malware tools .", "spans": {"THREAT_ACTOR: Earworm": [[0, 7]]}, "info": {"id": "cyberner_stix_test_000469", "source": "cyberner_stix_test"}} +{"text": "There is rarely a dull day at CrowdStrike where we are not detecting or responding to a breach at a company somewhere around the globe .", "spans": {"ORGANIZATION: CrowdStrike": [[30, 41]]}, "info": {"id": "cyberner_stix_test_000470", "source": "cyberner_stix_test"}} +{"text": "In this case , it registers three broadcast receivers : MyReceiver - Triggers when the device is booted . 
However , Symantec has now found evidence that the Buckeye cyber espionage group (aka APT3 , Gothic Panda ) began using Equation Group tools in attacks at least a year prior to the Shadow Brokers leak . BlackOasis is a Middle Eastern threat group that is believed to be a customer of Gamma Group .", "spans": {"ORGANIZATION: Symantec": [[116, 124]], "THREAT_ACTOR: Buckeye": [[157, 164]], "THREAT_ACTOR: (aka APT3": [[187, 196]], "THREAT_ACTOR: Gothic Panda": [[199, 211]], "TOOL: Equation Group tools": [[226, 246]], "THREAT_ACTOR: BlackOasis": [[309, 319]], "ORGANIZATION: Gamma Group": [[390, 401]]}, "info": {"id": "cyberner_stix_test_000471", "source": "cyberner_stix_test"}} +{"text": "Shared import hashes across multiple files would likely identify files that are part of the same malware family .", "spans": {}, "info": {"id": "cyberner_stix_test_000472", "source": "cyberner_stix_test"}} +{"text": "Cannon acknowledges the successful execution by sending an email to sahro.bella7@post.cz with s.txt ( contains {SysPar = 65} string ) as the attachment , ok5 within the body and a subject with the unique system identifier via SMTPS from one of the three accounts from Step 1 .", "spans": {"MALWARE: Cannon": [[0, 6]], "TOOL: email": [[59, 64]], "EMAIL: sahro.bella7@post.cz": [[68, 88]], "FILEPATH: s.txt": [[94, 99]]}, "info": {"id": "cyberner_stix_test_000473", "source": "cyberner_stix_test"}} +{"text": "A quick search with the AutoFocus transform to pull tag information shows these are specifically related to Nymaim , most likely for the DGA seed ; however , looking at domains with less links , other malware families begin to emerge .", "spans": {"MALWARE: Nymaim": [[108, 114]], "MALWARE: other malware families": [[195, 217]]}, "info": {"id": "cyberner_stix_test_000474", "source": "cyberner_stix_test"}} +{"text": "As we ’ve observed with cybercriminal groups that aim to maximize profits for every campaign , silence doesn’t necessarily mean inactivity .", "spans": {}, "info": 
{"id": "cyberner_stix_test_000475", "source": "cyberner_stix_test"}} +{"text": "Segment networks into logical enclaves and restrict host-to-host communication paths .", "spans": {}, "info": {"id": "cyberner_stix_test_000476", "source": "cyberner_stix_test"}} +{"text": "This time , however , TA459 opportunistically used spear-phishing emails with a Microsoft Word attachment exploiting the recently patched CVE-2017-0199 to deploy the ZeroT Trojan , which in turn downloaded the PlugX Remote Access Trojan ( RAT ) . Most of the Blue and Green Lambert samples have two C&C servers hardcoded in their configuration block : a hostname and an IP address .", "spans": {"MALWARE: Microsoft Word attachment": [[80, 105]], "VULNERABILITY: CVE-2017-0199": [[138, 151]], "TOOL: ZeroT Trojan": [[166, 178]], "TOOL: PlugX Remote Access Trojan": [[210, 236]], "TOOL: RAT": [[239, 242]], "MALWARE: Blue and Green Lambert samples": [[259, 289]], "TOOL: C&C": [[299, 302]]}, "info": {"id": "cyberner_stix_test_000477", "source": "cyberner_stix_test"}} +{"text": "During the rest of 2014 and the spring of 2015 , the Dukes continued making similar evasionfocused modifications to CosmicDuke , as well as experimenting with ways to obfuscate the loader .", "spans": {"THREAT_ACTOR: Dukes": [[53, 58]], "MALWARE: CosmicDuke": [[116, 126]]}, "info": {"id": "cyberner_stix_test_000478", "source": "cyberner_stix_test"}} +{"text": "IoT devices are purposefully designed to connect to a network and many are simply connected to the internet with little management or oversight .", "spans": {"TOOL: IoT": [[0, 3]]}, "info": {"id": "cyberner_stix_test_000479", "source": "cyberner_stix_test"}} +{"text": "CTU researchers identified the owners of three of these accounts ; two belonged to the DNC 's secretary emeritus , and one belonged to the communications director .", "spans": {"ORGANIZATION: CTU": [[0, 3]], "ORGANIZATION: DNC": [[87, 90]]}, "info": {"id": "cyberner_stix_test_000480", "source": "cyberner_stix_test"}} 
+{"text": "The malware will start the main service if all the requested permissions and the device admin privileges are granted . The attackers compromised two legitimate Thai websites to host the malware , which is a tactic this group has used in the past . Same initial delivery method ( spear phishing email ) with a Microsoft Word Document exploiting CVE-2012-0158 . User Execution : Malicious Link APT29 has used various forms of spearphishing attempting to get a user to click on a malicous link .002 User Execution : Malicious File APT29 has used various forms of spearphishing attempting to get a user to open attachments , including , but not limited to , malicious Microsoft Word documents , .pdf , and .lnk files .", "spans": {"TOOL: legitimate Thai websites": [[149, 173]], "TOOL: email": [[294, 299]], "ORGANIZATION: Microsoft": [[309, 318]], "TOOL: Word": [[319, 323]], "VULNERABILITY: CVE-2012-0158": [[344, 357]], "THREAT_ACTOR: Malicious Link APT29": [[377, 397]], "THREAT_ACTOR: Malicious File APT29": [[513, 533]]}, "info": {"id": "cyberner_stix_test_000481", "source": "cyberner_stix_test"}} +{"text": "The key in our version is : key=b\"\\x08\\x7A\\x05\\x04\\x60\\x7c\\x3e\\x3c\\x5d\\x0b\\x18\\x3c\\x55\\x64\" .", "spans": {}, "info": {"id": "cyberner_stix_test_000482", "source": "cyberner_stix_test"}} +{"text": "You can also try to re-flash your device with its original ROM . The banking malware GozNym has legs ; only a few weeks after the hybrid Trojan was discovered , it has reportedly spread into Europe and begun plaguing banking customers in Poland with redirection attacks . They offer the attacker a toe-hold to perform simple tasks like retrieve files , gather basic system information and trigger the execution of other more significant capabilities such as a standard backdoor . 
The attackers work from computers with Chinese and Korean language configurations .", "spans": {"TOOL: GozNym": [[85, 91]], "ORGANIZATION: banking customers": [[217, 234]], "THREAT_ACTOR: attackers": [[484, 493]], "SYSTEM: computers with Chinese and Korean language configurations": [[504, 561]]}, "info": {"id": "cyberner_stix_test_000483", "source": "cyberner_stix_test"}} +{"text": "In this case , the device should be re-flashed with an official ROM . Sensitive bank documents have be found on the servers that were controlling Carbanak . Little detail is given on the nature of how the connection between DNSMessenger and MuddyWater was discovered it isn't possible for us to verify this link .", "spans": {"VULNERABILITY: Carbanak": [[146, 154]], "MALWARE: DNSMessenger": [[224, 236]], "MALWARE: MuddyWater": [[241, 251]]}, "info": {"id": "cyberner_stix_test_000484", "source": "cyberner_stix_test"}} +{"text": "While MiniDuke activity decreased significantly during the rest of 2013 following the attention it garnered from researchers , the beginning of 2014 saw the toolset back in full force .", "spans": {"MALWARE: MiniDuke": [[6, 14]]}, "info": {"id": "cyberner_stix_test_000485", "source": "cyberner_stix_test"}} +{"text": "next packet 0x7 CALL Call an imported API ( whose address is stored in the internal VM value ) 0x8 LOAD Load a value into the VM descriptor structure * 0x9 STORE Store the internal VM value inside a register 0xA WRITE Resolve a pointer and store the value of a register in its content 0xB READ Move the value pointed by the VM internal value into a register 0xC LOAD Load a value into the VM descriptor structure ( not optimized ) 0xD CMP Compare the value pointed by the internal VM descriptor APT34 uses a mix of public and non-public tools . The payload is encoded in the same way as the size – each byte of the payload is computed from the ARGB color codes of each subsequent pixel in the image . 
It uses a hardcoded mutex value to make sure that the victim is not infected twice by calling followed by a call to to check the last error code .", "spans": {"THREAT_ACTOR: APT34": [[495, 500]], "TOOL: public and non-public tools": [[515, 542]]}, "info": {"id": "cyberner_stix_test_000486", "source": "cyberner_stix_test"}} +{"text": "Between mid-March and mid-April 2016 , TG-4127 created 16 short links targeting nine dnc.org email accounts .", "spans": {"THREAT_ACTOR: TG-4127": [[39, 46]], "DOMAIN: dnc.org": [[85, 92]], "TOOL: email": [[93, 98]]}, "info": {"id": "cyberner_stix_test_000487", "source": "cyberner_stix_test"}} +{"text": "Minor changes and updates to the code were released with these deployments , including a new mutex format and the exclusive use of encrypted HTTP communications over TLS .", "spans": {}, "info": {"id": "cyberner_stix_test_000488", "source": "cyberner_stix_test"}} +{"text": "So , when a device connects to the established network , this process will be in silent and automatic mode . The law firm in this scheme is based in the United Kingdom and is the sole location for targets outside of SA for this campaign . APT39 : Chafer .", "spans": {"THREAT_ACTOR: targets": [[197, 204]], "THREAT_ACTOR: APT39": [[239, 244]], "THREAT_ACTOR: Chafer": [[247, 253]]}, "info": {"id": "cyberner_stix_test_000489", "source": "cyberner_stix_test"}} +{"text": "There , they are prompted to download a new version of the mobile app , under which guise the Trojan is hidden . FireEye has observed APT32 targeting foreign corporations with a vested interest in Vietnam’s manufacturing , consumer products , and hospitality sectors . 
The name of the .scr file was directly linked to tension between North Korea and USA in March 2016 more information .", "spans": {"ORGANIZATION: FireEye": [[113, 120]], "THREAT_ACTOR: APT32": [[134, 139]], "ORGANIZATION: Vietnam’s manufacturing": [[197, 220]], "ORGANIZATION: consumer products": [[223, 240]], "ORGANIZATION: hospitality": [[247, 258]], "FILEPATH: .scr": [[285, 289]]}, "info": {"id": "cyberner_stix_test_000490", "source": "cyberner_stix_test"}} +{"text": "Note that there are fewer payloads than there are samples , indicating many of the documents download the same payload .", "spans": {}, "info": {"id": "cyberner_stix_test_000491", "source": "cyberner_stix_test"}} +{"text": "The overlay window is often indistinguishable from the expected screen ( such as a login screen for a banking app ) and is used to steal the victim ’ s banking credentials . Recently , the JPCERT published a thorough analysis of the Plead backdoor , which , according to Trend Micro , is used by the cyberespionage group BlackTech . Otherwise , if an IP address is configured , it will connect directly to that IP address . Our demonstration shows how using the Google Analytics API , a web skimmer can send data to be collected in his own account instance .", "spans": {"ORGANIZATION: JPCERT": [[189, 195]], "TOOL: Plead backdoor": [[233, 247]], "ORGANIZATION: Trend Micro": [[271, 282]], "SYSTEM: Google Analytics API": [[462, 482]], "THREAT_ACTOR: a web skimmer": [[485, 498]]}, "info": {"id": "cyberner_stix_test_000492", "source": "cyberner_stix_test"}} +{"text": "] 11/xvideo/ hxxp : //apple-icloud [ . Since at least 2007 , APT28 has engaged in extensive operations in support of Russian strategic interests . An additional counter exists to handle cases where the file being sent is larger than 250 . 
The purpose of these attacks and their focus on IT and communication companies is believed to be to facilitate supply chain attacks on their clients .", "spans": {"THREAT_ACTOR: APT28": [[61, 66]], "ORGANIZATION: IT and communication companies": [[287, 317]]}, "info": {"id": "cyberner_stix_test_000493", "source": "cyberner_stix_test"}} +{"text": "If granted , the ransomware locks the device and displays a message demanding payment : You need to pay for us , otherwise we will sell portion of your personal information on black market every 30 minutes . They tried new techniques to steal from banking systems , including AWS CBR ( the Russian Central Bank 's Automated Workstation Client ) , ATMs , and card processing . A few interesting overlaps in recent FIN7 campaigns : Both used macros to copy wscript.exe to another file , which began with “ ms ” ( mses.exe – FIN7 , msutil.exe – EmpireMonkey ) . Monitor for changes made to firewall rules for unexpected modifications to allow / block specific network traffic that may attempt to hide artifacts associated with their behaviors to evade detection .", "spans": {"ORGANIZATION: Central Bank 's Automated Workstation Client": [[298, 342]], "ORGANIZATION: ATMs": [[347, 351]], "THREAT_ACTOR: FIN7": [[413, 417], [522, 526]], "TOOL: macros": [[440, 446]], "FILEPATH: wscript.exe": [[455, 466]], "FILEPATH: mses.exe": [[511, 519]], "FILEPATH: msutil.exe": [[529, 539]], "MALWARE: EmpireMonkey": [[542, 554]]}, "info": {"id": "cyberner_stix_test_000494", "source": "cyberner_stix_test"}} +{"text": "Cybereason classifies EventBot as a mobile banking trojan and infostealer based on the stealing features discussed in this research . DanderSpritz is the framework for controlling infected machines , different from FuZZbuNch as the latter provides a limited toolkit for the post-exploitation stage with specific functions such as DisableSecurity and EnableSecurity for DarkPulsar . 
PwC UK has been engaged in supporting investigations linked to APT10 compromises .", "spans": {"ORGANIZATION: Cybereason": [[0, 10]], "MALWARE: EventBot": [[22, 30]], "TOOL: DanderSpritz": [[134, 146]], "TOOL: FuZZbuNch": [[215, 224]], "TOOL: DisableSecurity": [[330, 345]], "TOOL: EnableSecurity": [[350, 364]], "TOOL: DarkPulsar": [[369, 379]], "ORGANIZATION: PwC UK": [[382, 388]], "THREAT_ACTOR: APT10": [[445, 450]]}, "info": {"id": "cyberner_stix_test_000495", "source": "cyberner_stix_test"}} +{"text": "Mimikatz is a post-exploitation tool that allows attackers to extract credentials from volatile memory . The fake certificate imitates the COMODO root certificate .", "spans": {"MALWARE: Mimikatz": [[0, 8]], "ORGANIZATION: COMODO": [[139, 145]]}, "info": {"id": "cyberner_stix_test_000496", "source": "cyberner_stix_test"}} +{"text": "The document includes a special report allegedly quoted from the Egyptian newspaper Al-Ahram .", "spans": {"ORGANIZATION: Al-Ahram": [[84, 92]]}, "info": {"id": "cyberner_stix_test_000497", "source": "cyberner_stix_test"}} +{"text": "This match shows a direct relationship between Sheldor and TeamSpy , although we do not known if the connection is only at the tool level or at the operation level too . The group 's persistent use of spear phishing tactics ( phishing attempts aimed at specific individuals ) and access to previously undiscovered zero-day exploits have made it a highly resilient threat .", "spans": {"ORGANIZATION: specific individuals": [[253, 273]], "VULNERABILITY: zero-day": [[314, 322]]}, "info": {"id": "cyberner_stix_test_000498", "source": "cyberner_stix_test"}} +{"text": "Steps to request the user 's credit card information In our sample configuration , the request for the views above can not be canceled or removed from the screen — behaving just like a screen lock that wo n't be disabled without providing credit card information . 
The attackers used this technique to remotely install a Metasploit reverse TCP stager on select systems , subsequently spawning a Meterpreter session and Mimikatz . Group123 is constantly evolving as the new fileless capability that was added to ROKRAT demonstrates .", "spans": {"THREAT_ACTOR: attackers": [[269, 278]], "THREAT_ACTOR: Group123": [[430, 438]], "MALWARE: ROKRAT": [[511, 517]]}, "info": {"id": "cyberner_stix_test_000499", "source": "cyberner_stix_test"}} +{"text": "TG-3390 's obfuscation techniques in SWCs complicate detection of malicious web traffic redirects .", "spans": {"THREAT_ACTOR: TG-3390": [[0, 7]], "TOOL: SWCs": [[37, 41]]}, "info": {"id": "cyberner_stix_test_000500", "source": "cyberner_stix_test"}} +{"text": "Upload / download / execute files .", "spans": {}, "info": {"id": "cyberner_stix_test_000501", "source": "cyberner_stix_test"}} +{"text": "As opposed to previous campaigns performed by this actor , this latest version does not contain privilege escalation and it simply executes the payload and configures persistence mechanisms .", "spans": {}, "info": {"id": "cyberner_stix_test_000502", "source": "cyberner_stix_test"}} +{"text": "According to public records it appears that eSurv began to also develop intrusion software in 2016 . In July 2017 , we observed the OilRig group using a tool they developed called ISMAgent in a new set of targeted attacks . It checks for new commands in the tweets from the handle @jhone87438316 ( suspended by Twitter ) every 10 seconds using the BeautifulSoup HTML parser to identify new tweets . 
Researchers first spotted the activity in March 2021 , but the MuddyWater campaign began in October 2019 targeting an Asian airline to steal flight reservation and continued to 2021 .", "spans": {"ORGANIZATION: eSurv": [[44, 49]], "THREAT_ACTOR: OilRig group": [[132, 144]], "TOOL: ISMAgent": [[180, 188]], "TOOL: Twitter": [[311, 318]], "TOOL: BeautifulSoup HTML parser": [[348, 373]], "ORGANIZATION: Asian airline": [[517, 530]]}, "info": {"id": "cyberner_stix_test_000503", "source": "cyberner_stix_test"}} +{"text": "In fact , our team considers them some of the best threat actors out of all the numerous nation-state , criminal and hacktivist/terrorist groups we encounter on a daily basis .", "spans": {}, "info": {"id": "cyberner_stix_test_000504", "source": "cyberner_stix_test"}} +{"text": "Our analysis of the malware shows it uses multiple , advanced techniques to avoid Google Play malware detection and to maintain persistency on target devices . The document files exploit at least three known vulnerabilities in Microsoft Office , which we discuss in the Infection Techniques section . Observed APT10 targeting is in line with many of the historic compromises we have outlined previously as originating from China .", "spans": {"SYSTEM: Google Play": [[82, 93]], "MALWARE: document files": [[164, 178]], "VULNERABILITY: vulnerabilities": [[208, 223]], "THREAT_ACTOR: APT10": [[310, 315]]}, "info": {"id": "cyberner_stix_test_000505", "source": "cyberner_stix_test"}} +{"text": "This code starts by allocating two chunks of memory : a global 1 MB buffer and one 64 KB buffer per thread . Lotus Blossom attempted to exploit CVE-2014-6332 using the POC code available in the wild . The RC5 key is derived from the hard drive serial number and the string “ f@Ukd!rCto R$. ” — we were not able to obtain any MUI files nor the code that installs them in the first place . 
Malwarebytes customers are shielded against this campaign via our web protection in Endpoint Protection ( EP ) , Endpoint Detection and Response ( EDR ) and Malwarebytes Premium .", "spans": {"THREAT_ACTOR: Lotus Blossom": [[109, 122]], "VULNERABILITY: CVE-2014-6332": [[144, 157]], "TOOL: RC5": [[205, 208]], "ORGANIZATION: Malwarebytes": [[388, 400]]}, "info": {"id": "cyberner_stix_test_000506", "source": "cyberner_stix_test"}} +{"text": "However , we have noted a significantly small number of downloads of the app in Pakistan , India , Afghanistan , Bangladesh , Iran , Saudi Arabia , Austria , Romania , Grenada , and Russia . These VNC exectuables would either be included in the SFX file or downloaded by the batch script . In the second case , While Mandiant was unable to determine the initial intrusion point , our analysis suggests the OT component of this attack may have been developed in as little as two months .", "spans": {"TOOL: VNC": [[197, 200]], "ORGANIZATION: Mandiant": [[317, 325]], "SYSTEM: OT component": [[406, 418]]}, "info": {"id": "cyberner_stix_test_000507", "source": "cyberner_stix_test"}} +{"text": "Several weeks ago , Check Point Mobile Threat Prevention detected and quarantined the Android device of an unsuspecting customer employee who downloaded and installed a 0day mobile ransomware from Google Play dubbed “ Charger. ” This incident demonstrates how malware can be a dangerous threat to your business , and how advanced behavioral detection fills mobile security gaps attackers use to penetrate entire networks . Although Silence 's phishing emails were also sent to bank employees in Central and Western Europe , Africa , and Asia ) . After a successful penetration , it uses its own backdoors and the CobaltStrike framework or Powershell Empire components to hop to interesting parts of the network , where it can monetize its access . 
Monitor for newly constructed files that may attempt to hide artifacts associated with their behaviors to evade detection .", "spans": {"ORGANIZATION: Check Point": [[20, 31]], "SYSTEM: Android": [[86, 93]], "SYSTEM: Google Play": [[197, 208]], "MALWARE: Charger.": [[218, 226]], "ORGANIZATION: bank employees": [[477, 491]], "TOOL: CobaltStrike": [[613, 625]], "TOOL: Powershell": [[639, 649]], "TOOL: Empire": [[650, 656]]}, "info": {"id": "cyberner_stix_test_000508", "source": "cyberner_stix_test"}} +{"text": "Notifications : Push notifications C2 Resilience : Auxiliary C2 list Self-protection : Hiding the App icon Self-protection : Preventing removal Self-protection : Emulation-detection Architecture : Modular Overlay attack Most Android banking Trojans use overlay attacks to trick the victim into providing their personal information ( such as but not limited to : credit card information , banking credentials , mail credentials ) and Cerberus is no exception . The email stealer collects connection protocol information and account information , such as SMTP , IMAP , and POP3 , which are stored in the registry by Outlook and Thunderbird mail clients and sends them to the attacker server in a specific format . Targeting data supports the belief that APT39 's key mission is to track or monitor targets of interest , collect personal information , including travel itineraries , and gather customer data from telecommunications firms .", "spans": {"MALWARE: Cerberus": [[433, 441]], "MALWARE: email stealer": [[464, 477]], "THREAT_ACTOR: APT39": [[752, 757]], "ORGANIZATION: telecommunications firms": [[910, 934]]}, "info": {"id": "cyberner_stix_test_000509", "source": "cyberner_stix_test"}} +{"text": "Figure 13 . Discovered for the first time in Mexico back in 2013 , Ploutus enabled criminals to empty ATMs using either an external keyboard attached to the machine or via SMS message , a technique that had never been seen before . 
Malefactors used watering hole attacks to compromise legitimate and trusted websites frequently visited by their targets .", "spans": {"MALWARE: Ploutus": [[67, 74]], "THREAT_ACTOR: Malefactors": [[232, 243]]}, "info": {"id": "cyberner_stix_test_000510", "source": "cyberner_stix_test"}} +{"text": "FANCY BEAR ( also known as Sofacy or APT 28 ) is a separate Russian-based threat actor , which has been active since mid 2000s , and has been responsible for targeted intrusion campaigns against the Aerospace , Defense , Energy , Government and Media sectors . The above network shows relationships between three tools used by Hidden Lynx during its VOHO campaign : Trojan.Naid , Backdoor.Moudoor , and Backdoor.Hikit .", "spans": {"THREAT_ACTOR: FANCY BEAR": [[0, 10]], "THREAT_ACTOR: Sofacy": [[27, 33]], "THREAT_ACTOR: APT 28": [[37, 43]], "THREAT_ACTOR: threat actor": [[74, 86]], "ORGANIZATION: Aerospace": [[199, 208]], "ORGANIZATION: Defense": [[211, 218]], "ORGANIZATION: Energy": [[221, 227]], "ORGANIZATION: Government": [[230, 240]], "ORGANIZATION: Media sectors": [[245, 258]], "MALWARE: Trojan.Naid": [[366, 377]], "FILEPATH: Backdoor.Moudoor": [[380, 396]], "MALWARE: Backdoor.Hikit": [[403, 417]]}, "info": {"id": "cyberner_stix_test_000511", "source": "cyberner_stix_test"}} +{"text": "ACCESS_NETWORK_STATE - allow the app to access information about networks . Other open source and semi-legitimate pen-testing tools like nbtscan and powercat are being used for mapping available resources and lateral movement as well . 
While it lacks more advanced functionality like screen capturing , it is still able to carry out most tasks desired by threat actors : Exfiltration of files , ability to download and execute additional payloads , and gain remote shell access .", "spans": {"MALWARE: nbtscan": [[137, 144]], "MALWARE: powercat": [[149, 157]], "THREAT_ACTOR: actors": [[362, 368]]}, "info": {"id": "cyberner_stix_test_000512", "source": "cyberner_stix_test"}} +{"text": "It steals bank card information ( the number , the expiry date , CVC2/CVV2 ) imitating the process of registering the bank card with Google Play . The attackers behind Epic Turla have infected several hundred computers in more than 45 countries , including military . Frequently , a remote administration tool ( RAT ) is used to maintain persistence within a victim ’s organization . Copies of the site at archive.org show it was the work of someone calling themselves “ The Chaos Creator . ”", "spans": {"SYSTEM: Google Play": [[133, 144]], "TOOL: Epic Turla": [[168, 178]], "ORGANIZATION: military": [[257, 265]], "TOOL: remote administration tool": [[283, 309]], "TOOL: RAT": [[312, 315]], "THREAT_ACTOR: The Chaos Creator": [[471, 488]]}, "info": {"id": "cyberner_stix_test_000513", "source": "cyberner_stix_test"}} +{"text": "These gtags have been closely associated with LUNAR SPIDER activity . 
Group-IB detected the first incidents relating to Silence in June 2016 .", "spans": {"TOOL: gtags": [[6, 11]], "ORGANIZATION: Group-IB": [[70, 78]]}, "info": {"id": "cyberner_stix_test_000514", "source": "cyberner_stix_test"}} +{"text": "In 2015 we noticed another wave of attacks which took advantage of a new release of the AZZY implant , largely undetected by antivirus products .", "spans": {"MALWARE: AZZY": [[88, 92]]}, "info": {"id": "cyberner_stix_test_000515", "source": "cyberner_stix_test"}} +{"text": "To mitigate the threat of the described campaign , security teams can consider blocking access to the C2 server 103.236.150.14 and , where applicable , ensure that the Microsoft Security Update KB2553204 is installed in order to patch the CVE-2017-11882 vulnerability . We identified several European governments and defense companies compromised with this group .", "spans": {"VULNERABILITY: CVE-2017-11882": [[239, 253]], "ORGANIZATION: European governments": [[292, 312]], "ORGANIZATION: defense companies": [[317, 334]]}, "info": {"id": "cyberner_stix_test_000516", "source": "cyberner_stix_test"}} +{"text": "If the user ignores or rejects the request , the window reopens every few seconds . TG-3390 sends spearphishing emails with ZIP archive attachments . The a binary is a script wrapper to start run , a Perl-obfuscated script for installation of a Shellbot to gain control of the infected system . 
Ransomware source code is a malicious program that contains the instructions and algorithms that define the ransomware ’s behavior .", "spans": {"THREAT_ACTOR: TG-3390": [[84, 91]], "TOOL: script wrapper": [[168, 182]], "TOOL: Perl-obfuscated script": [[200, 222]], "MALWARE: Shellbot": [[245, 253]], "MALWARE: Ransomware source code": [[295, 317]]}, "info": {"id": "cyberner_stix_test_000517", "source": "cyberner_stix_test"}} +{"text": "the accessibility service ENABLE_HIDDEN_SMS Set malware as default SMS app DISABLE_HIDDEN_SMS Remove malware as default SMS app ENABLE_EXTENDED_INJECT Enable overlay attacks DISABLE_EXTENDED_INJECT Disable overlay attacks ENABLE_CC_GRABBER Enable the Google Play overlay DISABLE_CC_GRABBER Disable the Google Play overlay START_DEBUG Enable debugging GET_LOGCAT Get logs from the device STOP_DEBUG Disable debugging GET_APPS The December APT10 indictment noted that the group’s malicious activities breached at least 45 companies and managed service providers in 12 countries , including Brazil , Canada , Finland , France , Germany , India , Japan , Sweden , Switzerland , the United Arab Emirates , the United Kingdom , and the United States . 
As noted in a later section , another Invader sample shared different C2 servers with Daserf .", "spans": {"SYSTEM: Google Play": [[251, 262], [302, 313]], "THREAT_ACTOR: APT10": [[438, 443]], "MALWARE: Invader": [[784, 791]], "TOOL: C2": [[816, 818]], "MALWARE: Daserf": [[832, 838]]}, "info": {"id": "cyberner_stix_test_000518", "source": "cyberner_stix_test"}} +{"text": "There are two known variants of this module ; they only differ in timestamp values and version information in the resource section .", "spans": {}, "info": {"id": "cyberner_stix_test_000519", "source": "cyberner_stix_test"}} +{"text": "The first artifact – identified across this report as Artifact #1 – has the following attributes :", "spans": {}, "info": {"id": "cyberner_stix_test_000520", "source": "cyberner_stix_test"}} +{"text": "“ The takeaway ? This is a first for an APT group , and shows Sednit has access to very sophisticated tools to conduct its espionage operations . A rudimentary but somewhat clever design , KiloAlfa provides keylogging capability for the Lazarus Group 's collection of malicious tools .", "spans": {"THREAT_ACTOR: Sednit": [[62, 68]], "TOOL: sophisticated tools": [[88, 107]], "MALWARE: KiloAlfa": [[189, 197]], "THREAT_ACTOR: Lazarus Group": [[237, 250]]}, "info": {"id": "cyberner_stix_test_000521", "source": "cyberner_stix_test"}} +{"text": "Restrict users' ability ( permissions ) to install and run unwanted software applications , and apply the principle of Least Privilege to all systems and services .", "spans": {"TOOL: Least Privilege": [[119, 134]]}, "info": {"id": "cyberner_stix_test_000522", "source": "cyberner_stix_test"}} +{"text": "Consider using type-safe stored procedures and prepared statements .", "spans": {}, "info": {"id": "cyberner_stix_test_000523", "source": "cyberner_stix_test"}} +{"text": "CTU researchers identified TG-4127 targeting 26 personal gmail.com accounts belonging to individuals linked to the Hillary for America campaign , the DNC , or other 
aspects of U.S. national politics .", "spans": {"ORGANIZATION: CTU": [[0, 3]], "THREAT_ACTOR: TG-4127": [[27, 34]], "ORGANIZATION: DNC": [[150, 153]]}, "info": {"id": "cyberner_stix_test_000524", "source": "cyberner_stix_test"}} +{"text": "This increase in threat activity was consistent with other observations documented over the last few months in blogs by 360 Threat Intelligence Center analyzing attacks on Chinese organizations and Trend Micro noting targets in South Asia . They are often targeted simultaneously with other ethnic minorities and religious groups in China .", "spans": {"ORGANIZATION: 360 Threat Intelligence Center": [[120, 150]], "ORGANIZATION: Trend Micro": [[198, 209]], "ORGANIZATION: ethnic minorities": [[291, 308]], "ORGANIZATION: religious groups": [[313, 329]]}, "info": {"id": "cyberner_stix_test_000525", "source": "cyberner_stix_test"}} +{"text": "The document uses the logic flaw to first download the file power.rtf from http://122.9.52.215/news/power.rtf .", "spans": {"FILEPATH: power.rtf": [[60, 69]], "URL: http://122.9.52.215/news/power.rtf": [[75, 109]]}, "info": {"id": "cyberner_stix_test_000526", "source": "cyberner_stix_test"}} +{"text": "Hosting URL : http://briefl.ink/qhtma .", "spans": {"URL: http://briefl.ink/qhtma": [[14, 37]]}, "info": {"id": "cyberner_stix_test_000527", "source": "cyberner_stix_test"}} +{"text": "In order to simulate this technique , we took two videos side by side of how FakeSpy ( the Royal Mail sample ) behaves differently on a physical device versus an emulator . The first module downloaded by the GRIFFON malware to the victim’s computer is an information-gathering JScript , which allows the cybercriminals to understand the context of the infected workstation . 
The Ke3chang attackers used the older \" MyWeb \" malware family from 2010 to 2011 .", "spans": {"MALWARE: FakeSpy": [[77, 84]], "ORGANIZATION: Royal Mail": [[91, 101]], "MALWARE: GRIFFON": [[208, 215]], "THREAT_ACTOR: Ke3chang": [[379, 387]], "THREAT_ACTOR: attackers": [[388, 397]], "MALWARE: MyWeb": [[415, 420]]}, "info": {"id": "cyberner_stix_test_000528", "source": "cyberner_stix_test"}} +{"text": "Compared to Patchwork , whose Trojanized documents exploit at least five security flaws , Confucius' backdoors are delivered through Office files exploiting memory corruption vulnerabilities CVE-2015-1641 and CVE-2017-11882 . In October 2017 , a DHS advisory documented ALLANITE technical operations combined with activity with a group Symantec calls Dragonfly .", "spans": {"THREAT_ACTOR: Patchwork": [[12, 21]], "VULNERABILITY: CVE-2015-1641": [[191, 204]], "VULNERABILITY: CVE-2017-11882": [[209, 223]], "ORGANIZATION: DHS": [[246, 249]], "ORGANIZATION: Symantec": [[336, 344]], "THREAT_ACTOR: Dragonfly": [[351, 360]]}, "info": {"id": "cyberner_stix_test_000529", "source": "cyberner_stix_test"}} +{"text": "Silence.MainModule is a typical remote control Trojan that provides access to the command shell CMD.EXE with the possibility of downloading files from remote nodes to a computer and uploading files from a computer to a remote server . Russian-speaking hackers are believed to be responsible for these attacks and used the Corkow Trojan .", "spans": {"MALWARE: Silence.MainModule": [[0, 18]], "MALWARE: CMD.EXE": [[96, 103]], "MALWARE: Corkow Trojan": [[322, 335]]}, "info": {"id": "cyberner_stix_test_000530", "source": "cyberner_stix_test"}} +{"text": "Once installed , the RAT registers the infected device as shown below . In August 2015 , the admin@338 sent spear phishing emails to a number of Hong Kong-based media organizations . Microsoft released the patch for the vulnerability on April 11 , but many organizations have not yet deployed the update . 
Our initial investigation on the domains registered by Hack520 revealed that similar domains ( listed below ) were registered by another profile .", "spans": {"THREAT_ACTOR: admin@338": [[93, 102]], "ORGANIZATION: media organizations": [[161, 180]], "ORGANIZATION: Microsoft": [[183, 192]], "THREAT_ACTOR: Hack520": [[361, 368]]}, "info": {"id": "cyberner_stix_test_000531", "source": "cyberner_stix_test"}} +{"text": "The Sofacy threat group continues to target government organizations in the EU , US , and former Soviet states to deliver the Zebrocy tool as a payload .", "spans": {"THREAT_ACTOR: Sofacy": [[4, 10]], "MALWARE: Zebrocy": [[126, 133]]}, "info": {"id": "cyberner_stix_test_000532", "source": "cyberner_stix_test"}} +{"text": "Backdoor command and control .", "spans": {}, "info": {"id": "cyberner_stix_test_000533", "source": "cyberner_stix_test"}} +{"text": "The RAT , however , had a multitude of functionalities (as listed in the table below) such as to download and execute , compress , encrypt , upload , search directories , etc . In Clever Kitten 's attacks , the goal is lateral movement ; this is an attempt to move further into the target environment in order to begin intelligence collection .", "spans": {"MALWARE: RAT": [[4, 7]]}, "info": {"id": "cyberner_stix_test_000534", "source": "cyberner_stix_test"}} +{"text": "Multiple files have Cyrillic names and artifacts .", "spans": {}, "info": {"id": "cyberner_stix_test_000535", "source": "cyberner_stix_test"}} +{"text": "\" In the end , the consumer needs to vote with their wallet , '' he says . Although it has focused most of its efforts on the Middle East region , the political affiliations , motives and purposes behind MuddyWater’s attacks are not very well- defined , thus earning it its name . 
Charming Kitten is an Iranian cyber espionage group that has been active since approximately 2014 .", "spans": {"THREAT_ACTOR: MuddyWater’s": [[203, 215]], "THREAT_ACTOR: Charming Kitten": [[279, 294]]}, "info": {"id": "cyberner_stix_test_000536", "source": "cyberner_stix_test"}} +{"text": "Our visibility into APT28’s operations , which date to at least 2007 , has allowed us to understand the group’s malware , operational changes and motivations . The threat is likely targeting employees of various Palestinian government agencies , security services , Palestinian students , and those affiliated with the Fatah political party .", "spans": {"THREAT_ACTOR: APT28’s": [[20, 27]], "ORGANIZATION: employees": [[191, 200]], "ORGANIZATION: government agencies": [[224, 243]], "ORGANIZATION: security services": [[246, 263]], "ORGANIZATION: students": [[278, 286]], "ORGANIZATION: Fatah political party": [[319, 340]]}, "info": {"id": "cyberner_stix_test_000537", "source": "cyberner_stix_test"}} +{"text": "This email was later forwarded on Oct 24th,2016 from a spoofed email id which is associated with Thailand Indian embassy to various email recipients connected to the Indian Ministry of External Affairs as shown in the below screen shot .", "spans": {"TOOL: email": [[5, 10], [63, 68], [132, 137]], "ORGANIZATION: Indian embassy": [[106, 120]], "ORGANIZATION: Indian Ministry of External Affairs": [[166, 201]]}, "info": {"id": "cyberner_stix_test_000538", "source": "cyberner_stix_test"}} +{"text": "The sample we analyzed uses an icon very similar to Google Apps , with the label \" Google Play Marketplace '' to disguise itself . Further investigation revealed approximately 40 additional sites , all of which appear to be targeting the government of China and other organisations in China . 
We identified APT33 malware tied to an Iranian persona who may have been employed by the Iranian government to conduct cyber threat activity against its adversaries .", "spans": {"SYSTEM: Google Apps": [[52, 63]], "SYSTEM: Google Play Marketplace": [[83, 106]], "ORGANIZATION: government": [[238, 248]], "ORGANIZATION: organisations": [[268, 281]], "MALWARE: APT33": [[307, 312]], "MALWARE: malware": [[313, 320]]}, "info": {"id": "cyberner_stix_test_000539", "source": "cyberner_stix_test"}} +{"text": "What 's new ? Initial intrusion stages feature the Win32/Barlaiy implant—notable for its use of social network profiles , collaborative document editing sites , and blogs for C&C . Looking at threat intelligence derived from tracking APT campaigns over time primarily based on the network traffic generated by the malware used , we were able to develop indicators of compromise for the IXESHE campaign . While FakeSG appears to be a newcomer , it uses different layers of obfuscation and delivery techniques that make it a threat to take seriously and which could potentially rival with SocGholish .", "spans": {"TOOL: Win32/Barlaiy": [[51, 64]], "THREAT_ACTOR: IXESHE": [[386, 392]], "MALWARE: FakeSG": [[410, 416]], "MALWARE: SocGholish": [[587, 597]]}, "info": {"id": "cyberner_stix_test_000540", "source": "cyberner_stix_test"}} +{"text": "In fact , in 2009 a PinchDuke sample had been included in the malware set used by the AV-Test security product testing organization to perform anti-virus product comparison reviews .", "spans": {"MALWARE: PinchDuke": [[20, 29]], "ORGANIZATION: AV-Test": [[86, 93]]}, "info": {"id": "cyberner_stix_test_000541", "source": "cyberner_stix_test"}} +{"text": "The batch script would then attempt to have the VNC program connect to a command and control ( C2 ) server to enable the server to control the compromised system . 
The developers designed Bookworm to be a modular Trojan not limited to just the initial architecture of the Trojan , as Bookworm can also load additional modules provided by the C2 server .", "spans": {"TOOL: VNC": [[48, 51]], "MALWARE: Bookworm": [[188, 196], [284, 292]], "MALWARE: modular Trojan": [[205, 219]], "MALWARE: Trojan": [[272, 278]], "TOOL: C2": [[342, 344]]}, "info": {"id": "cyberner_stix_test_000542", "source": "cyberner_stix_test"}} +{"text": "Both malware share the same proxy settings and script :", "spans": {"MALWARE: malware": [[5, 12]]}, "info": {"id": "cyberner_stix_test_000543", "source": "cyberner_stix_test"}} +{"text": "When the document was opened in Word , PLATINUM exploited a previously unknown vulnerability in the Microsoft Office PostScript interpreter ( designated CVE-2015-2545 ) that enabled it to execute the attacker 's code and drop an attacker-generated malicious DLL onto the computer . To conduct targeted attacks , MoneyTaker use a distributed infrastructure that is difficult to track .", "spans": {"TOOL: Word": [[32, 36]], "THREAT_ACTOR: PLATINUM": [[39, 47]], "VULNERABILITY: CVE-2015-2545": [[153, 166]], "THREAT_ACTOR: attacker": [[200, 208]], "THREAT_ACTOR: MoneyTaker": [[312, 322]], "MALWARE: distributed infrastructure": [[329, 355]]}, "info": {"id": "cyberner_stix_test_000544", "source": "cyberner_stix_test"}} +{"text": "f-secure.exe : 99a7cb43fb2898810956b6137d803c8f97651e23f9f13e91887f188749bd5e8f connects to hnoor.newphoneapp.com .", "spans": {"FILEPATH: f-secure.exe": [[0, 12]], "FILEPATH: 99a7cb43fb2898810956b6137d803c8f97651e23f9f13e91887f188749bd5e8f": [[15, 79]], "DOMAIN: hnoor.newphoneapp.com": [[92, 113]]}, "info": {"id": "cyberner_stix_test_000545", "source": "cyberner_stix_test"}} +{"text": "TEMP.Periscope BackgroundActive since at least 2013 , TEMP.Periscope has primarily focused on maritime-related targets across multiple verticals , including engineering firms , shipping and transportation , manufacturing , 
defense , government offices , and research universities . The malware is distributed primarily through laced spam emails that lure recipients into opening attachments .", "spans": {"THREAT_ACTOR: TEMP.Periscope": [[0, 14], [54, 68]], "ORGANIZATION: maritime-related": [[94, 110]], "ORGANIZATION: engineering firms": [[157, 174]], "ORGANIZATION: shipping": [[177, 185]], "ORGANIZATION: transportation": [[190, 204]], "ORGANIZATION: manufacturing": [[207, 220]], "ORGANIZATION: defense": [[223, 230]], "ORGANIZATION: government": [[233, 243]], "ORGANIZATION: research universities": [[258, 279]], "TOOL: emails": [[338, 344]]}, "info": {"id": "cyberner_stix_test_000546", "source": "cyberner_stix_test"}} +{"text": "However , while we observed the presence of the codes , the functions of upd , sync and aptitude were disabled in the kits ’ latest version .", "spans": {}, "info": {"id": "cyberner_stix_test_000547", "source": "cyberner_stix_test"}} +{"text": "In addition , the NetTraveler toolkit was able to install additional info-stealing malware as a backdoor , and it could be customized to steal other types of sensitive information such as configuration details for an application or computer-aided design files . The campaign was active until January 2014 , but during our investigations the C&C servers were shut down .", "spans": {"TOOL: NetTraveler toolkit": [[18, 37]], "TOOL: C&C": [[341, 344]]}, "info": {"id": "cyberner_stix_test_000548", "source": "cyberner_stix_test"}} +{"text": "] comgo-mail-accounts [ . Over the course of three years of observation of campaigns targeting civil society and human rights organizations , from records of well over two hundred spearphishing and other intrusion attempts against individuals inside of Iran and in the diaspora , a narrative of persistent intrusion efforts emerges . Names that can be translated through DNS to IP addresses are referred to as Fully Qualified Domain Names ( FQDNs ) . 
for third - party application logging , messaging , and/or other artifacts that may attempt to hide artifacts associated with their behaviors to evade detection .", "spans": {"ORGANIZATION: civil society": [[95, 108]], "ORGANIZATION: human rights organizations": [[113, 139]], "ORGANIZATION: diaspora": [[269, 277]], "TOOL: Fully Qualified Domain Names": [[410, 438]], "TOOL: FQDNs": [[441, 446]]}, "info": {"id": "cyberner_stix_test_000549", "source": "cyberner_stix_test"}} +{"text": "The Magic Hound has repeatedly used social media to identify and interact with employees at targeted organizations and then used weaponized Excel documents . At this stage , the malware gathers information about the infected computer .", "spans": {"ORGANIZATION: social media": [[36, 48]], "ORGANIZATION: employees": [[79, 88]]}, "info": {"id": "cyberner_stix_test_000550", "source": "cyberner_stix_test"}} +{"text": "This particular unit is believed to hack into victim companies throughout the world in order to steal corporate trade secrets , primarily relating to the satellite , aerospace and communication industries . As confirmation that the malware writers are still very active even at the time of this writing , ESET detected a new Potao sample compiled on July 20 , 2015 .", "spans": {"ORGANIZATION: aerospace": [[166, 175]], "ORGANIZATION: communication industries": [[180, 204]], "ORGANIZATION: ESET": [[305, 309]], "MALWARE: Potao sample": [[325, 337]]}, "info": {"id": "cyberner_stix_test_000551", "source": "cyberner_stix_test"}} +{"text": "Example Response in JSON format In particular , short number “ +7494 ” is associated with a payment service provider in Russia . The vulnerability was patched by Microsoft on Nov 14 , 2017 . In this campaign , focusing detection of the network is not the best approach . 
Simultaneously , a new variant of Monti , based on the Linux platform , has surfaced , demonstrating notable differences from its previous Linux - based versions .", "spans": {"ORGANIZATION: Microsoft": [[162, 171]], "THREAT_ACTOR: Monti": [[305, 310]], "ORGANIZATION: Linux platform": [[326, 340]]}, "info": {"id": "cyberner_stix_test_000552", "source": "cyberner_stix_test"}} +{"text": "While researching elements in the IBM report , ASERT discovered additional malicious domains , IP addresses , and artifacts .", "spans": {"ORGANIZATION: IBM": [[34, 37]], "TOOL: IP": [[95, 97]]}, "info": {"id": "cyberner_stix_test_000553", "source": "cyberner_stix_test"}} +{"text": "This year we are going to be releasing a monthly blog post introducing the \" Threat Actor of the Month \" , complete with detailed background information on that actor . OurMine is well known : They hijacked WikiLeaks' DNS last month shortly after they took over HBO 's Twitter account ; last year , they took over Mark Zuckerberg 's Twitter and Pinterest accounts ; and they hit both BuzzFeed and TechCrunch not long after that .", "spans": {"THREAT_ACTOR: Threat Actor": [[77, 89]], "THREAT_ACTOR: actor": [[161, 166]], "THREAT_ACTOR: OurMine": [[169, 176]], "ORGANIZATION: WikiLeaks'": [[207, 217]], "ORGANIZATION: Twitter": [[269, 276], [333, 340]], "ORGANIZATION: Mark Zuckerberg": [[314, 329]], "ORGANIZATION: Pinterest": [[345, 354]], "ORGANIZATION: BuzzFeed": [[384, 392]], "ORGANIZATION: TechCrunch": [[397, 407]]}, "info": {"id": "cyberner_stix_test_000554", "source": "cyberner_stix_test"}} +{"text": "Its authors claim that it was used for private operations for two years preceding the start of the rental . ESET researchers have detected an ongoing , highly targeted campaign , with a majority of the targets being military organizations . 
As detailed in the DOJ complaint , a sample of WHITEOUT malware we attribute to APT38 was used between 2015 and 2016 against a Southeast Asian bank .", "spans": {"ORGANIZATION: ESET": [[108, 112]], "ORGANIZATION: military": [[216, 224]], "MALWARE: WHITEOUT": [[288, 296]], "MALWARE: malware": [[297, 304]], "THREAT_ACTOR: APT38": [[321, 326]], "ORGANIZATION: bank": [[384, 388]]}, "info": {"id": "cyberner_stix_test_000555", "source": "cyberner_stix_test"}} +{"text": "The macro sleeps for two seconds and then executes the newly dropped executable .", "spans": {"TOOL: macro": [[4, 9]]}, "info": {"id": "cyberner_stix_test_000556", "source": "cyberner_stix_test"}} +{"text": "The shortened URL leads the victim to an IP-address-based URL , where the archived payload is located .", "spans": {}, "info": {"id": "cyberner_stix_test_000557", "source": "cyberner_stix_test"}} +{"text": "Monitoring efforts on this new variant revealed that the malicious websites are spread through smishing . The attackers used the popular Poison Ivy RAT and WinHTTPHelper malware to compromise the computers of government officials . 1.vbs BE7F1D411CC4160BB221C7181DA4370972B6C867AF110C12850CAD77981976ED . 
None Organizations should apply the November 8 , 2022 patches for Exchange to prevent exploitation since the URL rewrite mitigations for ProxyNotShell are not effective against this exploit method .", "spans": {"THREAT_ACTOR: attackers": [[110, 119]], "TOOL: Poison Ivy RAT": [[137, 151]], "TOOL: WinHTTPHelper malware": [[156, 177]], "ORGANIZATION: government officials": [[209, 229]], "FILEPATH: 1.vbs": [[232, 237]], "FILEPATH: BE7F1D411CC4160BB221C7181DA4370972B6C867AF110C12850CAD77981976ED": [[238, 302]], "VULNERABILITY: ProxyNotShell": [[442, 455]]}, "info": {"id": "cyberner_stix_test_000558", "source": "cyberner_stix_test"}} +{"text": "Through the use of PowerShell and publicly available security control bypasses and scripts , most steps in the attack are performed exclusively in memory and leave few forensic artifacts on a compromised host .", "spans": {"TOOL: PowerShell": [[19, 29]], "TOOL: publicly available security control bypasses and scripts": [[34, 90]]}, "info": {"id": "cyberner_stix_test_000559", "source": "cyberner_stix_test"}} +{"text": "Package Name SHA256 digest SHA1 certificate com.network.android ade8bef0ac29fa363fc9afd958af0074478aef650adeb0318517b48bd996d5d5 44f6d1caa257799e57f0ecaf4e2e216178f4cb3d com.network.android 3474625e63d0893fc8f83034e835472d95195254e1e4bdf99153b7c74eb44d86 516f8f516cc0fd8db53785a48c0a86554f75c3ba The Leviathan group has specifically targeted engineering , transportation , and the defense industry , especially where these sectors overlap with maritime technologies . Winnti : gxxservice.com 2018-08-14 13:53:41 None or unknown . 
The initial beacon contains hardcoded string added to IP parameters .", "spans": {"THREAT_ACTOR: Leviathan group": [[300, 315]], "ORGANIZATION: engineering": [[342, 353]], "ORGANIZATION: transportation": [[356, 370]], "ORGANIZATION: defense industry": [[381, 397]], "THREAT_ACTOR: Winnti": [[468, 474]], "DOMAIN: gxxservice.com": [[477, 491]]}, "info": {"id": "cyberner_stix_test_000560", "source": "cyberner_stix_test"}} +{"text": "It is perhaps the first in a new wave of targeted attacks aimed at Android users . The documents that exploit CVE2017-11882 download another payload — an HTML Application ( HTA ) file toting a malicious Visual Basic ( VBS ) script — from the server , which is executed accordingly by the command-line tool mshta.exe . In addition , the attackers employed hacking tools of Chinese origin and that are prevalent on Chinese underground hacking forums .", "spans": {"SYSTEM: Android": [[67, 74]], "VULNERABILITY: CVE2017-11882": [[110, 123]], "TOOL: HTML Application": [[154, 170]], "MALWARE: HTA": [[173, 176]], "MALWARE: mshta.exe": [[306, 315]], "THREAT_ACTOR: attackers": [[336, 345]]}, "info": {"id": "cyberner_stix_test_000561", "source": "cyberner_stix_test"}} +{"text": "“ jackhex ” has also been part of a C2 for what is likely related Poison Ivy activity detailed below , along with additional infrastructure ties . Interestingly , despite the significant effort required to execute supply chain compromises and the large number of affected organizations , APT41 limits the deployment of follow-on malware to specific victim systems by matching against individual system identifiers . 
From 2016 through 2017 , two consumer products corporations , located inside Vietnam , were the target of APT32 intrusion operations .", "spans": {"MALWARE: Poison Ivy": [[66, 76]], "THREAT_ACTOR: APT41": [[288, 293]], "ORGANIZATION: consumer products corporations": [[445, 475]], "THREAT_ACTOR: APT32": [[522, 527]]}, "info": {"id": "cyberner_stix_test_000562", "source": "cyberner_stix_test"}} +{"text": "TG-3390 : bel.updatawindows.com .", "spans": {"THREAT_ACTOR: TG-3390": [[0, 7]], "DOMAIN: bel.updatawindows.com": [[10, 31]]}, "info": {"id": "cyberner_stix_test_000563", "source": "cyberner_stix_test"}} +{"text": "Two binder tools — used to disguise custom executables as legitimate Microsoft implants — were discovered by Falcon Intelligence and linked to MYTHIC LEOPARD in July 2017 . In total , PLATINUM made use of four zero-day exploits during these two attack campaigns ( two remote code execution bugs , one privilege escalation , and one information disclosure ) , showing an ability to spend a non-trivial amount of resources to either acquire professionally written zero-day exploits from unknown markets , or research and utilize the zero-day exploits themselves .", "spans": {"ORGANIZATION: Microsoft": [[69, 78]], "ORGANIZATION: Falcon Intelligence": [[109, 128]], "THREAT_ACTOR: MYTHIC LEOPARD": [[143, 157]], "THREAT_ACTOR: PLATINUM": [[184, 192]], "VULNERABILITY: zero-day": [[210, 218], [462, 470], [531, 539]]}, "info": {"id": "cyberner_stix_test_000564", "source": "cyberner_stix_test"}} +{"text": "From early April , hackers started to build a new major update to the “ Agent Smith ” campaign under the name “ leechsdk ” . The CONFUCIUS_B executable is disguised as a PowerPoint presentation , using a Right-To-Left-Override ( RTLO ) trick and a false icon . Dexphot : ba9467e0d63ba65bf10650a3c8d36cd292b3f846983032a44a835e5966bc7e88 . 
Republican state lawmakers are backing a legal challenge in the court systems to block an Environmental Protection Administration rule that asked local water systems to evaluate their current cybersecurity systems and protections while conducting sanitation surveys .", "spans": {"MALWARE: Agent Smith": [[72, 83]], "MALWARE: CONFUCIUS_B": [[129, 140]], "TOOL: RTLO": [[229, 233]], "MALWARE: Dexphot": [[261, 268]], "FILEPATH: ba9467e0d63ba65bf10650a3c8d36cd292b3f846983032a44a835e5966bc7e88": [[271, 335]], "ORGANIZATION: Republican state lawmakers": [[338, 364]], "ORGANIZATION: Environmental Protection Administration": [[428, 467]]}, "info": {"id": "cyberner_stix_test_000565", "source": "cyberner_stix_test"}} +{"text": "Artifact #1 was retrieved from a File Server operated by Die Linke .", "spans": {"TOOL: File Server": [[33, 44]]}, "info": {"id": "cyberner_stix_test_000566", "source": "cyberner_stix_test"}} +{"text": "This alert provides technical details on the tools and infrastructure used by cyber actors of the North Korean government to target the media , aerospace , financial , and critical infrastructure sectors in the United States and globally .", "spans": {}, "info": {"id": "cyberner_stix_test_000567", "source": "cyberner_stix_test"}} +{"text": "Since at least 2013 , the Iranian threat group FireEye tracks as APT33 has carried out a cyber espionage operation to collect information from defense , aerospace and petrochemical organizations . 
Resecurity claims that IRIDIUM breached Citrix 's network during December 2018 .", "spans": {"THREAT_ACTOR: threat group": [[34, 46]], "ORGANIZATION: FireEye": [[47, 54]], "THREAT_ACTOR: APT33": [[65, 70]], "ORGANIZATION: defense": [[143, 150]], "ORGANIZATION: aerospace": [[153, 162]], "ORGANIZATION: petrochemical organizations": [[167, 194]], "ORGANIZATION: Resecurity": [[197, 207]], "ORGANIZATION: Citrix": [[237, 243]]}, "info": {"id": "cyberner_stix_test_000568", "source": "cyberner_stix_test"}} +{"text": "We assess that the actors employing this latest Flash zero-day are a suspected North Korean group we track as TEMP.Reaper . In all emails sent to these government officials , the actor used the same attachment : a malicious Microsoft Word document that exploited the CVE-2012-0158 vulnerability to drop a malicious payload .", "spans": {"VULNERABILITY: zero-day": [[54, 62]], "THREAT_ACTOR: TEMP.Reaper": [[110, 121]], "TOOL: emails": [[131, 137]], "ORGANIZATION: government officials": [[152, 172]], "FILEPATH: malicious Microsoft Word document": [[214, 247]], "VULNERABILITY: CVE-2012-0158": [[267, 280]]}, "info": {"id": "cyberner_stix_test_000569", "source": "cyberner_stix_test"}} +{"text": "Shamoon2 : go-microstf.com .", "spans": {"MALWARE: Shamoon2": [[0, 8]], "DOMAIN: go-microstf.com": [[11, 26]]}, "info": {"id": "cyberner_stix_test_000570", "source": "cyberner_stix_test"}} +{"text": "In a much-improved Android security environment , the actors behind Agent Smith seem to have moved into the more complex world of constantly searching for new loopholes , such as Janus , Bundle and Man-in-the-Disk , to achieve a 3-stage infection chain , in order to build a botnet of controlled devices to earn profit for the perpetrator . Also , Bookworm uses a combination of encryption and compression algorithms to obfuscate the traffic between the system and C2 server . 
There is also an interest in international activists and think tanks … Victims of BlackOasis have been observed in the following countries : Russia , Iraq , Afghanistan , Nigeria , Libya , Jordan , Tunisia , Saudi Arabia , Iran , Netherlands , Bahrain , United Kingdom and Angola . ” RedLeaves can use HTTP over non - standard ports , such as 995 , for C2.Rocke 's miner connects to a C2 server using port 51640.[32 ]", "spans": {"SYSTEM: Android": [[19, 26]], "MALWARE: Agent Smith": [[68, 79]], "VULNERABILITY: Janus": [[179, 184]], "VULNERABILITY: Bundle": [[187, 193]], "VULNERABILITY: Man-in-the-Disk": [[198, 213]], "TOOL: Bookworm": [[348, 356]], "THREAT_ACTOR: BlackOasis": [[559, 569]], "MALWARE: RedLeaves": [[761, 770]], "SYSTEM: C2 server": [[862, 871]]}, "info": {"id": "cyberner_stix_test_000571", "source": "cyberner_stix_test"}} +{"text": "] 151/ as a command and control server . Volgmer payloads have been observed in 32-bit form as either executables or dynamic-link library ( .dll ) APT33 : 8.26.21.119 hyperservice.ddns.net . The U.S. government attributed the SolarWinds supply chain compromise which we track as UNC2452 to the Russian Foreign Intelligence Service ( SVR ) .", "spans": {"TOOL: Volgmer": [[41, 48]], "MALWARE: .dll": [[140, 144]], "THREAT_ACTOR: APT33": [[147, 152]], "IP_ADDRESS: 8.26.21.119": [[155, 166]], "DOMAIN: hyperservice.ddns.net": [[167, 188]], "ORGANIZATION: The U.S. government": [[191, 210]], "THREAT_ACTOR: UNC2452": [[279, 286]], "ORGANIZATION: Russian Foreign Intelligence Service ( SVR )": [[294, 338]]}, "info": {"id": "cyberner_stix_test_000572", "source": "cyberner_stix_test"}} +{"text": "Google was swiftly notified and removed the infected applications from the Google Play Store . APT38 relies on DYEPACK , a SWIFT transaction-hijacking framework , to initiate transactions , steal money , and hide any evidence of the fraudulent transactions from the victimized bank . 
The first known Suckfly campaign began in April of 2014 .", "spans": {"ORGANIZATION: Google": [[0, 6]], "SYSTEM: Google Play": [[75, 86]], "THREAT_ACTOR: APT38": [[95, 100]], "TOOL: DYEPACK": [[111, 118]], "ORGANIZATION: bank": [[277, 281]]}, "info": {"id": "cyberner_stix_test_000573", "source": "cyberner_stix_test"}} +{"text": "All posts are encrypted , unlike the last time we analyzed a sample from this actor , when the first POST was accidentally not encrypted .", "spans": {}, "info": {"id": "cyberner_stix_test_000574", "source": "cyberner_stix_test"}} +{"text": "16311b16fd48c1c87c6476a455093e7a Screenshot capturing skype_sync2.exe 6bcc3559d7405f25ea403317353d905f Skype call recording to MP3 All modules , except skype_sync2.exe , are written in Python and packed to binary files via the Py2exe tool . In the course of this email correspondence , the attacker — Safeena” — then sent what appeared to be invitations to access several documents on Google Drive . Rancor is a threat group that has led targeted campaigns against the South East Asia region .", "spans": {"SYSTEM: Skype": [[103, 108]], "SYSTEM: Python": [[185, 191]], "SYSTEM: Py2exe": [[227, 233]], "THREAT_ACTOR: attacker": [[290, 298]], "THREAT_ACTOR: Rancor": [[400, 406]]}, "info": {"id": "cyberner_stix_test_000575", "source": "cyberner_stix_test"}} +{"text": "But TrickMo does things differently . The group primarily uses the MSR 606 Software (Figure 12) and Hardware (Figure 13) to create cloned cards . 
While continuing research on the August 2018 attacks on a Middle eastern government that delivered BONDUPDATER , Unit 42 researchers observed OilRig 's testing activities and with high confidence links this testing to the creation of the weaponized delivery document used in this attack .", "spans": {"MALWARE: TrickMo": [[4, 11]], "THREAT_ACTOR: group": [[42, 47]], "TOOL: MSR 606 Software": [[67, 83]], "TOOL: Hardware": [[100, 108]], "ORGANIZATION: government": [[219, 229]], "MALWARE: BONDUPDATER": [[245, 256]], "ORGANIZATION: Unit 42": [[259, 266]], "THREAT_ACTOR: OilRig": [[288, 294]]}, "info": {"id": "cyberner_stix_test_000576", "source": "cyberner_stix_test"}} +{"text": "A series of pilot runs were executed . This blog post examines two similar malware families that utilize the aforementioned technique to abuse legitimate websites , their connections to each other , and their connections to known espionage campaigns . The detection , blocking , and remediation of Dexphot on endpoints are exposed in Microsoft Defender Security Center , where Microsoft Defender ATP ’s rich capabilities like endpoint detection and response , automated investigation and remediation , and others enable security operations teams to investigate and remediate attacks in enterprise environments . 
The contents of the Exchange Web Server ( also found within the folder ) • At least 14 days of Exchange Control Panel ( ECP ) logs , located in We have found significant hunting and analysis value in these log folders , especially for suspicious CMD parameters in the ECP Server logs .", "spans": {"MALWARE: Dexphot": [[298, 305]], "TOOL: Microsoft Defender Security Center": [[334, 368]], "TOOL: Microsoft Defender ATP": [[377, 399]], "SYSTEM: Exchange Web Server": [[632, 651]], "SYSTEM: Exchange Control Panel ( ECP ) logs": [[707, 742]], "SYSTEM: ECP Server logs": [[880, 895]]}, "info": {"id": "cyberner_stix_test_000577", "source": "cyberner_stix_test"}} +{"text": "New scheme , same goal In the past , Android ransomware used a special permission called “ SYSTEM_ALERT_WINDOW ” to display their ransom note . This Gorgon Group campaign leveraged spear phishing emails with Microsoft Word documents exploiting CVE-2017-0199 . These fixes will be prioritized for future releases . The key to the success of an effort like No More Ransomware is informationsharing and collaboration .", "spans": {"SYSTEM: Android": [[37, 44]], "MALWARE: Microsoft Word documents": [[208, 232]], "VULNERABILITY: CVE-2017-0199": [[244, 257]]}, "info": {"id": "cyberner_stix_test_000578", "source": "cyberner_stix_test"}} +{"text": "Gold Lowell then provide a download link to a unique XML executable file and corresponding RSA private key to decrypt the files . 
BBSRAT is typically packaged within a portable executable file , although in a few of the observed instances , a raw DLL was discovered to contain BBSRAT .", "spans": {"THREAT_ACTOR: Gold Lowell": [[0, 11]], "TOOL: XML executable file": [[53, 72]], "TOOL: RSA": [[91, 94]], "MALWARE: BBSRAT": [[130, 136], [277, 283]], "TOOL: DLL": [[247, 250]]}, "info": {"id": "cyberner_stix_test_000579", "source": "cyberner_stix_test"}} +{"text": "TG-3390 uses DLL side loading , a technique that involves running a legitimate , typically digitally signed , program that loads a malicious DLL .", "spans": {"THREAT_ACTOR: TG-3390": [[0, 7]], "TOOL: DLL": [[13, 16], [141, 144]]}, "info": {"id": "cyberner_stix_test_000580", "source": "cyberner_stix_test"}} +{"text": "The exploit installs Silence’s loader , designed to download backdoors and other malicious programs . Take note that the fake certificate does not contain a COMODO Certificate Authority seal that certifies its validity , as seen in the comparison below :", "spans": {"VULNERABILITY: exploit": [[4, 11]], "THREAT_ACTOR: Silence’s": [[21, 30]], "ORGANIZATION: COMODO Certificate Authority": [[157, 185]]}, "info": {"id": "cyberner_stix_test_000581", "source": "cyberner_stix_test"}} +{"text": "Just 40 seconds after the suspected exploitation of CVE-2019-0604 , we observed the first HTTP GET request to a webshell at c.aspx , which is a modified version of the freely available awen asp.net webshell .", "spans": {"VULNERABILITY: CVE-2019-0604": [[52, 65]], "FILEPATH: c.aspx": [[124, 130]], "TOOL: awen": [[185, 189]], "FILEPATH: asp.net": [[190, 197]]}, "info": {"id": "cyberner_stix_test_000582", "source": "cyberner_stix_test"}} +{"text": "Both of these alerts discussed campaigns in which actors used the CVE-2019-0604 to exploit SharePoint servers to install the China Chopper webshell . 
We speculate that other attacks delivering Bookworm were also targeting organizations in Thailand based on the contents of the associated decoys documents , as well as several of the dynamic DNS domain names used to host C2 servers that contain the words \" Thai \" or \" Thailand \" .", "spans": {"THREAT_ACTOR: actors": [[50, 56]], "VULNERABILITY: CVE-2019-0604": [[66, 79]], "TOOL: China Chopper webshell": [[125, 147]], "MALWARE: Bookworm": [[193, 201]], "FILEPATH: decoys documents": [[288, 304]], "MALWARE: dynamic DNS domain": [[333, 351]], "TOOL: C2": [[371, 373]]}, "info": {"id": "cyberner_stix_test_000583", "source": "cyberner_stix_test"}} +{"text": "However , around a month ago , Rocke started targeting systems that run Jenkins by attempting to exploit CVE-2018-1000861 and CVE-2019-1003000 . The backdoor noted by other security researchers was encoded with different algorithms and configured with different parameter names in 2016 , for instance .", "spans": {"THREAT_ACTOR: Rocke": [[31, 36]], "VULNERABILITY: CVE-2018-1000861": [[105, 121]], "VULNERABILITY: CVE-2019-1003000": [[126, 142]]}, "info": {"id": "cyberner_stix_test_000584", "source": "cyberner_stix_test"}} +{"text": "call_number : to forward phone calls to intercept voice based two-factor authentication . This threat group has conducted broad targeting across a variety of industries , including financial , government , energy , chemical , and telecommunications , and has largely focused its operations within the Middle East . The filtering is performed by checking the keyboard layout of the infected systems . The VBA code in all files is similar , with minor variations , where some functions serve a legitimate purpose ( e.g. 
, some functions for conversion of strings into numbers in Excel ) .", "spans": {"THREAT_ACTOR: threat group": [[95, 107]], "ORGANIZATION: financial": [[181, 190]], "ORGANIZATION: government": [[193, 203]], "ORGANIZATION: energy": [[206, 212]], "ORGANIZATION: chemical": [[215, 223]], "ORGANIZATION: telecommunications": [[230, 248]]}, "info": {"id": "cyberner_stix_test_000585", "source": "cyberner_stix_test"}} +{"text": "The DLL exploited another previously unknown vulnerability ( designated CVE-2015-2546 ) in the Windows kernel , which enabled it to elevate privileges for the Word executable and subsequently install a backdoor through the application . In all cases , based on the nature of the computers infected by Thrip , it appeared that the telecoms companies themselves and not their customers were the targets of these attacks .", "spans": {"TOOL: DLL": [[4, 7]], "VULNERABILITY: CVE-2015-2546": [[72, 85]], "TOOL: Word": [[159, 163]], "ORGANIZATION: telecoms companies": [[330, 348]], "ORGANIZATION: customers": [[374, 383]]}, "info": {"id": "cyberner_stix_test_000586", "source": "cyberner_stix_test"}} +{"text": "Until this incident , no malware had been discovered misusing the AMT SOL feature for communication . They then moved on to the motor industry in late May .", "spans": {"ORGANIZATION: motor industry": [[128, 142]]}, "info": {"id": "cyberner_stix_test_000587", "source": "cyberner_stix_test"}} +{"text": "BalkanRAT enables the attacker to remotely control the compromised computer via a graphical interface , i.e , manually; BalkanDoor enables them to remotely control the compromised computer via a command line , i.e , possibly en masse . 
The email also comes with two files attached claiming to contain questions for the user : one is a .zip file , which is a fake OS X app , while the other is a .docx file used to target Windows operating systems using WERDLOD .", "spans": {"MALWARE: BalkanRAT": [[0, 9]], "MALWARE: BalkanDoor": [[120, 130]], "TOOL: email": [[240, 245]], "TOOL: OS X app": [[363, 371]], "SYSTEM: Windows": [[421, 428]], "MALWARE: WERDLOD": [[453, 460]]}, "info": {"id": "cyberner_stix_test_000588", "source": "cyberner_stix_test"}} +{"text": "Trojan native capabilities This is a full-fledged trojan with capabilities ranging from those of a banking trojan to a full spying trojan . Previously , Cloud Atlas dropped its validator” implant named PowerShower” directly , after exploiting the Microsoft Equation vulnerability CVE-2017-11882 mixed with CVE-2018-0802 . We believe a organization located in Middle East was targeted by APT37 because it had been involved with a North Korean company and a business deal went bad .", "spans": {"THREAT_ACTOR: Cloud Atlas": [[153, 164]], "VULNERABILITY: CVE-2017-11882": [[280, 294]], "VULNERABILITY: CVE-2018-0802": [[306, 319]], "THREAT_ACTOR: APT37": [[387, 392]], "ORGANIZATION: company": [[442, 449]]}, "info": {"id": "cyberner_stix_test_000589", "source": "cyberner_stix_test"}} +{"text": "] net/mms.apk to view the message ” Once the APK package is downloaded , potential victims are urged to grant the malicious app a wide range of permissions on their Android device : App permissions SEND_SMS RECEIVE_BOOT_COMPLETED INTERNET SYSTEM_ALERT_WINDOW WRITE_SMS ACCESS_NETWORK_STATE WAKE_LOCK GET_TASKS CALL_PHONE RECEIVE_SMS READ_PHONE_STATE READ_SMS ERASE_PHONE Once installed , MazarBOT downloads a copy of Gallmaker 's activity appears to be highly targeted , with its victims all related to government , military , or defense sectors . 
this is the final event for optimizations ) If you want a good example , just look at the infection map for Flame it is tightly grouped around the Gulf States .", "spans": {"MALWARE: MazarBOT": [[388, 396]], "THREAT_ACTOR: Gallmaker": [[417, 426]], "ORGANIZATION: government": [[503, 513]], "ORGANIZATION: military": [[516, 524]], "ORGANIZATION: defense sectors": [[530, 545]], "MALWARE: Flame": [[656, 661]]}, "info": {"id": "cyberner_stix_test_000590", "source": "cyberner_stix_test"}} +{"text": "Malicious code hidden in a package named “ com.google ” Hunting down the developer Using open-source information , we tracked down the developer of the adware , who we also identified as the campaign ’ s operator and owner of the C & C server . February saw three particularly interesting publications on the topic of macOS malware: a Trojan Cocoa application that sends system information including keychain data back to the attacker , a macOS version of APT28’s Xagent malware , and a new Trojan ransomware . SHA256 : 413772d81e4532fec5119e9dce5e2bf90b7538be33066cf9a6ff796254a5225f .", "spans": {"THREAT_ACTOR: attacker": [[426, 434]], "THREAT_ACTOR: APT28’s": [[456, 463]], "MALWARE: Trojan ransomware": [[491, 508]], "FILEPATH: 413772d81e4532fec5119e9dce5e2bf90b7538be33066cf9a6ff796254a5225f": [[520, 584]]}, "info": {"id": "cyberner_stix_test_000591", "source": "cyberner_stix_test"}} +{"text": "The page was designed to steal users ’ bank card details : 2017–2018 From early 2017 , the HTML phishing pages bank.html , update.html and extortionist.html started appearing in the assets folder . The Magic Hound campaign was also discovered using a custom dropper tool , which we have named MagicHound.DropIt . 
WannaCry utilizes EternalBlue by crafting a custom SMB session request with hard-coded values based on the target system .", "spans": {"TOOL: custom dropper": [[251, 265]], "MALWARE: MagicHound.DropIt": [[293, 310]], "MALWARE: WannaCry": [[313, 321]], "VULNERABILITY: EternalBlue": [[331, 342]], "MALWARE: SMB": [[364, 367]]}, "info": {"id": "cyberner_stix_test_000592", "source": "cyberner_stix_test"}} +{"text": "Some of the documents exploited CVE-2017-0199 to deliver the payload . With this level of access , the gang has been able to pull off a clever trick by automating the rollback of ATM transactions .", "spans": {"MALWARE: documents": [[12, 21]], "VULNERABILITY: CVE-2017-0199": [[32, 45]]}, "info": {"id": "cyberner_stix_test_000593", "source": "cyberner_stix_test"}} +{"text": "Also , the certificate embedded in the Quasar sample was issued at 22.12.2018 , which correlates with the file’s compilation date . In September 2015 , Kaspersky Lab 's Anti-Targeted Attack Platform discovered anomalous network traffic in a government organization network .", "spans": {"MALWARE: sample": [[46, 52]], "ORGANIZATION: Kaspersky Lab": [[152, 165]], "FILEPATH: anomalous network traffic": [[210, 235]], "ORGANIZATION: government organization": [[241, 264]]}, "info": {"id": "cyberner_stix_test_000594", "source": "cyberner_stix_test"}} +{"text": "In August , the Guccifer 2.0 persona contacted reporters covering U.S. House of Representative races to announce newly leaked documents from the DCCC pertaining to Democratic candidates .", "spans": {"THREAT_ACTOR: Guccifer": [[16, 24]], "ORGANIZATION: House of Representative": [[71, 94]], "ORGANIZATION: DCCC": [[145, 149]]}, "info": {"id": "cyberner_stix_test_000595", "source": "cyberner_stix_test"}} +{"text": "Cerberus is already capable to fulfill this demand . 
In June , SectorJ04 group conducted hacking using spam emails written in various languages , including English , Arabic , Korean and Italian , and the emails were written with various contents , including remittance card , invoice and tax invoice . BRONZE BUTLER uses credential theft tools such as Mimikatz and WCE to steal authentication information from the memory of compromised hosts .", "spans": {"MALWARE: Cerberus": [[0, 8]], "THREAT_ACTOR: SectorJ04": [[63, 72]], "THREAT_ACTOR: BRONZE BUTLER": [[302, 315]], "MALWARE: Mimikatz": [[352, 360]], "MALWARE: WCE": [[365, 368]]}, "info": {"id": "cyberner_stix_test_000596", "source": "cyberner_stix_test"}} +{"text": "The adware mimics these two apps to look legitimate and avoid suspicion – and thus stay on the affected device for as long as possible . In the last few weeks , FormBook was seen downloading other malware families such as NanoCore . Clearly the author has a real interest in North Korea , with 3 of the 4 campaigns are linked to North Korea .", "spans": {"MALWARE: FormBook": [[161, 169]], "MALWARE: NanoCore": [[222, 230]]}, "info": {"id": "cyberner_stix_test_000597", "source": "cyberner_stix_test"}} +{"text": "It then terminates the main thread .", "spans": {}, "info": {"id": "cyberner_stix_test_000598", "source": "cyberner_stix_test"}} +{"text": "7/7/2016 , 1:50 PM Security experts have documented a disturbing spike in a particularly virulent family of Android malware , with more than 10 million handsets infected and more than 286,000 of them in the US . Lazarus group could have been active since late 2016 , was used in a recent campaign targeting financial institutions using watering hole attacks . APT33 : 8.26.21.120 [REDACTED].ddns.net . 
A Cl0p representative confirmed that they had been testing the vulnerability since July 2021 and that they had decided to deploy it over the Memorial Day weekend .", "spans": {"SYSTEM: Android": [[108, 115]], "THREAT_ACTOR: Lazarus group": [[212, 225]], "ORGANIZATION: financial institutions": [[307, 329]], "THREAT_ACTOR: APT33": [[360, 365]], "IP_ADDRESS: 8.26.21.120": [[368, 379]], "DOMAIN: [REDACTED].ddns.net": [[380, 399]], "THREAT_ACTOR: Cl0p": [[404, 408]]}, "info": {"id": "cyberner_stix_test_000599", "source": "cyberner_stix_test"}} +{"text": "We recommend reading Marion 's report \" Shooting Elephants \" , a complementary piece of work regarding the Babar malware . This vulnerability was found in a document named Trump's_Attack_on_Syria_English.docx .", "spans": {"TOOL: Babar malware": [[107, 120]], "FILEPATH: Trump's_Attack_on_Syria_English.docx": [[172, 208]]}, "info": {"id": "cyberner_stix_test_000600", "source": "cyberner_stix_test"}} +{"text": "Disguised as Google related app , the core part of malware exploits various known Android vulnerabilities and automatically replaces installed apps on the device with malicious versions without the user ’ s interaction . targeted attacks . Gamma Group has been accused of selling its products to authoritarian regimes that can use the technology to both track dissidents and conduct foreign espionage over the internet . Magic Hound malware has communicated with its C2 server over TCP ports 4443 and 10151 using HTTP.[22][23 ]", "spans": {"ORGANIZATION: Google": [[13, 19]], "VULNERABILITY: Android vulnerabilities": [[82, 105]], "THREAT_ACTOR: Gamma Group": [[240, 251]], "MALWARE: Magic Hound malware": [[421, 440]]}, "info": {"id": "cyberner_stix_test_000601", "source": "cyberner_stix_test"}} +{"text": "Intercept Call - Triggers on incoming and outgoing calls . 
Equation is regarded as one of the most technically adept espionage groups and the release of a trove of its tools had a major impact , with many attackers rushing to deploy the malware and exploits disclosed . The group has shown interest in prominent figures in the United Nations , as well as opposition bloggers , activists , regional news correspondents , and think tanks .", "spans": {"THREAT_ACTOR: Equation": [[59, 67]], "TOOL: trove": [[155, 160]], "TOOL: think tanks": [[424, 435]]}, "info": {"id": "cyberner_stix_test_000602", "source": "cyberner_stix_test"}} +{"text": "“ When I use a word , ” Humpty Dumpty said , in rather a scornful tone , “ it means just what I choose it to mean—neither more nor less. ” – Through the Looking Glass , Lewis Carroll FireEye recently published a blog covering the tactics , techniques , and procedures ( TTPs ) for the “ TRITON actor ” when preparing to deploy the TRITON S-MAL/TRISIS malware framework in 2017 .", "spans": {"ORGANIZATION: Looking Glass": [[153, 166]], "ORGANIZATION: FireEye": [[183, 190]], "MALWARE: TRITON": [[287, 293]], "MALWARE: TRITON S-MAL/TRISIS": [[331, 350]]}, "info": {"id": "cyberner_stix_test_000603", "source": "cyberner_stix_test"}} +{"text": "Persistency Watch-Dog The application contains protection against its own removal . We are however only aware of one instance - the exploitation of CVE-2013-0640 to deploy MiniDuke - where we believe the exploited vulnerability was a zero-day at the time that the group acquired the exploit . 
MuddyWater attacks are characterized by the use of a slowly evolving PowerShell-based first stage backdoor we call \" POWERSTATS \" .", "spans": {"VULNERABILITY: CVE-2013-0640": [[148, 161]], "TOOL: MiniDuke": [[172, 180]], "VULNERABILITY: zero-day": [[234, 242]], "THREAT_ACTOR: group": [[264, 269]], "MALWARE: PowerShell-based first stage backdoor": [[362, 399]], "MALWARE: POWERSTATS": [[410, 420]]}, "info": {"id": "cyberner_stix_test_000604", "source": "cyberner_stix_test"}} +{"text": "Uses RijndaelManaged instead of AES for encryption . ( with ECB mode , which is considered weak ) .", "spans": {}, "info": {"id": "cyberner_stix_test_000605", "source": "cyberner_stix_test"}} +{"text": "Based on these factors , there is considerably more evidence supporting the hypothesis that the GRIM SPIDER threat actors are Russian speakers and not North Korean . It is also possible that ScarCruft deployed another zero day exploit , CVE-2016-0147 , which was patched in April .", "spans": {"THREAT_ACTOR: ScarCruft": [[191, 200]], "VULNERABILITY: zero day": [[218, 226]], "VULNERABILITY: exploit": [[227, 234]], "VULNERABILITY: CVE-2016-0147": [[237, 250]]}, "info": {"id": "cyberner_stix_test_000606", "source": "cyberner_stix_test"}} +{"text": "Just like the previous modules , it contains multiple strings in Italian . This module monitors a wide range of device activities including application installation / remove / update , phone restart and battery charge . Leviathan is a cyber espionage group that has been active since at least 2013 .", "spans": {"MALWARE: module": [[80, 86]], "THREAT_ACTOR: Leviathan": [[220, 229]]}, "info": {"id": "cyberner_stix_test_000607", "source": "cyberner_stix_test"}} +{"text": "The first version of Project Spy ( detected by Trend Micro as AndroidOS_SpyAgent.HRXB ) had the following capabilities : Collect device and system information ( i.e. 
, IMEI , device ID , manufacturer , model and phone number ) , location information , contacts stored , and call logs Collect and send SMS Take pictures via the camera Upload recorded MP4 files Monitor calls Searching further , we also found another sample that could be the second version of Project Spy . Just a few months later , in February 2015 , we announced the discovery of Carbanak , a cyber-criminal gang that used custom malware and APT techniques to steal millions of dollars while infecting hundreds of financial institutions in at least 30 countries . to identify each next block for unflattening . In those instances , the malicious was actually embedded in the Google Tag Manager library itself , which is very clever and difficult to detect .", "spans": {"MALWARE: Project Spy": [[21, 32]], "ORGANIZATION: Trend Micro": [[47, 58]], "VULNERABILITY: Carbanak": [[548, 556]], "THREAT_ACTOR: cyber-criminal gang": [[561, 580]], "ORGANIZATION: financial institutions": [[682, 704]]}, "info": {"id": "cyberner_stix_test_000608", "source": "cyberner_stix_test"}} +{"text": "There are more indications as well , such as names of objects , files etc .", "spans": {}, "info": {"id": "cyberner_stix_test_000609", "source": "cyberner_stix_test"}} +{"text": "Reverse shell payload from update_dev.zip Exploit payload At the same time , we found an important payload binary that is trying to exploit several known vulnerabilities and escalate privileges . RedDrip Team (formerly SkyEye Team) has been to OceanLotus to keep track of high strength , groupactivity , found it in the near future to Indochinese Peninsula countries since 2019 On April 1 , 2019 , RedDrip discovered a Vietnamese file name Hop dong sungroup.rar in the process of daily monitoring the attack activities of the OceanLotus . 
Moafee is a threat group that appears to operate from the Guandong Province of China .", "spans": {"THREAT_ACTOR: OceanLotus": [[244, 254], [526, 536]], "ORGANIZATION: RedDrip": [[398, 405]], "THREAT_ACTOR: Moafee": [[539, 545]]}, "info": {"id": "cyberner_stix_test_000610", "source": "cyberner_stix_test"}} +{"text": "Always keep the \" Unknown Sources '' option disabled in the Android device . Ke3chang behind the attacks seemed to have a particular interest in Slovakia , where a big portion of the discovered malware samples was detected; Croatia , the Czech Republic and other countries were also affected . Ke3chang is a threat group attributed to actors operating out of China .", "spans": {"SYSTEM: Android": [[60, 67]], "THREAT_ACTOR: Ke3chang": [[77, 85], [294, 302]]}, "info": {"id": "cyberner_stix_test_000611", "source": "cyberner_stix_test"}} +{"text": "EventBot uses multiple methods to exploit accessibility events for webinjects and other information stealing purposes . Our technical analysis of the malware used in these attacks showed close ties to BS2005 backdoors from operation Ke3chang , and to a related TidePool malware family discovered by Palo Alto Networks in 2016 that targeted Indian embassies across the globe . 
Since at least 2014 , APT32 , also known as the OceanLotus Group , has targeted foreign corporations with investments in Vietnam , foreign governments , journalists , and Vietnamese dissidents .", "spans": {"MALWARE: EventBot": [[0, 8]], "MALWARE: malware": [[150, 157]], "MALWARE: BS2005 backdoors": [[201, 217]], "MALWARE: TidePool malware": [[261, 277]], "ORGANIZATION: Palo Alto": [[299, 308]], "THREAT_ACTOR: APT32": [[398, 403]], "THREAT_ACTOR: OceanLotus Group": [[424, 440]], "ORGANIZATION: foreign corporations": [[456, 476]], "ORGANIZATION: foreign governments": [[507, 526]], "ORGANIZATION: journalists": [[529, 540]], "ORGANIZATION: dissidents": [[558, 568]]}, "info": {"id": "cyberner_stix_test_000612", "source": "cyberner_stix_test"}} +{"text": "Infection Chain As with our earlier reports in late March , the attack chain involves diverting internet traffic to attacker-specified domains by compromising and overwriting the router ’ s DNS settings . Donot attacked government agencies , aiming for classified intelligence . 
This new script performs a ping to “ www[.cloudflare[.com ” for three times with a delay of 3000ms , testing the connectivity of the victim machine .", "spans": {"THREAT_ACTOR: Donot": [[205, 210]], "ORGANIZATION: government agencies": [[220, 239]], "DOMAIN: www[.cloudflare[.com": [[316, 336]]}, "info": {"id": "cyberner_stix_test_000613", "source": "cyberner_stix_test"}} +{"text": "In all other cases , we believe the group simply repurposed publicly available exploits or proofs of concept .", "spans": {}, "info": {"id": "cyberner_stix_test_000614", "source": "cyberner_stix_test"}} +{"text": "On the 23rd of October 2014 , Leviathan Security Group published a blog post describing a malicious Tor exit node they had found .", "spans": {"ORGANIZATION: Leviathan Security Group": [[30, 54]], "TOOL: Tor": [[100, 103]]}, "info": {"id": "cyberner_stix_test_000615", "source": "cyberner_stix_test"}} +{"text": "As an example , specific CIA malware revealed in Year Zero is able to penetrate , infest and control both the Android phone and iPhone software that runs or has run presidential Twitter accounts . The operation against the Tibetan Parliamentarians illustrates the continued use of malicious attachments in the form of documents bearing exploits .", "spans": {"THREAT_ACTOR: CIA": [[25, 28]], "TOOL: malware": [[29, 36]], "ORGANIZATION: Tibetan Parliamentarians": [[223, 247]], "FILEPATH: malicious attachments": [[281, 302]], "MALWARE: documents bearing exploits": [[318, 344]]}, "info": {"id": "cyberner_stix_test_000616", "source": "cyberner_stix_test"}} +{"text": "More recently , we have seen Bread-related apps trying to hide malicious code in a native library shipped with the APK . After the publication of the original report , these sites were taken offline despite the fact that one agent was even updated a six days prior to our post ( the \" Khuai \" application ) . any of the RAT commands in the zxshell.dll . 
There are several indicators of compromise that organizations should monitor .", "spans": {"MALWARE: Bread-related": [[29, 42]], "TOOL: Khuai": [[285, 290]], "TOOL: RAT": [[320, 323]], "FILEPATH: zxshell.dll": [[340, 351]]}, "info": {"id": "cyberner_stix_test_000617", "source": "cyberner_stix_test"}} +{"text": "First , there is a small dropper , then a large second stage payload that contains multiple binaries ( where most of the surveillance functionality is implemented ) , and finally a third stage which typically uses the DirtyCOW exploit ( CVE-2016-5195 ) to obtain root . Since 2013 Carbanak has successfully gained access to networks of more than 50 banks and 5 payment systems . MuddyWater has engaged in prolific spear phishing of government and defense entities in Central and Southwest Asia .", "spans": {"VULNERABILITY: DirtyCOW exploit": [[218, 234]], "VULNERABILITY: CVE-2016-5195": [[237, 250]], "VULNERABILITY: Carbanak": [[281, 289]], "ORGANIZATION: banks": [[349, 354]], "ORGANIZATION: payment systems": [[361, 376]], "THREAT_ACTOR: MuddyWater": [[379, 389]], "ORGANIZATION: defense entities": [[447, 463]]}, "info": {"id": "cyberner_stix_test_000618", "source": "cyberner_stix_test"}} +{"text": "The first example of this is in the onStart function , where the malware looks for the string “ Emulator ” and a x86 processor model . One of the domains used by FIN7 in their 2018 campaign of spear phishing contained more than 130 email HackOrges , leading us to think that more than 130 companies had been targeted by the end of 2018 . 
Three months after the Olympics-themed attacks , FireEye observed a new BS2005 campaign labeled \" newtiger \" , which is possibly a reference to an older 2010 campaign labeled \" tiger \" .", "spans": {"THREAT_ACTOR: FIN7": [[162, 166]], "ORGANIZATION: FireEye": [[387, 394]]}, "info": {"id": "cyberner_stix_test_000619", "source": "cyberner_stix_test"}} +{"text": "This file requires the target to attempt to open the .lnk file , which redirects the user to a Windows Scripting Component ( .wsc ) file , hosted on an adversary-controlled microblogging page . The configuration file then loads the Trochilus payload into memory by injecting it into a valid system process .", "spans": {"MALWARE: .lnk file": [[53, 62]], "FILEPATH: configuration file": [[198, 216]]}, "info": {"id": "cyberner_stix_test_000620", "source": "cyberner_stix_test"}} +{"text": "One involves drive-by downloads , possibly on booby-trapped porn sites . WannaCry utilizes EternalBlue by crafting a custom SMB session request with hard-coded values based on the target system . APT33 : 64.251.19.217 [REDACTED].myftp.org . The encrypted files contain a marker string 0x666 followed by the data appended by the ransomware .", "spans": {"TOOL: WannaCry": [[73, 81]], "VULNERABILITY: EternalBlue": [[91, 102]], "TOOL: SMB": [[124, 127]], "THREAT_ACTOR: APT33": [[196, 201]], "IP_ADDRESS: 64.251.19.217": [[204, 217]], "DOMAIN: [REDACTED].myftp.org": [[218, 238]]}, "info": {"id": "cyberner_stix_test_000621", "source": "cyberner_stix_test"}} +{"text": "these characteristics all highlight the likelihood that VOODOO BEAR operates in alignment with Russian state interests . 
This week the experts at FireEye discovered that a group of Chinese-based hackers called admin@338 had sent multiple MH370-themed spear phishing emails , the attackers targeted government officials in Asia-Pacific , it is likely for cyber espionage purpose .", "spans": {"THREAT_ACTOR: VOODOO BEAR": [[56, 67]], "ORGANIZATION: FireEye": [[146, 153]], "THREAT_ACTOR: admin@338": [[210, 219]], "TOOL: emails": [[266, 272]], "THREAT_ACTOR: attackers": [[279, 288]], "ORGANIZATION: government officials": [[298, 318]], "THREAT_ACTOR: cyber espionage": [[354, 369]]}, "info": {"id": "cyberner_stix_test_000622", "source": "cyberner_stix_test"}} +{"text": "Patchwork ( also known as Dropping Elephant ) is a cyberespionage group whose targets included diplomatic and government agencies as well as businesses . The fieldwork generated extensive data that allowed us to examine Tibetan information security practices , as well as capture real-time evidence of malware that had penetrated Tibetan computer systems .", "spans": {"THREAT_ACTOR: Patchwork": [[0, 9]], "THREAT_ACTOR: Dropping Elephant": [[26, 43]], "THREAT_ACTOR: cyberespionage group": [[51, 71]], "ORGANIZATION: diplomatic": [[95, 105]], "ORGANIZATION: government agencies": [[110, 129]], "ORGANIZATION: businesses": [[141, 151]], "ORGANIZATION: Tibetan information security practices": [[220, 258]], "ORGANIZATION: Tibetan": [[330, 337]]}, "info": {"id": "cyberner_stix_test_000623", "source": "cyberner_stix_test"}} +{"text": "In this blog post , we describe Chrysaor , a newly discovered family of spyware that was used in a targeted attack on a small number of Android devices , and how investigations like this help Google protect Android users from a variety of threats . Researching the hacker handle MagicCoder results in references to the Iranian hacking forum Ashiyane as well as defacements by the Iranian hacker group Sun Army . APT33 : 192.119.15.38 [REDACTED].ddns.net . 
None Ensure X - Forwarded - For header is configured to log true external IP addresses for request to proxied services .", "spans": {"MALWARE: Chrysaor": [[32, 40]], "SYSTEM: Android": [[136, 143], [207, 214]], "ORGANIZATION: Google": [[192, 198]], "THREAT_ACTOR: hacker": [[265, 271]], "THREAT_ACTOR: Ashiyane": [[341, 349]], "THREAT_ACTOR: hacker group": [[388, 400]], "THREAT_ACTOR: Sun Army": [[401, 409]], "THREAT_ACTOR: APT33": [[412, 417]], "IP_ADDRESS: 192.119.15.38": [[420, 433]], "DOMAIN: [REDACTED].ddns.net": [[434, 453]]}, "info": {"id": "cyberner_stix_test_000624", "source": "cyberner_stix_test"}} +{"text": "How did it work ? Microsoft Analytics shows that Winnti has been used in intrusions carried out throughout Asia , Europe , Oceania , the Middle East , and the United States in the last six months ( Figure 1 ) . Careful research , however , allowed the identification of some of the attackers ’ victims : East Asian governments , Taiwanese electronics manufacturers , A telecommunications company . In fact , this chain also leads to NetSupport RAT .", "spans": {"ORGANIZATION: Microsoft Analytics": [[18, 37]], "TOOL: Winnti": [[49, 55]], "TOOL: NetSupport RAT": [[433, 447]]}, "info": {"id": "cyberner_stix_test_000625", "source": "cyberner_stix_test"}} +{"text": "MD5 : 43fad2d62bc23ffdc6d301571135222c .", "spans": {"FILEPATH: 43fad2d62bc23ffdc6d301571135222c": [[6, 38]]}, "info": {"id": "cyberner_stix_test_000626", "source": "cyberner_stix_test"}} +{"text": "Payments are made to a specific Bitcoin account , but we haven ’ t identified any payments so far . However , some phishing emails were sent to bank employees in more than 25 countries of Central and Western Europe , Africa and Asia including : Kyrgyzstan , Armenia , Georgia , Serbia , Germany , Latvia , Czech Republic , Romania , Kenya , Israel , Cyprus , Greece , Turkey , Taiwan , Malaysia , Switzerland , Vietnam , Austria , Uzbekistan , Great Britain , Hong Kong , and others . 
To deliver their malware , the cyber criminals use spearphishing emails with various types of attachments : MS Office documents or spreadsheet files exploiting some known vulnerability like CVE-2017-11882 , or documents with Ole2Link and SCT . Monitor for changes made to windows registry keys and/or values that may attempt to hide artifacts associated with their behaviors to evade detection .", "spans": {"SYSTEM: Bitcoin": [[32, 39]], "ORGANIZATION: bank employees": [[144, 158]], "TOOL: emails": [[550, 556]], "ORGANIZATION: MS": [[593, 595]], "TOOL: Office": [[596, 602]], "VULNERABILITY: CVE-2017-11882": [[675, 689]], "VULNERABILITY: Ole2Link": [[710, 718]], "VULNERABILITY: SCT": [[723, 726]]}, "info": {"id": "cyberner_stix_test_000627", "source": "cyberner_stix_test"}} +{"text": "These domains were used by the Dukes in campaigns involving many of their different malware toolsets all the way until 2014 .", "spans": {"THREAT_ACTOR: Dukes": [[31, 36]]}, "info": {"id": "cyberner_stix_test_000628", "source": "cyberner_stix_test"}} +{"text": "Suckfly has a number of hacktools and malware varieties at its disposal : Back door , Keylogger , Port scanner , Misc. tool , Exploit , Credential dumper , Privilage escalation .", "spans": {"THREAT_ACTOR: Suckfly": [[0, 7]], "TOOL: Back door": [[74, 83]], "TOOL: Keylogger": [[86, 95]], "TOOL: Port scanner": [[98, 110]], "TOOL: Misc.": [[113, 118]], "TOOL: Exploit": [[126, 133]], "TOOL: dumper": [[147, 153]], "VULNERABILITY: Privilage escalation": [[156, 176]]}, "info": {"id": "cyberner_stix_test_000629", "source": "cyberner_stix_test"}} +{"text": "It is used to remotely control web servers , and has been used in many attacks against Australian web hosting providers . 
Our experts have found that cybercriminals are actively focusing on SMBs , and giving particular attention to accountants .", "spans": {"ORGANIZATION: hosting providers": [[102, 119]], "MALWARE: SMBs": [[190, 194]], "ORGANIZATION: accountants": [[232, 243]]}, "info": {"id": "cyberner_stix_test_000630", "source": "cyberner_stix_test"}} +{"text": "Information gathered from the email account provides a lot of the victims ’ personal data , including messages from IM applications . Working with U.S. government partners , DHS and FBI identified Internet Protocol ( IP ) addresses and other indicators of compromise ( IOCs ) associated with a remote administration tool ( RAT ) used by the North Korean government—commonly known as FALLCHILL . At this point , the attackers ceased activity while maintaining access to the network until February 21 . We have observed CADDYWIPER deployed across several verticals in Ukraine , including the government and financial sectors , throughout Russia ’s invasion of Ukraine .", "spans": {"ORGANIZATION: government": [[152, 162], [590, 600]], "ORGANIZATION: DHS": [[174, 177]], "ORGANIZATION: FBI": [[182, 185]], "TOOL: remote administration tool": [[294, 320]], "TOOL: RAT": [[323, 326]], "TOOL: FALLCHILL": [[383, 392]], "TOOL: CADDYWIPER": [[518, 528]], "ORGANIZATION: financial sectors": [[605, 622]], "THREAT_ACTOR: Russia ’s invasion of Ukraine .": [[636, 667]]}, "info": {"id": "cyberner_stix_test_000631", "source": "cyberner_stix_test"}} +{"text": "This variant of Zebrocy is functionally very similar to the Delphi based payloads discussed in our previous publication on Sofacy attacks using Zebrocy earlier this year .", "spans": {"MALWARE: Zebrocy": [[16, 23], [144, 151]], "TOOL: Delphi": [[60, 66]], "THREAT_ACTOR: Sofacy": [[123, 129]]}, "info": {"id": "cyberner_stix_test_000632", "source": "cyberner_stix_test"}} +{"text": "Charger SHA256 hash : 58eb6c368e129b17559bdeacb3aed4d9a5d3596f774cf5ed3fdcf51775232ba0 Infostealer , Keylogger , and 
Ransomware in One : Anubis Targets More than 250 Android Applications October 29 , 2021 The Cofense Phishing Defense Center uncovered a phishing campaign that specifically targets users of Android devices that could result in compromise if unsigned Android applications are permitted on the device . Given its use in more advanced social engineering campaigns against women 's rights activists , the label seem particularly apt . It is possible that the CopyPaste operators were influenced by open-source publications and do not have any ties with FIN7 . In our Google Analytics platform , we will see the data as : In our demo the DP will result in page view of Which will be decoded from base64 as : The source of the problem is that the CSP rule system is n’t granular enough .", "spans": {"MALWARE: Anubis": [[137, 143]], "SYSTEM: Android": [[166, 173], [306, 313], [366, 373]], "ORGANIZATION: Cofense Phishing Defense Center": [[209, 240]], "ORGANIZATION: social engineering campaigns": [[448, 476]], "ORGANIZATION: women 's rights activists": [[485, 510]], "THREAT_ACTOR: CopyPaste": [[571, 580]], "THREAT_ACTOR: FIN7": [[665, 669]], "SYSTEM: Google Analytics platform": [[679, 704]], "SYSTEM: CSP rule system": [[857, 872]]}, "info": {"id": "cyberner_stix_test_000633", "source": "cyberner_stix_test"}} +{"text": "these lines instead : Data Collection and Exfiltration As mentioned , mike.jar equips the spyware with extensive collection capabilities , including : Retrieve a list of installed applications . In this case , the attackers maintained a presence on the target 's network for nearly six months between September 2016 and March 2017 . JhoneRAT : https://drive.google.com/uc?export=download&id=1d-toE89QnN5ZhuNZIc2iF4-cbKWtk0FD . 
This newest edition of the malware includes novel documents containing macros that extract the embedded package once opened and execute it once the document closes instead of having the victim click on a video link as before .", "spans": {"MALWARE: JhoneRAT": [[333, 341]], "DOMAIN: https://drive.google.com/uc?export=download&id=1d-toE89QnN5ZhuNZIc2iF4-cbKWtk0FD": [[344, 424]], "MALWARE: malware": [[454, 461]]}, "info": {"id": "cyberner_stix_test_000634", "source": "cyberner_stix_test"}} +{"text": "Philadelphia ransomware has been circulating since September 2016 .", "spans": {"MALWARE: Philadelphia": [[0, 12]]}, "info": {"id": "cyberner_stix_test_000635", "source": "cyberner_stix_test"}} +{"text": "Distribution / Infection When this campaign started at the start of 2018 , the malware ( \" GlanceLove '' , \" WinkChat '' ) was distributed by the perpetrators mainly via fake Facebook profiles , attempting to seduce IDF soldiers to socialize on a different platform ( their malware ) . In the investigations Mandiant has conducted , it appeared that APT29 deployed POSHSPY as a secondary backdoor for use if they lost access to their primary backdoors . It should be noted that the file name was changed throughout this campaign . 
The attacks reportedly use social engineering to create Trojan email campaigns customdesigned for their victims , the article stated .", "spans": {"MALWARE: GlanceLove": [[91, 101]], "MALWARE: WinkChat": [[109, 117]], "SYSTEM: Facebook": [[175, 183]], "ORGANIZATION: Mandiant": [[308, 316]], "THREAT_ACTOR: APT29": [[350, 355]], "TOOL: POSHSPY": [[365, 372]]}, "info": {"id": "cyberner_stix_test_000636", "source": "cyberner_stix_test"}} +{"text": "We believe the formation of the second botnet began in August 2014 and continued until January 2015 .", "spans": {}, "info": {"id": "cyberner_stix_test_000637", "source": "cyberner_stix_test"}} +{"text": "Their findings pointed to what appears to be the initial point of compromise the attackers used : a document containing a malicious macro that , when approved to execute , enabled C2 communications to the attacker ’s server and remote shell via PowerShell .", "spans": {"TOOL: PowerShell": [[245, 255]]}, "info": {"id": "cyberner_stix_test_000638", "source": "cyberner_stix_test"}} +{"text": "The first known sample of the CosmicDuke toolset was compiled on the 16th of January 2010 .", "spans": {"MALWARE: CosmicDuke": [[30, 40]]}, "info": {"id": "cyberner_stix_test_000639", "source": "cyberner_stix_test"}} +{"text": "Audit transaction logs regularly for suspicious activity .", "spans": {}, "info": {"id": "cyberner_stix_test_000640", "source": "cyberner_stix_test"}} +{"text": "Stealing Facebook credentials using fake Facebook activity is something we did n't observe in Spynote/Spymax versions but was seen in this spyware . Over the past three years , Filensfer has been deployed against organizations in Luxembourg , Sweden , Italy , the UK , and the U.S . 
The group has targeted a variety of industries , including financial , government , energy , chemical , and telecommunications , and has largely focused its operations within the Middle East .", "spans": {"ORGANIZATION: Facebook": [[9, 17], [41, 49]], "MALWARE: Spynote/Spymax": [[94, 108]], "MALWARE: Filensfer": [[177, 186]], "ORGANIZATION: financial": [[342, 351]], "ORGANIZATION: government": [[354, 364]], "ORGANIZATION: energy": [[367, 373]], "ORGANIZATION: chemical": [[376, 384]], "ORGANIZATION: telecommunications": [[391, 409]]}, "info": {"id": "cyberner_stix_test_000641", "source": "cyberner_stix_test"}} +{"text": "The stolen parameters follow : ID IMSI IMEI Phone number Operator AID Model Brand Version Build Battery percentage Wi-Fi connection state Wake time Are logs enabled ? Transparent Tribe has been active for several years and conducting suspected intelligence collection operations against South Asian political and military targets . In early November 2018 , CrowdStrike observed activity from the HELIX KITTEN adversary at a customer in the telecommunications vertical .", "spans": {"ORGANIZATION: political": [[299, 308]], "ORGANIZATION: military": [[313, 321]], "ORGANIZATION: CrowdStrike": [[357, 368]], "THREAT_ACTOR: HELIX KITTEN": [[396, 408]], "ORGANIZATION: telecommunications": [[440, 458]]}, "info": {"id": "cyberner_stix_test_000642", "source": "cyberner_stix_test"}} +{"text": "The ACCESS_SUPERUSER may have been removed because it was deprecated upon the release of Android 5.0 Lollipop which happened in 2014 . It's unclear how Cadelle infects its targets with Backdoor.Cadelspy . In June 2014, Arbor Networks published an article describing the RIPTIDE backdoor and its C2 infrastructure in great depth . 
Metamorfo has communicated with hosts over raw TCP on port 9999.[24 ]", "spans": {"SYSTEM: Android 5.0": [[89, 100]], "SYSTEM: Lollipop": [[101, 109]], "TOOL: Backdoor.Cadelspy": [[185, 202]], "ORGANIZATION: Arbor": [[219, 224]], "MALWARE: RIPTIDE backdoor": [[270, 286]], "TOOL: C2": [[295, 297]], "MALWARE: Metamorfo": [[330, 339]]}, "info": {"id": "cyberner_stix_test_000643", "source": "cyberner_stix_test"}} +{"text": "Falcon Intelligence has analyzed this malware and can confirm the overlap between BitPaymer/FriedEx and Dridex malware . Earlier this month , we caught another zero-day Adobe Flash Player exploits deployed in targeted attacks .", "spans": {"ORGANIZATION: Falcon Intelligence": [[0, 19]], "TOOL: BitPaymer/FriedEx": [[82, 99]], "TOOL: Dridex malware": [[104, 118]], "VULNERABILITY: zero-day": [[160, 168]], "TOOL: Adobe Flash Player": [[169, 187]]}, "info": {"id": "cyberner_stix_test_000644", "source": "cyberner_stix_test"}} +{"text": "After the review , the process is the same as above . APT16 actors sent spear phishing emails to two Taiwanese media organizations . The data will eventually be written to disk and the malware sets the next query action to D in order to request the next chunk of . “ It appears to be the email address Will used for his profiles , ” the IT director replied .", "spans": {"THREAT_ACTOR: APT16 actors": [[54, 66]], "ORGANIZATION: media organizations": [[111, 130]], "THREAT_ACTOR: Will": [[302, 306]], "ORGANIZATION: IT director": [[337, 348]]}, "info": {"id": "cyberner_stix_test_000645", "source": "cyberner_stix_test"}} +{"text": "RoomTap : silently answers a telephone call and stays connected in the background , allowing the caller to hear conversations within the range of the phone 's microphone . Known targets of the Leviathan have been involved in the maritime industry , and research institutes , academic organizations , and private firms in the United States . 
In the first three variants , the code was not recompiled , but the configuration data was edited in the DLL file itself . Once an actor was able to successfully achieve session hijacking , the threat actor performed actions including host and network reconnaissance of the victim environment , credential harvesting , and lateral movement via RDP .", "spans": {"THREAT_ACTOR: Leviathan": [[193, 202]], "ORGANIZATION: maritime industry": [[229, 246]], "ORGANIZATION: research institutes": [[253, 272]], "ORGANIZATION: academic organizations": [[275, 297]], "ORGANIZATION: private firms": [[304, 317]], "TOOL: DLL": [[446, 449]]}, "info": {"id": "cyberner_stix_test_000646", "source": "cyberner_stix_test"}} +{"text": "According to the security firm , this campaign targeted Indian military officials via spear-phishing emails , distributing spyware to its victims via an Adobe Reader vulnerability . the targets of the hacking group were in the automotive .", "spans": {"ORGANIZATION: security firm": [[17, 30]], "VULNERABILITY: Adobe Reader vulnerability": [[153, 179]], "ORGANIZATION: automotive": [[227, 237]]}, "info": {"id": "cyberner_stix_test_000647", "source": "cyberner_stix_test"}} +{"text": "Because TA505 is such a significant part of the email threat landscape , this blog provides a retrospective on the shifting malware , payloads , and campaigns associated with this actor .", "spans": {"THREAT_ACTOR: TA505": [[8, 13]], "TOOL: email": [[48, 53]]}, "info": {"id": "cyberner_stix_test_000648", "source": "cyberner_stix_test"}} +{"text": "This malicious program spreads via SMS spam and from compromised legitimate sites that redirect mobile users to a malicious resource . The Tropic Trooper threat actor group has been known to target governments and organizations in the Asia Pacific region for at least six years . 
That these samples , in addition to having been found at these universities , contain campaign IDs matching the universities ’ names and use C&C URLs containing the universities ’ names are good indications that this campaign is highly targeted . 8.8 Management of technical vulnerabilities – prioritizing the mitigation and patching of vulnerabilities based on their potential and current risk of abuse requires identifying the assessed severity of a vulnerability and how this may change .", "spans": {"THREAT_ACTOR: Tropic Trooper threat actor group": [[139, 172]], "ORGANIZATION: governments": [[198, 209]], "TOOL: C&C": [[421, 424]]}, "info": {"id": "cyberner_stix_test_000649", "source": "cyberner_stix_test"}} +{"text": "In our test , this command was the value 3 . APT35 typically targets U.S. and the Middle Eastern military , diplomatic and government personnel , organizations in the media , energy and defense industrial base ( DIB ) , and engineering , business services and telecommunications sectors . The first two bytes of that array specify the relative offsets to the key and IV respectively . 
Furthermore , our analysis of the activity suggests Russia would be capable of developing similar capabilities against other SCADA systems and programming languages beyond MicroSCADA and SCIL .", "spans": {"THREAT_ACTOR: APT35": [[45, 50]], "ORGANIZATION: military": [[97, 105]], "ORGANIZATION: diplomatic": [[108, 118]], "ORGANIZATION: government personnel": [[123, 143]], "ORGANIZATION: organizations": [[146, 159]], "ORGANIZATION: media": [[167, 172]], "ORGANIZATION: energy": [[175, 181]], "ORGANIZATION: defense industrial base": [[186, 209]], "ORGANIZATION: DIB": [[212, 215]], "ORGANIZATION: engineering": [[224, 235]], "ORGANIZATION: business services": [[238, 255]], "ORGANIZATION: telecommunications sectors": [[260, 286]], "THREAT_ACTOR: Russia": [[437, 443]], "SYSTEM: SCADA systems": [[510, 523]], "SYSTEM: programming languages": [[528, 549]], "SYSTEM: MicroSCADA": [[557, 567]], "SYSTEM: SCIL": [[572, 576]]}, "info": {"id": "cyberner_stix_test_000650", "source": "cyberner_stix_test"}} +{"text": "Even without capabilities to exploit a device , the packages were able to exfiltrate the following types of data using documented APIs : Contacts Audio recordings Photos Videos GPS location Device information In addition , the packages offered a feature to perform remote audio recording . The group 's capabilities are more than the much discussed CVE-2012-0158 exploits over the past few years . 
In this latest activity , BlackWater first added an obfuscated Visual Basic for Applications ( VBA ) script to establish persistence as a registry key .", "spans": {"SYSTEM: GPS": [[177, 180]], "THREAT_ACTOR: group": [[294, 299]], "VULNERABILITY: CVE-2012-0158": [[349, 362]], "TOOL: Visual Basic for Applications": [[461, 490]], "TOOL: VBA": [[493, 496]]}, "info": {"id": "cyberner_stix_test_000651", "source": "cyberner_stix_test"}} +{"text": "They used the RasMan ( Remote Access Connection Manager ) Windows service to register the next payload with a persistence mechanism .", "spans": {"TOOL: RasMan": [[14, 20]], "TOOL: Remote Access Connection Manager": [[23, 55]], "SYSTEM: Windows": [[58, 65]]}, "info": {"id": "cyberner_stix_test_000652", "source": "cyberner_stix_test"}} +{"text": "Files using simple PHP-based web shells were also used to attack systems with weak SSH and Telnet credentials .", "spans": {"TOOL: PHP-based": [[19, 28]]}, "info": {"id": "cyberner_stix_test_000653", "source": "cyberner_stix_test"}} +{"text": "In the image below , the function recursively collects all the text data from the child nodes of each accessibility node . The espionage group , which according to the U.S. Department of Homeland Security ( DHS ) and the Federal Bureau of Investigation ( FBI ) is linked to the Russian government , returned to low-key intelligence-gathering operations during 2017 and into 2018 , targeting a range of military and government targets in Europe and South America . 
In September 2015 , our anti-targeted attack technologies caught a previously unknown attack .", "spans": {"THREAT_ACTOR: espionage group": [[127, 142]], "ORGANIZATION: Department of Homeland Security": [[173, 204]], "ORGANIZATION: DHS": [[207, 210]], "ORGANIZATION: FBI": [[255, 258]], "ORGANIZATION: military": [[402, 410]], "ORGANIZATION: government": [[415, 425]]}, "info": {"id": "cyberner_stix_test_000654", "source": "cyberner_stix_test"}} +{"text": "Recent blogs by the Zscaler research team explain how some variants of Android malware are exploiting the popularity of this game and tricking Android users into downloading a fake version . The tool was written by sta of Thyssenkrupp , because the industrial giant—company number eleven—had been spied on by Winnti . Gallmaker used lure documents attempt to exploit the Microsoft Office Dynamic Data Exchange ( DDE ) protocol in order to gain access to victim machines .", "spans": {"ORGANIZATION: Zscaler": [[20, 27]], "MALWARE: Android": [[71, 78]], "SYSTEM: Android": [[143, 150]], "TOOL: Thyssenkrupp": [[222, 234]], "THREAT_ACTOR: Winnti": [[309, 315]], "THREAT_ACTOR: Gallmaker": [[318, 327]], "VULNERABILITY: exploit": [[359, 366]], "TOOL: Microsoft Office Dynamic Data Exchange": [[371, 409]], "TOOL: DDE": [[412, 415]]}, "info": {"id": "cyberner_stix_test_000655", "source": "cyberner_stix_test"}} +{"text": "In April , 2018 , the 360 Core Security takes the lead in capturing the APT-C-06 group’s new APT attack using 0-day vulnerabilities (CVE-2018-8174) in the wild . 
APT32 actors continue to deliver the malicious attachments via spear-phishing emails .", "spans": {"ORGANIZATION: 360 Core Security": [[22, 39]], "THREAT_ACTOR: APT-C-06": [[72, 80]], "VULNERABILITY: (CVE-2018-8174)": [[132, 147]], "THREAT_ACTOR: APT32": [[162, 167]], "FILEPATH: malicious attachments": [[199, 220]], "TOOL: emails": [[240, 246]]}, "info": {"id": "cyberner_stix_test_000656", "source": "cyberner_stix_test"}} +{"text": "UNDER ACTIVE DEVELOPMENT An analysis of new FakeSpy samples to old ones showed code discrepancies and new features . This threat actor stole suspected of stealing €13 million from Bank of Valetta , Malta earlier this year . This attack used the crisis in Syria as a lure to deliver malware to its targets .", "spans": {"MALWARE: FakeSpy": [[44, 51]], "THREAT_ACTOR: threat actor": [[122, 134]], "ORGANIZATION: Bank": [[180, 184]]}, "info": {"id": "cyberner_stix_test_000657", "source": "cyberner_stix_test"}} +{"text": "This report describes the details and type of operations carried out by Carbanak that focuses on financial industry , such as payment providers , retail industry and PR companies . For years , Turla has relied , among other impersonations , on fake Flash installers to compromise victims .", "spans": {"VULNERABILITY: Carbanak": [[72, 80]], "ORGANIZATION: financial industry": [[97, 115]], "ORGANIZATION: payment providers": [[126, 143]], "ORGANIZATION: retail industry": [[146, 161]], "ORGANIZATION: PR companies": [[166, 178]], "THREAT_ACTOR: Turla": [[193, 198]], "MALWARE: fake Flash installers": [[244, 265]]}, "info": {"id": "cyberner_stix_test_000658", "source": "cyberner_stix_test"}} +{"text": "Cadelle 's threats are capable of opening a back door and stealing information from victims' computers . 
CTU researchers have observed TG-3390 compromising a target organization 's externally and internally accessible assets , such as an OWA server , and adding redirect code to point internal users to an external website that hosts an exploit and delivers malware .", "spans": {"ORGANIZATION: CTU": [[105, 108]], "THREAT_ACTOR: TG-3390": [[135, 142]], "VULNERABILITY: exploit": [[337, 344]]}, "info": {"id": "cyberner_stix_test_000659", "source": "cyberner_stix_test"}} +{"text": "Its data-stealing capabilities include collecting SMSs after receiving an SMS-related broadcast event and covertly recording phone calls . Our previous post on Sofacy's 2017 activity stepped away from the previously covered headline buzz presenting their association with previously known political hacks and interest in Europe and the US , and examines their under-reported ongoing activity in middle east , central asia , and now a shift in targeting further east , including China , along with an overlap surprise . TektonIT RMS acts as a remote administration tool , allowing the attacker to gain complete access to the victim machine .", "spans": {"THREAT_ACTOR: Sofacy's": [[160, 168]], "TOOL: TektonIT": [[519, 527]], "TOOL: RMS": [[528, 531]]}, "info": {"id": "cyberner_stix_test_000660", "source": "cyberner_stix_test"}} +{"text": "This seems confusing as FireEye earlier publicly declared the “ TRITON actor ” as a discrete entity , linked to a Russian research institution , and christened it as “ TEMP.Veles ” .", "spans": {"ORGANIZATION: FireEye": [[24, 31]], "MALWARE: TRITON": [[64, 70]], "THREAT_ACTOR: TEMP.Veles": [[168, 178]]}, "info": {"id": "cyberner_stix_test_000661", "source": "cyberner_stix_test"}} +{"text": "This sample only includes Dalvik bytecode and resources without any native libraries . After performing investigations on the classified victims , we find the attacker targets big companies and government agencies in Colombia . 
Its detection and removal can be difficult due to the various techniques used to conceal its presence , such as disabling the host anti-virus , masking its installation on a system with a valid service name , and by masking outbound traffic as originating from a web browser . Recognizing and stopping the above malicious JavaScript request requires advanced visibility solutions that can detect the access and exfiltration of sensitive user data ( in this case the user ’s email address and password ) .", "spans": {"ORGANIZATION: government agencies": [[194, 213]], "MALWARE: malicious JavaScript request": [[540, 568]]}, "info": {"id": "cyberner_stix_test_000662", "source": "cyberner_stix_test"}} +{"text": "Its dropper family finished integration with Bundle Feng Shui and campaign C & C infrastructure was shifted to AWS cloud . In 2013 , Rapid7 reported on a series of relatively amateur attacks against Pakistani targets . Dexphot : 72acaf9ff8a43c68416884a3fff3b23e749b4bb8fb39e16f9976643360ed391f . FireEye detects this activity across our platforms .", "spans": {"SYSTEM: AWS": [[111, 114]], "ORGANIZATION: Rapid7": [[133, 139]], "MALWARE: Dexphot": [[219, 226]], "FILEPATH: 72acaf9ff8a43c68416884a3fff3b23e749b4bb8fb39e16f9976643360ed391f": [[229, 293]], "ORGANIZATION: FireEye": [[296, 303]]}, "info": {"id": "cyberner_stix_test_000663", "source": "cyberner_stix_test"}} +{"text": "The adversaries have used this technique to allow PlugX and HttpBrowser to persist on a system .", "spans": {"MALWARE: PlugX": [[50, 55]], "MALWARE: HttpBrowser": [[60, 71]]}, "info": {"id": "cyberner_stix_test_000664", "source": "cyberner_stix_test"}} +{"text": "We see WolfRAT specifically targeting a highly popular encrypted chat app in Asia , Line , which suggests that even a careful user with some awareness around end-to-end encryption chats would still be at the mercy of WolfRAT and it 's prying eyes . 
We encountered the first document exploit called \" THAM luan - GD - NCKH2.doc \" a few days ago , which appears to be leveraging some vulnerabilities patched with MS12-060 . Most recently , FireEye observed HIGHTIDE at multiple Taiwan-based organizations and the suspected APT12 WATERSPOUT backdoor at a Japan-based electronics company . On June 22 , @AnFam17 spotted the same fake browser update leveraging URL shortcuts .", "spans": {"MALWARE: WolfRAT": [[7, 14], [217, 224]], "SYSTEM: Line": [[84, 88]], "MALWARE: THAM luan - GD -": [[300, 316]], "MALWARE: NCKH2.doc": [[317, 326]], "TOOL: MS12-060": [[411, 419]], "ORGANIZATION: FireEye": [[438, 445]], "MALWARE: HIGHTIDE": [[455, 463]], "THREAT_ACTOR: APT12": [[521, 526]], "MALWARE: WATERSPOUT backdoor": [[527, 546]], "ORGANIZATION: @AnFam17": [[599, 607]]}, "info": {"id": "cyberner_stix_test_000665", "source": "cyberner_stix_test"}} +{"text": "The base64-encoded image is then uploaded to an image recognition service . Bellingcat also reported the domain had been used previously to host potential decoy documents as detailed in VirusTotal here using hxxp://voguextra.com/decoy.doc . Its principal duties are to create the ZxShell main DLL in “ c:\\Windows\\System32\\commhlp32.dll ” and to install the Kernel “ Load Image Notify routine ” . 
We provide at - risk organizations with the following discovery methods to conduct threat hunts for tactics , techniques , and procedures ( TTPs ) implemented derived from the toolset : • Establish collection and aggregation of host - based logs for crown jewels systems such as human - machine interfaces ( HMI ) , engineering workstations ( EWS ) , and OPC client servers within their environments and review logs for the evidence of Python script or unauthorized code execution on these systems .", "spans": {"ORGANIZATION: Bellingcat": [[76, 86]], "MALWARE: decoy documents": [[155, 170]], "MALWARE: hxxp://voguextra.com/decoy.doc": [[208, 238]], "MALWARE: ZxShell": [[280, 287]], "TOOL: DLL": [[293, 296]], "FILEPATH: c:\\Windows\\System32\\commhlp32.dll": [[302, 335]], "TOOL: Load Image Notify routine": [[366, 391]], "ORGANIZATION: risk organizations": [[412, 430]], "SYSTEM: human - machine interfaces ( HMI": [[675, 707]], "SYSTEM: engineering workstations": [[712, 736]], "SYSTEM: EWS": [[739, 742]], "SYSTEM: OPC client servers within their environments": [[751, 795]]}, "info": {"id": "cyberner_stix_test_000666", "source": "cyberner_stix_test"}} +{"text": "At this stage , the malware gathers information about the infected computer . \" Buhgalter \" means \" accountant \" in Russian .", "spans": {}, "info": {"id": "cyberner_stix_test_000667", "source": "cyberner_stix_test"}} +{"text": "The MiniDuke samples that were spread using these exploits were compiled on the 20th of February , after the exploit was already publicly known .", "spans": {"MALWARE: MiniDuke": [[4, 12]]}, "info": {"id": "cyberner_stix_test_000668", "source": "cyberner_stix_test"}} +{"text": "] 190:8822 61 [ . The Sofacy threat group continues to target government organizations in the EU , US , and former Soviet states to deliver the Zebrocy tool as a payload . The alternate text can easily be observed in the body of the office document . 
In each case , CrowdStrike reviewed the relevant logs and determined there was no evidence of exploitation of CVE-2022 - 41040 for initial access .", "spans": {"THREAT_ACTOR: Sofacy threat group": [[22, 41]], "ORGANIZATION: government organizations": [[62, 86]], "TOOL: Zebrocy tool": [[144, 156]], "VULNERABILITY: CVE-2022 - 41040": [[361, 377]]}, "info": {"id": "cyberner_stix_test_000669", "source": "cyberner_stix_test"}} +{"text": "The embedded SWF extracts the domain from the C2 URL passed to it and uses it to craft a URL to get the server ’s ‘ crossdomain.xml ’ file in order to obtain permissions to load additional Flash objects from the C2 domain .", "spans": {"TOOL: SWF": [[13, 16]], "TOOL: C2": [[46, 48], [212, 214]], "FILEPATH: crossdomain.xml": [[116, 131]], "TOOL: Flash": [[189, 194]]}, "info": {"id": "cyberner_stix_test_000670", "source": "cyberner_stix_test"}} +{"text": "To make this data harvesting operation flexible , SWAnalytics equips the ability to receive and process configuration files from a remote Command-and-Control . 
The group still uses the Badnews malware , a backdoor with information-stealing and file-executing capabilities , albeit updated with a slight modification in the encryption routine at the end of 2017 , when they added Blowfish encryption on top of their custom encryption described in our former Patchwork blogpost .", "spans": {"MALWARE: SWAnalytics": [[50, 61]], "MALWARE: Badnews": [[185, 192]], "MALWARE: malware": [[193, 200]], "THREAT_ACTOR: Patchwork": [[457, 466]]}, "info": {"id": "cyberner_stix_test_000671", "source": "cyberner_stix_test"}} +{"text": "Release_Time : 2018-11-20", "spans": {}, "info": {"id": "cyberner_stix_test_000672", "source": "cyberner_stix_test"}} +{"text": "DHS recommends that organizations upgrade these applications to the latest version and patch level .", "spans": {"ORGANIZATION: DHS": [[0, 3]]}, "info": {"id": "cyberner_stix_test_000673", "source": "cyberner_stix_test"}} +{"text": "As soon as a user tries to open the app , it launches a fake notification and soon the notification as well as the app icon disappears . The techniques and modules employed by EvilGnome — that is the use of SFX , persistence with task scheduler and the deployment of information stealing tools—remind us of Gamaredon Group’s Windows tools . Upon execution , an embedded configuration is decoded from the data section using a simple XOR cipher .", "spans": {"THREAT_ACTOR: EvilGnome": [[176, 185]], "TOOL: SFX": [[207, 210]], "MALWARE: Windows tools": [[325, 338]]}, "info": {"id": "cyberner_stix_test_000674", "source": "cyberner_stix_test"}} +{"text": "During the past few months , APT34 has been able to quickly incorporate exploits for at least two publicly vulnerabilities ( CVE-2017-0199 and CVE-2017-11882 ) to target organizations in the Middle East . 
In 2010 HBGary investigated an information security incident related to the Winnti group at one of HBGary 's customers – an American video game company .", "spans": {"THREAT_ACTOR: APT34": [[29, 34]], "VULNERABILITY: CVE-2017-0199": [[125, 138]], "VULNERABILITY: CVE-2017-11882": [[143, 157]], "ORGANIZATION: HBGary": [[213, 219], [304, 310]], "MALWARE: Winnti": [[281, 287]], "ORGANIZATION: American video game company": [[329, 356]]}, "info": {"id": "cyberner_stix_test_000675", "source": "cyberner_stix_test"}} +{"text": "A second method the threat actor used to maintain access across the compromised assets was through the deployment of the PoisonIvy RAT ( PIVY ) . The threat is likely targeting employees of various Palestinian government agencies , security services , Palestinian students , and those affiliated with the Fatah political party .", "spans": {"THREAT_ACTOR: threat actor": [[20, 32]], "TOOL: PoisonIvy RAT": [[121, 134]], "TOOL: PIVY": [[137, 141]], "ORGANIZATION: employees": [[177, 186]], "ORGANIZATION: government agencies": [[210, 229]], "ORGANIZATION: security services": [[232, 249]], "ORGANIZATION: students": [[264, 272]], "ORGANIZATION: Fatah political party": [[305, 326]]}, "info": {"id": "cyberner_stix_test_000676", "source": "cyberner_stix_test"}} +{"text": "Naturally , this resulted in the introduction of malware for mobile platforms , especially Android devices , including Cerberus , Xhelper and the Anubis Banking Trojan . According to the security firm , this campaign targeted Indian military officials via spear-phishing emails , distributing spyware to its victims via an Adobe Reader vulnerability . 
Our report will detail the most recent campaigns conducted by APT10 , including the sustained targeting of MSPs , which we have named Operation Cloud Hopper , and the targeting of a number of Japanese institutions .", "spans": {"SYSTEM: Android": [[91, 98]], "MALWARE: Cerberus": [[119, 127]], "MALWARE: Xhelper": [[130, 137]], "MALWARE: Anubis": [[146, 152]], "ORGANIZATION: security firm": [[187, 200]], "ORGANIZATION: military officials": [[233, 251]], "VULNERABILITY: Adobe Reader vulnerability": [[323, 349]], "THREAT_ACTOR: APT10": [[414, 419]], "ORGANIZATION: MSPs": [[459, 463]], "ORGANIZATION: institutions": [[553, 565]]}, "info": {"id": "cyberner_stix_test_000677", "source": "cyberner_stix_test"}} +{"text": "The second parameter is a constant string “ POST ” , and the third parameter is a series of key-value pairs to be sent , assembled at runtime . The mydomain1110.com domain did not appear to reuse any of the previously observed WHOIS data artifacts , but did still give a geolocation of Tehran in addition to the use of an email address linked to other domains thematically similar to the know command and control domains and are potentially related . Gamaredon : 86977a785f361d4f26eb3e189293c0e30871de3c93b19653c26a31dd4ed068cc . According to Kaspersky telemetry , targeted organizations included political bodies in Europe .", "spans": {"THREAT_ACTOR: Gamaredon": [[451, 460]], "FILEPATH: 86977a785f361d4f26eb3e189293c0e30871de3c93b19653c26a31dd4ed068cc": [[463, 527]], "ORGANIZATION: Kaspersky": [[543, 552]], "ORGANIZATION: political bodies": [[597, 613]]}, "info": {"id": "cyberner_stix_test_000678", "source": "cyberner_stix_test"}} +{"text": "In 2019 , Group-IB also observed the use of a new fileless PowerShell loader called Ivoke . 
We had previously observed this author name in use once before , in the very first ThreeDollars document we collected that we had reported on in August 2017 .", "spans": {"ORGANIZATION: Group-IB": [[10, 18]], "MALWARE: Ivoke": [[84, 89]], "FILEPATH: ThreeDollars document": [[175, 196]]}, "info": {"id": "cyberner_stix_test_000679", "source": "cyberner_stix_test"}} +{"text": "Version # 4 : April 2020 — Domain : nampriknum.net Following the same pattern , this version has some added features and others , which were not in use , removed . On Tuesday , Arbor Networks said that it has new leads on a credential stealing remote access Trojan ( RAT ) called Ismdoor , possibly used by Greenbug to steal credentials on Shamoon 's behalf . This backdoor sent the following callback traffic to video.csmcpr.com . Dynamic Resolution During the SolarWinds Compromise , APT29 used dynamic DNS resolution to construct and resolve to randomly - generated subdomains for C2.[12 ]", "spans": {"ORGANIZATION: Arbor Networks": [[177, 191]], "TOOL: Trojan": [[258, 264]], "TOOL: RAT": [[267, 270]], "TOOL: Ismdoor": [[280, 287]], "DOMAIN: video.csmcpr.com": [[413, 429]], "THREAT_ACTOR: SolarWinds Compromise": [[462, 483]], "THREAT_ACTOR: APT29": [[486, 491]]}, "info": {"id": "cyberner_stix_test_000680", "source": "cyberner_stix_test"}} +{"text": "In some cases , the Dukes appear to have used previously compromised victims to send new spear-phishing emails to other targets .", "spans": {"THREAT_ACTOR: Dukes": [[20, 25]], "TOOL: emails": [[104, 110]]}, "info": {"id": "cyberner_stix_test_000681", "source": "cyberner_stix_test"}} +{"text": "The tsm binary then runs in the background , forwarding a series of error messages to /dev/null to keep the code running , ensuring the continuous execution of the code referenced with a set of parameters /tmp/up.txt .", "spans": {"FILEPATH: /tmp/up.txt": [[205, 216]]}, "info": {"id": "cyberner_stix_test_000682", "source": "cyberner_stix_test"}} +{"text": "To make 
the Twitoor botnet ’ s communication more resilient , botnet designers took various steps like encrypting their messages , using complex topologies of the C & C network – or using innovative means for communication , among them the use of social networks . For over eighteen months from March 2017 until November 2018 , Scattered Canary’s frequent enterprise-focused credential phishing campaigns almost exclusively targeted businesses in the United States and Canada . We would like to add some strong facts that link some attacks on banks to Lazarus , and share some of our own findings as well as shed some light on the recent TTPs used by the attacker , including some yet unpublished details from the attack in Europe in 2017 .", "spans": {"MALWARE: Twitoor": [[12, 19]], "THREAT_ACTOR: Scattered Canary’s": [[328, 346]], "ORGANIZATION: banks": [[543, 548]], "THREAT_ACTOR: Lazarus": [[552, 559]], "THREAT_ACTOR: attacker": [[655, 663]]}, "info": {"id": "cyberner_stix_test_000683", "source": "cyberner_stix_test"}} +{"text": "Analysis of the email header data showed that the sender address was spoofed and did not originate from IHSMarkit at all .", "spans": {"TOOL: email": [[16, 21]], "ORGANIZATION: IHSMarkit": [[104, 113]]}, "info": {"id": "cyberner_stix_test_000684", "source": "cyberner_stix_test"}} +{"text": "Often the app description on the Play Store would reference some SMS messages the targets would supposedly receive leading them to the Play Store page . In July 2017 , we observed an attack on a Middle Eastern technology organization that was also targeted by the OilRig campaign in August 2016 . Take a screenshot and upload it to ImgBB . 
The Malwarebytes Threat Intelligence team is a highly skilled group of malware analysts .", "spans": {"SYSTEM: Play Store": [[33, 43], [135, 145]], "ORGANIZATION: technology organization": [[210, 233]], "TOOL: ImgBB": [[332, 337]], "ORGANIZATION: Malwarebytes Threat Intelligence team": [[344, 381]]}, "info": {"id": "cyberner_stix_test_000685", "source": "cyberner_stix_test"}} +{"text": "In this post , we show how Google Play Protect has defended against a well organized , persistent attacker and share examples of their techniques . According to cyber security researchers , Anchor Panda , who work directly for the Chinese PLA Navy , likely remains active . The browser process always performs outgoing connections and the firewall should n��t block them . Whoever hacked Ashley Madison had access to all employee emails , but they only released Biderman ’s messages — three years worth .", "spans": {"SYSTEM: Google Play Protect": [[27, 46]], "TOOL: firewall": [[339, 347]], "ORGANIZATION: Ashley Madison": [[387, 401]], "ORGANIZATION: Biderman ’s": [[461, 472]]}, "info": {"id": "cyberner_stix_test_000686", "source": "cyberner_stix_test"}} +{"text": "While the BastionSolution variant simply retrieves commands from a hard-coded C&C server controlled by the Dukes , the OneDriveSolution utilizes Microsoft ’s OneDrive cloud storage service for communicating with its masters , making it significantly harder for defenders to notice the traffic and block the communication channel .", "spans": {"MALWARE: BastionSolution": [[10, 25]], "TOOL: C&C": [[78, 81]], "THREAT_ACTOR: Dukes": [[107, 112]], "MALWARE: OneDriveSolution": [[119, 135]], "ORGANIZATION: Microsoft": [[145, 154]], "TOOL: OneDrive": [[158, 166]]}, "info": {"id": "cyberner_stix_test_000687", "source": "cyberner_stix_test"}} +{"text": "To date these have included the conflict in Syria , NATO-Ukraine relations , the European Union refugee and migrant crisis , the 2016 Olympics and Paralympics Russian athlete doping scandal 
, public accusations regarding Russian state-sponsored hacking , and the 2016 U.S. presidential election .", "spans": {"ORGANIZATION: European Union": [[81, 95]], "ORGANIZATION: Olympics": [[134, 142]], "ORGANIZATION: Paralympics": [[147, 158]]}, "info": {"id": "cyberner_stix_test_000688", "source": "cyberner_stix_test"}} +{"text": "] 132:28844 61 [ . All of the available evidence however does in our opinion suggest that the group operates on behalf of the Russian Federation . The image below is the main function that is being called which in turns calls the function responsible for injecting the embedded PE file . This rule was designed to match the decoded URI of any incoming request with the regex , so when the decoded URI matches this regex , the request is dropped .", "spans": {"THREAT_ACTOR: group": [[94, 99]], "TOOL: embedded PE file": [[269, 285]]}, "info": {"id": "cyberner_stix_test_000689", "source": "cyberner_stix_test"}} +{"text": "Both the Google Play Store pages and the decoys of the malicious apps are in Italian . In November 2017 , APT34 leveraged the Microsoft Office vulnerability CVE-2017-11882 to deploy POWRUNER and BONDUPDATER less than a week after Microsoft issued a patch . The second will create the persistence and , finally , the last one to be started is the main cycle for the RAT . 
Financial extrinsic Theft of personally identifiable information PII that is then monetized is a classic example of financial motivation of cyberattacks .", "spans": {"SYSTEM: Google Play Store": [[9, 26]], "THREAT_ACTOR: APT34": [[106, 111]], "VULNERABILITY: Microsoft Office vulnerability": [[126, 156]], "VULNERABILITY: CVE-2017-11882": [[157, 171]], "TOOL: POWRUNER": [[182, 190]], "TOOL: BONDUPDATER": [[195, 206]], "ORGANIZATION: Microsoft": [[230, 239]], "TOOL: RAT": [[365, 368]], "ORGANIZATION: cyberattacks": [[511, 523]]}, "info": {"id": "cyberner_stix_test_000690", "source": "cyberner_stix_test"}} +{"text": "In one case from 2013 , the target was sent a malicious document through a spear phishing email message . In February 2015 , Kaspersky Lab 's Global Research and Analysis Team ( GReAT ) released its research into the Carbanak campaign targeting financial institutions .", "spans": {"MALWARE: malicious document": [[46, 64]], "ORGANIZATION: Kaspersky Lab": [[125, 138]], "ORGANIZATION: GReAT": [[178, 183]], "ORGANIZATION: financial institutions": [[245, 267]]}, "info": {"id": "cyberner_stix_test_000691", "source": "cyberner_stix_test"}} +{"text": "Due to this change , the fundamental compromise mechanism is different as the payload is executed in a standalone mode .", "spans": {}, "info": {"id": "cyberner_stix_test_000692", "source": "cyberner_stix_test"}} +{"text": "If KeyBoy is a single component of a larger espionage toolkit , the developers may have realized that this older , static-key based , configuration encoding algorithm was inadvertently providing a link between disparate components of their malware suite . 
We initially became aware of Careto when we observed attempts to exploit a vulnerability in our products to make the malware \" invisible \" in the system .", "spans": {"TOOL: KeyBoy": [[3, 9]], "TOOL: configuration encoding algorithm": [[134, 166]], "FILEPATH: Careto": [[285, 291]], "VULNERABILITY: exploit": [[321, 328]]}, "info": {"id": "cyberner_stix_test_000693", "source": "cyberner_stix_test"}} +{"text": "The reality is that the RAT permissions can be implemented just with the permissions declared on the manifest , thus there is no need for higher permissions . The affected organizations we were able to identify are mostly based in the Middle East . The blog highlighted that the backdoor was utilized in campaigns from March 2011 till May 2014 . MoonWind communicates over ports 80 , 443 , 53 , and 8080 via raw sockets instead of the protocols usually associated with the ports.[25 ] njRAT has used port 1177 for HTTP C2 communications.[26 ] During Operation Wocao , the threat actors used uncommon high ports for its backdoor C2 , including ports 25667 and 47000.[27 ]", "spans": {"MALWARE: MoonWind": [[346, 354]], "MALWARE: njRAT": [[485, 490]], "SYSTEM: HTTP C2 communications.[26": [[514, 540]], "THREAT_ACTOR: threat actors": [[572, 585]], "SYSTEM: backdoor C2": [[619, 630]]}, "info": {"id": "cyberner_stix_test_000694", "source": "cyberner_stix_test"}} +{"text": "This time , however , TA459 opportunistically used spear-phishing emails with a Microsoft Word attachment exploiting the recently patched CVE-2017-0199 to deploy the ZeroT Trojan , which in turn downloaded the PlugX Remote Access Trojan ( RAT ) . 
Wild Neutron 's attack took advantage of a Java zero-day exploit and used hacked forums as watering holes .", "spans": {"MALWARE: Microsoft Word attachment": [[80, 105]], "VULNERABILITY: CVE-2017-0199": [[138, 151]], "TOOL: ZeroT Trojan": [[166, 178]], "TOOL: PlugX Remote Access Trojan": [[210, 236]], "TOOL: RAT": [[239, 242]], "THREAT_ACTOR: Wild Neutron": [[247, 259]], "TOOL: Java": [[290, 294]], "VULNERABILITY: zero-day": [[295, 303]], "VULNERABILITY: exploit": [[304, 311]]}, "info": {"id": "cyberner_stix_test_000695", "source": "cyberner_stix_test"}} +{"text": "] com ’ as an ad-related SDK . APT39 's focus on the widespread theft of personal information sets it apart from other Iranian groups FireEye tracks , which have been linked to influence operations , disruptive attacks , and other threats . It has conducted attacks on similar organizations in Saudi Arabia , likely because of the access that those organizations have .", "spans": {"THREAT_ACTOR: APT39": [[31, 36]], "THREAT_ACTOR: groups": [[127, 133]], "ORGANIZATION: FireEye": [[134, 141]]}, "info": {"id": "cyberner_stix_test_000696", "source": "cyberner_stix_test"}} +{"text": "An updated library name is generated by calculating the md5sum of several device properties , while concatenating the build model twice in case of an update to the library . Moving through the infection process , NetWitness Endpoint detects the initial exploit CVE-2017-1182 in action as the Microsoft Equation Editor , 'EQNEDT32.exe' , scores high for potentially malicious activity . 
Since at least 2013 , the Iranian threat group FireEye tracks as APT33 has carried out a Cyber Espionage operation to collect information from defense , aerospace and petrochemical organizations .", "spans": {"VULNERABILITY: CVE-2017-1182": [[261, 274]], "MALWARE: Microsoft Equation Editor": [[292, 317]], "MALWARE: 'EQNEDT32.exe'": [[320, 334]], "ORGANIZATION: FireEye": [[433, 440]], "THREAT_ACTOR: APT33": [[451, 456]], "ORGANIZATION: defense": [[529, 536]], "ORGANIZATION: aerospace": [[539, 548]], "ORGANIZATION: petrochemical organizations": [[553, 580]]}, "info": {"id": "cyberner_stix_test_000697", "source": "cyberner_stix_test"}} +{"text": "As with many other attackers who use spear-phishing to infect victims , Scarlet Mimic makes heavy use of \" decoy \" files . All of them lie in ranges of the Jilin Province Network and Liaoning Province Network , in China .", "spans": {"THREAT_ACTOR: attackers": [[19, 28]], "THREAT_ACTOR: Scarlet Mimic": [[72, 85]]}, "info": {"id": "cyberner_stix_test_000698", "source": "cyberner_stix_test"}} +{"text": "Code improvements , new capabilities , anti-emulation techniques , and new , global targets all suggest that this malware is well-maintained by its authors and continues to evolve . \bCTU researchers observed likely unsuccessful phishing campaigns being followed by highly targeted spearphishing and social engineering attacks from a threat actor using the name Mia Ash . 
In this instance , Symantec identified the specific PowerShell commands used by Gallmaker as being suspicious , leading to the discovery of this new campaign .", "spans": {"ORGANIZATION: \bCTU": [[182, 186]], "THREAT_ACTOR: Mia Ash": [[361, 368]], "ORGANIZATION: Symantec": [[390, 398]], "MALWARE: PowerShell commands": [[423, 442]], "THREAT_ACTOR: Gallmaker": [[451, 460]]}, "info": {"id": "cyberner_stix_test_000699", "source": "cyberner_stix_test"}} +{"text": "Once on the device , as installed by a duped user , the TrickMo component opens and sends an intent to start the accessibility settings activity , coercing the user to grant it with accessibility permissions . We have also observed them using virtual private network services that use IPs based in numerous countries to ensure anonymity and obfuscate criminal operations . The payload embedded within the ISMInjector sample delivered in this attack is a variant of the ISMAgent backdoor that we had discussed in detail in our blog discussing a targeted attack on a Saudi Arabian technology company .", "spans": {"MALWARE: TrickMo": [[56, 63]], "MALWARE: them": [[232, 236]], "MALWARE: ISMInjector sample": [[405, 423]], "MALWARE: ISMAgent backdoor": [[469, 486]], "ORGANIZATION: technology company": [[579, 597]]}, "info": {"id": "cyberner_stix_test_000700", "source": "cyberner_stix_test"}} +{"text": "This time , however , TA459 opportunistically used spear-phishing emails with a Microsoft Word attachment exploiting the recently patched CVE-2017-0199 to deploy the ZeroT Trojan , which in turn downloaded the PlugX Remote Access Trojan ( RAT ) . 
Lurk uses a form of steganography : that's where one file is hidden aACT inside another file of a completely different sort , such as an image , audio , or video file .", "spans": {"MALWARE: Microsoft Word attachment": [[80, 105]], "VULNERABILITY: CVE-2017-0199": [[138, 151]], "TOOL: ZeroT Trojan": [[166, 178]], "TOOL: PlugX Remote Access Trojan": [[210, 236]], "TOOL: RAT": [[239, 242]], "MALWARE: Lurk": [[247, 251]]}, "info": {"id": "cyberner_stix_test_000701", "source": "cyberner_stix_test"}} +{"text": "An interesting difference we found in this newest campaign was that the attacks using Zebrocy cast a far wider net within the target organization : the attackers sent phishing emails to a an exponentially larger number of individuals .", "spans": {"MALWARE: Zebrocy": [[86, 93]], "TOOL: emails": [[176, 182]]}, "info": {"id": "cyberner_stix_test_000702", "source": "cyberner_stix_test"}} +{"text": "In such cases , utilizing purely technical approaches for differentiation ( an issue I lightly touched on in a recent post ) becomes problematic , especially when trying to define attribution to specific , “ who-based ” entities ( such as a Russian research institute ) .", "spans": {}, "info": {"id": "cyberner_stix_test_000703", "source": "cyberner_stix_test"}} +{"text": "As noted earlier , the stolen certificates Symantec identified in this investigation were used to sign both hacking tools and malware .", "spans": {"ORGANIZATION: Symantec": [[43, 51]]}, "info": {"id": "cyberner_stix_test_000704", "source": "cyberner_stix_test"}} +{"text": "In another similarity between both variants , Dowenks assesses the victim ’s external IP using an HTTP request to .", "spans": {"MALWARE: Dowenks": [[46, 53]], "TOOL: HTTP request": [[98, 110]]}, "info": {"id": "cyberner_stix_test_000705", "source": "cyberner_stix_test"}} +{"text": "3ee3a973c62ba5bd9eab595a7c94b7a26827c5fa5b21964d511ab58903929ec5 47449a612697ad99a6fbd6e02a84e957557371151f2b034a411ebb10496648c8 
48a7dd672931e408662d2b5e1abcd6ef00097b8ffe3814f0d2799dd6fd74bd88 824ad333320cbb7873dc49e61c14f749b0e0d88723635524463f2e6f56ea133a Meanwhile , parallel work at Dragos ( my employer , where I have performed significant work on the activity described above ) uncovered similar conclusions concerning TTPs and behaviors , for both the 2017 event and subsequent activity in other industrial sectors . In part two of this research , we examined the Pierogi B-ACT S-MAL campaign . The Loader usage is to perform a lot of Antidebug , AntiVM and Antiemulation checks to make it harder for automated analysis and inject the core module .", "spans": {"ORGANIZATION: Dragos": [[289, 295]], "ORGANIZATION: industrial sectors": [[505, 523]], "TOOL: Loader": [[608, 614]], "TOOL: Antidebug": [[644, 653]], "TOOL: AntiVM": [[656, 662]], "TOOL: Antiemulation": [[667, 680]]}, "info": {"id": "cyberner_stix_test_000706", "source": "cyberner_stix_test"}} +{"text": "Quick , easy access to sensitive data on mobile devices connected to enterprises and government agencies around the globe is extremely attractive to cybercriminals and hacktivists . Ransomware that has been publicly named \" WannaCry \" , \" WCry \" or \" WanaCrypt0r \" ( based on strings in the binary and encrypted files ) has spread to at least 74 countries as of Friday 12 May 2017 , reportedly targeting Russia initially , and spreading to telecommunications , shipping , car manufacturers , universities and health care industries , among others . APT33 : 64.251.19.217 [REDACTED].myftp.org . 
STRATOFEAR also contains strings that are used to report a module ’s location .", "spans": {"TOOL: WannaCry": [[224, 232]], "TOOL: WCry": [[239, 243]], "TOOL: WanaCrypt0r": [[251, 262]], "ORGANIZATION: telecommunications": [[440, 458]], "ORGANIZATION: shipping": [[461, 469]], "ORGANIZATION: car manufacturers": [[472, 489]], "ORGANIZATION: universities": [[492, 504]], "ORGANIZATION: health care industries": [[509, 531]], "THREAT_ACTOR: APT33": [[549, 554]], "IP_ADDRESS: 64.251.19.217": [[557, 570]], "DOMAIN: [REDACTED].myftp.org": [[571, 591]], "MALWARE: STRATOFEAR": [[594, 604]]}, "info": {"id": "cyberner_stix_test_000707", "source": "cyberner_stix_test"}} +{"text": "This component can be instructed by the C&C server to download and execute arbitrary modules , and it is these modules that provide CozyDuke with its vast array of functionality .", "spans": {"TOOL: C&C": [[40, 43]], "MALWARE: CozyDuke": [[132, 140]]}, "info": {"id": "cyberner_stix_test_000708", "source": "cyberner_stix_test"}} +{"text": "Volatility 's procdump command was used to dump the executable from memory .", "spans": {"TOOL: Volatility": [[0, 10]]}, "info": {"id": "cyberner_stix_test_000709", "source": "cyberner_stix_test"}} +{"text": "If a device isn ’ t rooted , it downloads from the server an exploit pack and executes it to obtain root on device . The DLL exploited another previously unknown vulnerability ( designated CVE-2015-2546 ) in the Windows kernel , which enabled it to elevate privileges for the Word executable and subsequently install a backdoor through the application . Its targets include the military organizations and governments of countries with national interests in the South China Sea , including some within the U.S. 
defense industrial base .", "spans": {"TOOL: DLL": [[121, 124]], "VULNERABILITY: CVE-2015-2546": [[189, 202]], "TOOL: Word": [[276, 280]], "ORGANIZATION: military organizations": [[378, 400]], "ORGANIZATION: governments": [[405, 416]], "ORGANIZATION: defense industrial base": [[510, 533]]}, "info": {"id": "cyberner_stix_test_000710", "source": "cyberner_stix_test"}} +{"text": "CNIIHM has at least two research divisions that are experienced in critical infrastructure , enterprise safety , and the development of weapons/military equipment :", "spans": {"ORGANIZATION: CNIIHM": [[0, 6]]}, "info": {"id": "cyberner_stix_test_000711", "source": "cyberner_stix_test"}} +{"text": "These malicious modules report to the attackers about every step they are going to make . El Machete is one of these threats that was first publicly disclosed and named by Kaspersky here . From our unique vantage point responding to victims , we tracked APT1 back to four large networks in Shanghai , two of which are allocated directly to the Pudong New Area . 
The page hxxp://[c2_hostname]/groups / business - principles.html is used as an starting point for the attack .", "spans": {"ORGANIZATION: Kaspersky": [[172, 181]], "THREAT_ACTOR: APT1": [[254, 258]]}, "info": {"id": "cyberner_stix_test_000712", "source": "cyberner_stix_test"}} +{"text": "We then discuss how centralized response options , provided as enhancements to Windows Defender ATP with the Windows 10 Creators Update , can be used to quickly stop threats , including stopping command and control ( C&C ) communication and preventing existing implants from installing additional components or from moving laterally to other computers on the network .", "spans": {"TOOL: centralized response options": [[20, 48]], "TOOL: Windows Defender ATP": [[79, 99]], "SYSTEM: the Windows 10 Creators Update": [[105, 135]]}, "info": {"id": "cyberner_stix_test_000713", "source": "cyberner_stix_test"}} +{"text": "RECEIVE_SMS - allow the application to receive text messages . As can be observed in the illustration above , the makeself script is instructed to run ./setup.sh after unpacking . The Lotus Blossom largely targets military or government , with some cases of higher education and high tech companies .", "spans": {"MALWARE: makeself script": [[114, 129]], "MALWARE: ./setup.sh": [[151, 161]], "THREAT_ACTOR: Lotus Blossom": [[184, 197]], "ORGANIZATION: military": [[214, 222]], "ORGANIZATION: government": [[226, 236]], "ORGANIZATION: higher education": [[258, 274]], "ORGANIZATION: high tech companies": [[279, 298]]}, "info": {"id": "cyberner_stix_test_000714", "source": "cyberner_stix_test"}} +{"text": "in the background . In recent OilRig attacks , the threat actors purport to be legitimate service providers offering service and technical troubleshooting as a social engineering theme in their spear-phishing attacks . For a better comprehension we will be considering only one macro and in the specific case we will analyze “ wordMacros.txt ” ones . 
After encryption , the malware attempts to run the following command to delete volume shadow backup copies \"", "spans": {"THREAT_ACTOR: threat actors": [[51, 64]], "ORGANIZATION: legitimate service providers": [[79, 107]], "ORGANIZATION: social engineering": [[160, 178]], "TOOL: macro": [[278, 283]], "FILEPATH: wordMacros.txt": [[326, 340]], "MALWARE: malware": [[373, 380]]}, "info": {"id": "cyberner_stix_test_000715", "source": "cyberner_stix_test"}} +{"text": "Once the victim finished downloading the file and executed it , the wrapper would infect the victim ’s computer with OnionDuke before executing the original legitimate executable .", "spans": {"MALWARE: OnionDuke": [[117, 126]]}, "info": {"id": "cyberner_stix_test_000716", "source": "cyberner_stix_test"}} +{"text": "Figure 3 . It appears that the group values hardcoded into the malware is associated with the targeted organization , as several are Saudi Arabian organizations within the telecommunications and defense industries . However , the introduction of a .Net component is a novelty compared to previous Pterodon samples . • Unauthorized network connections to MSSQL servers ( TCP/1433 ) and irregular or unauthorized authentication .", "spans": {"THREAT_ACTOR: group": [[31, 36]], "ORGANIZATION: telecommunications": [[172, 190]], "ORGANIZATION: defense industries": [[195, 213]], "TOOL: .Net": [[248, 252]], "MALWARE: Pterodon": [[297, 305]]}, "info": {"id": "cyberner_stix_test_000717", "source": "cyberner_stix_test"}} +{"text": "HenBox checks whether this execution is its first by using Android ’ s shared preferences feature to persist XML key-value pair data . Unlike other observed Chinese espionage operators , APT41 conducts explicit financially motivated activity , which has included the use of tools that are otherwise exclusively used in campaigns supporting state interests . 
Over the past two years , Russia appears to have increasingly leveraged APT28 to conduct information operations commensurate with broader strategic military doctrine .", "spans": {"MALWARE: HenBox": [[0, 6]], "SYSTEM: Android": [[59, 66]], "THREAT_ACTOR: APT41": [[187, 192]], "ORGANIZATION: financially": [[211, 222]], "THREAT_ACTOR: APT28": [[430, 435]]}, "info": {"id": "cyberner_stix_test_000718", "source": "cyberner_stix_test"}} +{"text": ") Following is the snippet of code in these older Exodus One samples showing the connection to the Command & Control : Below is the almost identical composition of the request to the Command & Control server in mike.jar ( also containing the path 7e661733-e332-429a-a7e2-23649f27690f ) : To further corroborate the connection of the Exodus spyware with eSurv , the domain attiva.exodus.esurv.it resolves to the IP 212.47.242.236 which , according to In our most recent analysis , we attributed the intrusion activity that led to the deployment of TRITON to a Russian government-owned technical research institute in Moscow . In addition to spy features , the backdoor also implements a few checks to ensure it is running in a safe environment . 
The new documentary , The Ashley Madison Affair , begins airing today on Hulu in the United States and on Disney+ in the United Kingdom .", "spans": {"MALWARE: Exodus One": [[50, 60]], "MALWARE: Exodus spyware": [[333, 347]], "TOOL: TRITON": [[547, 553]], "MALWARE: backdoor": [[659, 667]], "ORGANIZATION: The Ashley Madison Affair": [[767, 792]], "ORGANIZATION: Hulu": [[818, 822]], "ORGANIZATION: Disney+": [[851, 858]]}, "info": {"id": "cyberner_stix_test_000719", "source": "cyberner_stix_test"}} +{"text": "Actors Still Exploiting SharePoint Vulnerability to Attack Middle East Government Organizations .", "spans": {"TOOL: SharePoint": [[24, 34]]}, "info": {"id": "cyberner_stix_test_000720", "source": "cyberner_stix_test"}} +{"text": "Talos assess with high confidence that this campaign is targeting Australian financial institutions based on several factors . APT10 has been observed to exfiltrate stolen intellectual property via the MSPs , hence evading local network defences . OceanLotus : background.ristians.com:8531 11b4 . Copies of the site at archive.org show it was the work of someone calling themselves “ The Chaos Creator . ”", "spans": {"ORGANIZATION: Talos": [[0, 5]], "THREAT_ACTOR: APT10": [[127, 132]], "ORGANIZATION: MSPs": [[202, 206]], "THREAT_ACTOR: OceanLotus": [[248, 258]], "DOMAIN: background.ristians.com:8531": [[261, 289]], "THREAT_ACTOR: The Chaos Creator": [[384, 401]]}, "info": {"id": "cyberner_stix_test_000721", "source": "cyberner_stix_test"}} +{"text": "In reality , this downloaded app is a fake app that asks for credentials and Android permissions ( including camera and phone permissions ) , resulting in the user being bombarded with advertisements . Gamaredon Group has been active since at least 2013 , and has targeted individuals likely involved with the Ukrainian government . 
This modification likely serves to simplify the operator ’s sample configuration process by not having to denote specific ports to hide .", "spans": {"SYSTEM: Android": [[77, 84]], "THREAT_ACTOR: Gamaredon Group": [[202, 217]], "ORGANIZATION: Ukrainian government": [[310, 330]]}, "info": {"id": "cyberner_stix_test_000722", "source": "cyberner_stix_test"}} +{"text": "The method of delivery has changed over time as the attackers have changed targets .", "spans": {}, "info": {"id": "cyberner_stix_test_000724", "source": "cyberner_stix_test"}} +{"text": "Not only do they have overlapping areas of responsibility , but also rarely share intelligence and even occasionally steal sources from each other and compromise operations .", "spans": {}, "info": {"id": "cyberner_stix_test_000725", "source": "cyberner_stix_test"}} +{"text": "This exploit is triggered when a potential victim browses to a malicious page using Internet Explorer , which can allow the attacker to execute code with the same privileges as the currently logged-in user .", "spans": {"TOOL: Internet Explorer": [[84, 101]]}, "info": {"id": "cyberner_stix_test_000726", "source": "cyberner_stix_test"}} +{"text": "INDEX MNEMONIC DESCRIPTION 0x0 JMP Special obfuscated conditional Jump ( always taken or always ignored ) 0x1 JMP Jump to a function ( same as opcode 0x10 ) 0x2 CALL Call to the function pointed by the internal VM value 0x3 CALL Optimized CALL function ( like the 0x1E opcode of the 32-bit VM ) 0x4 EXEC Execute code and move to the next packet 0x5 JMP Jump to an internal function 0x6 NOP No operation , move to the The OilRig group conducts operations primarily in the Middle East , targeting financial , government , energy , chemical , telecommunications and other industries . After obtaining the size , the malware will allocate an appropriate memory buffer and proceed to decode the remaining payload byte by byte . 
“ n.bat ” , which likely runs the native scilc.exe utility", "spans": {"THREAT_ACTOR: OilRig group": [[421, 433]], "ORGANIZATION: financial": [[495, 504]], "ORGANIZATION: government": [[507, 517]], "ORGANIZATION: energy": [[520, 526]], "ORGANIZATION: chemical": [[529, 537]], "ORGANIZATION: telecommunications": [[540, 558]]}, "info": {"id": "cyberner_stix_test_000727", "source": "cyberner_stix_test"}} +{"text": "This request is only made upon installation , but there is no guarantee that it will be installed . APT10 has , in the past , primarily been known for its targeting of government and US defence industrial base organisations , with the earliest known date of its activity being in December 2009 . Operation ShadowHammer . At this time , it is unknown how Sandworm gained initial access to the victim .", "spans": {"THREAT_ACTOR: APT10": [[100, 105]], "ORGANIZATION: government": [[168, 178]], "THREAT_ACTOR: Sandworm": [[354, 362]]}, "info": {"id": "cyberner_stix_test_000728", "source": "cyberner_stix_test"}} +{"text": "Since at least 2013 , the Iranian threat group that FireEye tracks as APT33 has carried out a cyber espionage operation to collect information from defense , aerospace and petrochemical organizations . 
Resecurity says that IRIDIUM \" has hit more than 200 government agencies , oil and gas companies , and technology companies including Citrix .", "spans": {"THREAT_ACTOR: threat group": [[34, 46]], "ORGANIZATION: FireEye": [[52, 59]], "THREAT_ACTOR: APT33": [[70, 75]], "ORGANIZATION: defense": [[148, 155]], "ORGANIZATION: aerospace": [[158, 167]], "ORGANIZATION: petrochemical organizations": [[172, 199]], "ORGANIZATION: Resecurity": [[202, 212]], "ORGANIZATION: government agencies": [[255, 274]], "ORGANIZATION: oil": [[277, 280]], "ORGANIZATION: gas companies": [[285, 298]], "ORGANIZATION: technology companies": [[305, 325]], "ORGANIZATION: Citrix": [[336, 342]]}, "info": {"id": "cyberner_stix_test_000729", "source": "cyberner_stix_test"}} +{"text": "As mentioned previously , the beaconing is done every 60 seconds . We found new variants of the Powermud backdoor , a new backdoor ( Backdoor.Powemuddy ) , and custom tools for stealing passwords , creating reverse shells , privilege escalation , and the use of the native Windows cabinet creation tool , makecab.exe , probably for compressing stolen data to be uploaded . DDKONG Plugin : Compile Date and Time : 2017-02-17 08:33:45 AM . 
Therefore , having access to such code allows threat actors with minimum programming knowledge to modify and compile their own ransomware variants .", "spans": {"TOOL: Powermud backdoor": [[96, 113]], "MALWARE: Backdoor.Powemuddy": [[133, 151]], "TOOL: custom tools": [[160, 172]], "MALWARE: makecab.exe": [[305, 316]], "MALWARE: DDKONG": [[373, 379]]}, "info": {"id": "cyberner_stix_test_000730", "source": "cyberner_stix_test"}} +{"text": "Twelve hours after the victim initially connected to the publicly available Wi-Fi network , APT28 logged into the machine with stolen credentials .", "spans": {"TOOL: Wi-Fi network": [[76, 89]], "THREAT_ACTOR: APT28": [[92, 97]]}, "info": {"id": "cyberner_stix_test_000731", "source": "cyberner_stix_test"}} +{"text": "They will leverage legitimate remote access solutions for entry and valid system administrator tools for lateral movement , if possible .", "spans": {}, "info": {"id": "cyberner_stix_test_000732", "source": "cyberner_stix_test"}} +{"text": "Manifest activity declaration Class list inside the dex file The main malware classes are packed , to a point where the class defined in the manifest has a handler for the MAIN category that does not exist in the DEX file . APT10 ( MenuPass Group ) is a Chinese cyber espionage group that FireEye has tracked since 2009 . It should be noted that the numbers are also highly influenced by the distribution of Kaspersky users around the world . The U.S. government is taking additional measures to fight against ransomware attacks through methods such as hacking cybercriminals back .", "spans": {"THREAT_ACTOR: APT10": [[224, 229]], "THREAT_ACTOR: MenuPass Group": [[232, 246]], "THREAT_ACTOR: cyber espionage group": [[262, 283]], "ORGANIZATION: FireEye": [[289, 296]], "ORGANIZATION: Kaspersky": [[408, 417]], "ORGANIZATION: U.S. 
government": [[447, 462]]}, "info": {"id": "cyberner_stix_test_000733", "source": "cyberner_stix_test"}} +{"text": "] ru/7 * * * * * 3 ” or “ % USERNAME % , accept 25,000 on Youla youla-protect [ . While reviewing a 2015 report⁵ of a Winnti intrusion at a Vietnamese gaming company , we identified a small cluster of Winnti⁶ samples designed specifically for Linux⁷ . The different versions contain copy/pasted code from previous versions .", "spans": {"THREAT_ACTOR: Winnti": [[118, 124]], "ORGANIZATION: Vietnamese gaming company": [[140, 165]], "THREAT_ACTOR: Winnti⁶": [[201, 208]]}, "info": {"id": "cyberner_stix_test_000734", "source": "cyberner_stix_test"}} +{"text": "While it lacks more advanced functionality like screen capturing , it is still able to carry out most tasks desired by threat actors : exfiltration of files , ability to download and execute additional payloads , and gain remote shell access . Due to these changes without a new date string , we believe the date codes are used for campaign tracking rather than a Bookworm build identifier .", "spans": {"THREAT_ACTOR: threat actors": [[119, 132]], "FILEPATH: date string": [[279, 290]], "FILEPATH: date codes": [[308, 318]], "MALWARE: Bookworm": [[364, 372]]}, "info": {"id": "cyberner_stix_test_000735", "source": "cyberner_stix_test"}} +{"text": "] biz adminloader [ . The group’s financially motivated activity has primarily focused on the video game industry , where APT41 has manipulated virtual currencies and even attempted to deploy ransomware . 
FireEye assesses that APT32 leverages a unique suite of fully-featured malware , in conjunction with commercially-available tools , to conduct targeted operations that are aligned with Vietnamese state interests .", "spans": {"ORGANIZATION: video game industry": [[94, 113]], "THREAT_ACTOR: APT41": [[122, 127]], "ORGANIZATION: FireEye": [[205, 212]], "THREAT_ACTOR: APT32": [[227, 232]]}, "info": {"id": "cyberner_stix_test_000736", "source": "cyberner_stix_test"}} +{"text": "The background service uses the reflection technique ( a feature that allows the inspection and modification of Java-based programs ’ internal properties ) to invoke the method com.Loader.start in the payload . In the latest attack , Donot group is targeting Pakistani businessman working in China . The “ -p ” parameter , indeed , specify the password of the archive to be extracted .", "spans": {"THREAT_ACTOR: Donot group": [[234, 245]], "ORGANIZATION: Pakistani businessman": [[259, 280]]}, "info": {"id": "cyberner_stix_test_000737", "source": "cyberner_stix_test"}} +{"text": "Cobalt Strike download location : 116.93.154.250 .", "spans": {"TOOL: Cobalt Strike": [[0, 13]], "IP_ADDRESS: 116.93.154.250": [[34, 48]]}, "info": {"id": "cyberner_stix_test_000738", "source": "cyberner_stix_test"}} +{"text": "After the February campaigns , MiniDuke activity appeared to quiet down , although it did not fully stop , for the rest of 2013 .", "spans": {"MALWARE: MiniDuke": [[31, 39]]}, "info": {"id": "cyberner_stix_test_000739", "source": "cyberner_stix_test"}} +{"text": "Location of the c2 infrastructure .", "spans": {"TOOL: c2": [[16, 18]]}, "info": {"id": "cyberner_stix_test_000740", "source": "cyberner_stix_test"}} +{"text": "This time , however , TA459 opportunistically used spear-phishing emails with a Microsoft Word attachment exploiting the recently patched CVE-2017-0199 to deploy the ZeroT Trojan , which in turn downloaded the PlugX Remote Access Trojan ( RAT ) . 
The Axiom group has been presented as an advanced Chinese threat actor carrying out cyber-espionage attacks against a whole range of different industries .", "spans": {"MALWARE: Microsoft Word attachment": [[80, 105]], "VULNERABILITY: CVE-2017-0199": [[138, 151]], "TOOL: ZeroT Trojan": [[166, 178]], "TOOL: PlugX Remote Access Trojan": [[210, 236]], "TOOL: RAT": [[239, 242]], "THREAT_ACTOR: Axiom": [[251, 256]]}, "info": {"id": "cyberner_stix_test_000741", "source": "cyberner_stix_test"}} +{"text": "This extracted information is concatenated together to make a single variable .", "spans": {}, "info": {"id": "cyberner_stix_test_000742", "source": "cyberner_stix_test"}} +{"text": "From our analysis , it is apparent that TrickMo is designed to help TrickBot break the most recent methods of TAN-based authentication . APT38 , in particular , is strongly distinguishable because of its specific focus on financial institutions and operations that attempt to use SWIFT fraud to steal millions of dollars at a time . The attacks targeted high-profile targets , including government and commercial organizations .", "spans": {"MALWARE: TrickMo": [[40, 47]], "MALWARE: TrickBot": [[68, 76]], "THREAT_ACTOR: APT38": [[137, 142]], "ORGANIZATION: financial institutions": [[222, 244]], "TOOL: SWIFT": [[280, 285]], "ORGANIZATION: government": [[387, 397]], "ORGANIZATION: commercial organizations": [[402, 426]]}, "info": {"id": "cyberner_stix_test_000743", "source": "cyberner_stix_test"}} +{"text": "Proofpoint researchers have observed a well-known Russian-speaking APT actor usually referred to as Turla using a new .NET/MSIL dropper for an existing backdoor called JS/KopiLuwak . 
Both attachments are malicious Word documents that attempt to exploit the Windows OLE Automation Array Remote Code Execution Vulnerability tracked by CVE-2014-6332 .", "spans": {"ORGANIZATION: Proofpoint": [[0, 10]], "THREAT_ACTOR: Turla": [[100, 105]], "TOOL: dropper": [[128, 135]], "MALWARE: JS/KopiLuwak": [[168, 180]], "FILEPATH: malicious Word documents": [[204, 228]], "VULNERABILITY: exploit": [[245, 252]], "SYSTEM: Windows": [[257, 264]], "TOOL: OLE Automation Array Remote Code Execution": [[265, 307]], "VULNERABILITY: Vulnerability": [[308, 321]], "VULNERABILITY: CVE-2014-6332": [[333, 346]]}, "info": {"id": "cyberner_stix_test_000744", "source": "cyberner_stix_test"}} +{"text": "Accessing the same malicious site would redirect its user to another malicious website ( hxxp : //apple-icloud [ . APT1 has used and steadily modified BISCUIT since as early as 2007 and continues to use it presently . If no directory or lock file is found, Glimpse creates . While a top attack vector for Cuba is the exploitation of known vulnerabilities , the actors techniques also include phishing campaigns , compromised credentials , and remote desktop protocol exploits .", "spans": {"THREAT_ACTOR: APT1": [[115, 119]], "TOOL: BISCUIT": [[151, 158]], "MALWARE: Glimpse": [[257, 264]]}, "info": {"id": "cyberner_stix_test_000745", "source": "cyberner_stix_test"}} +{"text": "These attackers can potentially grab sensitive online banking information and other personal data , and even provided support for multifactor authentication and OTP . 
Confucius targeted a particular set of individuals in South Asian countries , such as military personnel and businessmen , among others .", "spans": {"THREAT_ACTOR: attackers": [[6, 15]], "ORGANIZATION: banking": [[54, 61]], "ORGANIZATION: military personnel": [[253, 271]], "ORGANIZATION: businessmen": [[276, 287]]}, "info": {"id": "cyberner_stix_test_000746", "source": "cyberner_stix_test"}} +{"text": "] top/ Oct 17 , 2017 hxxp : //online.bankaustria.at.id58729 [ . The next step for the actor was to build MitM servers that impersonated legitimate services to capture user credentials . Some analysts track APT19 S-APT and Deep Panda as the same group , but it is unclear from open source information if the groups are the same .", "spans": {"THREAT_ACTOR: actor": [[86, 91]], "TOOL: MitM servers": [[105, 117]], "THREAT_ACTOR: track APT19 S-APT and Deep Panda": [[200, 232]]}, "info": {"id": "cyberner_stix_test_000747", "source": "cyberner_stix_test"}} +{"text": "One of the side effects of this packer is the inability of Android Studio IDE to debug the code . Moafee may have chosen its targets based on the rich resources of South China Sea region – the world 's second business sea-lane , according to Wikipedia – including rare earth metals , crude oil , and natural gas . We’ve also created a tool which can be run to determine if your computer has been one of the surgically selected targets of this attack . 
Regardless of the cause , these leaks are having a significant effect on the threat landscape , making it easier for novice or unskilled actors to develop their own ransomware variants without much effort or knowledge .", "spans": {"SYSTEM: Android Studio IDE": [[59, 77]], "THREAT_ACTOR: Moafee": [[98, 104]], "ORGANIZATION: oil": [[290, 293]], "ORGANIZATION: gas": [[308, 311]]}, "info": {"id": "cyberner_stix_test_000748", "source": "cyberner_stix_test"}} +{"text": "The Leviathan generally emailed Microsoft Excel documents with malicious macros to US universities with military interests , most frequently related to the Navy . We decoded the data section and found not only the account and password , but that it also fingerprinted the user ’s browser and system information .", "spans": {"THREAT_ACTOR: Leviathan": [[4, 13]], "ORGANIZATION: universities": [[86, 98]], "ORGANIZATION: military": [[104, 112]], "ORGANIZATION: Navy": [[156, 160]]}, "info": {"id": "cyberner_stix_test_000749", "source": "cyberner_stix_test"}} +{"text": "Internet users should keep on securing their activities with good security solutions for both computers and mobile devices. ” Hashes : E5212D4416486AF42E7ED1F58A526AEF77BE89BE A9891222232145581FE8D0D483EDB4B18836BCFC AFF9F39A6CA5D68C599B30012D79DA29E2672C6E Insidious Android malware gives up all malicious features but one to gain stealth ESET researchers detect a new way of misusing Accessibility Three years ago , the Sednit group unleashed new components targeting victims in various countries in the Middle East and Central Asia . 
The design of KiloAlfa is broken down into two basic components : the persistence functionality and the keylogging functionality .", "spans": {"SYSTEM: Android": [[268, 275]], "ORGANIZATION: ESET": [[340, 344]], "THREAT_ACTOR: Sednit": [[422, 428]], "MALWARE: KiloAlfa": [[551, 559]], "MALWARE: keylogging functionality": [[641, 665]]}, "info": {"id": "cyberner_stix_test_000750", "source": "cyberner_stix_test"}} +{"text": "This finding indicates the group's effectiveness at maintaining long-term access to a targeted network .", "spans": {}, "info": {"id": "cyberner_stix_test_000751", "source": "cyberner_stix_test"}} +{"text": "The threat actors tend to install malware on a large proportion of hosts during their intrusions .", "spans": {}, "info": {"id": "cyberner_stix_test_000752", "source": "cyberner_stix_test"}} +{"text": "Winnti is no exception , and so , during Winnti ’s installation process , Windows Defender ATP is able to raise behavioral alerts .", "spans": {"MALWARE: Winnti": [[0, 6], [41, 47]], "TOOL: Windows Defender ATP": [[74, 94]]}, "info": {"id": "cyberner_stix_test_000753", "source": "cyberner_stix_test"}} +{"text": "Allows an application to read from external storage . Such attacks highlight the need for caution before downloading files from unknown sources and enabling macro for files from unknown sources . While Naikon shares some characteristics with APT30 , the two groups do not appear to be exact matches .", "spans": {"MALWARE: attacks": [[59, 66]], "THREAT_ACTOR: Naikon": [[202, 208]], "THREAT_ACTOR: APT30": [[242, 247]]}, "info": {"id": "cyberner_stix_test_000754", "source": "cyberner_stix_test"}} +{"text": "In addition to official banking applications , the target list includes 111 other global financial applications for banking and credit card management , money transfers , and cryptocurrency wallets and exchanges . And the dropper execute the iassvcs.exe to make a side loading and make the persistence . 
The Magic Hound attack campaign is an active and persistent espionage motivated adversary operating in the Middle East region .", "spans": {"MALWARE: dropper": [[222, 229]], "MALWARE: iassvcs.exe": [[242, 253]]}, "info": {"id": "cyberner_stix_test_000755", "source": "cyberner_stix_test"}} +{"text": "It steals logins and passwords to online banking accounts by substituting he window displayed by the bank application . We also observed exploits against older ( patched ) vulnerabilities , social engineering techniques and watering hole strategies in these attacks . This group is sophisticated , well funded , and exclusively targets high profile organizations with high value intellectual property in the manufacturing , industrial , aerospace , defense , and media sector . None PIEHOP is a disruption tool written in Python and packaged with PyInstaller that is capable of connecting to a user - supplied remote MSSQL server for uploading files and issuing remote commands to a RTU .", "spans": {"ORGANIZATION: social engineering": [[190, 208]], "TOOL: PIEHOP": [[483, 489]], "TOOL: disruption tool": [[495, 510]], "TOOL: Python": [[522, 528]], "TOOL: PyInstaller": [[547, 558]], "SYSTEM: MSSQL server": [[617, 629]], "SYSTEM: RTU": [[683, 686]]}, "info": {"id": "cyberner_stix_test_000756", "source": "cyberner_stix_test"}} +{"text": "The malware can execute a variety of arbitrary commands , including ( for example ) intercepting or sending text messages without the user ’ s knowledge , obtaining a copy of the victim ’ s Address Book , or call or text message logs , or sending phone network feature codes ( also known as USSD codes ) . APT38 shares malware code and other development resources with TEMP.Hermit North Korean cyber espionage activity , although we consider APT38 . Opaque predicate is a programming term that refers to decision making where there is actually only one path . 
Compromise usually refers to insider threats .", "spans": {"SYSTEM: Address Book": [[190, 202]], "THREAT_ACTOR: APT38": [[306, 311], [442, 447]], "THREAT_ACTOR: TEMP.Hermit": [[369, 380]]}, "info": {"id": "cyberner_stix_test_000757", "source": "cyberner_stix_test"}} +{"text": "This leads us to believe that their attack attempts are likely still succeeding , even with the wealth of threat intelligence available in the public domain .", "spans": {}, "info": {"id": "cyberner_stix_test_000758", "source": "cyberner_stix_test"}} +{"text": "It is the first plain stage that does not employ a VM or obfuscation . FireEye has identified APT35 operations dating back to 2014 . Windows converts the .png pixel RGBA value to an ARGB encoding via the GdpiBitmapGetPixel API . Notably , the main function contains logic flaws that cause it to only be able to connect to an MSSQL server and upload ( LIGHTWORK ) to it , before immediately attempting to clean itself up .", "spans": {"ORGANIZATION: FireEye": [[71, 78]], "THREAT_ACTOR: APT35": [[94, 99]], "SYSTEM: Windows": [[133, 140]], "TOOL: GdpiBitmapGetPixel API": [[204, 226]]}, "info": {"id": "cyberner_stix_test_000759", "source": "cyberner_stix_test"}} +{"text": "Enterprise and government employees all use these devices in their day-to-day work , which means IT and security leaders within these organizations must prioritize mobile in their security strategies . Conversely , LokiBot and Agent Tesla are new malware tools . The registry value contains the plugin file name . 
This can lead to a ransom situation where hackers demand money from the company in exchange for not releasing their data onto the internet or for unlocking their systems .", "spans": {"TOOL: LokiBot": [[215, 222]], "TOOL: Agent Tesla": [[227, 238]]}, "info": {"id": "cyberner_stix_test_000760", "source": "cyberner_stix_test"}} +{"text": "This sample , like the early PinchDuke samples , appears to already be a “ fully-grown ” sample , which is why we believe GeminiDuke was under development by the autumn of 2008 .", "spans": {"MALWARE: PinchDuke": [[29, 38]], "MALWARE: GeminiDuke": [[122, 132]]}, "info": {"id": "cyberner_stix_test_000761", "source": "cyberner_stix_test"}} +{"text": "System operators should follow these secure logging practices .", "spans": {}, "info": {"id": "cyberner_stix_test_000762", "source": "cyberner_stix_test"}} +{"text": "Extract events from the Calendar app . Additionally , Starloader was also observed deploying additional tools used by the attackers , such as credential dumpers and keyloggers . New Cyber Espionage Campaigns Targeting Palestinians - Part 2 : The Discovery of the New , Mysterious Pierogi backdoor . When the marital infidelity website AshleyMadison.com learned in July 2015 that hackers were threatening to publish data stolen from 37 million users , the company ’s then - CEO Noel Biderman was quick to point the finger at an unnamed former contractor .", "spans": {"SYSTEM: Calendar app": [[24, 36]], "TOOL: Starloader": [[54, 64]], "TOOL: credential dumpers": [[142, 160]], "TOOL: keyloggers": [[165, 175]], "MALWARE: Pierogi backdoor": [[280, 296]], "ORGANIZATION: AshleyMadison.com": [[335, 352]], "ORGANIZATION: Noel Biderman": [[477, 490]], "ORGANIZATION: unnamed former contractor": [[527, 552]]}, "info": {"id": "cyberner_stix_test_000763", "source": "cyberner_stix_test"}} +{"text": "Early versions of the Android application used infrastructure which belonged to a company named Connexxa S.R.L . 
The leader of the crime gang behind the Carbanak and Cobalt malware attacks targeting over a 100 financial institutions worldwide has been arrested in Alicante , Spain , after a complex investigation conducted by the Spanish National Police . The threat group in this recently observed campaign – TEMP.Zagros – weaponized their malware using the following techniques .", "spans": {"SYSTEM: Android": [[22, 29]], "ORGANIZATION: Connexxa S.R.L .": [[96, 112]], "THREAT_ACTOR: crime gang": [[131, 141]], "VULNERABILITY: Carbanak": [[153, 161]], "ORGANIZATION: financial institutions": [[210, 232]]}, "info": {"id": "cyberner_stix_test_000764", "source": "cyberner_stix_test"}} +{"text": "Obtaining credentials through fabricated Google App authorization and Oauth access requests that allow the group to bypass two-factor authentication and other security measures .", "spans": {"ORGANIZATION: Google": [[41, 47]]}, "info": {"id": "cyberner_stix_test_000765", "source": "cyberner_stix_test"}} +{"text": "When the document was opened in Word , PLATINUM exploited a previously unknown vulnerability in the Microsoft Office PostScript interpreter ( designated CVE-2015-2545 ) that enabled it to execute the attacker 's code and drop an attacker-generated malicious DLL onto the computer . The group had also targeted three different telecoms operators , all based in Southeast Asia .", "spans": {"TOOL: Word": [[32, 36]], "THREAT_ACTOR: PLATINUM": [[39, 47]], "VULNERABILITY: CVE-2015-2545": [[153, 166]], "THREAT_ACTOR: attacker": [[200, 208]], "ORGANIZATION: telecoms operators": [[326, 344]]}, "info": {"id": "cyberner_stix_test_000766", "source": "cyberner_stix_test"}} +{"text": "] net , at the time of writing . Winnti is attacking companies in Japan , France , the U.S. and Germany . 
On November 26 , 2015 , a suspected China-based APT16 sent Japanese defense policy-themed spear phishing emails to multiple Japanese financial and high-tech companies .", "spans": {"THREAT_ACTOR: Winnti": [[33, 39]], "THREAT_ACTOR: APT16": [[154, 159]], "TOOL: emails": [[211, 217]], "ORGANIZATION: financial": [[239, 248]], "ORGANIZATION: high-tech companies": [[253, 272]]}, "info": {"id": "cyberner_stix_test_000767", "source": "cyberner_stix_test"}} +{"text": "Finding the web shells inaccessible , the adversaries search google.co.jp for remote access solutions .", "spans": {"TOOL: web shells": [[12, 22]], "DOMAIN: google.co.jp": [[61, 73]]}, "info": {"id": "cyberner_stix_test_000768", "source": "cyberner_stix_test"}} +{"text": "After achieving root access the app tries to replace the framework.jar file on the system partition . Historically , Nitro is known for targeted spear phishing campaigns and using Poison Ivy malware , which was not seen in these attacks . A different group , known as admin@338 , used LOWBALL malware during its Hong Kong activity . 
# 147 : The dangers of \" Mercenary \" groups and the spyware they create Upcoming events where you can find Talos “ Most prevalent malware files ” is taking a break this week for maintenance .", "spans": {"TOOL: Poison Ivy malware": [[180, 198]], "EMAIL: admin@338": [[268, 277]], "MALWARE: LOWBALL": [[285, 292]], "THREAT_ACTOR: Mercenary \" groups": [[358, 376]], "ORGANIZATION: Talos": [[440, 445]]}, "info": {"id": "cyberner_stix_test_000769", "source": "cyberner_stix_test"}} +{"text": "Beginning in the Spring of 2016 , APT28 sent spear-phishing emails to political targets including members of the Democratic National Committee ( DNC ) .", "spans": {"THREAT_ACTOR: APT28": [[34, 39]], "TOOL: emails": [[60, 66]], "ORGANIZATION: Democratic National Committee": [[113, 142]], "ORGANIZATION: DNC": [[145, 148]]}, "info": {"id": "cyberner_stix_test_000770", "source": "cyberner_stix_test"}} +{"text": "The payload contains an exploit for the unpatched local privilege escalation vulnerability CVE-2015-1701 in Microsoft Windows .", "spans": {"VULNERABILITY: CVE-2015-1701": [[91, 104]], "ORGANIZATION: Microsoft": [[108, 117]], "SYSTEM: Windows": [[118, 125]]}, "info": {"id": "cyberner_stix_test_000771", "source": "cyberner_stix_test"}} +{"text": "] com , which resolved to the IP address 222.239.91 [ . The latter is especially notable because APT41 has repeatedly returned to targeting the video game industry and we believe these activities were formative in the group’s later espionage operations . 
In 2015 and 2016 , two Vietnamese media outlets were targeted with malware that FireEye assesses to be unique to APT32 .", "spans": {"THREAT_ACTOR: APT41": [[97, 102]], "ORGANIZATION: video game industry": [[144, 163]], "ORGANIZATION: media": [[289, 294]], "ORGANIZATION: FireEye": [[335, 342]], "THREAT_ACTOR: APT32": [[368, 373]]}, "info": {"id": "cyberner_stix_test_000772", "source": "cyberner_stix_test"}} +{"text": "THURSDAY , OCTOBER 11 , 2018 GPlayed Trojan - .Net playing with Google Market Introduction In a world where everything is always connected , and mobile devices are involved in individuals ' day-to-day lives more and more often , malicious actors are seeing increased opportunities to attack these devices . The campaign targeting accountants in the Balkans shows some similarities with a campaign aimed at Ukrainian notaries reported in 2016 . APT33 may possibly be looking to gain insights on Saudi Arabia 's military aviation capabilities to enhance Iran 's domestic aviation capabilities or to support Iran 's military and strategic decision making vis a vis Saudi Arabia .", "spans": {"MALWARE: GPlayed": [[29, 36]], "ORGANIZATION: Google": [[64, 70]], "THREAT_ACTOR: APT33": [[444, 449]], "ORGANIZATION: military": [[613, 621]]}, "info": {"id": "cyberner_stix_test_000773", "source": "cyberner_stix_test"}} +{"text": "] com/api/ads/ which is used for obtaining a link to APK file . The group has demonstrated the ability to identify a significant zero-day vulnerability within a popular Japanese corporate tool and then use scan-and-exploit techniques to indiscriminately compromise Japanese Internet-facing enterprise systems . 
Seedworm likely functions as a cyber espionage group to secure actionable intelligence that could benefit their sponsor 's interests .", "spans": {"THREAT_ACTOR: group": [[68, 73]], "VULNERABILITY: zero-day vulnerability": [[129, 151]], "THREAT_ACTOR: Seedworm": [[311, 319]]}, "info": {"id": "cyberner_stix_test_000774", "source": "cyberner_stix_test"}} +{"text": "The dropper automatically decrypts and installs its core malware APK which later conducts malicious patching and app updates . Due to these changes without a new date string , we believe the date codes are used for campaign tracking rather than a Bookworm build identifier . We gave the threat the name “ Dexphot , ” based on certain characteristics of the malware code . Device Registration APT29 has enrolled a device in MFA to an Azure AD environment following a successful password guessing attack against a dormant account .", "spans": {"MALWARE: date string": [[162, 173]], "MALWARE: date codes": [[191, 201]], "TOOL: Bookworm": [[247, 255]], "MALWARE: Dexphot": [[305, 312]], "THREAT_ACTOR: Device Registration APT29": [[372, 397]]}, "info": {"id": "cyberner_stix_test_000775", "source": "cyberner_stix_test"}} +{"text": "Based on the ScarCruft’s recent activities , Kaspersky strongly believes that this ScarCruft group is likely to continue to evolve . The analyzed RTF files share the same object dimension (objw2180\\objh300) used to track the RTF weaponizer in our previous report , however , the sample was not exploiting CVE-2017-11882 or CVE-2018-0802 . 
After further analysis , it was discovered that the RTF files were exploiting the CVE-2018-0798 vulnerability in Microsoft ’s Equation Editor ( EQNEDT32 ) .", "spans": {"THREAT_ACTOR: ScarCruft’s": [[13, 24]], "ORGANIZATION: Kaspersky": [[45, 54]], "THREAT_ACTOR: ScarCruft": [[83, 92]], "FILEPATH: sample": [[279, 285]], "VULNERABILITY: CVE-2017-11882": [[305, 319]], "VULNERABILITY: CVE-2018-0802": [[323, 336]], "FILEPATH: RTF files": [[391, 400]], "VULNERABILITY: CVE-2018-0798": [[421, 434]], "ORGANIZATION: Microsoft": [[452, 461]], "TOOL: Equation Editor": [[465, 480]], "TOOL: EQNEDT32": [[483, 491]]}, "info": {"id": "cyberner_stix_test_000776", "source": "cyberner_stix_test"}} +{"text": "Both malware have similar targets .", "spans": {"MALWARE: malware": [[5, 12]]}, "info": {"id": "cyberner_stix_test_000777", "source": "cyberner_stix_test"}} +{"text": "The user needs to press the \" close '' button to finish the installation . FIN7 is a threat actor group that is financially motivated with targets in the restaurant , services and financial sectors . Pivoting off the filename and directory , we discovered a similar VBS script used by the Rancor actors that might give us some clues on what the contents of tmp.vbs would resemble . To say ransomware gangs have been unkind to the US in the past year is an understatement .", "spans": {"THREAT_ACTOR: FIN7": [[75, 79]], "THREAT_ACTOR: threat actor group": [[85, 103]], "ORGANIZATION: restaurant": [[154, 164]], "ORGANIZATION: services": [[167, 175]], "ORGANIZATION: financial sectors": [[180, 197]], "THREAT_ACTOR: Rancor": [[289, 295]], "FILEPATH: tmp.vbs": [[357, 364]], "ORGANIZATION: ransomware gangs": [[389, 405]]}, "info": {"id": "cyberner_stix_test_000778", "source": "cyberner_stix_test"}} +{"text": "The connection between the two campaigns remains unclear , and it is possible that one borrowed code from the other , knowingly or unknowingly . 
The Winnti and Axiom group names were created by Kaspersky Lab and Symantec , respectively , for their 2013/2014 reports on the original group . This function is at the core of the RAT ’s network communication . Other interesting anomalies in June include 47 attacks on the Manufacturing industry ( which usually averages around 20 attacks a month ) and notable increases in attacks on Switzerland ( 14 ) and Brazil ( 13 ) , both of which are normally attacked only two or three times a month .", "spans": {"THREAT_ACTOR: Winnti": [[149, 155]], "THREAT_ACTOR: group": [[166, 171]], "ORGANIZATION: Kaspersky Lab": [[194, 207]], "ORGANIZATION: Symantec": [[212, 220]], "TOOL: RAT": [[326, 329]], "ORGANIZATION: Manufacturing industry": [[419, 441]]}, "info": {"id": "cyberner_stix_test_000779", "source": "cyberner_stix_test"}} +{"text": "It is evident that the ultimate goal of this program is to steal information . Wapack labs also observed a similar sample targeting Japan in November . Such an obfuscation method makes it difficult to spot it in the code . 
Additional protections with context to your specific environment and threat data are available from the Firewall Management Center .", "spans": {"ORGANIZATION: Wapack": [[79, 85]]}, "info": {"id": "cyberner_stix_test_000780", "source": "cyberner_stix_test"}} +{"text": "At some point during 2013 , the Sofacy group expanded its arsenal and added more backdoors and tools , including CORESHELL , SPLM ( aka Xagent , aka CHOPSTICK ) , JHUHUGIT ( which is built with code from the Carberp sources ) , AZZY ( aka ADVSTORESHELL , NETUI , EVILTOSS , and spans across four to five generations ) and a few others .", "spans": {"THREAT_ACTOR: Sofacy": [[32, 38]], "TOOL: CORESHELL": [[113, 122]], "MALWARE: SPLM": [[125, 129]], "MALWARE: Xagent": [[136, 142]], "MALWARE: CHOPSTICK": [[149, 158]], "MALWARE: JHUHUGIT": [[163, 171]], "MALWARE: Carberp": [[208, 215]], "MALWARE: AZZY": [[228, 232]], "MALWARE: ADVSTORESHELL": [[239, 252]], "MALWARE: NETUI": [[255, 260]], "MALWARE: EVILTOSS": [[263, 271]]}, "info": {"id": "cyberner_stix_test_000781", "source": "cyberner_stix_test"}} +{"text": "The configuration of Quasar is stored in the Settings object , which is encrypted with a password which is itself stored unencrypted .", "spans": {"MALWARE: Quasar": [[21, 27]]}, "info": {"id": "cyberner_stix_test_000782", "source": "cyberner_stix_test"}} +{"text": "This posting is a follow-up of my previous work on this subject in", "spans": {}, "info": {"id": "cyberner_stix_test_000783", "source": "cyberner_stix_test"}} +{"text": "The attacker gained access to the victim’s internet-accessible Citrix systems and authenticated to them from networks associated with low-cost VPN providers owned by VPN Consumer Network . For example , Bisonal malware in 2012 used send() and recv() APIs to communicate with its C2. 
This Bisonal variant used in the latest attack communicates with one of the following hard-coded C2 addresses by using the HTTP POST method on TCP PROT 443 .", "spans": {"THREAT_ACTOR: attacker": [[4, 12]], "TOOL: Citrix": [[63, 69]], "THREAT_ACTOR: Bisonal malware": [[203, 218]], "FILEPATH: Bisonal": [[288, 295]], "TOOL: C2": [[380, 382]]}, "info": {"id": "cyberner_stix_test_000784", "source": "cyberner_stix_test"}} +{"text": "Additional Insights on Shamoon2 .", "spans": {"MALWARE: Shamoon2": [[23, 31]]}, "info": {"id": "cyberner_stix_test_000785", "source": "cyberner_stix_test"}} +{"text": "We observed legitimate exfiltrated files of the following types of data : Contact information Compressed recorded audio in the Adaptive Multi-Rate ( amr ) file format Images captured from the device camera Images stored on both internal device and SDCard storage that are listed in the MediaStore Device geolocation information SMS content Chrome browser search history and bookmarks Call log information Cell tower information Device network metadata ; such as phone number , device software version , network country , network operator , SIM country , SIM operator , SIM serial , IMSI , voice mail number , phone If the hypothesis is correct and the Turla threat group is using Kazuar , we believe they may be using it as a replacement for Carbon and its derivatives . Subsequently , it calls the FreeLibrary function to free its own DLL buffer located at its original address . 
• new UK and US intelligence suggests Russia was behind an operation targeting commercial communications company Viasat in Ukraine • incident on 24 February caused outages for several thousand Ukrainian customers , and impacted windfarms and internet users in central Europe • cyber security leaders from the 5 Eyes , EU and other international allies meet at the NCSC ’s Cyber UK conference in Newport today to discuss shared threats Russia has been behind a series of cyber - attacks since the start of the renewed invasion of Ukraine , the EU , UK , US and other allies have announced today ( 10 May ) .", "spans": {"THREAT_ACTOR: Turla": [[652, 657]], "TOOL: Kazuar": [[680, 686]], "TOOL: Carbon": [[742, 748]], "TOOL: DLL": [[836, 839]], "ORGANIZATION: UK and US intelligence": [[887, 909]], "ORGANIZATION: commercial communications company Viasat": [[960, 1000]], "ORGANIZATION: windfarms": [[1109, 1118]], "ORGANIZATION: internet users": [[1123, 1137]], "ORGANIZATION: cyber security leaders": [[1158, 1180]], "ORGANIZATION: 5 Eyes": [[1190, 1196]], "ORGANIZATION: EU": [[1199, 1201]], "ORGANIZATION: international allies": [[1212, 1232]], "ORGANIZATION: NCSC ’s Cyber UK conference": [[1245, 1272]], "THREAT_ACTOR: threats Russia": [[1308, 1322]]}, "info": {"id": "cyberner_stix_test_000786", "source": "cyberner_stix_test"}} +{"text": "The Perkele Android Trojan not only attacks Russian users but also clients of several European banks . Turla merely uses the Adobe brand to trick users into downloading the malware . There are a lot of versions available in the underground market . Evernote is a popular app in the healthcare community for data sharing files , notes , schedules , etc . 
across phones and other devices .", "spans": {"MALWARE: Perkele": [[4, 11]], "THREAT_ACTOR: Turla": [[103, 108]], "TOOL: Evernote": [[249, 257]], "ORGANIZATION: healthcare community": [[282, 302]]}, "info": {"id": "cyberner_stix_test_000787", "source": "cyberner_stix_test"}} +{"text": "] com also resolved to the same IP address , suggesting that these two domains are associated with the same threat actors . APT41 often relies on spear-phishing emails with attachments such as compiled HTML (.chm) files to initially compromise their victims . APT32 operations are characterized through deployment of signature malware payloads including WINDSHIELD , KOMPROGO , SOUNDBITE , and PHOREAL .", "spans": {"THREAT_ACTOR: APT41": [[124, 129]], "THREAT_ACTOR: APT32": [[260, 265]], "MALWARE: WINDSHIELD": [[354, 364]], "MALWARE: KOMPROGO": [[367, 375]], "MALWARE: SOUNDBITE": [[378, 387]], "MALWARE: PHOREAL": [[394, 401]]}, "info": {"id": "cyberner_stix_test_000788", "source": "cyberner_stix_test"}} +{"text": "Meanwhile , connectivity to the Windows Defender ATP service is maintained .", "spans": {"SYSTEM: Windows": [[32, 39]]}, "info": {"id": "cyberner_stix_test_000789", "source": "cyberner_stix_test"}} +{"text": "It is a text file that may contain the following configuration parameters :", "spans": {}, "info": {"id": "cyberner_stix_test_000790", "source": "cyberner_stix_test"}} +{"text": "This information can give the attacker access to personal and business bank accounts , personal and business data , and more . X-Force IRIS determined that the More_eggs backdoor later downloaded additional files , including a signed binary shellcode loader and a signed Dynamic Link Library (DLL) , as described below , to create a reverse shell and connect to a remote host . 
The Poison Ivy builder kit allows attackers to customize and build their own PIVY server , which is delivered as mobile code to a target that has been compromised , typically using social engineering .", "spans": {"ORGANIZATION: X-Force IRIS": [[127, 139]], "MALWARE: More_eggs backdoor": [[160, 178]], "MALWARE: Poison Ivy": [[382, 392]], "THREAT_ACTOR: attackers": [[412, 421]], "ORGANIZATION: social engineering": [[559, 577]]}, "info": {"id": "cyberner_stix_test_000791", "source": "cyberner_stix_test"}} +{"text": "Then , it traverses the filesystem of the volume looking for files .", "spans": {}, "info": {"id": "cyberner_stix_test_000792", "source": "cyberner_stix_test"}} +{"text": "However , the threat actors' ability to reuse these assets and credentials , sometimes weeks or months after the initial compromise , indicates the group is disciplined and well organized .", "spans": {}, "info": {"id": "cyberner_stix_test_000793", "source": "cyberner_stix_test"}} +{"text": "XENOTIME rose to prominence in December 2017 when Dragos and FireEye jointly published details of TRISIS destructive malware targeting Schneider Electric ’s Triconex safety instrumented system .", "spans": {"THREAT_ACTOR: XENOTIME": [[0, 8]], "ORGANIZATION: Dragos": [[50, 56]], "ORGANIZATION: FireEye": [[61, 68]], "MALWARE: TRISIS": [[98, 104]], "ORGANIZATION: Schneider Electric": [[135, 153]], "TOOL: Triconex": [[157, 165]]}, "info": {"id": "cyberner_stix_test_000794", "source": "cyberner_stix_test"}} +{"text": "Once again , it does n't seem to actually be in use . In October 2015 the Callisto Group targeted a handful of individuals with phishing emails that attempted to obtain the target 's webmail credentials . The MD5 of the exploit document was e009b95ff7b69cbbebc538b2c5728b11 . 
They have also utilized AADInternals PowerShell Modules to access the API .003 Compromise Accounts : Cloud Accounts APT29 has used residential proxies , including Azure Virtual Machines , to obfuscate their access to victim environments .", "spans": {"FILEPATH: e009b95ff7b69cbbebc538b2c5728b11": [[241, 273]], "THREAT_ACTOR: Cloud Accounts APT29": [[377, 397]], "SYSTEM: residential proxies": [[407, 426]], "SYSTEM: Azure Virtual Machines": [[439, 461]]}, "info": {"id": "cyberner_stix_test_000795", "source": "cyberner_stix_test"}} +{"text": "It appears that Sofacy may have used an open-source tool called Luckystrike to generate the delivery document and/or the macro used in this attack .", "spans": {"THREAT_ACTOR: Sofacy": [[16, 22]], "TOOL: Luckystrike": [[64, 75]], "TOOL: macro": [[121, 126]]}, "info": {"id": "cyberner_stix_test_000796", "source": "cyberner_stix_test"}} +{"text": "By “ all ” we mean all security mechanisms guarding the official Android app store ( including the detection engines of the members of the App Defense Alliance ) and all security vendors participating in the VirusTotal program ( see Figure 1 ) . Since we published out last report on SLUB , the backdoor has been updated and several improvements were implemented . 
These tools often lay the groundwork for further malicious activity , such as the targeting of antivirus capabilities and the disabling of firewalls , both of which are very fundamental defensive measures .", "spans": {"SYSTEM: Android app store": [[65, 82]], "ORGANIZATION: App Defense Alliance": [[139, 159]], "ORGANIZATION: VirusTotal": [[208, 218]], "ORGANIZATION: we": [[252, 254]], "THREAT_ACTOR: SLUB": [[284, 288]], "TOOL: backdoor": [[295, 303]]}, "info": {"id": "cyberner_stix_test_000797", "source": "cyberner_stix_test"}} +{"text": "For example , ORat uses a WMI event consumer to maintain its presence on a compromised host .", "spans": {"MALWARE: ORat": [[14, 18]], "TOOL: WMI": [[26, 29]]}, "info": {"id": "cyberner_stix_test_000798", "source": "cyberner_stix_test"}} +{"text": "The document , when opened , used an embedded ActiveX control to download a JavaScript file from a remote site that used a previously unknown vulnerability in some versions of Windows ( later designated CVE-2013-7331 ) to read information about the browser 's installed components . Armed with this information about the malware and living off the land tactics being used by this group of attackers whom we named Thrip , we broadened our search to see if we could find similar patterns that indicated Thrip had been targeting other organizations .", "spans": {"TOOL: ActiveX control": [[46, 61]], "MALWARE: JavaScript file": [[76, 91]], "VULNERABILITY: CVE-2013-7331": [[203, 216]]}, "info": {"id": "cyberner_stix_test_000799", "source": "cyberner_stix_test"}} +{"text": "EventBot Logcat from the infected device Logcat from the infected device . Insikt Group analysis of network metadata to and from the VPN endpoint IPs revealed consistent connectivity to Citrix-hosted infrastructure from all eight VPN endpoint IPs starting on August 17 , 2018 — the same date the first authenticated login to Visma’s network was made using stolen credentials . 
APT33 leverages a mix of public and non-public tools and often conducts spear-phishing operations using a built-in phishing module from \" ALFA TEaM Shell \" , a publicly available web shell .", "spans": {"MALWARE: EventBot": [[0, 8]], "THREAT_ACTOR: Insikt Group": [[75, 87]], "MALWARE: Citrix-hosted": [[186, 199]], "THREAT_ACTOR: APT33": [[377, 382]], "MALWARE: public and non-public tools": [[402, 429]], "MALWARE: ALFA TEaM Shell": [[515, 530]], "MALWARE: publicly available web shell": [[537, 565]]}, "info": {"id": "cyberner_stix_test_000800", "source": "cyberner_stix_test"}} +{"text": "The recovered shared SSL certificate , obtained by a public internet-wide scanning initiative , at the time had the following attributes :", "spans": {}, "info": {"id": "cyberner_stix_test_000801", "source": "cyberner_stix_test"}} +{"text": "The dotted arrows represent the use of a particular C2 server by a specific app to send information and fetch instructions . APT34 are involved in long-term cyber espionage operations largely focused on the Middle East . The author of the document asks to enable editing in English and in Arabic . Such non - native files and other data may be removed over the course of an intrusion to maintain a small footprint or as a standard part of the post - intrusion cleanup process .", "spans": {"THREAT_ACTOR: APT34": [[125, 130]]}, "info": {"id": "cyberner_stix_test_000802", "source": "cyberner_stix_test"}} +{"text": "The folders seem to contain information about the company 's development documentation , artificial intelligence model , web security software , and antivirus software base code . 
The PassCV group continues to be one of the most successful and active threat groups that leverage a wide array of stolen Authenticode-signing certificates .", "spans": {"TOOL: folders": [[4, 11]], "THREAT_ACTOR: PassCV group": [[184, 196]]}, "info": {"id": "cyberner_stix_test_000803", "source": "cyberner_stix_test"}} +{"text": "Malware code showing loading of decrypted dex file Figure 12 . APT15 then used a tool known as RemoteExec ( similar to Microsoft . It connects to its command and control server at 194.5.98.85 on port . Take the case of a research and development firm .", "spans": {"THREAT_ACTOR: APT15": [[63, 68]], "TOOL: RemoteExec": [[95, 105]], "ORGANIZATION: Microsoft": [[119, 128]], "IP_ADDRESS: 194.5.98.85": [[180, 191]], "ORGANIZATION: research and development firm": [[221, 250]]}, "info": {"id": "cyberner_stix_test_000804", "source": "cyberner_stix_test"}} +{"text": "Threat actors can register subdomains through the hosting provider and use the provider ’ s services for a short-period campaign . The actor then made subtle modifications to the file and uploaded the newly created file to the same popular antivirus testing website in order to determine how to evade detection . The “ ExcelMyMacros.txt ” and “ wordMacros.txt ” files contain further macro script , described next . k 32 Base64 characters , referred to as Access key in the ransom note", "spans": {"THREAT_ACTOR: actor": [[135, 140]], "FILEPATH: ExcelMyMacros.txt": [[319, 336]], "FILEPATH: wordMacros.txt": [[345, 359]]}, "info": {"id": "cyberner_stix_test_000805", "source": "cyberner_stix_test"}} +{"text": "It ’ s possible the threat actors use this list to find running antivirus or banking applications . We also identified another sample of ThreeDollars , created on January 15 , 2017 with the file name strategy preparation.dot . 
CTU researchers have observed NICKEL ACADEMY ( Lazarus ) copying and pasting job descriptions from online recruitment sites in previous campaigns .", "spans": {"TOOL: ThreeDollars": [[137, 149]], "MALWARE: preparation.dot": [[209, 224]], "ORGANIZATION: CTU": [[227, 230]], "THREAT_ACTOR: NICKEL ACADEMY": [[257, 271]], "THREAT_ACTOR: Lazarus": [[274, 281]]}, "info": {"id": "cyberner_stix_test_000806", "source": "cyberner_stix_test"}} +{"text": "Check code for emulators As part of its defense , the malware payload first checks for emulators to prevent analysis on sandboxes . Both Moafee and DragonOK favor spear-phishing emails as an attack vector , often employing a decoy to deceive the victim . If you discover that you have been targeted by this operation , please e-mail us at : shadowhammer@kaspersky.com . Instead , it ’s likely that Royal is simply testing a new encryptor — especially considering that BlackSuit was used in just two attacks last month — and that this lull can be explained as more or less of a research period for them .", "spans": {"THREAT_ACTOR: Moafee": [[137, 143]], "THREAT_ACTOR: DragonOK": [[148, 156]], "TOOL: e-mail": [[326, 332]], "MALWARE: Royal": [[398, 403]], "TOOL: new encryptor": [[424, 437]], "MALWARE: BlackSuit": [[468, 477]]}, "info": {"id": "cyberner_stix_test_000807", "source": "cyberner_stix_test"}} +{"text": "This figure demonstrates the following interesting information : The time range when threat actors distributed RuMMS on those shared-hosting websites is from January 2016 to March 2016 . Join us in a live webinar as we discuss this threat group whom we assess to be working on behalf of the Iranian Government , with a mission that would benefit nation-state geopolitical and economic needs . The author blurred the content and asks the user to enable editing to see the content . 
Legacy Task Name QcWBX Command to Run C:\\Windows\\msserver.exe", "spans": {"MALWARE: RuMMS": [[111, 116]], "THREAT_ACTOR: threat group": [[232, 244]], "ORGANIZATION: Iranian Government": [[291, 309]], "ORGANIZATION: nation-state geopolitical": [[346, 371]], "ORGANIZATION: economic": [[376, 384]]}, "info": {"id": "cyberner_stix_test_000808", "source": "cyberner_stix_test"}} +{"text": "] 759383 [ . Their evolving and modified SPLM , CHOPSTICK , XAgent code is a long-standing part of Sofacy activity , however much of it is changing . In this campaign the attackers used a MS Word document ( .doc format ) to deliver the initial stages . None Use of open source libraries for protocol implementation : The availability of open source projects that implement OT protocols can lower the barrier of entry for actors attempting to interact with OT devices .", "spans": {"TOOL: SPLM": [[41, 45]], "TOOL: CHOPSTICK": [[48, 57]], "TOOL: XAgent": [[60, 66]], "TOOL: MS Word": [[188, 195]], "FILEPATH: .doc": [[207, 211]], "TOOL: open source libraries for protocol implementation": [[265, 314]], "TOOL: open source projects that implement OT protocols": [[337, 385]]}, "info": {"id": "cyberner_stix_test_000809", "source": "cyberner_stix_test"}} +{"text": "IoCs C & C 100.51.100.00 108.62.118.131 172.81.134.165 172.86.120.207 185.212.128.152 185.212.128.192 185.61.000.108 185.61.138.108 185.61.138.37 188.209.52.101 5.206.225.57 alr992.date avito-app.pw backfround2.pw background1.xyz blacksolider93.com blass9g087.com brekelter2.com broplar3hf.xyz buy-youla.ru LuckyMouse activity detected by Palo Alto involved the attackers installing web shells on SharePoint servers to compromise government organizations in the Middle East . 
This implies that the malware targeted the same people as the previous version and they are designed to work together .", "spans": {"THREAT_ACTOR: LuckyMouse": [[307, 317]], "ORGANIZATION: Palo Alto": [[339, 348]], "TOOL: web shells": [[383, 393]], "ORGANIZATION: government organizations": [[430, 454]]}, "info": {"id": "cyberner_stix_test_000810", "source": "cyberner_stix_test"}} +{"text": "We found evidence that Suckfly used hacktools to move latterly and escalate privileges .", "spans": {"THREAT_ACTOR: Suckfly": [[23, 30]]}, "info": {"id": "cyberner_stix_test_000811", "source": "cyberner_stix_test"}} +{"text": "BLOCKER_STOP – block display of all HTML pages . To better understand how the adversary was operating and what other actions they had performed , CTU researchers examined cmd.exe and its supporting processes to uncover additional command line artifacts . Commands found in a readme text that was stored in a ZIP archive together with the hacktool THC Hydra in Leafminer 's tool arsenal represent online dictionary attacks on Microsoft Exchange and Remote Desktop Protocol services of regional government servers in Saudi Arabia .", "spans": {"ORGANIZATION: CTU": [[146, 149]], "MALWARE: cmd.exe": [[171, 178]], "MALWARE: THC Hydra": [[347, 356]], "THREAT_ACTOR: Leafminer": [[360, 369]], "ORGANIZATION: Microsoft": [[425, 434]]}, "info": {"id": "cyberner_stix_test_000812", "source": "cyberner_stix_test"}} +{"text": "We still know surprisingly few specifics about the Dukes group ’s activities during 2012 .", "spans": {"THREAT_ACTOR: Dukes": [[51, 56]]}, "info": {"id": "cyberner_stix_test_000813", "source": "cyberner_stix_test"}} +{"text": "While we know the attackers used a custom dropper to install the back door , we do not know the delivery vector .", "spans": {}, "info": {"id": "cyberner_stix_test_000814", "source": "cyberner_stix_test"}} +{"text": "The basic idea is to hook the voice call process in mediaserver . 
We have no evidence of compromises against banks in Western Europe or United States , but it should be noted that the attackers methods could be utilized against banks outside of Russia as well . . Given the evolving state of ransomware payout demands , government regulations are already underway to help public and private companies prevent and respond to ransomware attacks .", "spans": {"ORGANIZATION: banks": [[109, 114], [228, 233]], "THREAT_ACTOR: attackers": [[184, 193]], "ORGANIZATION: public and private companies": [[372, 400]]}, "info": {"id": "cyberner_stix_test_000815", "source": "cyberner_stix_test"}} +{"text": "Once the C2 connection is established , malware used by the Rocke group downloads shell script named as \" a7 \" to the victim machine . Wild Neutron 's tools include a password harvesting trojan , a reverse-shell backdoor and customized implementations of OpenSSH , WMIC and SMB .", "spans": {"THREAT_ACTOR: Rocke": [[60, 65]], "TOOL: a7": [[106, 108]], "THREAT_ACTOR: Wild Neutron": [[135, 147]], "MALWARE: password harvesting trojan": [[167, 193]], "MALWARE: reverse-shell backdoor": [[198, 220]], "MALWARE: customized implementations of OpenSSH": [[225, 262]], "MALWARE: WMIC": [[265, 269]], "MALWARE: SMB": [[274, 277]]}, "info": {"id": "cyberner_stix_test_000816", "source": "cyberner_stix_test"}} +{"text": "] ml/mms3/download_3.php IP addresses 78.46.201.36 88.99.170.84 88.99.227.26 94.130.106.117 88.99.174.200 88.99.189.31 Hash 369fcf48c1eb982088c22f86672add10cae967af82613bee6fb8a3669603dc48 b2d4fcf03c7a8bf135fbd3073bea450e2e6661ad8ef2ab2058a3c04f81fc3f3e The attackers appeared to be Chinese-speaking and targeted mainly top-level government agencies and civil and military organizations in countries such as the Philippines , Malaysia , Cambodia , Indonesia , Vietnam , Myanmar , Singapore , Nepal , Thailand , Laos and China . Rancor : 0D61D9BAAB9927BB484F3E60384FDB6A3709CA74BC6175AB16B220A68F2B349E . 
The 2015 and 2016 Ukraine blackout events each featured several discrete disruptive events against the OT environment ( e.g. , disabling UPS systems , bricking serial - to - ethernet converters , conducting a DoS attack against a SIPROTEC relay , wiping OT systems , etc . ) .", "spans": {"THREAT_ACTOR: attackers": [[258, 267]], "ORGANIZATION: government agencies": [[330, 349]], "ORGANIZATION: civil and military organizations": [[354, 386]], "THREAT_ACTOR: Rancor": [[528, 534]], "FILEPATH: 0D61D9BAAB9927BB484F3E60384FDB6A3709CA74BC6175AB16B220A68F2B349E": [[537, 601]]}, "info": {"id": "cyberner_stix_test_000817", "source": "cyberner_stix_test"}} +{"text": "Facebook page managed by the C & C domain registrant uses the same base domain name ( minigameshouse ) and phone number as the registered malicious C & C used by the Ashas adware Of interest is that on the Minigameshouse Facebook page , the malicious developer promotes a slew of games beyond the Ashas family for download on both Google Play and the App Store . FireEye Labs recently identified a previously unobserved version of Ploutus , dubbed Ploutus-D , that interacts with KAL’s Kalignite multivendor ATM platform . Feedback from our Smart Protection Network revealed that apart from attacks in North America ( mainly the U.S. ) , Europe , and South America , the campaign also noticeably affected enterprises in Taiwan , Hong Kong , China , and Bahrain .", "spans": {"ORGANIZATION: Facebook": [[0, 8], [221, 229]], "MALWARE: Ashas": [[166, 171], [297, 302]], "SYSTEM: Google Play": [[331, 342]], "SYSTEM: App Store": [[351, 360]], "ORGANIZATION: FireEye": [[363, 370]], "MALWARE: Ploutus": [[431, 438]], "MALWARE: Ploutus-D": [[448, 457]], "ORGANIZATION: Smart Protection Network": [[541, 565]], "ORGANIZATION: enterprises": [[705, 716]]}, "info": {"id": "cyberner_stix_test_000818", "source": "cyberner_stix_test"}} +{"text": "The timer triggers additional thread which makes a request to the server . 
APT28 spearphished targets in several waves with Flash exploits leading to their Carberp based JHUHUGIT downloaders and further stages of malware . The MuddyWater attacks are primarily against Middle Eastern nations .", "spans": {"THREAT_ACTOR: APT28": [[75, 80]], "VULNERABILITY: Flash exploits": [[124, 138]], "TOOL: Carberp": [[156, 163]], "TOOL: JHUHUGIT downloaders": [[170, 190]]}, "info": {"id": "cyberner_stix_test_000819", "source": "cyberner_stix_test"}} +{"text": "The Android malware Android.Oldboot is almost impossible to remove , not even with formatting your device . Contextually relevant emails are sent to specific targets with attached documents that are packed with exploit code and Trojan horse programmes designed to take advantage of vulnerabilities in software installed on the target 's computer . A backdoor is software that allows an intruder to send commands to the system remotely . The PE file also appeared to be a modification of the Miniduke 's main backdoor module that uses the same Twitter URL as the Java payload .", "spans": {"SYSTEM: Android": [[4, 11]], "MALWARE: Android.Oldboot": [[20, 35]], "MALWARE: documents": [[180, 189]], "MALWARE: Miniduke 's main backdoor module": [[491, 523]], "MALWARE: Java payload": [[562, 574]]}, "info": {"id": "cyberner_stix_test_000820", "source": "cyberner_stix_test"}} +{"text": "This report provides a technical overview of a BREXIT-themed lure Microsoft Office document that is used to drop a Delphi version of the Zekapab first-stage malware which has been previously reported by iDefense analysts .", "spans": {"ORGANIZATION: Microsoft": [[66, 75]], "ORGANIZATION: Office": [[76, 82]], "TOOL: Delphi": [[115, 121]], "MALWARE: Zekapab": [[137, 144]], "ORGANIZATION: iDefense": [[203, 211]]}, "info": {"id": "cyberner_stix_test_000821", "source": "cyberner_stix_test"}} +{"text": "Earlier SPLM activity deployed 32-bit modules over unencrypted http ( and sometimes smtp ) sessions .", "spans": {"MALWARE: SPLM": [[8, 
12]]}, "info": {"id": "cyberner_stix_test_000822", "source": "cyberner_stix_test"}} +{"text": "CVE-2016-1019 : Adobe Flash Player 21.0.0.197 Vulnerability .", "spans": {"VULNERABILITY: CVE-2016-1019": [[0, 13]], "TOOL: Adobe Flash Player": [[16, 34]]}, "info": {"id": "cyberner_stix_test_000823", "source": "cyberner_stix_test"}} +{"text": "Recent DRIDEX activity began following a disclosure on April 7 , 2017 . The group 's persistent use of spear phishing tactics ( phishing attempts aimed at specific individuals ) and access to previously undiscovered zero-day exploits have made it a highly resilient threat .", "spans": {"ORGANIZATION: specific individuals": [[155, 175]], "VULNERABILITY: zero-day": [[216, 224]]}, "info": {"id": "cyberner_stix_test_000824", "source": "cyberner_stix_test"}} +{"text": "The exploit installs Silence’s loader , designed to download backdoors and other malicious programs . After this , the App Store on the system will be removed , followed by a full screen fake OS X update screen .", "spans": {"VULNERABILITY: exploit": [[4, 11]], "THREAT_ACTOR: Silence’s": [[21, 30]], "TOOL: App Store": [[119, 128]], "SYSTEM: OS X": [[192, 196]]}, "info": {"id": "cyberner_stix_test_000825", "source": "cyberner_stix_test"}} +{"text": "The Charming Kitten' focus appears to be individuals of interest to Iran in the fields of academic research . 
Unit 42 published a blog at the beginning of May titled \" Prince of Persia \" , in which we described the discovery of a decade-long campaign using a formerly unknown malware family , Infy , that targeted government and industry interests worldwide .", "spans": {"THREAT_ACTOR: Charming Kitten'": [[4, 20]], "ORGANIZATION: academic research": [[90, 107]], "ORGANIZATION: Unit 42": [[110, 117]], "MALWARE: Infy": [[293, 297]], "ORGANIZATION: government": [[314, 324]], "ORGANIZATION: industry": [[329, 337]]}, "info": {"id": "cyberner_stix_test_000826", "source": "cyberner_stix_test"}} +{"text": "Technical details Please note that our research is not about the legitimate Netflix app on Google Play . The threat actor’s emails usually contain a picture or a link without a malicious payload and are sent out to a huge recipient database of up to 85 , 000 users . We have no evidence of compromises against banks in Western Europe or United States , but it should be noted that the attackers methods could be utilized against banks outside of Russia as well .", "spans": {"SYSTEM: Netflix app": [[76, 87]], "SYSTEM: Google Play": [[91, 102]], "THREAT_ACTOR: actor’s": [[116, 123]], "MALWARE: malicious payload": [[177, 194]], "ORGANIZATION: users": [[259, 264]], "ORGANIZATION: banks": [[310, 315], [429, 434]], "THREAT_ACTOR: attackers": [[385, 394]]}, "info": {"id": "cyberner_stix_test_000827", "source": "cyberner_stix_test"}} +{"text": "Luckystrike , which was presented at DerbyCon 6 in September 2016 , is a Microsoft PowerShell based tool that generates malicious delivery documents by allowing a user to add a macro to an Excel or Word document to execute an embedded payload .", "spans": {"TOOL: Luckystrike": [[0, 11]], "ORGANIZATION: DerbyCon": [[37, 45]], "ORGANIZATION: Microsoft": [[73, 82]], "TOOL: PowerShell": [[83, 93]], "TOOL: macro": [[177, 182]], "TOOL: Excel": [[189, 194]], "TOOL: Word": [[198, 202]]}, "info": {"id": "cyberner_stix_test_000828", "source": 
"cyberner_stix_test"}} +{"text": "Our research shows fresh developments in the malware ’ s code and sophistication , as well as an expansion to target Europe and North America . We also observed MuddyWater’s use of multiple open source post-exploitation tools , which they deployed after successfully compromising a target . There are many articles and researches online about APT15 and their activities , the most recent one by NCC Group .", "spans": {"THREAT_ACTOR: MuddyWater’s": [[161, 173]], "TOOL: post-exploitation tools": [[202, 225]], "THREAT_ACTOR: APT15": [[343, 348]], "ORGANIZATION: NCC Group": [[395, 404]]}, "info": {"id": "cyberner_stix_test_000829", "source": "cyberner_stix_test"}} +{"text": "The following factors show the level of sophistication and reveals the attackers intention to remain stealthy and to gain long-term access by evading anti-virus , sandbox and security monitoring at both the desktop and network levels .", "spans": {}, "info": {"id": "cyberner_stix_test_000830", "source": "cyberner_stix_test"}} +{"text": "User must scroll to page three of the document , which will run the DealersChoice Flash object ;", "spans": {"TOOL: DealersChoice": [[68, 81]], "TOOL: Flash": [[82, 87]]}, "info": {"id": "cyberner_stix_test_000831", "source": "cyberner_stix_test"}} +{"text": "encoded . APT38 is a financially motivated group linked to North Korean cyber espionage operators , renown for attempting to steal hundreds of millions of dollars from financial institutions and their brazen use of destructive malware . 
Blackfly began with a campaign to steal certificates , which were later used to sign malware used in targeted attacks .", "spans": {"THREAT_ACTOR: APT38": [[10, 15]], "THREAT_ACTOR: group": [[43, 48]], "THREAT_ACTOR: cyber espionage operators": [[72, 97]], "ORGANIZATION: financial institutions": [[168, 190]], "THREAT_ACTOR: Blackfly": [[237, 245]]}, "info": {"id": "cyberner_stix_test_000832", "source": "cyberner_stix_test"}} +{"text": "Figure 4 shows the download prompt for this fake app ; an English translation follows . In another case , the attackers were able to compromise NetNod , a non-profit , independent internet infrastructure organization based in Sweden . PLATINUM is an activity group that has targeted victims since at least 2009 .", "spans": {"THREAT_ACTOR: attackers": [[110, 119]], "THREAT_ACTOR: PLATINUM": [[235, 243]]}, "info": {"id": "cyberner_stix_test_000833", "source": "cyberner_stix_test"}} +{"text": "The earliest activity we have been able to definitively attribute to the Dukes are two PinchDuke campaigns from November 2008 .", "spans": {"THREAT_ACTOR: Dukes": [[73, 78]], "MALWARE: PinchDuke": [[87, 96]]}, "info": {"id": "cyberner_stix_test_000834", "source": "cyberner_stix_test"}} +{"text": "Both adversaries engage in extensive political and economic espionage for the benefit of the government of the Russian Federation and are believed to be closely linked to the Russian government ’s powerful and highly capable intelligence services .", "spans": {}, "info": {"id": "cyberner_stix_test_000835", "source": "cyberner_stix_test"}} +{"text": "Based on the organization website , it also proposes services and developed zero-day vulnerabilities to test their own products : Zero-day research from lokd.com We can see that the organization owner still has an interest in Android devices . 
This event significantly affected the Russian cybercriminal world as the gang had stolen hundreds of millions of rubles during a few years of activity , and was considered a \" leader \" among cybercriminals . In order for the malware to survive rebooting , it normally creates the following registry run key : HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run . Fake browser updates are a very common decoy used by malware authors .", "spans": {"VULNERABILITY: zero-day vulnerabilities": [[76, 100]], "ORGANIZATION: lokd.com": [[153, 161]], "SYSTEM: Android": [[226, 233]]}, "info": {"id": "cyberner_stix_test_000836", "source": "cyberner_stix_test"}} +{"text": "] comlagertha-lothbrok [ . Prior to the distribution of new versions of the agent , the Infy developers appear to consistently conduct tests from local hosts , which indicates that the control and maintenance of the software occurs in the Khorasan Razavi province of Iran , potentially in the city of Mashhad . However , we believe that the hundreds of FQDNs within these zones were created for the purpose of APT1 intrusions . ( Note : these themes are not unique to APT1 or even APT in general . ) The news-themed zones include the names of well-known news media outlets such as CNN , Yahoo and Reuters . 
By analyzing field data we see a gap in the implementation of CSP , and even for sites that do use it correctly , this creates an open window to exfiltrate data .", "spans": {"TOOL: Infy": [[88, 92]], "TOOL: FQDNs": [[353, 358]], "THREAT_ACTOR: APT1": [[410, 414], [468, 472]], "ORGANIZATION: CNN": [[581, 584]], "ORGANIZATION: Yahoo": [[587, 592]], "ORGANIZATION: Reuters": [[597, 604]], "VULNERABILITY: a gap in the implementation of CSP": [[638, 672]], "SYSTEM: sites": [[688, 693]]}, "info": {"id": "cyberner_stix_test_000837", "source": "cyberner_stix_test"}} +{"text": "Since we identified these attacks in the early stages , we have not been able to conclusively determine what STRONTIUM ’s ultimate objectives were in these intrusions .", "spans": {"THREAT_ACTOR: STRONTIUM": [[109, 118]]}, "info": {"id": "cyberner_stix_test_000838", "source": "cyberner_stix_test"}} +{"text": "As seen from the code in Figure 5 , the commands RuMMS supports right now include : install_true : to modify app preference to indicate that the C2 server received the victim device ’ s status . In addition to these instances , multiple Qatari organizations were the subject to spear phishing attacks carrying Helminth samples earlier this year . This new RAT is dropped to the victims via malicious Microsoft Office B-IDTY I-TOOL docume S-TOOLnts . 
It will then attempt to wipe the physical drive partition itself .", "spans": {"MALWARE: RuMMS": [[49, 54]], "ORGANIZATION: Qatari organizations": [[237, 257]], "TOOL: Helminth samples": [[310, 326]], "TOOL: RAT": [[356, 359]], "TOOL: Microsoft": [[400, 409]]}, "info": {"id": "cyberner_stix_test_000839", "source": "cyberner_stix_test"}} +{"text": "The group also uses the all.bat batch script to collect all files stored on a specific user's desktop .", "spans": {"FILEPATH: all.bat": [[24, 31]]}, "info": {"id": "cyberner_stix_test_000840", "source": "cyberner_stix_test"}} +{"text": "Moreover , the Trojan intercepts SMS from the bank that contain one-time passwords and information about the balance of the linked bank card . They then identify the Exchange server and attempt to install the OwaAuth web shell . Save for a few iteration updates , combinations from previous deployments , and using the routines repetitively for every campaign , we found very little changes in the group ’s toolkit , which allowed various honeypots across the Eastern European region to detect many of the sent binaries . The NCSC also assesses that it is almost certain Russia was responsible for the subsequent cyber - attack impacting Viasat on 24 February .", "spans": {"TOOL: OwaAuth web shell": [[209, 226]], "MALWARE: honeypots": [[439, 448]], "ORGANIZATION: NCSC": [[526, 530]], "THREAT_ACTOR: Russia": [[571, 577]], "THREAT_ACTOR: subsequent cyber - attack": [[602, 627]], "ORGANIZATION: Viasat": [[638, 644]]}, "info": {"id": "cyberner_stix_test_000841", "source": "cyberner_stix_test"}} +{"text": ". During this time they were able to steal digital certificates from South Korean companies and launch attacks against Indian and Saudi Arabian government organizations . 
Employee-entitlements-2020.doc : What makes COSMICENERGY unique is that based on our analysis , a contractor may have developed it as a red teaming tool for simulated power disruption exercises hosted by Rostelecom - Solar , a Russian cyber security company .", "spans": {"ORGANIZATION: companies": [[82, 91]], "ORGANIZATION: government organizations": [[144, 168]], "FILEPATH: Employee-entitlements-2020.doc": [[171, 201]], "MALWARE: COSMICENERGY": [[215, 227]], "ORGANIZATION: Rostelecom - Solar": [[375, 393]], "ORGANIZATION: Russian cyber security company": [[398, 428]]}, "info": {"id": "cyberner_stix_test_000842", "source": "cyberner_stix_test"}} +{"text": "We judge that CNIIHM likely possesses the necessary institutional knowledge and personnel to assist in the orchestration and development of TRITON and TEMP.Veles operations .", "spans": {"ORGANIZATION: CNIIHM": [[14, 20]], "MALWARE: TRITON": [[140, 146]], "THREAT_ACTOR: TEMP.Veles": [[151, 161]]}, "info": {"id": "cyberner_stix_test_000843", "source": "cyberner_stix_test"}} +{"text": "Also , the botnet IDs increment over time as they are submitted . We believe the iOS malware gets installed on already compromised systems , and it is very similar to next stage SEDNIT malware we have found for Microsoft Windows’ systems . The report specifies the Magic Hound targeted political , military and defense industry in the US , UK and Israel .", "spans": {"ORGANIZATION: We": [[66, 68]], "MALWARE: SEDNIT": [[178, 184]], "ORGANIZATION: political": [[286, 295]], "ORGANIZATION: military": [[298, 306]], "ORGANIZATION: defense industry": [[311, 327]]}, "info": {"id": "cyberner_stix_test_000844", "source": "cyberner_stix_test"}} +{"text": "In this case , \" AU '' is the code shown , which is Australia . During our analysis of victim networks , we were able to observe APT10 once again initiate a retooling cycle in late 2016 . Of course , there might be other samples out there with different MAC addresses in their list . 
Monitor and analyze traffic patterns and packet inspection associated to protocol(s ) , leveraging SSL / TLS inspection for encrypted traffic , that do not follow the expected protocol standards and traffic flows ( e.g extraneous packets that do not belong to established flows , gratuitous or anomalous traffic patterns , anomalous syntax , or structure ) .", "spans": {"THREAT_ACTOR: APT10": [[129, 134]]}, "info": {"id": "cyberner_stix_test_000845", "source": "cyberner_stix_test"}} +{"text": "After collecting the changed PIN code , it is sent back to the C2 . The link to the final payload of KerrDown was still active during the time of analysis and hence we were able to download a copy which turned out to be a variant of Cobalt Strike Beacon . COBALT GYPSY has used spearphishing to target telecommunications , government , defense , oil , and financial services organizations based in or affiliated with the MENA region , identifying individual victims through social media sites .", "spans": {"MALWARE: KerrDown": [[101, 109]], "ORGANIZATION: we": [[165, 167]], "THREAT_ACTOR: COBALT GYPSY": [[256, 268]], "ORGANIZATION: telecommunications": [[302, 320]], "ORGANIZATION: government": [[323, 333]], "ORGANIZATION: defense": [[336, 343]], "ORGANIZATION: oil": [[346, 349]], "ORGANIZATION: financial services organizations": [[356, 388]], "ORGANIZATION: individual victims": [[447, 465]], "ORGANIZATION: social media": [[474, 486]]}, "info": {"id": "cyberner_stix_test_000846", "source": "cyberner_stix_test"}} +{"text": "We believe that the Carbanak campaign is a clear indicator of a new era in cybercrime in which criminals use APT techniques directly against the financial industry instead of through its customers . 
In the case of Octopus , DustSquad used Delphi as their programming language of choice , which is unusual for such an actor .", "spans": {"VULNERABILITY: Carbanak": [[20, 28]], "THREAT_ACTOR: criminals": [[95, 104]], "ORGANIZATION: financial industry": [[145, 163]], "ORGANIZATION: customers": [[187, 196]], "MALWARE: Octopus": [[214, 221]]}, "info": {"id": "cyberner_stix_test_000847", "source": "cyberner_stix_test"}} +{"text": "They are interested in users of remote banking systems ( RBS ) , mainly in Russia and neighboring countries . The attacks we attribute to Scarlet Mimic have primarily targeted Uyghur and Tibetan activists as well as those who are interested in their causes .", "spans": {"THREAT_ACTOR: Scarlet Mimic": [[138, 151]], "ORGANIZATION: Uyghur": [[176, 182]], "ORGANIZATION: Tibetan activists": [[187, 204]]}, "info": {"id": "cyberner_stix_test_000848", "source": "cyberner_stix_test"}} +{"text": "To achieve this , “ Agent Smith ” utilizes a series of 1-day vulnerabilities , which allows any application to run an activity inside a system application , even if this activity is not exported . Estimating the damages is challenging , but as we learned , the criminals are siphoning off assets in transactions that do not exceed $15,000 each . The ZIP archive usually contains three files : the loader DLL , an encrypted data file ( usually named bin.dat ) , and , often , one clean unrelated DLL , which is likely included to mislead detection . 
FakeSG has different browser templates depending on which browser the victim is running .", "spans": {"MALWARE: Agent Smith": [[20, 31]], "VULNERABILITY: 1-day vulnerabilities": [[55, 76]], "TOOL: the loader DLL": [[393, 407]], "FILEPATH: bin.dat": [[449, 456]], "TOOL: clean unrelated DLL": [[479, 498]]}, "info": {"id": "cyberner_stix_test_000849", "source": "cyberner_stix_test"}} +{"text": "Hacking Team Spying Tool Listens to Calls By : Trend Micro July 21 , 2015 Following news that iOS devices are at risk of spyware related to the Hacking Team , the saga continues into the Android sphere . While investigating a 2016 intrusion , Secureworks identified BRONZE BUTLER exploiting a then-unpatched remote code execution vulnerability ( CVE-2016-7836 ) in SKYSEA Client View , a popular Japanese product used to manage an organization . The original implementation calls the optblock_t : :f unc callback function in MMAT_LOCOPT ( local optimization and graphing are complete ) Today ’s announcement comes as cyber security leaders from the 5 Eyes , EU and international allies meet at the NCSC ’s Cyber UK conference in Newport to discuss the cyber threats facing the world .", "spans": {"ORGANIZATION: Hacking Team": [[0, 12], [144, 156]], "ORGANIZATION: Trend Micro": [[47, 58]], "SYSTEM: iOS": [[94, 97]], "SYSTEM: Android": [[187, 194]], "ORGANIZATION: Secureworks": [[243, 254]], "THREAT_ACTOR: BRONZE BUTLER": [[266, 279]], "VULNERABILITY: CVE-2016-7836": [[346, 359]], "TOOL: optblock_t : :f unc": [[484, 503]], "TOOL: MMAT_LOCOPT": [[525, 536]], "ORGANIZATION: cyber security leaders": [[617, 639]], "ORGANIZATION: 5 Eyes": [[649, 655]], "ORGANIZATION: EU": [[658, 660]], "ORGANIZATION: international allies": [[665, 685]], "ORGANIZATION: NCSC ’s Cyber UK conference": [[698, 725]]}, "info": {"id": "cyberner_stix_test_000850", "source": "cyberner_stix_test"}} +{"text": "After fundamental reconnaissance , the malware operator implanted the delivered payload by manually using the 
following commands :", "spans": {}, "info": {"id": "cyberner_stix_test_000851", "source": "cyberner_stix_test"}} +{"text": "PittyTiger has also been seen using Heartbleed vulnerability in order to directly get valid credentials . A new version of ShimRat was built on the 7th of September , uploaded to the server and only days later used in a new campaign .", "spans": {"THREAT_ACTOR: PittyTiger": [[0, 10]], "VULNERABILITY: Heartbleed vulnerability": [[36, 60]], "MALWARE: ShimRat": [[123, 130]]}, "info": {"id": "cyberner_stix_test_000852", "source": "cyberner_stix_test"}} +{"text": "This assertion of time zone is also supported by timestamps found in many GeminiDuke samples , which similarly suggest the group work in the Moscow Standard Time timezone , as further detailed in the section on the technical analysis of GeminiDuke .", "spans": {"MALWARE: GeminiDuke": [[74, 84], [237, 247]], "TOOL: Standard Time": [[148, 161]]}, "info": {"id": "cyberner_stix_test_000853", "source": "cyberner_stix_test"}} +{"text": "This RAT records all the calls and stores the recording to an “ .amr ” file . We observed the admin@338 upload a second stage malware , known as BUBBLEWRAP ( also known as Backdoor.APT.FakeWinHTTPHelper ) to their Dropbox account along with the following command . For security purposes , Morphisec is not revealing these names . 
We have seen this algorithm deployed by other groups before , either as a standalone encryption algorithm or as part of a more custom approach .", "spans": {"THREAT_ACTOR: admin@338": [[94, 103]], "TOOL: BUBBLEWRAP": [[145, 155]], "TOOL: Backdoor.APT.FakeWinHTTPHelper": [[172, 202]], "ORGANIZATION: Morphisec": [[289, 298]]}, "info": {"id": "cyberner_stix_test_000854", "source": "cyberner_stix_test"}} +{"text": "During our analysis , we were unable to coerce the C2 into providing a malicious SWF or payload .", "spans": {"TOOL: C2": [[51, 53]], "TOOL: SWF": [[81, 84]]}, "info": {"id": "cyberner_stix_test_000855", "source": "cyberner_stix_test"}} +{"text": "To confirm our suspicions , we generated a malicious Excel file with Luckystrike and compared its macro to the macro found within Sofacy ’s delivery document .", "spans": {"TOOL: Excel": [[53, 58]], "TOOL: Luckystrike": [[69, 80]], "TOOL: macro": [[98, 103], [111, 116]], "THREAT_ACTOR: Sofacy": [[130, 136]]}, "info": {"id": "cyberner_stix_test_000856", "source": "cyberner_stix_test"}} +{"text": "Other common functionalities include executing commands received from the attacker , taking screenshots of the victim 's device , fetching locations , stealing SMS messages and most common features that every spyware may poses . This IP is very interesting because it connects with tele.zyns.com and old infrastructures used by chinese APT or DDOS Chinese team against the ancient soviet republics . OilRig is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014 .", "spans": {"THREAT_ACTOR: chinese APT": [[328, 339]], "ORGANIZATION: ancient soviet republics": [[373, 397]], "THREAT_ACTOR: OilRig": [[400, 406]]}, "info": {"id": "cyberner_stix_test_000857", "source": "cyberner_stix_test"}} +{"text": "Russian cyber espionage actors use zero-day exploits in addition to less complex measures . 
Further tracking of the Lazarus’s activities has enabled Kaspersky researchers to discover a new operation , active since at least November 2018 , which utilizes PowerShell to control Windows systems and Mac OS malware to target Apple customers .", "spans": {"THREAT_ACTOR: Lazarus’s": [[116, 125]], "ORGANIZATION: Kaspersky": [[149, 158]], "MALWARE: PowerShell": [[254, 264]], "SYSTEM: Windows": [[276, 283]], "ORGANIZATION: Apple customers": [[321, 336]]}, "info": {"id": "cyberner_stix_test_000858", "source": "cyberner_stix_test"}} +{"text": "This technique is precise and praiseworthy – yet at the same time , appears so rigorous as to impose limitations on the ability to dynamically adjust and adapt to emerging adversary activity . ( Or for that matter , even categorize otherwise well-known historical actors operating to the present day , such as Turla . ) FireEye ’s methodology may have particular limitations in instances where adversaries ( such as XENOTIME and presumably TEMP.Veles ) rely upon extensive use of publicly-available , commonly-used tools with limited amounts of customization .", "spans": {"THREAT_ACTOR: Turla": [[310, 315]], "ORGANIZATION: FireEye": [[320, 327]], "THREAT_ACTOR: XENOTIME": [[416, 424]], "THREAT_ACTOR: TEMP.Veles": [[440, 450]]}, "info": {"id": "cyberner_stix_test_000859", "source": "cyberner_stix_test"}} +{"text": "The Trojan can also leverage keylogging to broaden the attack scope . Backdoors are installed in infected systems and SectorJ04 also distributed email stealers , botnet malware and ransomware through those backdoors . 
REDBALDKNIGHT , also known as BRONZE BUTLER and Tick , is a cyberespionage group known to target Japan such as government agencies as well as those in biotechnology , electronics manufacturing , and industrial chemistry .", "spans": {"THREAT_ACTOR: SectorJ04": [[118, 127]], "TOOL: backdoors": [[206, 215]], "THREAT_ACTOR: REDBALDKNIGHT": [[218, 231]], "THREAT_ACTOR: BRONZE BUTLER": [[248, 261]], "THREAT_ACTOR: Tick": [[266, 270]], "ORGANIZATION: government agencies": [[329, 348]], "ORGANIZATION: biotechnology": [[369, 382]], "ORGANIZATION: electronics manufacturing": [[385, 410]], "ORGANIZATION: industrial chemistry": [[417, 437]]}, "info": {"id": "cyberner_stix_test_000860", "source": "cyberner_stix_test"}} +{"text": "TA505 almost exclusively hosts malware in this way , although they vary the means of installing their final payloads on victim machines .", "spans": {"THREAT_ACTOR: TA505": [[0, 5]]}, "info": {"id": "cyberner_stix_test_000861", "source": "cyberner_stix_test"}} +{"text": "Although the developers of Bookworm have included only keylogging functionality in Bookworm as a core ability , as suggested in Table 1 , several of the embedded DLLs provide Leader with cryptographic and hashing functions , while others support Leader 's ability to communicate with its C2 server . As noted in our previous blog on Buhtrap , this gang has been actively targeting Russian businesses , mostly through spear-phishing .", "spans": {"TOOL: Bookworm": [[27, 35], [83, 91]], "TOOL: Leader": [[246, 252]], "ORGANIZATION: businesses": [[389, 399]]}, "info": {"id": "cyberner_stix_test_000862", "source": "cyberner_stix_test"}} +{"text": "The Marcher banking malware uses two main attack vectors . Like PLEAD , Shrouded Crossbow uses spear-phishing emails with backdoor-laden attachments that utilize the RTLO technique and accompanied by decoy documents . In the malware , if a domain is configured , it will retrieve domain.tld / . 
Designed to guard against XSS attacks , CSP helps control which domains can be accessed as part of a page and therefore restricts which domains to share data with .", "spans": {"MALWARE: Marcher": [[4, 11]], "TOOL: RTLO technique": [[166, 180]], "MALWARE: decoy documents": [[200, 215]], "FILEPATH: domain.tld": [[280, 290]], "THREAT_ACTOR: XSS attacks": [[321, 332]], "ORGANIZATION: CSP": [[335, 338]]}, "info": {"id": "cyberner_stix_test_000863", "source": "cyberner_stix_test"}} +{"text": "Trojan.Linux.SSHBRUTE.B : 620635aa9685249c87ead1bb0ad25b096714a0073cfd38a615c5eb63c3761976 .", "spans": {"MALWARE: Trojan.Linux.SSHBRUTE.B": [[0, 23]], "FILEPATH: 620635aa9685249c87ead1bb0ad25b096714a0073cfd38a615c5eb63c3761976": [[26, 90]]}, "info": {"id": "cyberner_stix_test_000864", "source": "cyberner_stix_test"}} +{"text": "msconf.exe is the main module that provides control of the implant and reverse shell feature . Among the targets of this campaign is the International Trade Union Confederation (ITUC) . RTM is a cybercriminal group that has been active since at least 2015 and is primarily interested in users of remote banking systems in Russia and neighboring countries .", "spans": {"ORGANIZATION: Trade Union Confederation": [[151, 176]], "THREAT_ACTOR: RTM": [[186, 189]]}, "info": {"id": "cyberner_stix_test_000865", "source": "cyberner_stix_test"}} +{"text": "The initial powershell agent POC i created can bypass the AV including Kaspersky , Trendmicro .", "spans": {"TOOL: powershell": [[12, 22]], "TOOL: POC": [[29, 32]], "TOOL: AV": [[58, 60]], "TOOL: Kaspersky": [[71, 80]], "TOOL: Trendmicro": [[83, 93]]}, "info": {"id": "cyberner_stix_test_000866", "source": "cyberner_stix_test"}} +{"text": "This lockdown screen includes two parts : A WebView containing a background picture loaded from a predefined URL . 
Instead , OurMine had managed to alter WikiLeaks 's DNS records ( held by a third-party registrar ) to direct anyone who tried to visit wikileaks.org to visit a different IP address which definitely wasn't under the control of Julian Assange and his cronies . The Remsec malware used by Strider has a modular design .", "spans": {"THREAT_ACTOR: OurMine": [[125, 132]], "ORGANIZATION: WikiLeaks": [[154, 163]], "MALWARE: Remsec": [[379, 385]], "MALWARE: malware": [[386, 393]], "THREAT_ACTOR: Strider": [[402, 409]]}, "info": {"id": "cyberner_stix_test_000867", "source": "cyberner_stix_test"}} +{"text": "If a user visits the profile host website and allows the installer to download , the iOS system will go directly to the “ Install Profile ” page ( which shows a verified safety certificate ) , and then request the users ’ passcode for the last step of installation . Between November 26 , 2015 , and December 1 , 2015 , known and suspected China-based APT16 launched several spear phishing attacks targeting Japan and Taiwan in the high-tech , government services , media and financial services industries . In our sample traffic, the TXT resource record returned contained: . The constant integers are obfuscated using structures and loops to get the right offset .", "spans": {"SYSTEM: iOS": [[85, 88]], "THREAT_ACTOR: APT16": [[352, 357]], "ORGANIZATION: high-tech": [[432, 441]], "ORGANIZATION: government services": [[444, 463]], "ORGANIZATION: media": [[466, 471]], "ORGANIZATION: financial services industries": [[476, 505]]}, "info": {"id": "cyberner_stix_test_000868", "source": "cyberner_stix_test"}} +{"text": "System : Presence of the following artifacts .", "spans": {}, "info": {"id": "cyberner_stix_test_000869", "source": "cyberner_stix_test"}} +{"text": "The spyware also appears to have an additional payload stored under the /res/raw/ directory . 
Gaza Cybergang has been seen employing phishing , with several chained stages to evade detection and extend command and control server lifetimes . While the outbound communication mechanisms are well documented , less attention has been paid to a feature of recent versions of Winnti we came across in the Linux variant ( as well as Windows ) that allows the operators to initiate a connection directly to an infected host , without requiring a connection to a control server .", "spans": {"THREAT_ACTOR: Gaza Cybergang": [[94, 108]], "MALWARE: Winnti": [[371, 377]], "SYSTEM: Linux": [[400, 405]], "SYSTEM: Windows": [[427, 434]]}, "info": {"id": "cyberner_stix_test_000870", "source": "cyberner_stix_test"}} +{"text": "Targeted individuals that enabled macros in a malicious Microsoft Word document may have been infected with Poison Ivy , a popular remote access tool ( RAT ) that has been used for nearly a decade for key logging , screen and video capture , file transfers , password theft , system administration , traffic relaying , and more .", "spans": {"MALWARE: macros in a malicious Microsoft Word document": [[34, 79]], "MALWARE: Poison Ivy": [[108, 118]], "TOOL: remote access tool": [[131, 149]], "TOOL: RAT": [[152, 155]]}, "info": {"id": "cyberner_stix_test_000871", "source": "cyberner_stix_test"}} +{"text": "DanaBot is a Trojan that includes banking site web injections and stealer functions . PLEAD uses spear-phishing emails to deliver and install their backdoor , either as an attachment or through links to cloud storage services .", "spans": {"TOOL: DanaBot": [[0, 7]], "TOOL: Trojan": [[13, 19]], "TOOL: emails": [[112, 118]], "MALWARE: cloud storage services": [[203, 225]]}, "info": {"id": "cyberner_stix_test_000872", "source": "cyberner_stix_test"}} +{"text": "Seeing as the system loader of the DEX files ( ART ) fully ignores everything that goes after the data section , the patcher writes all of its resources right there . 
For now , we can call RTM one of the most active financial Trojans . The password to this archive is within the MSI package . As a result , we decided to call this variant FakeSG .", "spans": {"TOOL: RTM": [[189, 192]], "ORGANIZATION: financial": [[216, 225]], "TOOL: MSI": [[279, 282]]}, "info": {"id": "cyberner_stix_test_000873", "source": "cyberner_stix_test"}} +{"text": "Gobelin Panda , a.k.a Goblin Panda , is a group that has been identified by CrowdStrike as a Chinese threat actor . They are a very , very persistent group , ” says Costin Raiu , who has been watching Winnti since 2011 .", "spans": {"THREAT_ACTOR: Gobelin Panda": [[0, 13]], "THREAT_ACTOR: Goblin Panda": [[22, 34]], "ORGANIZATION: CrowdStrike": [[76, 87]], "ORGANIZATION: Costin Raiu": [[165, 176]], "THREAT_ACTOR: Winnti": [[201, 207]]}, "info": {"id": "cyberner_stix_test_000874", "source": "cyberner_stix_test"}} +{"text": "With the capabilities of showing out-of-scope ads , exposing the user to other applications , and opening a URL in a browser , ‘ SimBad ’ acts now as an Adware , but already has the infrastructure to evolve into a much larger threat . While the group has not yet demonstrated an ICS capability , RASPITE 's recent targeting focus and methodology are clear indicators of necessary activity for initial intrusion operations into an IT network to prepare the way for later potential ICS events . 
Ongoing activity from attack groups like TA459 who consistently target individuals specializing in particular LOCs of research and expertise further complicate an already difficult security situation for organizations dealing with more traditional malware threats , phishing campaigns , and socially engineered threats every day .", "spans": {"MALWARE: SimBad": [[129, 135]], "THREAT_ACTOR: group": [[245, 250]], "TOOL: ICS": [[279, 282], [480, 483]], "THREAT_ACTOR: RASPITE": [[296, 303]], "ORGANIZATION: IT": [[430, 432]], "THREAT_ACTOR: TA459": [[534, 539]]}, "info": {"id": "cyberner_stix_test_000875", "source": "cyberner_stix_test"}} +{"text": "Report_URL : https://unit42.paloaltonetworks.com/unit42-sofacy-attacks-multiple-government-entities/", "spans": {}, "info": {"id": "cyberner_stix_test_000876", "source": "cyberner_stix_test"}} +{"text": "However , in order to block Janus abuse , app developers need to sign their apps with the new scheme so that Android framework security component could conduct integrity checks with enhanced features . Back in February , we noted the similarities between the Patchwork and Confucius groups and found that , in addition to the similarities in their malware code , both groups primarily went after targets in South Asia . The URLs used for hosting all follow a similar pattern . This was likely to establish both persistence and secondary access , as in other environments .", "spans": {"VULNERABILITY: Janus": [[28, 33]], "SYSTEM: Android": [[109, 116]], "THREAT_ACTOR: Patchwork": [[259, 268]], "THREAT_ACTOR: Confucius groups": [[273, 289]]}, "info": {"id": "cyberner_stix_test_000877", "source": "cyberner_stix_test"}} +{"text": "These are then uploaded to the C & C HTTP server . APT33 may possibly be looking to gain insights on Saudi Arabia 's military aviation capabilities to enhance Iran 's domestic aviation capabilities or to support Iran 's military and strategic decision making vis a vis Saudi Arabia . 
The main tool used in this campaign is an updated version of the Remexi malware, publicly reported by Symantec back in 2015 . They work to bypass traditional security barriers on the Android operating system and provide a variety of information stealing , surveillance and remote access capabilities .", "spans": {"THREAT_ACTOR: APT33": [[51, 56]], "ORGANIZATION: military": [[220, 228]], "MALWARE: Remexi": [[349, 355]], "ORGANIZATION: Symantec": [[386, 394]], "SYSTEM: Android operating system": [[467, 491]]}, "info": {"id": "cyberner_stix_test_000878", "source": "cyberner_stix_test"}} +{"text": "The stylistic differences between CozyDuke and its older siblings are further exemplified by the way it was coded .", "spans": {"MALWARE: CozyDuke": [[34, 42]]}, "info": {"id": "cyberner_stix_test_000879", "source": "cyberner_stix_test"}} +{"text": "Lookout has shared information about this family with Apple , and they have revoked the affected certificates . The actors attempted to exploit CVE-2014-6332 using a slightly modified version of the proof-of-concept ( POC ) code to install a Trojan called Emissary , which is related to the Operation Lotus Blossom campaign . 
Based on these observations , as well as MuddyWater 's history of targeting Turkey-based entities , we assess with moderate confidence that this campaign is associated with the MuddyWater threat actor group .", "spans": {"ORGANIZATION: Lookout": [[0, 7]], "ORGANIZATION: Apple": [[54, 59]], "THREAT_ACTOR: actors": [[116, 122]], "VULNERABILITY: CVE-2014-6332": [[144, 157]], "TOOL: Emissary": [[256, 264]], "THREAT_ACTOR: MuddyWater": [[367, 377], [503, 513]]}, "info": {"id": "cyberner_stix_test_000880", "source": "cyberner_stix_test"}} +{"text": "With these event handlers created , the ActionScript starts by gathering system data from the flash.system.Capabilities.serverString property ( just like in the original DealersChoice.B samples ) and issues an HTTP GET with the system data as a parameter to the C2 URL that was passed as an argument to the embedded SWF when it was initially loaded .", "spans": {"TOOL: ActionScript": [[40, 52]], "FILEPATH: DealersChoice.B": [[170, 185]], "TOOL: C2": [[262, 264]], "TOOL: SWF": [[316, 319]]}, "info": {"id": "cyberner_stix_test_000881", "source": "cyberner_stix_test"}} +{"text": "It has been modified to drop a separate C&C helper , ( md5: 8C4D896957C36EC4ABEB07B2802268B9 ) as “ tf394kv.dll “ .", "spans": {"TOOL: C&C": [[40, 43]], "FILEPATH: 8C4D896957C36EC4ABEB07B2802268B9": [[60, 92]], "FILEPATH: tf394kv.dll": [[100, 111]]}, "info": {"id": "cyberner_stix_test_000882", "source": "cyberner_stix_test"}} +{"text": "HammerDuke is however interesting because it is written in .NET , and even more so because of its occasional use of Twitter as a C&C communication channel .", "spans": {"MALWARE: HammerDuke": [[0, 10]], "TOOL: .NET": [[59, 63]], "TOOL: Twitter": [[116, 123]], "THREAT_ACTOR: C&C": [[129, 132]]}, "info": {"id": "cyberner_stix_test_000883", "source": "cyberner_stix_test"}} +{"text": "Some of the techniques used by Slingshot , such as the exploitation of legitimate , yet vulnerable drivers has been seen before in other malware 
, such as White and Grey Lambert . Despite the initial perception that the maldoc sample was intended for ICS or OT staff , LYCEUM has not demonstrated an interest in those environments .", "spans": {"TOOL: Slingshot": [[31, 40]], "TOOL: White": [[155, 160]], "TOOL: Grey Lambert": [[165, 177]], "MALWARE: maldoc": [[220, 226]], "ORGANIZATION: ICS": [[251, 254]], "ORGANIZATION: OT staff": [[258, 266]], "THREAT_ACTOR: LYCEUM": [[269, 275]]}, "info": {"id": "cyberner_stix_test_000884", "source": "cyberner_stix_test"}} +{"text": "In this latest incident , Transparent Tribe registered a fake news domain , timesofindiaa.in , on May 18 , 2016 , and then used it to send spear phishing emails to Indian government officials on the same day . One of the favorite methods used by the Pitty Tiger group to infect users is to use a Microsoft Office Word document which exploits a specific vulnerability ( CVE-2012-0158 ) .", "spans": {"ORGANIZATION: government officials": [[171, 191]], "THREAT_ACTOR: Pitty Tiger group": [[250, 267]], "FILEPATH: Microsoft Office Word document": [[296, 326]], "VULNERABILITY: CVE-2012-0158": [[369, 382]]}, "info": {"id": "cyberner_stix_test_000885", "source": "cyberner_stix_test"}} +{"text": "AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products . In this latest activity , BlackWater first added an obfuscated Visual Basic for Applications ( VBA ) script to establish persistence as a registry key . The technique is described by MITRE S-SECTEAM ATT&CK IDT1084 . The actors appear to target victims in Kuwait , as the ransom note demands payment in Kuwaiti dinar before translating that sum to its U.S. 
dollar equivalent in Bitcoin .", "spans": {"ORGANIZATION: Cisco": [[80, 85]], "TOOL: Visual Basic for Applications": [[169, 198]], "TOOL: VBA": [[201, 204]], "TOOL: MITRE S-SECTEAM ATT&CK IDT1084": [[289, 319]], "ORGANIZATION: Kuwait": [[361, 367]]}, "info": {"id": "cyberner_stix_test_000886", "source": "cyberner_stix_test"}} +{"text": "CLOUDDUKE : First known activity June 2015 , Most recent known activity Summer 2015 , Other names MiniDionis , CloudLook , C&C communication methods HTTP(S) , Microsoft OneDrive , Known toolset components Downloader , Loader , Two backdoor variants .", "spans": {"MALWARE: CLOUDDUKE": [[0, 9]], "MALWARE: MiniDionis": [[98, 108]], "MALWARE: CloudLook": [[111, 120]], "TOOL: C&C": [[123, 126]], "ORGANIZATION: Microsoft": [[159, 168]], "TOOL: OneDrive": [[169, 177]], "TOOL: Downloader": [[205, 215]], "TOOL: Loader": [[218, 224]]}, "info": {"id": "cyberner_stix_test_000887", "source": "cyberner_stix_test"}} +{"text": "The Pastebin userid matched with the email ID mentioned by this individual in the YouTube video description section .", "spans": {"TOOL: Pastebin": [[4, 12]], "TOOL: email": [[37, 42]], "ORGANIZATION: YouTube": [[82, 89]]}, "info": {"id": "cyberner_stix_test_000888", "source": "cyberner_stix_test"}} +{"text": "This functionality can be seen in Figure 6 . Beginning in March 2016 , Buckeye began using a variant of DoublePulsar (Backdoor.Doublepulsar) , a backdoor that was subsequently released by the Shadow Brokers in 2017 . Sandworm Team : Quedagh , VOODOO BEAR .", "spans": {"THREAT_ACTOR: Buckeye": [[71, 78]], "THREAT_ACTOR: Shadow Brokers": [[192, 206]], "THREAT_ACTOR: Sandworm Team": [[217, 230]], "THREAT_ACTOR: Quedagh": [[233, 240]], "THREAT_ACTOR: VOODOO BEAR": [[243, 254]]}, "info": {"id": "cyberner_stix_test_000889", "source": "cyberner_stix_test"}} +{"text": "In addition , we did not see traces of the Smali injection . 
However , as the shift in targets occurred before the source code leak , we assess with high confidence that the same people behind the first Buhtrap malware attacks against businesses and banks are also involved in targeting governmental institutions . The Konni malware was disguised as a North Korean news item in a weaponized documents ( the name of the document was “ Why North Korea slams South Korea ’s recent defense talks with U.S-Japan.zip ” ) This is not the first time we have seen an overlap of ScarCruft and DarkHotel actors .", "spans": {"THREAT_ACTOR: Buhtrap": [[203, 210]], "ORGANIZATION: businesses": [[235, 245]], "ORGANIZATION: banks": [[250, 255]], "ORGANIZATION: governmental institutions": [[287, 312]], "MALWARE: Konni": [[319, 324]], "FILEPATH: U.S-Japan.zip": [[497, 510]], "THREAT_ACTOR: ScarCruft": [[569, 578]], "THREAT_ACTOR: DarkHotel": [[583, 592]]}, "info": {"id": "cyberner_stix_test_000890", "source": "cyberner_stix_test"}} +{"text": "During the final update installation process , it relies on the Janus vulnerability to bypass Android ’ s APK integrity checks . These images were associated with the Bookworm campaign code \" 20150905 \" . In the months that followed , we closely tracked the threat and witnessed the attackers upgrade the malware , target new processes , and work around defensive measures . 
They have also utilized AADInternals PowerShell Modules to access the API .003 Compromise Accounts : Cloud Accounts APT29 has used residential proxies , including Azure Virtual Machines , to obfuscate their access to victim environments .", "spans": {"VULNERABILITY: Janus": [[64, 69]], "SYSTEM: Android": [[94, 101]], "THREAT_ACTOR: Cloud Accounts APT29": [[476, 496]], "SYSTEM: residential proxies": [[506, 525]], "SYSTEM: Azure Virtual Machines": [[538, 560]]}, "info": {"id": "cyberner_stix_test_000891", "source": "cyberner_stix_test"}} +{"text": "Reusing our deobfuscation tool and some other tricks , we have been able to reverse and analyze these opcodes and map them to a finite list that can be used later to automate the analysis process with some scripting . Lotus Blossom targeted the government , higher education , and high tech companies . Perhaps that’s the reason multiple groups target software developers : compromising the vendor results in a botnet as popular as the software that is hacked . But on Mar. 5 , 2014 , Harrison committed suicide by shooting himself in the head with a handgun .", "spans": {"THREAT_ACTOR: Lotus Blossom": [[218, 231]], "ORGANIZATION: government": [[245, 255]], "ORGANIZATION: higher education": [[258, 274]], "ORGANIZATION: high tech companies": [[281, 300]], "ORGANIZATION: Harrison": [[485, 493]]}, "info": {"id": "cyberner_stix_test_000892", "source": "cyberner_stix_test"}} +{"text": "The developer simply has to register and receive a unique ID for his applications . This suggests to us that Thrip 's motives go beyond spying and may also include disruption . In contrast , the variants we described in our white paper did n’t even have that module embedded . 
Now , there are some key differences to note in the newest versions of Foudre", "spans": {"THREAT_ACTOR: Foudre": [[348, 354]]}, "info": {"id": "cyberner_stix_test_000893", "source": "cyberner_stix_test"}} +{"text": "In this attack , the targets are lured to open a document or a link attached to an email .", "spans": {"TOOL: email": [[83, 88]]}, "info": {"id": "cyberner_stix_test_000894", "source": "cyberner_stix_test"}} +{"text": "The actor uses the Awen webshell to run various commands to do an initial discovery on the system and network , including user accounts ( T1033 and T1087 ) , files and folders ( T1083 ) , privileged groups ( T1069 ) , remote systems ( T1018 ) and network configuration ( T1016 ) .", "spans": {"TOOL: Awen": [[19, 23]]}, "info": {"id": "cyberner_stix_test_000895", "source": "cyberner_stix_test"}} +{"text": "It may even allow them to sell ad space directly to application developers . In 2016 , Group-IB identified 10 attacks conducted by MoneyTaker ; 6 attacks on banks in the US , 1 attack on a US service provider , 1 attack on a bank in the UK and 2 attacks on Russian banks . Based on the email address naming convention and message subject , the threat actors may have tried to make the message appear to be a legitimate communication from the Democratic Progressive Party ( DPP ) , Taiwan ’s opposition party . To me , simply asking critical infrastructure to consider these factors as part of their normal processes seems like a non - issue , but the U.S. Appeals Court has put a hold on this rule for the time being ( though it did n’t give a precise reason at the time of its ruling ) .", "spans": {"ORGANIZATION: Group-IB": [[87, 95]], "ORGANIZATION: banks": [[157, 162], [265, 270]], "ORGANIZATION: service provider": [[192, 208]], "ORGANIZATION: bank": [[225, 229]], "TOOL: email": [[286, 291]], "ORGANIZATION: critical infrastructure": [[532, 555]], "ORGANIZATION: U.S. 
Appeals Court": [[651, 669]]}, "info": {"id": "cyberner_stix_test_000896", "source": "cyberner_stix_test"}} +{"text": "First off , it registers the infected device in the administrative panel by sending a GET request to the relative address gate.php ( in later versions gating.php ) with the ID ( device identifier generated by the setPsuedoID function in a pseudo-random way based on the device IMEI ) and screen ( shows if the device is active , possible values are “ on ” , “ off ” , “ none ” ) parameters . In April 2015 , FireEye uncovered the malicious efforts of APT30 , a suspected China-based threat group . The malware author changed the malware architecture , this version is divided in two binaries: conhote.dll , winnit.exe .", "spans": {"ORGANIZATION: FireEye": [[408, 415]], "THREAT_ACTOR: APT30": [[451, 456]], "FILEPATH: conhote.dll": [[593, 604]], "FILEPATH: winnit.exe": [[607, 617]]}, "info": {"id": "cyberner_stix_test_000897", "source": "cyberner_stix_test"}} +{"text": "PUTTER PANDA are a determined adversary group who have been operating for several years , conducting intelligence-gathering operations with a significant focus on the space sector . Initial reports about HIGHNOON and its variants reported publicly as Winnti dating back to at least 2013 indicated the tool was exclusive to a single group , contributing to significant conflation across multiple distinct espionage operations .", "spans": {"THREAT_ACTOR: PUTTER PANDA": [[0, 12]], "THREAT_ACTOR: group": [[40, 45]], "ORGANIZATION: space sector": [[167, 179]], "FILEPATH: HIGHNOON": [[204, 212]], "THREAT_ACTOR: Winnti": [[251, 257]]}, "info": {"id": "cyberner_stix_test_000898", "source": "cyberner_stix_test"}} +{"text": "The threat actors behind the Sea Turtle campaign were successful in compromising entities by manipulating and falsifying DNS records at various levels in the domain name space . 
The archive in Mac OS X looks like this :", "spans": {"THREAT_ACTOR: threat actors": [[4, 17]], "SYSTEM: Mac OS X": [[193, 201]]}, "info": {"id": "cyberner_stix_test_000899", "source": "cyberner_stix_test"}} +{"text": "Those three certificates were the only ones used in 2014 , making it likely that the other six were not compromised until 2015 .", "spans": {}, "info": {"id": "cyberner_stix_test_000900", "source": "cyberner_stix_test"}} +{"text": "Attackers study the network by connecting to additional systems and locating critical servers .", "spans": {}, "info": {"id": "cyberner_stix_test_000901", "source": "cyberner_stix_test"}} +{"text": "Suckfly isn’t the only attack group to use certificates to sign malware but they may be the most prolific collectors of them .", "spans": {"THREAT_ACTOR: Suckfly": [[0, 7]]}, "info": {"id": "cyberner_stix_test_000902", "source": "cyberner_stix_test"}} +{"text": "It can save an SMS message on the device , marking with “ internal ” in the phone number field . The updated tool has only been seen in a handful of victim computers within organizational networks in Southeast Asia—PLATINUM is known to customize tools based on the network architecture of targeted organizations . 
Sowbug 's next move was to list any remote shared drives and then attempt to access remote shares owned by the specific government office they were targeting , again attempting to extract all Word documents .", "spans": {"THREAT_ACTOR: Sowbug": [[314, 320]], "ORGANIZATION: government office": [[434, 451]], "FILEPATH: Word documents": [[506, 520]]}, "info": {"id": "cyberner_stix_test_000903", "source": "cyberner_stix_test"}} +{"text": "Overall , SofacyCarberp does initial reconnaissance by gathering system information and sending it to the C2 server prior to downloading additional tools to the system .", "spans": {"MALWARE: SofacyCarberp": [[10, 23]], "TOOL: C2": [[106, 108]]}, "info": {"id": "cyberner_stix_test_000904", "source": "cyberner_stix_test"}} +{"text": "Curiously , the spear-phishing emails were strikingly similar to the e-fax themed spam usually seen spreading ransomware and other common crimeware .", "spans": {"TOOL: emails": [[31, 37]]}, "info": {"id": "cyberner_stix_test_000905", "source": "cyberner_stix_test"}} +{"text": "brother.apk ( SHA256 : 422fec2e201600bb2ea3140951563f8c6fbd4f8279a04a164aca5e8e753c40e8 ) : The package name – com.android.system.certificate . In 2016 , an attack campaign by this group was recorded in early May that made use of an exploit for CVE-2016-4117 , a vulnerability in Adobe Flash Player , which at the time was both unknown and unpatched . We observed Moafee running HTRAN proxies on their multiple Command and Control ( C2 ) servers – all operated on CHINANET , and hosted in Guangdong Province .", "spans": {"SYSTEM: brother.apk": [[0, 11]], "THREAT_ACTOR: group": [[181, 186]], "VULNERABILITY: CVE-2016-4117": [[245, 258]], "THREAT_ACTOR: Moafee": [[364, 370]], "MALWARE: HTRAN": [[379, 384]], "TOOL: C2": [[433, 435]]}, "info": {"id": "cyberner_stix_test_000906", "source": "cyberner_stix_test"}} +{"text": "This example code shows a JSON reply returned by the C & C server . 
Today Kaspersky Lab 's team of experts published a new research report about NetTraveler , which is a family of malicious programs used by APT actors to successfully compromise more than 350 high-profile victims in 40 countries . Compromising these Taiwanese news organizations would also allow the actors to gain access to informants or other protected sources , who might then be targeted for further intelligence collection or even retribution . ( Vox , USA Today )", "spans": {"ORGANIZATION: Kaspersky Lab": [[74, 87]], "TOOL: NetTraveler": [[145, 156]], "ORGANIZATION: Vox": [[519, 522]], "ORGANIZATION: USA Today": [[525, 534]]}, "info": {"id": "cyberner_stix_test_000907", "source": "cyberner_stix_test"}} +{"text": "Our team was also able to test other commands in the lab either by tampering with the HTTP traffic from the C & C or by sending crafted SMS messages . APT38 is a financially motivated North Korean regime-backed group responsible for conducting destructive attacks against financial institutions , as well as some of the world 's largest cyber heists . Attackers have been known to distribute malicious files masquerading as the legitimate iviewers.dll file and then use DLL load hijacking to execute the malicious code and infect the computer .", "spans": {"THREAT_ACTOR: APT38": [[151, 156]], "THREAT_ACTOR: regime-backed group": [[197, 216]], "ORGANIZATION: financial institutions": [[272, 294]], "THREAT_ACTOR: cyber heists": [[337, 349]], "FILEPATH: malicious files": [[392, 407]], "MALWARE: iviewers.dll file": [[439, 456]], "MALWARE: DLL load hijacking": [[470, 488]]}, "info": {"id": "cyberner_stix_test_000908", "source": "cyberner_stix_test"}} +{"text": "This is done using the ptrace syscall . 
Examples of notable Potao dissemination techniques , some of which were previously unseen , or at least relatively uncommon , include the use of highly-targeted spear-phishing SMS messages to drive potential victims to malware download sites and USB worm functionality that tricked the user into ' willingly ' executing the trojan . APT17 : 110.45.151.43 . The exploits are located in separate web pages .", "spans": {"TOOL: Potao": [[60, 65]], "THREAT_ACTOR: APT17": [[373, 378]], "IP_ADDRESS: 110.45.151.43": [[381, 394]]}, "info": {"id": "cyberner_stix_test_000909", "source": "cyberner_stix_test"}} +{"text": "APRIL - MAY 2016 , Researchers at Trend Micro observed APT28 establish a fake CDU email server and launch phishing emails against CDU members in an attempt to obtain their email credentials and access their accounts .", "spans": {"THREAT_ACTOR: APT28": [[55, 60]], "ORGANIZATION: CDU": [[78, 81], [130, 133]], "TOOL: email": [[82, 87], [172, 177]], "TOOL: emails": [[115, 121]]}, "info": {"id": "cyberner_stix_test_000910", "source": "cyberner_stix_test"}} +{"text": "Just a few months later , in February 2015 , we announced the discovery of Carbanak , a cyber-criminal gang that used custom malware and APT techniques to steal millions of dollars while infecting hundreds of financial institutions in at least 30 countries . 
Thursday 's Flash Player update patched 36 vulnerabilities in total including the zero day CVE-2016-4171 .", "spans": {"VULNERABILITY: Carbanak": [[75, 83]], "THREAT_ACTOR: cyber-criminal gang": [[88, 107]], "ORGANIZATION: financial institutions": [[209, 231]], "TOOL: Flash": [[271, 276]], "VULNERABILITY: zero day": [[341, 349]], "VULNERABILITY: CVE-2016-4171": [[350, 363]]}, "info": {"id": "cyberner_stix_test_000911", "source": "cyberner_stix_test"}} +{"text": "The Spark campaign detailed in this blog demonstrates how the tense geopolitical climate in the Middle East is used by threat actors to lure victims and infect them with the Spark backdoor for cyber espionage purposes .", "spans": {"MALWARE: Spark": [[4, 9]], "MALWARE: Spark backdoor": [[174, 188]]}, "info": {"id": "cyberner_stix_test_000912", "source": "cyberner_stix_test"}} +{"text": "It has been active for around one month . By March 2016 , one of Scattered Canary’s members had built enough trust with a romance victim—who we’ll call Jane—that she became a frequent source of new mule accounts for the group . In all of these incidents , the Lazarus utilized similar toolsets , including KillDisk that was executed on compromised machines .", "spans": {"THREAT_ACTOR: Scattered Canary’s": [[65, 83]], "THREAT_ACTOR: group": [[220, 225]], "THREAT_ACTOR: Lazarus": [[260, 267]], "MALWARE: KillDisk": [[306, 314]]}, "info": {"id": "cyberner_stix_test_000913", "source": "cyberner_stix_test"}} +{"text": "In early May , the phishing lures leveraged RTF attachments that exploited the Microsoft Windows vulnerability described in CVE-2017-0199 . 
During these intrusions , LEAD 's objective was to steal sensitive data , including research materials , process documents , and project plans .", "spans": {"MALWARE: RTF attachments": [[44, 59]], "VULNERABILITY: CVE-2017-0199": [[124, 137]]}, "info": {"id": "cyberner_stix_test_000914", "source": "cyberner_stix_test"}} +{"text": "This person ’s online activity shows significant links to CNIIHM .", "spans": {"ORGANIZATION: CNIIHM": [[58, 64]]}, "info": {"id": "cyberner_stix_test_000915", "source": "cyberner_stix_test"}} +{"text": "Comparing strings from an old FakeSpy sample to a new one . FIN7 and Cobalt used decoy 302 HTTP redirections too , FIN7 on its GRIFFON C2s before January 2018 , and Cobalt , on its staging servers , similar to CopyPaste . which provides a range of services to UK Government .", "spans": {"MALWARE: FakeSpy": [[30, 37]], "THREAT_ACTOR: FIN7": [[60, 64], [115, 119]], "THREAT_ACTOR: Cobalt": [[69, 75]], "ORGANIZATION: UK Government": [[260, 273]]}, "info": {"id": "cyberner_stix_test_000916", "source": "cyberner_stix_test"}} +{"text": "Forward incoming phone calls to intercept voice-based two-factor authentication . Last year , Microsoft researchers described Neodymium 's behavior as unusual : \" unlike many activity groups , which typically gather information for monetary gain or economic espionage , PROMETHIUM and NEODYMIUM appear to launch campaigns simply to gather information about certain individuals . Analyzing the content of “ templates.vbs ” it is possible to notice that it define a variable containing a URL like “ http://geticons.ddns.net/ADMIN-PC_E42CAF54//autoindex . ]php ” obtained from “ hxp://get-icons.ddns . ]net/ ” & NlnQCJG & “ _ ” & uRDEJCn & “ //autoindex . ]php ” , where “ NlnQCJG ” is the name that identifies the computer on the network and “ uRDEJCn ” is the serial number of drive in hexadecimal encoding . In October , U.S. 
Senator Elizabeth Warren and Representative Deborah Ross introduced the Ransom Disclosure Act , with the goal of better understanding how cybercriminals are operating .", "spans": {"ORGANIZATION: Microsoft": [[94, 103]], "THREAT_ACTOR: Neodymium": [[126, 135]], "THREAT_ACTOR: activity groups": [[175, 190]], "ORGANIZATION: economic": [[249, 257]], "THREAT_ACTOR: PROMETHIUM": [[270, 280]], "THREAT_ACTOR: NEODYMIUM": [[285, 294]], "FILEPATH: templates.vbs": [[406, 419]], "URL: http://geticons.ddns.net/ADMIN-PC_E42CAF54//autoindex .": [[496, 551]], "URL: hxp://get-icons.ddns . ]net/ ” & NlnQCJG & “ _ ” & uRDEJCn & “ //autoindex . ]php": [[575, 656]], "ORGANIZATION: U.S. Senator Elizabeth Warren": [[819, 848]], "ORGANIZATION: Representative Deborah Ross": [[853, 880]]}, "info": {"id": "cyberner_stix_test_000917", "source": "cyberner_stix_test"}} +{"text": "PwC UK and BAE Systems assess it is highly likely that APT10 is a China-based threat actor with a focus on espionage and wide ranging information collection . In our most recent analysis , we attributed the intrusion activity that led to the deployment of TRITON to a Russian government-owned technical research institute in Moscow .", "spans": {"ORGANIZATION: PwC UK": [[0, 6]], "ORGANIZATION: BAE Systems": [[11, 22]], "THREAT_ACTOR: APT10": [[55, 60]], "THREAT_ACTOR: threat actor": [[78, 90]], "THREAT_ACTOR: espionage": [[107, 116]], "MALWARE: TRITON": [[256, 262]]}, "info": {"id": "cyberner_stix_test_000918", "source": "cyberner_stix_test"}} +{"text": "On November 10 , 2015 , threat actors sent a spear-phishing email to an individual at the French Ministry of Foreign Affairs . 
However , since they can inject code into the webpage , it means they have the ability to do this as well .", "spans": {"THREAT_ACTOR: threat actors": [[24, 37]], "ORGANIZATION: individual": [[72, 82]]}, "info": {"id": "cyberner_stix_test_000919", "source": "cyberner_stix_test"}} +{"text": "Beginning in mid-January 2019 , TA542 distributed millions of Emotet-laden emails in both English and German . The police suspected Lurk of stealing nearly three billion rubles , using malicious software to systematically withdraw large sums of money from the accounts of commercial organizations , including banks .", "spans": {"MALWARE: Lurk": [[132, 136]], "ORGANIZATION: commercial organizations": [[272, 296]], "ORGANIZATION: banks": [[309, 314]]}, "info": {"id": "cyberner_stix_test_000920", "source": "cyberner_stix_test"}} +{"text": "Lookout notified Google of the finding and Google removed the app immediately while also taking action on it in Google Play Protect . Variants of malware and tools used by HIDDEN COBRA actors include Destover and Hangman . No error or warning was prompted during the . Ideology is a motivation that makes the threat a little trickier .", "spans": {"ORGANIZATION: Lookout": [[0, 7]], "ORGANIZATION: Google": [[17, 23], [43, 49]], "SYSTEM: Google Play Protect": [[112, 131]], "THREAT_ACTOR: HIDDEN COBRA actors": [[172, 191]], "TOOL: Destover": [[200, 208]], "TOOL: Hangman": [[213, 220]]}, "info": {"id": "cyberner_stix_test_000921", "source": "cyberner_stix_test"}} +{"text": "URL — update C & C address . The June 2017 sample of Clayslide contained the same OfficeServicesStatus.vbs file found in the ISMAgent Clayslide document , but instead of having the payload embedded in the macro as segregated base64 strings that would be concatenated , this variant obtained its payload from multiple cells within the \" Incompatible \" worksheet . 
CTU researchers also identified components in the custom C2 protocol being used which they have seen utilized by Nickel Academy ( Lazarus ) previously .", "spans": {"TOOL: Clayslide": [[53, 62]], "MALWARE: OfficeServicesStatus.vbs file": [[82, 111]], "TOOL: ISMAgent Clayslide document": [[125, 152]], "ORGANIZATION: CTU": [[363, 366]], "MALWARE: custom C2 protocol": [[413, 431]], "THREAT_ACTOR: Nickel Academy": [[476, 490]], "THREAT_ACTOR: Lazarus": [[493, 500]]}, "info": {"id": "cyberner_stix_test_000922", "source": "cyberner_stix_test"}} +{"text": "If the command and control ( C2 ) server is taken down , the malicious operator can still recover the malware control by sending SMS messages directly to the infected devices . APT10 , a name originally coined by FireEye , is also referred to as Red Apollo by PwC UK , CVNX by BAE Systems , Stone Panda by CrowdStrike , and menuPass Team more broadly in the public domain . OceanLotus : 478cc5faadd99051a5ab48012c494a807c7782132ba4f33b9ad9229a696f6382 Loader #2 . Rhysida , a new ransomware gang claiming to be a \" cybersecurity team , \" has been in operation since May 17 , 2023 , making headlines for their high - profile attack against the Chilean Army .", "spans": {"THREAT_ACTOR: APT10": [[177, 182]], "ORGANIZATION: FireEye": [[213, 220]], "THREAT_ACTOR: Red Apollo": [[246, 256]], "ORGANIZATION: PwC UK": [[260, 266]], "THREAT_ACTOR: CVNX": [[269, 273]], "ORGANIZATION: BAE Systems": [[277, 288]], "THREAT_ACTOR: Stone Panda": [[291, 302]], "ORGANIZATION: CrowdStrike": [[306, 317]], "THREAT_ACTOR: menuPass Team": [[324, 337]], "THREAT_ACTOR: OceanLotus": [[374, 384]], "FILEPATH: 478cc5faadd99051a5ab48012c494a807c7782132ba4f33b9ad9229a696f6382": [[387, 451]], "THREAT_ACTOR: Rhysida": [[464, 471]], "ORGANIZATION: Chilean Army": [[643, 655]]}, "info": {"id": "cyberner_stix_test_000923", "source": "cyberner_stix_test"}} +{"text": "PittyTiger could also use CVE-2014-1761 , which is more recent . 
In addition to banks , the MoneyTaker group has attacked law firms and also financial software vendors .", "spans": {"THREAT_ACTOR: PittyTiger": [[0, 10]], "VULNERABILITY: CVE-2014-1761": [[26, 39]], "ORGANIZATION: banks": [[80, 85]], "THREAT_ACTOR: MoneyTaker group": [[92, 108]], "ORGANIZATION: law firms": [[122, 131]]}, "info": {"id": "cyberner_stix_test_000924", "source": "cyberner_stix_test"}} +{"text": "banking app used by the user . In November 2017 , Talos observed the Group123 , which included a new version of ROKRAT being used in the latest wave of attacks . As you can see the attacker has went to great lengths to disguise his service as a legitimate Antivirus Service by using the name 'Anti virus service.lnk' .", "spans": {"ORGANIZATION: Talos": [[50, 55]], "THREAT_ACTOR: Group123": [[69, 77]], "TOOL: Antivirus Service": [[256, 273]], "FILEPATH: 'Anti virus service.lnk'": [[292, 316]]}, "info": {"id": "cyberner_stix_test_000925", "source": "cyberner_stix_test"}} +{"text": "In a surprising turn of events , in September 2013 a CosmicDuke campaign was observed targeting Russian speakers involved in the trade of illegal and controlled substances .", "spans": {"MALWARE: CosmicDuke": [[53, 63]]}, "info": {"id": "cyberner_stix_test_000926", "source": "cyberner_stix_test"}} +{"text": "ALLANITE operations limit themselves to information gathering and have not demonstrated any disruptive or damaging capabilities . 
My understanding is FireEye labels entities where definitive attribution is not yet possible with the \" TEMP \" moniker ( hence , TEMP.Veles ) – yet in this case FireEye developed and deployed the label , then appeared to move aACT from it in subsequent reporting .", "spans": {"ORGANIZATION: FireEye": [[150, 157], [291, 298]], "THREAT_ACTOR: TEMP": [[234, 238]], "THREAT_ACTOR: TEMP.Veles": [[259, 269]]}, "info": {"id": "cyberner_stix_test_000927", "source": "cyberner_stix_test"}} +{"text": "There was code to download a decoy document from the Internet and open it in a second winword.exe process using the Start-Process cmdlet . The computers of diplomats , military attachés , private assistants , secretaries to Prime Ministers , journalists and others are under the concealed control of unknown assailant (s ) .", "spans": {"MALWARE: winword.exe": [[86, 97]], "MALWARE: Start-Process": [[116, 129]], "MALWARE: cmdlet": [[130, 136]], "ORGANIZATION: diplomats": [[156, 165]], "ORGANIZATION: military attachés": [[168, 185]], "ORGANIZATION: private assistants": [[188, 206]], "ORGANIZATION: secretaries": [[209, 220]], "ORGANIZATION: Prime Ministers": [[224, 239]], "ORGANIZATION: journalists": [[242, 253]]}, "info": {"id": "cyberner_stix_test_000928", "source": "cyberner_stix_test"}} +{"text": "CORESHELL :", "spans": {"MALWARE: CORESHELL": [[0, 9]]}, "info": {"id": "cyberner_stix_test_000929", "source": "cyberner_stix_test"}} +{"text": "Attacks involving Marcher have become increasingly sophisticated , with documented cases involving multiple attack vectors and a variety of targeted financial services and communication platforms [ 1 ] [ 2 ] . According to ClearSky , the suspected Lazarus operatives looked to leverage a vulnerability in outdated WinRAR file-archiving software that hackers have been exploiting since it was disclosed last month . 
Leafminer is an Iranian threat group that has targeted government organizations and business entities in the Middle East since at least early 2017 .", "spans": {"MALWARE: Marcher": [[18, 25]], "ORGANIZATION: ClearSky": [[223, 231]], "MALWARE: WinRAR": [[314, 320]], "THREAT_ACTOR: Leafminer": [[415, 424]], "ORGANIZATION: Middle East": [[524, 535]]}, "info": {"id": "cyberner_stix_test_000930", "source": "cyberner_stix_test"}} +{"text": "Overview The malware was first detected on a Nexus 5 smartphone , and although the user attempted to remove the infected app , the malware reappeared on the same device shortly thereafter . The document , when opened , used an embedded ActiveX control to download a JavaScript file from a remote site that used a previously unknown vulnerability in some versions of Windows ( later designated CVE-2013-7331 ) to read information about the browser 's installed components . APT10 has , in the past , primarily been known for its targeting of government and US defence industrial base organisations , with the earliest known date of its activity being in December 2009 .", "spans": {"SYSTEM: Nexus 5": [[45, 52]], "TOOL: ActiveX control": [[236, 251]], "MALWARE: JavaScript file": [[266, 281]], "VULNERABILITY: CVE-2013-7331": [[393, 406]], "THREAT_ACTOR: APT10": [[473, 478]], "ORGANIZATION: government": [[541, 551]]}, "info": {"id": "cyberner_stix_test_000931", "source": "cyberner_stix_test"}} +{"text": "The Microsoft Security Team is working on a fix for CVE-2015-1701 .", "spans": {"ORGANIZATION: Microsoft Security Team": [[4, 27]], "VULNERABILITY: CVE-2015-1701": [[52, 65]]}, "info": {"id": "cyberner_stix_test_000932", "source": "cyberner_stix_test"}} +{"text": "Ginp ’ s unusual target selection is not just about its focus on Spanish banks but also the wide selection of targeted apps per bank . 
Rapid7’s investigation revealed the law firm was first targeted in late 2017 , followed by the apparel company a few months later , and finally , the Visma attack in August 2018 . In addition to the infrastructure , the attacker also shared code .", "spans": {"MALWARE: Ginp": [[0, 4]], "ORGANIZATION: Rapid7’s": [[135, 143]], "ORGANIZATION: law firm": [[171, 179]]}, "info": {"id": "cyberner_stix_test_000933", "source": "cyberner_stix_test"}} +{"text": "Figure 8 . Interestingly , the targeted organization in the January 16 attack had already been targeted by the OilRig group a year ago on January 2017 . A WMIC command is executed to get this information on the targeted system . Mandiant identified sh3.exe as a utility suspected to run the Mimikatz LSADUMP command .", "spans": {"THREAT_ACTOR: OilRig group": [[111, 123]], "TOOL: WMIC": [[155, 159]], "TOOL: sh3.exe": [[249, 256]]}, "info": {"id": "cyberner_stix_test_000934", "source": "cyberner_stix_test"}} +{"text": "The targeting of this individual suggests the actors are interested in breaching the French Ministry of Foreign Affairs itself or gaining insights into relations between France and Taiwan . Taidoor spoofed Taiwanese government email addresses to send out socially engineered emails in the Chinese language that typically leveraged Taiwan-themed issues .", "spans": {"ORGANIZATION: individual": [[22, 32]], "THREAT_ACTOR: actors": [[46, 52]], "ORGANIZATION: government": [[216, 226]], "TOOL: email": [[227, 232]], "TOOL: emails": [[275, 281]]}, "info": {"id": "cyberner_stix_test_000935", "source": "cyberner_stix_test"}} +{"text": "It sends a smishing message to the entire contact list of the infected device along with the malicious link to the FakeSpy installation page . Consequently , the Linux malware ecosystem is plagued by financial driven crypto-miners and DDoS botnet tools which mostly target vulnerable servers . 
Ke3chang attackers have used spear-phishing emails .", "spans": {"MALWARE: FakeSpy": [[115, 122]], "ORGANIZATION: financial": [[200, 209]], "ORGANIZATION: vulnerable servers": [[273, 291]], "THREAT_ACTOR: Ke3chang": [[294, 302]], "THREAT_ACTOR: attackers": [[303, 312]], "TOOL: emails": [[338, 344]]}, "info": {"id": "cyberner_stix_test_000936", "source": "cyberner_stix_test"}} +{"text": "In April 2019 , several national security organizations released alerts on CVE-2019-0604 exploitation , including the Saudi Arabian National Cyber Security Center and the Canadian Center for Cyber Security . As can be observed in the illustration above , the makeself script is instructed to run ./setup.sh after unpacking .", "spans": {"VULNERABILITY: CVE-2019-0604": [[75, 88]], "ORGANIZATION: Cyber Security Center": [[141, 162]], "ORGANIZATION: Canadian Center": [[171, 186]], "FILEPATH: makeself script": [[259, 274]], "FILEPATH: ./setup.sh": [[296, 306]]}, "info": {"id": "cyberner_stix_test_000937", "source": "cyberner_stix_test"}} +{"text": "Our investigation showed that these attacks were targeted , and that the threat actor sought to steal communications data of specific individuals in various countries . 
The Infy malware was seen targeting Iranians again in June 2015 , when it was shared with researchers after being sent to a broadcast journalist at BBC Persian with a generic introduction and a PowerPoint presentation attached titled \" Nostalogy \" ( sic ) .", "spans": {"THREAT_ACTOR: threat actor": [[73, 85]], "ORGANIZATION: specific individuals": [[125, 145]], "MALWARE: Infy": [[173, 177]], "MALWARE: malware": [[178, 185]], "ORGANIZATION: Iranians": [[205, 213]], "ORGANIZATION: broadcast journalist": [[293, 313]], "ORGANIZATION: BBC Persian": [[317, 328]], "TOOL: PowerPoint": [[363, 373]]}, "info": {"id": "cyberner_stix_test_000938", "source": "cyberner_stix_test"}} +{"text": "We would also like to mention that if you come across an app hiding it 's icon , always try to search for the app in your device settings ( by going to Settings - > Apps - > Search for icon that was hidden ) . The story continued in late 2016 , when we discovered a new , previously unknown backdoor that we named Okrum . Kimsuky : Velvet Chollima .", "spans": {"TOOL: backdoor": [[291, 299]], "TOOL: Okrum": [[314, 319]], "THREAT_ACTOR: Kimsuky": [[322, 329]], "THREAT_ACTOR: Velvet Chollima": [[332, 347]]}, "info": {"id": "cyberner_stix_test_000939", "source": "cyberner_stix_test"}} +{"text": "In the summer of 2014 , BlackEnergy caught our attention when we noticed that samples of it were now tailored to target Ukrainian government institutions . 
The group previous activities against financial and policy organizations have largely focused on spear phishing emails written in English , destined for Western audiences .", "spans": {"THREAT_ACTOR: BlackEnergy": [[24, 35]], "ORGANIZATION: government institutions": [[130, 153]], "ORGANIZATION: financial": [[194, 203]], "ORGANIZATION: policy organizations": [[208, 228]], "TOOL: emails": [[268, 274]], "ORGANIZATION: audiences": [[317, 326]]}, "info": {"id": "cyberner_stix_test_000940", "source": "cyberner_stix_test"}} +{"text": "As shown , the delivery of the next-stage malware is dependent on the information collected .", "spans": {}, "info": {"id": "cyberner_stix_test_000941", "source": "cyberner_stix_test"}} +{"text": "Sometimes Patchwork send an MS PowerPoint document instead , which exploits CVE-2014-6352 . AA triggered an alert at a large telecoms operator in Southeast Asia .", "spans": {"THREAT_ACTOR: Patchwork": [[10, 19]], "MALWARE: MS PowerPoint document": [[28, 50]], "VULNERABILITY: CVE-2014-6352": [[76, 89]], "ORGANIZATION: telecoms operator": [[125, 142]]}, "info": {"id": "cyberner_stix_test_000942", "source": "cyberner_stix_test"}} +{"text": "The FuzzBunch and DanderSpritz frameworks are designed to be flexible and to extend functionality and compatibility with other tools . While the machine is in isolation , SOC personnel can direct the infected machine to collect live investigation data , such as the DNS cache or security event logs , which they can use to verify alerts , assess the state of the intrusion , and support follow-up actions .", "spans": {"TOOL: FuzzBunch": [[4, 13]], "TOOL: DanderSpritz": [[18, 30]], "ORGANIZATION: SOC personnel": [[171, 184]]}, "info": {"id": "cyberner_stix_test_000943", "source": "cyberner_stix_test"}} +{"text": "Custom Encryption Other variants have used custom-implemented encryption algorithms . APT5 has been active since at least 2007 . CA Clone user account . 
That 's because a new ransomware called BlackSuit had appeared which shared 98 percent of its code with the infamous Royal ransomware .", "spans": {"THREAT_ACTOR: APT5": [[86, 90]], "MALWARE: BlackSuit": [[193, 202]], "MALWARE: Royal ransomware": [[270, 286]]}, "info": {"id": "cyberner_stix_test_000944", "source": "cyberner_stix_test"}} +{"text": "This research gives a rare look into the process improvements malware authors make when optimizing before launch . One e-mail carried a Microsoft PowerPoint file named \" thanks.pps \" ( VirusTotal ) , the other a Microsoft Word document named \" request.docx \" . Instead , the Spring Dragon group is known to have employed spearphish exploits , strategic web compromises , and watering holes attack .", "spans": {"MALWARE: Microsoft PowerPoint file": [[136, 161]], "MALWARE: thanks.pps": [[170, 180]], "MALWARE: Microsoft Word document": [[212, 235]], "MALWARE: request.docx": [[244, 256]], "THREAT_ACTOR: Spring Dragon group": [[275, 294]], "VULNERABILITY: exploits": [[332, 340]]}, "info": {"id": "cyberner_stix_test_000945", "source": "cyberner_stix_test"}} +{"text": "eSurv 's logo is identical to the Command & Control server favicon . As part of their social engineering ploy , the Taidoor attackers attach a decoy document to their emails that , when opened , displays the contents of a legitimate document but executes a malicious payload in the background . Collects information about the infected machine . 
Cisco Secure Firewall ( formerly Next - Generation Firewall and Firepower NGFW ) appliances such as Threat Defense Virtual , Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat .", "spans": {"ORGANIZATION: eSurv": [[0, 5]], "ORGANIZATION: social engineering": [[86, 104]], "TOOL: Cisco Secure Firewall": [[345, 366]], "TOOL: Next - Generation Firewall and Firepower NGFW": [[378, 423]], "SYSTEM: Threat Defense Virtual": [[445, 467]], "SYSTEM: Adaptive Security Appliance": [[470, 497]], "SYSTEM: Meraki MX": [[502, 511]]}, "info": {"id": "cyberner_stix_test_000946", "source": "cyberner_stix_test"}} +{"text": "In that case , we observed Buhtrap using a local privilege escalation exploit , CVE-2019-1132 , against one of its victims . In contrast to many other APT campaigns , which tend to rely heavily on spear phishing to gain victims , \" th3bug \" is known for compromising legitimate websites their intended visitors are likely to frequent .", "spans": {"THREAT_ACTOR: Buhtrap": [[27, 34]], "VULNERABILITY: CVE-2019-1132": [[80, 93]]}, "info": {"id": "cyberner_stix_test_000947", "source": "cyberner_stix_test"}} +{"text": "For example , the DEX file is packed with garbage strings and/or operations , and contains a key to decipher the main executable file from the APK . POWRUNER was delivered using a malicious RTF file that exploited CVE-2017-0199 . WannaCry appends encrypted data files with the .WCRY extension , drops and executes a decryptor tool , and demands $300 or $600 USD ( via Bitcoin ) to decrypt the data .", "spans": {"TOOL: POWRUNER": [[149, 157]], "MALWARE: RTF file": [[190, 198]], "VULNERABILITY: CVE-2017-0199": [[214, 227]], "MALWARE: WannaCry": [[230, 238]], "FILEPATH: .WCRY": [[277, 282]], "TOOL: Bitcoin": [[368, 375]]}, "info": {"id": "cyberner_stix_test_000948", "source": "cyberner_stix_test"}} +{"text": "An example of FinFisher ’ s spaghetti code is shown below . 
iDefense assesses with high confidence that this campaign is associated with the threat group DRAGONFISH ( also known as Lotus Blossom and Spring Dragon ) . cscsrv.dll dwmsvc.dll iassrv.dll mprsvc.dll nlasrv.dll powfsvc.dll racsvc.dll slcsvc.dll snmpsvc.dll sspisvc.dll . Indicators of compromise act as breadcrumbs that lead infosec and IT pros to detect malicious activity early in the attack sequence .", "spans": {"MALWARE: FinFisher": [[14, 23]], "ORGANIZATION: iDefense": [[60, 68]], "THREAT_ACTOR: threat group": [[141, 153]], "THREAT_ACTOR: DRAGONFISH": [[154, 164]], "THREAT_ACTOR: Lotus Blossom": [[181, 194]], "THREAT_ACTOR: Spring Dragon": [[199, 212]], "FILEPATH: cscsrv.dll": [[217, 227]], "FILEPATH: dwmsvc.dll": [[228, 238]], "FILEPATH: iassrv.dll": [[239, 249]], "FILEPATH: mprsvc.dll": [[250, 260]], "FILEPATH: nlasrv.dll": [[261, 271]], "FILEPATH: powfsvc.dll": [[272, 283]], "FILEPATH: racsvc.dll": [[284, 294]], "FILEPATH: slcsvc.dll": [[295, 305]], "FILEPATH: snmpsvc.dll": [[306, 317]], "FILEPATH: sspisvc.dll": [[318, 329]]}, "info": {"id": "cyberner_stix_test_000949", "source": "cyberner_stix_test"}} +{"text": "ussd : to call a C2-specified phone number . APT34 uses a mix of public and non-public tools , often conducting spear phishing operations using compromised accounts , sometimes coupled with social engineering tactics . The campaign shows an actor that developed a homemade RAT that works in multiple layers hosted on cloud providers . 
There is evidence to suggest that in 2010 Harrison was directed to harass the owner of Ashleymadisonsucks.com into closing the site or selling the domain to Ashley Madison .", "spans": {"THREAT_ACTOR: APT34": [[45, 50]], "TOOL: public and non-public tools": [[65, 92]], "TOOL: compromised accounts": [[144, 164]], "ORGANIZATION: Harrison": [[377, 385]], "ORGANIZATION: Ashleymadisonsucks.com": [[422, 444]], "ORGANIZATION: Ashley Madison": [[492, 506]]}, "info": {"id": "cyberner_stix_test_000950", "source": "cyberner_stix_test"}} +{"text": "Trojan architecture and capabilities This malware is written in .NET using the Xamarin environment for mobile applications . China Chopper is a tool that has been used by some state-sponsored actors such as Leviathan and Threat Group-3390 , but during our investigation we've seen actors with varying skill levels . APT33 's focus on aviation may indicate the group 's desire to gain insight into regional military aviation capabilities to enhance Iran 's aviation capabilities or to support Iran 's military and strategic decision making .", "spans": {"SYSTEM: .NET": [[64, 68]], "SYSTEM: Xamarin": [[79, 86]], "TOOL: China Chopper": [[125, 138]], "THREAT_ACTOR: Leviathan": [[207, 216]], "THREAT_ACTOR: Threat Group-3390": [[221, 238]], "THREAT_ACTOR: APT33": [[316, 321]], "ORGANIZATION: aviation": [[334, 342], [456, 464]], "ORGANIZATION: military": [[500, 508]]}, "info": {"id": "cyberner_stix_test_000951", "source": "cyberner_stix_test"}} +{"text": "TG-3390 : 74.63.195.237 . 1cb4b74e9d030afbb18accf6ee2bfca1 MD5 hash HttpBrowser RAT dropper . b333b5d541a0488f4e710ae97c46d9c2 MD5 hash HttpBrowser RAT dropper . 86a05dcffe87caf7099dda44d9ec6b48 MD5 hash HttpBrowser RAT dropper . 93e40da0bd78bebe5e1b98c6324e9b5b MD5 hash HttpBrowser RAT dropper . f43d9c3e17e8480a36a62ef869212419 MD5 hash HttpBrowser RAT dropper . 57e85fc30502a925ffed16082718ec6c MD5 hash HttpBrowser RAT dropper . 
4251aaf38a485b08d5562c6066370f09 MD5 hash HttpBrowser RAT dropper . bbfd1e703f55ce779b536b5646a0cdc1 MD5 hash HttpBrowser RAT dropper . 12a522cb96700c82dc964197adb57ddf MD5 hash HttpBrowser RAT dropper . 728e5700a401498d91fb83159beec834 MD5 hash HttpBrowser RAT dropper . 2bec1860499aae1dbcc92f48b276f998 MD5 hash HttpBrowser RAT dropper . 014122d7851fa8bf4070a8fc2acd5dc5 MD5 hash HttpBrowser RAT . 0ae996b31a2c3ed3f0bc14c7a96bea38 MD5 hash HttpBrowser RAT . 1a76681986f99b216d5c0f17ccff2a12 MD5 hash HttpBrowser RAT . 380c02b1fd93eb22028862117a2f19e3 MD5 hash HttpBrowser RAT . 40a9a22da928cbb70df48d5a3106d887 MD5 hash HttpBrowser RAT . 46cf2f9b4a4c35b62a32f28ac847c575 MD5 hash HttpBrowser RAT . 5436c3469cb1d87ea404e8989b28758d MD5 hash HttpBrowser RAT . 692cecc94ac440ec673dc69f37bc0409 MD5 hash HttpBrowser RAT .", "spans": {"THREAT_ACTOR: TG-3390": [[0, 7]], "IP_ADDRESS: 74.63.195.237": [[10, 23]], "FILEPATH: 1cb4b74e9d030afbb18accf6ee2bfca1": [[26, 58]], "MALWARE: HttpBrowser": [[68, 79], [136, 147], [204, 215], [272, 283], [340, 351], [408, 419], [476, 487], [544, 555], [612, 623], [680, 691], [748, 759], [816, 827], [876, 887], [936, 947], [996, 1007], [1056, 1067], [1116, 1127], [1176, 1187], [1236, 1247]], "FILEPATH: b333b5d541a0488f4e710ae97c46d9c2": [[94, 126]], "FILEPATH: 86a05dcffe87caf7099dda44d9ec6b48": [[162, 194]], "FILEPATH: 93e40da0bd78bebe5e1b98c6324e9b5b": [[230, 262]], "FILEPATH: f43d9c3e17e8480a36a62ef869212419": [[298, 330]], "FILEPATH: 57e85fc30502a925ffed16082718ec6c": [[366, 398]], "FILEPATH: 4251aaf38a485b08d5562c6066370f09": [[434, 466]], "FILEPATH: bbfd1e703f55ce779b536b5646a0cdc1": [[502, 534]], "FILEPATH: 12a522cb96700c82dc964197adb57ddf": [[570, 602]], "FILEPATH: 728e5700a401498d91fb83159beec834": [[638, 670]], "FILEPATH: 2bec1860499aae1dbcc92f48b276f998": [[706, 738]], "FILEPATH: 014122d7851fa8bf4070a8fc2acd5dc5": [[774, 806]], "FILEPATH: 0ae996b31a2c3ed3f0bc14c7a96bea38": [[834, 866]], "FILEPATH: 1a76681986f99b216d5c0f17ccff2a12": [[894, 
926]], "FILEPATH: 380c02b1fd93eb22028862117a2f19e3": [[954, 986]], "FILEPATH: 40a9a22da928cbb70df48d5a3106d887": [[1014, 1046]], "FILEPATH: 46cf2f9b4a4c35b62a32f28ac847c575": [[1074, 1106]], "FILEPATH: 5436c3469cb1d87ea404e8989b28758d": [[1134, 1166]], "FILEPATH: 692cecc94ac440ec673dc69f37bc0409": [[1194, 1226]]}, "info": {"id": "cyberner_stix_test_000952", "source": "cyberner_stix_test"}} +{"text": "The most common of these , the 4H RAT and the 3PARA RAT , have been documented previously by CrowdStrike in previous CrowdStrike Intelligence reporting . RocketMan!” (probably a reference to Donald Trump’s nickname for Kim Jong Un) and MiamiBeach” serve as the first beacon messages from the victim to the control server .", "spans": {"TOOL: 4H RAT": [[31, 37]], "TOOL: 3PARA RAT": [[46, 55]], "ORGANIZATION: CrowdStrike": [[93, 104]], "ORGANIZATION: CrowdStrike Intelligence": [[117, 141]], "FILEPATH: RocketMan!”": [[154, 165]], "FILEPATH: MiamiBeach”": [[236, 247]]}, "info": {"id": "cyberner_stix_test_000953", "source": "cyberner_stix_test"}} +{"text": "The toolset includes reams of documentation explaining how the cyber weapons work , as well as details about their use in highly classified intelligence operations abroad . 
The malware tools used by BLACKGEAR can be categorized into three categories : binders , downloaders and backdoors .", "spans": {"MALWARE: binders": [[252, 259]], "MALWARE: downloaders": [[262, 273]], "MALWARE: backdoors": [[278, 287]]}, "info": {"id": "cyberner_stix_test_000954", "source": "cyberner_stix_test"}} +{"text": "During this period of CosmicDuke testing and development , the Duke authors also started experimenting with the use of privilege escalation vulnerabilities .", "spans": {"MALWARE: CosmicDuke": [[22, 32]], "THREAT_ACTOR: Duke": [[63, 67]]}, "info": {"id": "cyberner_stix_test_000955", "source": "cyberner_stix_test"}} +{"text": "At the cost of possibly being overly verbose , following is the output of an nmap scan of the infected Android device from a laptop in the same local network , which further demonstrantes the availability of the same open TCP ports that we have mentioned thus far : Identification of eSurv Presence of Italian language At a first look , the first samples of the spyware we obtained did not show immediately evident connections to any company . We believe that Suckfly will continue to target organizations in India and similar organizations in other countries in order to provide economic insight to the organization behind Suckfly 's operations . A statement of the Ministry of Finance on civil and military employee benefits and salaries , discussing the conterversial issue Palestinian Authority employees that have not been paid or paid in full their salaries b33f22b967a5be0e886d479d47d6c9d35c6639d2ba2e14ffe42e7d2e5b11ad80 . 
The first suspicious activity from the threat actor involved the use of the gpresult command to dump the policy settings enforced on the computer for a specified user .", "spans": {"ORGANIZATION: eSurv": [[284, 289]], "ORGANIZATION: economic": [[580, 588]], "ORGANIZATION: Ministry of Finance": [[667, 686]], "ORGANIZATION: Palestinian Authority": [[777, 798]], "FILEPATH: b33f22b967a5be0e886d479d47d6c9d35c6639d2ba2e14ffe42e7d2e5b11ad80": [[864, 928]], "THREAT_ACTOR: threat actor": [[970, 982]]}, "info": {"id": "cyberner_stix_test_000956", "source": "cyberner_stix_test"}} +{"text": "FireEye Labs recently identified a previously unobserved version of Ploutus , dubbed Ploutus-D , that interacts with KAL’s Kalignite multivendor ATM platform . Given our increased confidence that Bahamut was responsible for targeting of Qatari labor rights advocates and its focus on the foreign policy institutions other Gulf states , Bahamut 's interests are seemingly too expansive to be limited one sponsor or customer .", "spans": {"ORGANIZATION: FireEye": [[0, 7]], "MALWARE: Ploutus": [[68, 75]], "MALWARE: Ploutus-D": [[85, 94]], "ORGANIZATION: labor rights advocates": [[244, 266]], "ORGANIZATION: foreign policy institutions": [[288, 315]]}, "info": {"id": "cyberner_stix_test_000957", "source": "cyberner_stix_test"}} +{"text": "] infoupload999 [ . Other samples were found bearing a compilation time as early as June 2012 and version 00002 . The person who registered “ hugesoft.org ” may add as many subdomains as they wish and controls the IP resolutions of these FQDNs . 
Monitor for changes made to files that may attempt to hide artifacts associated with their behaviors to evade detection .", "spans": {"DOMAIN: hugesoft.org": [[142, 154]], "TOOL: FQDNs": [[238, 243]]}, "info": {"id": "cyberner_stix_test_000958", "source": "cyberner_stix_test"}} +{"text": "The same subnet ( 87.236.215.0 / 24 ) also hosts several known or suspected APT28 domains .", "spans": {"DOMAIN: 87.236.215.0": [[18, 30]], "THREAT_ACTOR: APT28": [[76, 81]]}, "info": {"id": "cyberner_stix_test_000959", "source": "cyberner_stix_test"}} +{"text": "Polish Government & Power Exchange websites :", "spans": {}, "info": {"id": "cyberner_stix_test_000960", "source": "cyberner_stix_test"}} +{"text": "Once Chrysaor is installed , a remote operator is able to surveil the victim 's activities on the device and within the vicinity , leveraging microphone , camera , data collection , and logging and tracking application activities on communication apps such as phone and SMS . Some of the documents exploited CVE-2017-0199 to deliver the payload . Variable ( t ) used to determine the time to sleep in milliseconds before continuing the execution . However , com.docker.vmnat was removed from the system .", "spans": {"MALWARE: Chrysaor": [[5, 13]], "MALWARE: documents": [[288, 297]], "VULNERABILITY: CVE-2017-0199": [[308, 321]]}, "info": {"id": "cyberner_stix_test_000961", "source": "cyberner_stix_test"}} +{"text": "This is a bit more complicated since the SMS commands are encrypted and encoded with base64 . APT33 registered multiple domains that masquerade as Saudi Arabian aviation companies and Western organizations that together have partnerships to provide training , maintenance and support for Saudi 's military and commercial fleet . 
activity originated from three separate IP addresses , all located in Chengdu , China .", "spans": {"THREAT_ACTOR: APT33": [[94, 99]], "ORGANIZATION: aviation companies": [[161, 179]]}, "info": {"id": "cyberner_stix_test_000962", "source": "cyberner_stix_test"}} +{"text": "Again , GlobeImposter is not particularly innovative but TA505 elevated the ransomware from a regional variant to a major landscape feature during roughly six weeks of large campaigns .", "spans": {"MALWARE: GlobeImposter": [[8, 21]], "THREAT_ACTOR: TA505": [[57, 62]]}, "info": {"id": "cyberner_stix_test_000963", "source": "cyberner_stix_test"}} +{"text": "There have been reports of real-time phishing in the wild as early as 2010 . The usefulness of flare-qdb can be seen in cases such as loops dealing with strings .", "spans": {"FILEPATH: flare-qdb": [[95, 104]]}, "info": {"id": "cyberner_stix_test_000964", "source": "cyberner_stix_test"}} +{"text": "In addition , by using VBA2Graph , we were able to visualize the VBA call graph in the macros of each document . We assume that RunPow stands for run PowerShell , ” and triggers the PowerShell code embedded inside the .dll file .", "spans": {"MALWARE: VBA2Graph": [[23, 32]], "TOOL: PowerShell": [[150, 160], [182, 192]], "FILEPATH: .dll file": [[218, 227]]}, "info": {"id": "cyberner_stix_test_000965", "source": "cyberner_stix_test"}} +{"text": "What was taken The actors behind ViperRAT seem to be particularly interested in image data . The developers refer to this tool by the name Kazuar , which is a Trojan written using the Microsoft.NET Framework that offers actors complete access to compromised systems targeted by its operator . The ZxShell service handler routine is only a stub : it responds to each service request code , doing nothing , and finally exits . 
Surprisingly enough , it does not take very long to get some information about Hack520 : someone with this handle runs a blog and a Twitter account ( with a handle close to Hack520 ) that is also directly linked to the blog .", "spans": {"MALWARE: ViperRAT": [[33, 41]], "TOOL: Kazuar": [[139, 145]], "MALWARE: ZxShell": [[297, 304]], "ORGANIZATION: Hack520": [[504, 511], [598, 605]]}, "info": {"id": "cyberner_stix_test_000966", "source": "cyberner_stix_test"}} +{"text": "DarkPulsar is a very interesting administrative module for controlling a passive backdoor named ' sipauth32.tsp ' that provides remote control , belonging to this category . As in the past , these messages have been sent accounts believed to be fake and accounts compromised by Infy , including Kurdish activists that had previously been compromised by the Flying Kitten actor group .", "spans": {"TOOL: DarkPulsar": [[0, 10]], "TOOL: backdoor": [[81, 89]], "MALWARE: sipauth32.tsp": [[98, 111]], "ORGANIZATION: Kurdish activists": [[295, 312]], "THREAT_ACTOR: Flying Kitten actor group": [[357, 382]]}, "info": {"id": "cyberner_stix_test_000967", "source": "cyberner_stix_test"}} +{"text": "It steals SMS messages and information about voice calls . The Intercept reported that there exists a 2011 presentation by Canada 's Communication Security Establishment ( CSE ) outlining the errors made by the Turla operators during their operations even though the tools they use are quite advanced . Winnti : hpqhvsei.dll . Identifying suspicious virtual desktop agent Windows Registry keys", "spans": {"ORGANIZATION: Canada 's Communication Security Establishment": [[123, 169]], "ORGANIZATION: CSE": [[172, 175]], "THREAT_ACTOR: Turla operators": [[211, 226]], "THREAT_ACTOR: Winnti": [[303, 309]], "FILEPATH: hpqhvsei.dll": [[312, 324]]}, "info": {"id": "cyberner_stix_test_000968", "source": "cyberner_stix_test"}} +{"text": "The following method is declared in the DEX . 
Later that month , the same tactics and patterns were seen in attempts against an Iranian women 's activist – an individual commonly targeted by Iranian actors , such as Charming Kitten and the Sima campaign documented in our 2016 Black Hat talk . Being able to transfer and execute files on the infected system means the attacker can run any code they please . Following a three - month lull of activity , Cl0p returned with a vengeance in June and beat out LockBit as the month ’s most active ransomware gang .", "spans": {"ORGANIZATION: Iranian women 's activist": [[128, 153]], "ORGANIZATION: individual": [[159, 169]], "THREAT_ACTOR: Cl0p": [[453, 457]], "THREAT_ACTOR: LockBit": [[505, 512]]}, "info": {"id": "cyberner_stix_test_000969", "source": "cyberner_stix_test"}} +{"text": "Among the artifacts hosted in GreedyAntd 's servers , we managed to find a single component not related to the same cryptojacking operation just previously discussed and leveraged by Pacha Group . Samples and resource names contained the family names of prominent Iranians , and several of these individuals received the malware located in their respective folder .", "spans": {"TOOL: GreedyAntd": [[30, 40]], "ORGANIZATION: Iranians": [[264, 272]]}, "info": {"id": "cyberner_stix_test_000970", "source": "cyberner_stix_test"}} +{"text": "To make sure the trojan survives a device restart , it abuses already activated accessibility services that will launch the trojan right after start . On June 24 , we found another campaign targeting Lebanon with the ServHelper malware . 
McAfee Advanced Threat Research analysts have discovered an aggressive Bitcoin-stealing phishing campaign by the international cybercrime group Lazarus that uses sophisticated malware with long-term impact .", "spans": {"MALWARE: ServHelper": [[217, 227]], "ORGANIZATION: McAfee Advanced Threat Research": [[238, 269]], "THREAT_ACTOR: Lazarus": [[382, 389]], "MALWARE: sophisticated": [[400, 413]], "MALWARE: malware": [[414, 421]]}, "info": {"id": "cyberner_stix_test_000971", "source": "cyberner_stix_test"}} +{"text": "XLoader can also hijack accounts linked to financial or game-related apps installed on the affected device . The larger , 300kb+ SPLM backdoors deployed in 2016 and 2017 are not observed any longer at targets in 2018 . Together with the RMS executable , there is another file named “ settings.dat ” containing the custom configuration prepared by the attacker .", "spans": {"MALWARE: XLoader": [[0, 7]], "THREAT_ACTOR: SPLM": [[129, 133]], "TOOL: RMS": [[237, 240]], "FILEPATH: settings.dat": [[284, 296]]}, "info": {"id": "cyberner_stix_test_000972", "source": "cyberner_stix_test"}} +{"text": "The Word document usually exploits CVE-2012-0158 . Thrip was using PsExec to move laterally between computers on the company 's network .", "spans": {"MALWARE: Word document": [[4, 17]], "VULNERABILITY: CVE-2012-0158": [[35, 48]], "MALWARE: PsExec": [[67, 73]]}, "info": {"id": "cyberner_stix_test_000973", "source": "cyberner_stix_test"}} +{"text": "CrowdStrike observed Goblin Panda activity spike as tensions among South China Sea nations has risen . 
Raiu and his team have followed the digital tracks left behind by some of the Winnti hackers .", "spans": {"ORGANIZATION: CrowdStrike": [[0, 11]], "THREAT_ACTOR: Goblin Panda": [[21, 33]], "ORGANIZATION: Raiu": [[103, 107]], "THREAT_ACTOR: Winnti": [[181, 187]]}, "info": {"id": "cyberner_stix_test_000974", "source": "cyberner_stix_test"}} +{"text": "The indicators are provided below , these indicators can be used by the organizations ( Government , Public and Private organizations ) to detect and investigate this attack campaign . 14b9d54f07f3facf1240c5ba89aa2410 ( googleupdate.exe ) . 2b0bd7e43c1f98f9db804011a54c11d6 ( malib.dll ) . feec4b571756e8c015c884cb5441166b ( msccvs.dll ) . 84d9d0524e14d9ab5f88bbce6d2d2582 ( officeupdate.exe ) . khanji.ddns.net 139.190.6.180 39.40.141.25 175.110.165.110 39.40.44.245 39.40.67.219 . http://pastebin.com/raw/5j4hc8gT http://pastebin.com/raw/6bwniBtB . 028caf3b1f5174ae092ecf435c1fccc2 7732d5349a0cfa1c3e4bcfa0c06949e4 9909f8558209449348a817f297429a48 63698ddbdff5be7d5a7ba7f31d0d592c 7c4e60685203b229a41ae65eba1a0e10 e2112439121f8ba9164668f54ca1c6af .", "spans": {"FILEPATH: 14b9d54f07f3facf1240c5ba89aa2410": [[185, 217]], "FILEPATH: googleupdate.exe": [[220, 236]], "FILEPATH: 2b0bd7e43c1f98f9db804011a54c11d6": [[241, 273]], "FILEPATH: malib.dll": [[276, 285]], "FILEPATH: feec4b571756e8c015c884cb5441166b": [[290, 322]], "FILEPATH: msccvs.dll": [[325, 335]], "FILEPATH: 84d9d0524e14d9ab5f88bbce6d2d2582": [[340, 372]], "FILEPATH: officeupdate.exe": [[375, 391]], "DOMAIN: khanji.ddns.net": [[396, 411]], "IP_ADDRESS: 139.190.6.180": [[412, 425]], "IP_ADDRESS: 39.40.141.25": [[426, 438]], "IP_ADDRESS: 175.110.165.110": [[439, 454]], "IP_ADDRESS: 39.40.44.245": [[455, 467]], "IP_ADDRESS: 39.40.67.219": [[468, 480]], "URL: http://pastebin.com/raw/5j4hc8gT": [[483, 515]], "URL: http://pastebin.com/raw/6bwniBtB": [[516, 548]], "FILEPATH: 028caf3b1f5174ae092ecf435c1fccc2": [[551, 583]], "FILEPATH: 7732d5349a0cfa1c3e4bcfa0c06949e4": [[584, 
616]], "FILEPATH: 9909f8558209449348a817f297429a48": [[617, 649]], "FILEPATH: 63698ddbdff5be7d5a7ba7f31d0d592c": [[650, 682]], "FILEPATH: 7c4e60685203b229a41ae65eba1a0e10": [[683, 715]], "FILEPATH: e2112439121f8ba9164668f54ca1c6af": [[716, 748]]}, "info": {"id": "cyberner_stix_test_000975", "source": "cyberner_stix_test"}} +{"text": "It sets particular parameters in relation to call details and a further service named calls takes the control as seen in Figure 5 . The Buckeye attack group had been active since at least 2009 , when it began mounting a string of espionage attacks , mainly against organizations based in the U.S . It also refers to malware of the same name ( Carbanak ) .", "spans": {"THREAT_ACTOR: Buckeye": [[136, 143]], "MALWARE: Carbanak": [[343, 351]]}, "info": {"id": "cyberner_stix_test_000976", "source": "cyberner_stix_test"}} +{"text": "] com hxxp : //mailsa-wqw [ . Another attack group , Earworm ( aka Zebrocy ) , has been active since at least May 2016 and is involved in what appears to be intelligence gathering operations against military targets in Europe , Central Asia , and Eastern Asia . The IronDefense Network Traffic Analysis platform combines several behavioral detection methods alongside historical network information to detect the C2 techniques used by Glimpse and other . Adversaries may also use CLIs to install and run new software , including malicious tools that may be installed over the course of an operation .", "spans": {"THREAT_ACTOR: attack group": [[38, 50]], "THREAT_ACTOR: Earworm": [[53, 60]], "THREAT_ACTOR: Zebrocy": [[67, 74]], "TOOL: C2": [[413, 415]], "MALWARE: Glimpse": [[435, 442]]}, "info": {"id": "cyberner_stix_test_000977", "source": "cyberner_stix_test"}} +{"text": "PittyTiger has also been seen using Heartbleed vulnerability in order to directly get valid credentials . 
Thrip was attempting to remotely install a previously unknown piece of malware ( Infostealer.Catchamas ) on computers within the victim 's network .", "spans": {"THREAT_ACTOR: PittyTiger": [[0, 10]], "VULNERABILITY: Heartbleed vulnerability": [[36, 60]], "MALWARE: Infostealer.Catchamas": [[187, 208]]}, "info": {"id": "cyberner_stix_test_000978", "source": "cyberner_stix_test"}} +{"text": "Figure 4 shows the attackers ’ activity levels throughout the week .", "spans": {}, "info": {"id": "cyberner_stix_test_000979", "source": "cyberner_stix_test"}} +{"text": "The organizations targeted by APT28 during 2017 and 2018 include :", "spans": {"THREAT_ACTOR: APT28": [[30, 35]]}, "info": {"id": "cyberner_stix_test_000980", "source": "cyberner_stix_test"}} +{"text": "54594edbe9055517da2836199600f682dee07e6b405c6fe4b476627e8d184bfe 6e995d68c724f121d43ec2ff59bc4e536192360afa3beaec5646f01094f0b745 bbc268ca63eeb27e424fec1b3976bab550da304de18e29faff94d9057b1fa25a dc3dd9d75120934333496d0a4100252b419ee8fcdab5d74cf343bcb0306c9811 Regarding other groups , Kaspersky discovered new activity related to ZooPark , a cyber-espionage threat actor that has focused mainly on stealing data from Android devices . 
The .scr files drops two files: an executable and a library .", "spans": {"THREAT_ACTOR: groups": [[276, 282]], "ORGANIZATION: Kaspersky": [[285, 294]], "THREAT_ACTOR: ZooPark": [[330, 337]], "FILEPATH: .scr": [[439, 443]]}, "info": {"id": "cyberner_stix_test_000981", "source": "cyberner_stix_test"}} +{"text": "Downeks has static encryption keys hardcoded in the code .", "spans": {"MALWARE: Downeks": [[0, 7]]}, "info": {"id": "cyberner_stix_test_000982", "source": "cyberner_stix_test"}} +{"text": "Typically , we expect to see a decoy document saved to the system and later displayed to make the victim less suspicious of malicious activity ; however , in this case the document saved to the system was never displayed and does not contain any pertinent content to the Lion Air tragedy theme seen in the filename .", "spans": {"ORGANIZATION: Lion Air": [[271, 279]]}, "info": {"id": "cyberner_stix_test_000983", "source": "cyberner_stix_test"}} +{"text": "Calls the specified USSD code openUrl Opens the specified URL in the WebView getSMS Gets all text messages from the infected device killMe Triggers the kill switch for the bot updateModule Updates the payload module Cerberus features Cerberus malware has the same capabilities as most other Android banking Trojans such as the use of overlay attacks , SMS control and contact list harvesting . SectorJ04 also used the Remote Manipulator System (RMS) RAT , a legitimate remote management software created in Russia . 
REDBALDKNIGHT , also known as BRONZE BUTLER and Tick , is a cyberespionage group known to target Japanese organizations such as government agencies ( including defense ) as well as those in biotechnology , electronics manufacturing , and industrial chemistry .", "spans": {"MALWARE: Cerberus": [[216, 224], [234, 242]], "SYSTEM: Android": [[291, 298]], "THREAT_ACTOR: SectorJ04": [[394, 403]], "TOOL: Remote Manipulator System": [[418, 443]], "THREAT_ACTOR: REDBALDKNIGHT": [[516, 529]], "THREAT_ACTOR: BRONZE BUTLER": [[546, 559]], "THREAT_ACTOR: Tick": [[564, 568]], "ORGANIZATION: government agencies": [[644, 663]], "ORGANIZATION: defense": [[676, 683]], "ORGANIZATION: biotechnology": [[706, 719]], "ORGANIZATION: electronics manufacturing": [[722, 747]], "ORGANIZATION: industrial chemistry": [[754, 774]]}, "info": {"id": "cyberner_stix_test_000984", "source": "cyberner_stix_test"}} +{"text": "The counter to that argument however is that the value of stolen credentials from users in the countries with the highest percentage of OnionDuke bots ( Mongolia and India ) are among the lowest on underground markets . 2015 : The Dukes up the ante .", "spans": {"MALWARE: OnionDuke": [[136, 145]], "THREAT_ACTOR: Dukes": [[231, 236]]}, "info": {"id": "cyberner_stix_test_000985", "source": "cyberner_stix_test"}} +{"text": "] com Backend server spy [ . 360 and Tuisec already identified some Gorgon Group members . the block update variable referred in the overview . 
Cybercriminals continue to identify and exploit an organizations weak spots and use common even basic techniques , including phishing or remote desktop protocol RDP to launch ransomware attacks , gain access to sensitive data , disrupt operations and , in some cases , put lives at risk .", "spans": {"ORGANIZATION: 360": [[29, 32]], "ORGANIZATION: Tuisec": [[37, 43]], "THREAT_ACTOR: Gorgon Group": [[68, 80]], "ORGANIZATION: members": [[81, 88]]}, "info": {"id": "cyberner_stix_test_000986", "source": "cyberner_stix_test"}} +{"text": "Once Rockloader was installed , it downloaded Locky and , in some cases , Pony and Kegotip .", "spans": {"MALWARE: Rockloader": [[5, 15]], "MALWARE: Locky": [[46, 51]], "MALWARE: Pony": [[74, 78]], "MALWARE: Kegotip": [[83, 90]]}, "info": {"id": "cyberner_stix_test_000987", "source": "cyberner_stix_test"}} +{"text": "This time , the group explored unpatched systems vulnerable to CVE-2016-8655 and Dirty COW exploit ( CVE-2016-5195 ) as attack vectors .", "spans": {"VULNERABILITY: CVE-2016-8655": [[63, 76]], "VULNERABILITY: Dirty COW": [[81, 90]], "VULNERABILITY: CVE-2016-5195": [[101, 114]]}, "info": {"id": "cyberner_stix_test_000988", "source": "cyberner_stix_test"}} +{"text": "The full list of banking applications targeted is included in the appendix . The authors of that report identify three primary tools used in the campaigns attributed to Hidden Lynx : Trojan.Naid , Backdoor.Moudoor , and Backdoor.Hikit . Depending on placement , a Web shell can provide continued access to victims ' environments , re-infect victim systems , and facilitate lateral movement .", "spans": {"TOOL: Trojan.Naid": [[183, 194]], "MALWARE: Backdoor.Moudoor": [[197, 213]], "TOOL: Backdoor.Hikit": [[220, 234]], "TOOL: Web shell": [[264, 273]]}, "info": {"id": "cyberner_stix_test_000989", "source": "cyberner_stix_test"}} +{"text": "] com/8 * * * * * 9 ” ( Fr . 
In all Mandiant investigations to date where the CARBANAK backdoor has been discovered , the activity has been attributed to the FIN7 threat group . The malware samples we analysed connected to only one URI: /login.php .", "spans": {"ORGANIZATION: Mandiant": [[36, 44]], "THREAT_ACTOR: FIN7": [[158, 162]], "DOMAIN: /login.php": [[237, 258]]}, "info": {"id": "cyberner_stix_test_000990", "source": "cyberner_stix_test"}} +{"text": "It hides traces of its activity by masking the outgoing and incoming text messages and blocking calls and messages from numbers belonging to the bank . Thrip 's motive is likely espionage and its targets include those in the communications , geospatial imaging , and defense sectors , both in the United States and Southeast Asia . Keylogger ( used to capture passwords and other interesting data ) . By looking at the most likely perpetrators , we can ask who would be motivated to come after the company , what are the tactics , techniques and procedures and priorities , and what defenses are needed .", "spans": {"ORGANIZATION: communications": [[225, 239]], "ORGANIZATION: geospatial imaging": [[242, 260]], "ORGANIZATION: defense sectors": [[267, 282]], "TOOL: Keylogger": [[332, 341]], "THREAT_ACTOR: perpetrators": [[431, 443]]}, "info": {"id": "cyberner_stix_test_000991", "source": "cyberner_stix_test"}} +{"text": "It also protects users and organizations from other mobile threats , such as mobile phishing , unsafe network connections , and unauthorized access to sensitive data . The current Ke3chang campaign leverages the BS2005 malware , while older activity from 2010 - 2011 leveraged BMW , followed by the MyWeb malware sporadically used in between . 
Testing in multiple versions is important , DarkRace is a new ransomware group first discovered by researcher S!Ri .", "spans": {"TOOL: BS2005 malware": [[212, 226]], "TOOL: BMW": [[277, 280]], "TOOL: MyWeb malware": [[299, 312]], "THREAT_ACTOR: DarkRace": [[388, 396]], "ORGANIZATION: S!Ri": [[454, 458]]}, "info": {"id": "cyberner_stix_test_000992", "source": "cyberner_stix_test"}} +{"text": "This action registers code components to get notified when certain system events happen . There are many articles and researches online about APT15 and their activities , the most recent one by NCC Group ; although posted in March 2018 , it refers to a campaign in 2017 , both attributed to Chinese government affiliated groups . Only WinZip gave an explicit reason – the start of central directory of the ZIP was not . For this reason , it is impossible to prevent all crime through deterrence .", "spans": {"THREAT_ACTOR: APT15": [[142, 147]], "ORGANIZATION: NCC Group": [[194, 203]], "TOOL: WinZip": [[335, 341]]}, "info": {"id": "cyberner_stix_test_000993", "source": "cyberner_stix_test"}} +{"text": "Based on the base64 encoded content posted in the Pastebin , userid associated with the Pastebin post was determined .", "spans": {"TOOL: base64 encoded content": [[13, 35]], "TOOL: Pastebin": [[50, 58], [88, 96]]}, "info": {"id": "cyberner_stix_test_000994", "source": "cyberner_stix_test"}} +{"text": "Suckfly has the resources to develop malware , purchase infrastructure , and conduct targeted attacks for years while staying off the radar of security organizations .", "spans": {"THREAT_ACTOR: Suckfly": [[0, 7]]}, "info": {"id": "cyberner_stix_test_000995", "source": "cyberner_stix_test"}} +{"text": "Chinese fabless semiconductor company Allwinner is a leading supplier of application processors that are used in many low-cost Android tablets , ARM-based PCs , set-top boxes , and other electronic devices worldwide . 
In a separate incident , CTU researchers identified a file named s.txt , which is consistent with the output of the Netview host-enumeration tool . Outlaw : 159.203.141.208 . The hosting services offered at secure[.]66[.]to are in fact hosting services rented to other companies worldwide .", "spans": {"ORGANIZATION: Allwinner": [[38, 47]], "SYSTEM: Android": [[127, 134]], "ORGANIZATION: ARM-based": [[145, 154]], "ORGANIZATION: CTU": [[243, 246]], "MALWARE: s.txt": [[283, 288]], "THREAT_ACTOR: Outlaw": [[366, 372]], "IP_ADDRESS: 159.203.141.208": [[375, 390]]}, "info": {"id": "cyberner_stix_test_000996", "source": "cyberner_stix_test"}} +{"text": "~temp.docm and ~msdn.exe files to the system , the initial macro will load the ~temp.docm file as a Word Document object and attempts to run the function Proc1 in the Module1 macro within the ~temp.docm file .", "spans": {"FILEPATH: ~temp.docm": [[0, 10], [79, 89], [192, 202]], "FILEPATH: ~msdn.exe": [[15, 24]], "TOOL: macro": [[59, 64], [175, 180]], "TOOL: Word": [[100, 104]]}, "info": {"id": "cyberner_stix_test_000997", "source": "cyberner_stix_test"}} +{"text": "The response contains some basic HTML and JavaScript . Several times , APT5 has targeted organizations and personnel based in Southeast Asia . This function is the supporting functionality for WinVNC . 
“ So good luck , I ’m sure we ’ll talk again soon , but for now , I ve got better things in the oven , ” Harrison wrote to Biderman after his employment contract with Ashley Madison was terminated .", "spans": {"THREAT_ACTOR: APT5": [[71, 75]], "ORGANIZATION: organizations": [[89, 102]], "ORGANIZATION: personnel": [[107, 116]], "TOOL: WinVNC": [[193, 199]], "THREAT_ACTOR: Harrison": [[307, 315]], "ORGANIZATION: Biderman": [[325, 333]], "ORGANIZATION: Ashley Madison": [[369, 383]]}, "info": {"id": "cyberner_stix_test_000998", "source": "cyberner_stix_test"}} +{"text": "Therefore , by simulating fraudulent clicks , these developers are making money without requiring a user to click on an advertisement . The NetTraveler group has infected victims across multiple establishments in both the public and private sector including government institutions , embassies , the oil and gas industry , research centers , military contractors and activists . The actors likely sought information on the newspaper ’s sources in China , who could be silenced by the government . The report says the data was kept anonymous , but the companies could “ easily ” use the information to identify individuals or create targeted advertising for them .", "spans": {"ORGANIZATION: government institutions": [[258, 281]], "ORGANIZATION: embassies": [[284, 293]], "ORGANIZATION: oil and gas industry": [[300, 320]], "ORGANIZATION: military contractors": [[342, 362]], "ORGANIZATION: activists": [[367, 376]]}, "info": {"id": "cyberner_stix_test_000999", "source": "cyberner_stix_test"}} +{"text": "The email address and country information drove us to a list of students attending a class at a Vietnamese university – corroborating the existence of the person under whose name the domain was registered . During the investigations , Mandiant observed that FIN7 used a custom shim database to patch both the 32-bit and 64-bit versions of services.exe with their CARBANAK payload . 
SHA256 : 44150350727e2a42f66d50015e98de462d362af8a9ae33d1f5124f1703179ab9 .", "spans": {"ORGANIZATION: Mandiant": [[235, 243]], "THREAT_ACTOR: FIN7": [[258, 262]], "MALWARE: services.exe": [[339, 351]], "TOOL: CARBANAK": [[363, 371]], "FILEPATH: 44150350727e2a42f66d50015e98de462d362af8a9ae33d1f5124f1703179ab9": [[391, 455]]}, "info": {"id": "cyberner_stix_test_001000", "source": "cyberner_stix_test"}} +{"text": "Once this malware was detected on a device , Mobile Threat Prevention adjusted security policies on the Mobile Device Management solution ( MobileIron ) managing the affected devices automatically , thereby blocking enterprise access from the infected devices . In all emails sent to these government officials , the actor used the same attachment : a malicious Microsoft Word document that exploited the CVE-2012-0158 vulnerability to drop a malicious payload . In line with commonly used APT actor methodologies , the threat actor aligns its decoy documents to a topic of interest relevant to the recipient .", "spans": {"SYSTEM: Mobile Threat Prevention": [[45, 69]], "ORGANIZATION: government officials": [[290, 310]], "MALWARE: malicious Microsoft Word document": [[352, 385]], "VULNERABILITY: CVE-2012-0158": [[405, 418]], "THREAT_ACTOR: APT actor": [[490, 499]], "MALWARE: decoy documents": [[544, 559]]}, "info": {"id": "cyberner_stix_test_001001", "source": "cyberner_stix_test"}} +{"text": "If the attackers were able to obtain one of these EPP keys , they would be able to modify any DNS records that were managed by that particular registrar . 
The operators used the HyperBro Trojan as their last-stage in-memory remote administration tool ( RAT ) .", "spans": {"THREAT_ACTOR: attackers": [[7, 16]], "MALWARE: HyperBro Trojan": [[178, 193]], "MALWARE: remote administration tool": [[224, 250]], "MALWARE: RAT": [[253, 256]]}, "info": {"id": "cyberner_stix_test_001002", "source": "cyberner_stix_test"}} +{"text": "This app appears to have become unavailable on Google Play in March 2020 . Kaspersky Lab is releasing crucial Indicators of Compromise ( IOCs ) and other data to help organizations search for traces of these attack groups in their corporate networks . the block comparison variables are not assigned in the flattened blocks but rather the first blocks according to a condition . Geographically , most victims are located in Europe , specifically Italy .", "spans": {"SYSTEM: Google Play": [[47, 58]], "ORGANIZATION: Kaspersky Lab": [[75, 88]], "THREAT_ACTOR: attack groups": [[208, 221]]}, "info": {"id": "cyberner_stix_test_001003", "source": "cyberner_stix_test"}} +{"text": "As “ Agent Smith ” uses a modular approach , and as stated earlier , the original loader extracts everything from the assets , the usage of the Janus vulnerability can only change the code of the original application , not the resources . They have different functions and ways of spreading , but the same purpose — to steal money from the accounts of businesses . When we first began our research , the batch script only checked for antivirus products from Avast and AVG . 
The tactics , techniques and procedures ( TTPs ) are very similar to those of SocGholish and it would be easy to think the two are related .", "spans": {"MALWARE: Agent Smith": [[5, 16]], "VULNERABILITY: Janus": [[144, 149]], "ORGANIZATION: businesses": [[352, 362]], "TOOL: Avast": [[458, 463]], "TOOL: AVG": [[468, 471]]}, "info": {"id": "cyberner_stix_test_001004", "source": "cyberner_stix_test"}} +{"text": "Kaspersky believes both Shamoon and StoneDrill groups are aligned in their interests , but are two separate actors , which might also indicate two different groups working together .", "spans": {"ORGANIZATION: Kaspersky": [[0, 9]], "THREAT_ACTOR: Shamoon": [[24, 31]], "THREAT_ACTOR: StoneDrill": [[36, 46]]}, "info": {"id": "dnrti_test_000000", "source": "dnrti_test"}} +{"text": "Indeed , Kaspersky started tracking the BlueNoroff actor a long time ago .", "spans": {"ORGANIZATION: Kaspersky": [[9, 18]], "THREAT_ACTOR: BlueNoroff": [[40, 50]]}, "info": {"id": "dnrti_test_000001", "source": "dnrti_test"}} +{"text": "Eset‍ has published a report on the state-sponsored Russian turla apt group ‍.", "spans": {"ORGANIZATION: Eset‍": [[0, 5]], "THREAT_ACTOR: turla": [[60, 65]]}, "info": {"id": "dnrti_test_000002", "source": "dnrti_test"}} +{"text": "It seems Eset has discovered and published on a new malware module created by Turla .", "spans": {"ORGANIZATION: Eset": [[9, 13]], "THREAT_ACTOR: Turla": [[78, 83]]}, "info": {"id": "dnrti_test_000003", "source": "dnrti_test"}} +{"text": "The majority of NewsBeef targets that Kaspersky researchers have observed are located in SA .", "spans": {"THREAT_ACTOR: NewsBeef": [[16, 24]], "ORGANIZATION: Kaspersky": [[38, 47]]}, "info": {"id": "dnrti_test_000004", "source": "dnrti_test"}} +{"text": "While not directly overlapping , this potential infrastructure link is interesting , as Vixen Panda has previously displayed TTPs similar to COMMENT PANDA , and has extensively targeted European entities .", "spans": {"THREAT_ACTOR: Vixen 
Panda": [[88, 99]], "THREAT_ACTOR: COMMENT PANDA": [[141, 154]]}, "info": {"id": "dnrti_test_000005", "source": "dnrti_test"}} +{"text": "Given the evidence outlined above , CrowdStrike attributes the PUTTER PANDA group to PLA Unit 61486 within Shanghai , China with high confidence .", "spans": {"ORGANIZATION: CrowdStrike": [[36, 47]], "THREAT_ACTOR: PUTTER PANDA group": [[63, 81]], "THREAT_ACTOR: Unit 61486": [[89, 99]]}, "info": {"id": "dnrti_test_000006", "source": "dnrti_test"}} +{"text": "Several RATs are used by PUTTER PANDA .", "spans": {"TOOL: RATs": [[8, 12]], "THREAT_ACTOR: PUTTER PANDA": [[25, 37]]}, "info": {"id": "dnrti_test_000007", "source": "dnrti_test"}} +{"text": "The most common of these , the 4H RAT and the 3PARA RAT , have been documented previously by CrowdStrike in previous CrowdStrike Intelligence reporting .", "spans": {"TOOL: 4H RAT": [[31, 37]], "TOOL: 3PARA RAT": [[46, 55]], "ORGANIZATION: CrowdStrike": [[93, 104]], "ORGANIZATION: CrowdStrike Intelligence": [[117, 141]]}, "info": {"id": "dnrti_test_000008", "source": "dnrti_test"}} +{"text": "This analysis will be revisited below , along with an examination of two other PUTTER PANDA tools : pngdowner and httpclient .", "spans": {"THREAT_ACTOR: PUTTER PANDA": [[79, 91]], "TOOL: pngdowner": [[100, 109]], "TOOL: httpclient": [[114, 124]]}, "info": {"id": "dnrti_test_000009", "source": "dnrti_test"}} +{"text": "Other CrowdStrike reporting describes a dropper used by PUTTER PANDA to install the 4H RAT .", "spans": {"ORGANIZATION: CrowdStrike": [[6, 17]], "TOOL: dropper": [[40, 47]], "THREAT_ACTOR: PUTTER PANDA": [[56, 68]], "TOOL: 4H RAT": [[84, 90]]}, "info": {"id": "dnrti_test_000010", "source": "dnrti_test"}} +{"text": "This dropper uses RC4 to decrypt an embedded payload from data in an embedded resource before writing the payload to disk and executing it .", "spans": {"TOOL: dropper": [[5, 12]], "TOOL: RC4": [[18, 21]]}, "info": {"id": "dnrti_test_000011", "source": "dnrti_test"}} 
+{"text": "It contains a Word document in plaintext ( written to Bienvenue_a_Sahaja_Yoga_Toulouse.doc ) , along with an executable ( Update.exe ) and DLL ( McUpdate.dll ) .", "spans": {"MALWARE: Word document": [[14, 27]], "MALWARE: Bienvenue_a_Sahaja_Yoga_Toulouse.doc": [[54, 90]], "MALWARE: Update.exe": [[122, 132]], "MALWARE: McUpdate.dll": [[145, 157]]}, "info": {"id": "dnrti_test_000012", "source": "dnrti_test"}} +{"text": "PUTTER PANDA are a determined adversary group who have been operating for several years , conducting intelligence-gathering operations with a significant focus on the space sector .", "spans": {"THREAT_ACTOR: PUTTER PANDA": [[0, 12]], "THREAT_ACTOR: group": [[40, 45]], "ORGANIZATION: space sector": [[167, 179]]}, "info": {"id": "dnrti_test_000013", "source": "dnrti_test"}} +{"text": "Research presented in this report shows that the PUTTER PANDA operators are likely members of the 12th Bureau , 3rd General Staff Department ( GSD ) of the People 's Liberation Army ( PLA ) , operating from the unit 's headquarters in Shanghai with MUCD 61486 .", "spans": {"THREAT_ACTOR: PUTTER PANDA": [[49, 61]], "THREAT_ACTOR: operators": [[62, 71]], "THREAT_ACTOR: MUCD 61486": [[249, 259]]}, "info": {"id": "dnrti_test_000014", "source": "dnrti_test"}} +{"text": "PUTTER PANDA is likely to continue to aggressively target Western entities that hold valuable information or intellectual property relevant to these interests .", "spans": {"THREAT_ACTOR: PUTTER PANDA": [[0, 12]]}, "info": {"id": "dnrti_test_000015", "source": "dnrti_test"}} +{"text": "Mandiant 's APT1 report was the first to change the game , and paved the way for private security companies to expose advanced threat actors en masse .", "spans": {"ORGANIZATION: Mandiant": [[0, 8]], "THREAT_ACTOR: APT1": [[12, 16]], "ORGANIZATION: private security companies": [[81, 107]], "THREAT_ACTOR: threat actors": [[127, 140]]}, "info": {"id": "dnrti_test_000016", "source": "dnrti_test"}} +{"text": "Mandianta 's 
APT1 report was the first to change the game , and paved the way for private security companies to expose advanced threat actors en masse .", "spans": {"ORGANIZATION: Mandianta": [[0, 9]], "THREAT_ACTOR: APT1": [[13, 17]], "ORGANIZATION: private security companies": [[82, 108]], "THREAT_ACTOR: threat actors": [[128, 141]]}, "info": {"id": "dnrti_test_000017", "source": "dnrti_test"}} +{"text": "In 2014 , our colleagues at Crowdstrike wrote an exposé about a long-standing Chinese APT threat group they self-named Putter Panda , which Mandiant / FireEye refers to as APT2 .", "spans": {"ORGANIZATION: Crowdstrike": [[28, 39]], "THREAT_ACTOR: APT threat group": [[86, 102]], "THREAT_ACTOR: Putter Panda": [[119, 131]], "ORGANIZATION: Mandiant": [[140, 148]], "ORGANIZATION: FireEye": [[151, 158]], "THREAT_ACTOR: APT2": [[172, 176]]}, "info": {"id": "dnrti_test_000018", "source": "dnrti_test"}} +{"text": "In 2014 , our colleagues at Crowdstrike wrote an expos about a long-standing Chinese APT threat group they self-named Putter Panda , which Mandiant / FireEye refers to as APT2 .", "spans": {"ORGANIZATION: Crowdstrike": [[28, 39]], "THREAT_ACTOR: APT threat group": [[85, 101]], "THREAT_ACTOR: Putter Panda": [[118, 130]], "ORGANIZATION: Mandiant": [[139, 147]], "ORGANIZATION: FireEye": [[150, 157]], "THREAT_ACTOR: APT2": [[171, 175]]}, "info": {"id": "dnrti_test_000019", "source": "dnrti_test"}} +{"text": "This threat group attacked defense contractors and aerospace companies .", "spans": {"THREAT_ACTOR: threat group": [[5, 17]], "ORGANIZATION: defense contractors": [[27, 46]], "ORGANIZATION: aerospace companies": [[51, 70]]}, "info": {"id": "dnrti_test_000020", "source": "dnrti_test"}} +{"text": "The document exploited CVE-2012-0158 and will decode and write an executable to disk upon infection .", "spans": {"VULNERABILITY: CVE-2012-0158": [[23, 36]]}, "info": {"id": "dnrti_test_000021", "source": "dnrti_test"}} +{"text": "Unit 42 believes this group is previously 
unidentified and therefore have we have dubbed it \" RANCOR \" .", "spans": {"ORGANIZATION: Unit 42": [[0, 7]], "THREAT_ACTOR: group": [[22, 27]], "THREAT_ACTOR: RANCOR": [[94, 100]]}, "info": {"id": "dnrti_test_000022", "source": "dnrti_test"}} +{"text": "The Rancor group 's attacks use two primary malware families which we describe in depth later in this blog and are naming DDKONG and PLAINTEE .", "spans": {"THREAT_ACTOR: Rancor group": [[4, 16]], "TOOL: DDKONG": [[122, 128]], "TOOL: PLAINTEE": [[133, 141]]}, "info": {"id": "dnrti_test_000023", "source": "dnrti_test"}} +{"text": "We identified decoy files which indicate these attacks began with spear phishing messages but have not observed the actual messages .", "spans": {"MALWARE: decoy files": [[14, 25]]}, "info": {"id": "dnrti_test_000024", "source": "dnrti_test"}} +{"text": "Based on this , we believe the Rancor attackers were targeting political entities .", "spans": {"THREAT_ACTOR: Rancor": [[31, 37]], "THREAT_ACTOR: attackers": [[38, 47]], "ORGANIZATION: political entities": [[63, 81]]}, "info": {"id": "dnrti_test_000025", "source": "dnrti_test"}} +{"text": "Additionally , these decoy documents are hosted on legitimate websites including a government website belonging to the Cambodia Government and in at least once case , Facebook .", "spans": {"MALWARE: decoy documents": [[21, 36]], "ORGANIZATION: Cambodia Government": [[119, 138]], "ORGANIZATION: Facebook": [[167, 175]]}, "info": {"id": "dnrti_test_000026", "source": "dnrti_test"}} +{"text": "Our Investigation into both clusters further showed that they were both involved in attacks targeting organizations in South East Asia .", "spans": {}, "info": {"id": "dnrti_test_000027", "source": "dnrti_test"}} +{"text": "We observed DDKONG in use between February 2017 and the present , while PLAINTEE is a newer addition with the earliest known sample being observed in October 2017 .", "spans": {"TOOL: DDKONG": [[12, 18]], "TOOL: PLAINTEE": [[72, 80]]}, "info": 
{"id": "dnrti_test_000028", "source": "dnrti_test"}} +{"text": "The RANCOR campaign represents a continued trend of targeted attacks against entities within the South East Asia region .", "spans": {}, "info": {"id": "dnrti_test_000029", "source": "dnrti_test"}} +{"text": "They are interested in users of remote banking systems ( RBS ) , mainly in Russia and neighboring countries .", "spans": {}, "info": {"id": "dnrti_test_000030", "source": "dnrti_test"}} +{"text": "That this group is mostly targeting businesses is apparent from the processes they are looking for on a compromised system .", "spans": {"THREAT_ACTOR: group": [[10, 15]]}, "info": {"id": "dnrti_test_000031", "source": "dnrti_test"}} +{"text": "While both RTM and Buhtrap are looking for a quite similar process list , the infection vectors are quite different .", "spans": {"TOOL: RTM": [[11, 14]], "TOOL: Buhtrap": [[19, 26]]}, "info": {"id": "dnrti_test_000032", "source": "dnrti_test"}} +{"text": "This group has used a large array of infection vectors , mostly revolving around drive-by downloads and spam .", "spans": {"THREAT_ACTOR: group": [[5, 10]]}, "info": {"id": "dnrti_test_000033", "source": "dnrti_test"}} +{"text": "They are both targeting businesses using accounting software , are fingerprinting systems of interest similarly , are looking for smart card readers , and finally , they deploy an array of malicious tools to spy on their victims .", "spans": {}, "info": {"id": "dnrti_test_000034", "source": "dnrti_test"}} +{"text": "In particular , we will focus on the samples SHA-1 AA0FA4584768CE9E16D67D8C529233E99FF1BBF0 and 48BC113EC8BA20B8B80CD5D4DA92051A19D1032B .", "spans": {}, "info": {"id": "dnrti_test_000035", "source": "dnrti_test"}} +{"text": "Despite its known weaknesses , the RC4 algorithm is regularly used by malware authors .", "spans": {"TOOL: RC4": [[35, 38]]}, "info": {"id": "dnrti_test_000036", "source": "dnrti_test"}} +{"text": "Based on the use of the relatively unique PLAINTEE 
malware , the malware 's use of the same file paths on in each cluster , and the similar targeting , we have grouped these attacks together under the RANCOR campaign moniker .", "spans": {"TOOL: PLAINTEE malware": [[42, 58]]}, "info": {"id": "dnrti_test_000037", "source": "dnrti_test"}} +{"text": "Bdo is the Russian translation for RBS ( Remote Banking System ) so it is clear that RBS is a target for this malware .", "spans": {}, "info": {"id": "dnrti_test_000038", "source": "dnrti_test"}} +{"text": "Other groups , such as Buhtrap , Corkow and Carbanak , were already known to target and successfully steal money from financial institutions and their customers in Russia .", "spans": {"THREAT_ACTOR: groups": [[6, 12]], "THREAT_ACTOR: Buhtrap": [[23, 30]], "THREAT_ACTOR: Corkow": [[33, 39]], "THREAT_ACTOR: Carbanak": [[44, 52]], "ORGANIZATION: financial institutions": [[118, 140]], "ORGANIZATION: customers": [[151, 160]]}, "info": {"id": "dnrti_test_000039", "source": "dnrti_test"}} +{"text": "Our research on the RTM malware shows that the Russian banking system is still a target of choice for criminals .", "spans": {"TOOL: RTM malware": [[20, 31]], "THREAT_ACTOR: criminals": [[102, 111]]}, "info": {"id": "dnrti_test_000040", "source": "dnrti_test"}} +{"text": "Since last week , iSIGHT Partners has worked to provide details on the power outage in Ukraine to our global customers .", "spans": {"ORGANIZATION: iSIGHT Partners": [[18, 33]], "ORGANIZATION: customers": [[109, 118]]}, "info": {"id": "dnrti_test_000041", "source": "dnrti_test"}} +{"text": "Shortly after releasing information on their espionage operations , our friends at TrendMicro found evidence that the operators were not only conducting classic strategic espionage but targeting SCADA systems as well .", "spans": {"ORGANIZATION: TrendMicro": [[83, 93]], "THREAT_ACTOR: operators": [[118, 127]], "THREAT_ACTOR: espionage": [[171, 180]]}, "info": {"id": "dnrti_test_000042", "source": "dnrti_test"}} +{"text": 
"iSiGHT has tracked Sandworm Team for some time - and we publicly reported on some of their activities in October 2014 , when we discovered their use of a zero-day exploit , CVE-2014-4114 .", "spans": {"ORGANIZATION: iSiGHT": [[0, 6]], "THREAT_ACTOR: Sandworm Team": [[19, 32]], "VULNERABILITY: zero-day exploit": [[154, 170]], "VULNERABILITY: CVE-2014-4114": [[173, 186]]}, "info": {"id": "dnrti_test_000043", "source": "dnrti_test"}} +{"text": "Sandworm Team went to ground shortly after being exposed in October of 2014 , and malware with Dune references ( the genesis for the ' Sandworm ' moniker ) which we had previously used to track them disappeared entirely .", "spans": {"THREAT_ACTOR: Sandworm Team": [[0, 13]], "THREAT_ACTOR: Sandworm": [[135, 143]]}, "info": {"id": "dnrti_test_000044", "source": "dnrti_test"}} +{"text": "However , the unique malware variant , BlackEnergy 3 , reemerged in Ukraine early in 2015 , where we had first found Sandworm Team .", "spans": {"MALWARE: BlackEnergy 3": [[39, 52]], "THREAT_ACTOR: Sandworm Team": [[117, 130]]}, "info": {"id": "dnrti_test_000045", "source": "dnrti_test"}} +{"text": "iSiGHT Partners has tracked Sandworm Team for some time - and we publicly reported on some of their activities in October 2014 , when we discovered their use of a zero-day exploit , CVE-2014-4114 .", "spans": {"ORGANIZATION: iSiGHT Partners": [[0, 15]], "THREAT_ACTOR: Sandworm Team": [[28, 41]], "VULNERABILITY: zero-day exploit": [[163, 179]], "VULNERABILITY: CVE-2014-4114": [[182, 195]]}, "info": {"id": "dnrti_test_000046", "source": "dnrti_test"}} +{"text": "SIGHT Partners is still collecting information on the mechanics of the power outage and what role the KillDisk malware played in the greater event .", "spans": {"ORGANIZATION: SIGHT Partners": [[0, 14]], "TOOL: KillDisk malware": [[102, 118]]}, "info": {"id": "dnrti_test_000047", "source": "dnrti_test"}} +{"text": "Last week iSIGHT 's sources provided us with the same KillDisk malware published 
by Rob Lee of SANS and Dragos Security .", "spans": {"ORGANIZATION: iSIGHT": [[10, 16]], "TOOL: KillDisk malware": [[54, 70]], "ORGANIZATION: SANS": [[95, 99]], "ORGANIZATION: Dragos Security": [[104, 119]]}, "info": {"id": "dnrti_test_000048", "source": "dnrti_test"}} +{"text": "The aggressive nature of Sandworm Team 's previous activity in Europe and the United States exposed their interest in targeting critical systems and indicated preparation for cyber attack .", "spans": {"THREAT_ACTOR: Sandworm Team": [[25, 38]]}, "info": {"id": "dnrti_test_000049", "source": "dnrti_test"}} +{"text": "This year we are going to be releasing a monthly blog post introducing the \" Threat Actor of the Month \" , complete with detailed background information on that actor .", "spans": {"THREAT_ACTOR: Threat Actor": [[77, 89]], "THREAT_ACTOR: actor": [[161, 166]]}, "info": {"id": "dnrti_test_000050", "source": "dnrti_test"}} +{"text": "VOODOO BEAR is a highly advanced adversary with a suspected nexus to the Russian Federation .", "spans": {"THREAT_ACTOR: VOODOO BEAR": [[0, 11]]}, "info": {"id": "dnrti_test_000051", "source": "dnrti_test"}} +{"text": "Destructive malware used by VOODOO BEAR includes a wiper called PassKillDisk .", "spans": {"THREAT_ACTOR: VOODOO BEAR": [[28, 39]], "TOOL: PassKillDisk": [[64, 76]]}, "info": {"id": "dnrti_test_000052", "source": "dnrti_test"}} +{"text": "Some tools used by this actor — specifically BlackEnergy and GCat — have been adapted from commodity malware .", "spans": {"THREAT_ACTOR: actor": [[24, 29]], "THREAT_ACTOR: BlackEnergy": [[45, 56]], "THREAT_ACTOR: GCat": [[61, 65]]}, "info": {"id": "dnrti_test_000053", "source": "dnrti_test"}} +{"text": "This adversary has been identified leveraging custom-developed plugins for versions 2 and 3 of the commodity malware Black Energy to target entities associated with energy , industrial control systems and SCADA , government , and media for espionage and destructive purposes , since at least 2011 .", 
"spans": {"TOOL: Black Energy": [[117, 129]], "THREAT_ACTOR: espionage": [[240, 249]]}, "info": {"id": "dnrti_test_000054", "source": "dnrti_test"}} +{"text": "A commonly observed element of implants from VOODOO BEAR — at least until this information was made public in late 2014 — were references in the malware to the 1965 science fiction novel Dune , by Frank Herbert .", "spans": {"THREAT_ACTOR: VOODOO BEAR": [[45, 56]]}, "info": {"id": "dnrti_test_000055", "source": "dnrti_test"}} +{"text": "This adversary has been identified leveraging custom-developed plugins for versions 2 and 3 of the commodity malware Black Energy to target entities associated with energy , government , and media for espionage and destructive purposes , since at least 2011 .", "spans": {"TOOL: Black Energy": [[117, 129]], "THREAT_ACTOR: espionage": [[201, 210]]}, "info": {"id": "dnrti_test_000056", "source": "dnrti_test"}} +{"text": "these characteristics all highlight the likelihood that VOODOO BEAR operates in alignment with Russian state interests .", "spans": {"THREAT_ACTOR: VOODOO BEAR": [[56, 67]]}, "info": {"id": "dnrti_test_000057", "source": "dnrti_test"}} +{"text": "This adversary displays a particular focus on targeting entities in the Ukraine and is believed to be behind the Ukrainian energy sector attacks that caused widespread power outages in late 2015 .", "spans": {}, "info": {"id": "dnrti_test_000058", "source": "dnrti_test"}} +{"text": "VOODOO BEAR appears to be integrated into an organization that also operates or tasks multiple pro-Russian hacktivist entities .", "spans": {"THREAT_ACTOR: VOODOO BEAR": [[0, 11]]}, "info": {"id": "dnrti_test_000059", "source": "dnrti_test"}} +{"text": "In the summer of 2014 , BlackEnergy caught our attention when we noticed that samples of it were now tailored to target Ukrainian government institutions .", "spans": {"THREAT_ACTOR: BlackEnergy": [[24, 35]], "ORGANIZATION: government institutions": [[130, 153]]}, "info": {"id": 
"dnrti_test_000060", "source": "dnrti_test"}} +{"text": "Related or not , one thing is certain : the actor ( s ) using these customized BlackEnergy malware are intent on stealing information from the targets .", "spans": {"THREAT_ACTOR: actor": [[44, 49]], "TOOL: BlackEnergy malware": [[79, 98]]}, "info": {"id": "dnrti_test_000061", "source": "dnrti_test"}} +{"text": "In this paper we focus only on BlackEnergy samples known to be used specifically by the actors we identify as Quedagh , who seem to have a particular interest in political targets .", "spans": {"TOOL: BlackEnergy samples": [[31, 50]], "THREAT_ACTOR: actors": [[88, 94]], "THREAT_ACTOR: Quedagh": [[110, 117]]}, "info": {"id": "dnrti_test_000062", "source": "dnrti_test"}} +{"text": "Special focus will be on the samples that were used in targeted attacks against Ukrainian government organizations earlier this year .", "spans": {"ORGANIZATION: government organizations": [[90, 114]]}, "info": {"id": "dnrti_test_000063", "source": "dnrti_test"}} +{"text": "Although they may have started much earlier , the earliest BlackEnergy sample we could attribute to the Quedagh gang is from December 14 , 2010 .", "spans": {"TOOL: BlackEnergy sample": [[59, 77]], "THREAT_ACTOR: Quedagh gang": [[104, 116]]}, "info": {"id": "dnrti_test_000064", "source": "dnrti_test"}} +{"text": "We warned our clients of new features suggesting an increased focus on European targets - though verification of targets was not possible at the time .", "spans": {}, "info": {"id": "dnrti_test_000065", "source": "dnrti_test"}} +{"text": "Sandworm Team may have opted for a ' hide in plain sight ' approach to evade detections from rootkit scanners , such as GMER and RootkitRevealer , that checks for system anomalies .", "spans": {"THREAT_ACTOR: Sandworm Team": [[0, 13]]}, "info": {"id": "dnrti_test_000066", "source": "dnrti_test"}} +{"text": "Table 3 ( above ) summarizes the commands supported by the variants used in the attack against Ukrainian 
government organizations .", "spans": {"ORGANIZATION: government organizations": [[105, 129]]}, "info": {"id": "dnrti_test_000067", "source": "dnrti_test"}} +{"text": "In the summer of 2014 , we noted that certain samples of BlackEnergy malware began targeting Ukranian government organizations for information harvesting .", "spans": {"TOOL: BlackEnergy malware": [[57, 76]], "ORGANIZATION: government organizations": [[102, 126]]}, "info": {"id": "dnrti_test_000068", "source": "dnrti_test"}} +{"text": "These samples were identified as being the work of one group , referred to in this document as \" Quedagh \" , which has a history of targeting political organizations .", "spans": {"THREAT_ACTOR: group": [[55, 60]], "THREAT_ACTOR: Quedagh": [[97, 104]], "ORGANIZATION: political organizations": [[142, 165]]}, "info": {"id": "dnrti_test_000069", "source": "dnrti_test"}} +{"text": "The attacks we attribute to Scarlet Mimic have primarily targeted Uyghur and Tibetan activists as well as those who are interested in their causes .", "spans": {"THREAT_ACTOR: Scarlet Mimic": [[28, 41]], "ORGANIZATION: Uyghur": [[66, 72]], "ORGANIZATION: Tibetan activists": [[77, 94]]}, "info": {"id": "dnrti_test_000070", "source": "dnrti_test"}} +{"text": "To infect individuals with access to the data the actors desire , Scarlet Mimic deploys both spear-phishing and watering hole ( strategic web compromise ) attacks .", "spans": {"THREAT_ACTOR: actors": [[50, 56]], "THREAT_ACTOR: Scarlet Mimic": [[66, 79]]}, "info": {"id": "dnrti_test_000071", "source": "dnrti_test"}} +{"text": "As with many other attackers who use spear-phishing to infect victims , Scarlet Mimic makes heavy use of \" decoy \" files .", "spans": {"THREAT_ACTOR: attackers": [[19, 28]], "THREAT_ACTOR: Scarlet Mimic": [[72, 85]]}, "info": {"id": "dnrti_test_000072", "source": "dnrti_test"}} +{"text": "The most recent Scarlet Mimic attacks we have identified were conducted in 2015 and suggest the group has a significant interest 
in both Muslim activists and those interested in critiques of the Russian government and Russian President Vladimir Putin .", "spans": {"THREAT_ACTOR: group": [[96, 101]], "ORGANIZATION: Muslim activists": [[137, 153]]}, "info": {"id": "dnrti_test_000073", "source": "dnrti_test"}} +{"text": "Using these tactics Scarlet Mimic can directly target previously identified individuals ( spear phishing ) as well as unidentified individuals who are interested in a specific subject ( watering hole ) .", "spans": {"THREAT_ACTOR: Scarlet Mimic": [[20, 33]]}, "info": {"id": "dnrti_test_000074", "source": "dnrti_test"}} +{"text": "This group has been conducting attacks for at least four years using a backdoor Trojan that has been under active development .", "spans": {"THREAT_ACTOR: group": [[5, 10]], "TOOL: backdoor Trojan": [[71, 86]]}, "info": {"id": "dnrti_test_000075", "source": "dnrti_test"}} +{"text": "Based on analysis of the data and malware samples we have collected , Unit 42 believes the attacks described herein are the work of a group or set of cooperating groups who have a single mission , collecting information on minority groups who reside in and around northwestern China .", "spans": {"ORGANIZATION: Unit 42": [[70, 77]], "THREAT_ACTOR: group": [[134, 139]], "THREAT_ACTOR: groups": [[162, 168]], "ORGANIZATION: minority groups": [[223, 238]]}, "info": {"id": "dnrti_test_000076", "source": "dnrti_test"}} +{"text": "Attacks launched by this group were publicly exposed on 2013 in a Trend Micro report about the FakeM Trojan .", "spans": {"THREAT_ACTOR: group": [[25, 30]], "ORGANIZATION: Trend Micro": [[66, 77]], "TOOL: FakeM Trojan": [[95, 107]]}, "info": {"id": "dnrti_test_000077", "source": "dnrti_test"}} +{"text": "We will also provide detailed analysis of the latest variants of the malware they deploy ( known as FakeM ) as well as other associated tools that allow Scarlet Mimic to target Android and OS X devices .", "spans": {"TOOL: FakeM": [[100, 105]], 
"THREAT_ACTOR: Scarlet Mimic": [[153, 166]]}, "info": {"id": "dnrti_test_000078", "source": "dnrti_test"}} +{"text": "In the past , Scarlet Mimic has primarily targeted individuals who belong to these minority groups as well as their supporters , but we've recently found evidence to indicate the group also targets individuals working inside government anti-terrorist organizations .", "spans": {"THREAT_ACTOR: Scarlet Mimic": [[14, 27]], "ORGANIZATION: minority groups": [[83, 98]], "ORGANIZATION: supporters": [[116, 126]], "THREAT_ACTOR: group": [[179, 184]], "ORGANIZATION: anti-terrorist organizations": [[236, 264]]}, "info": {"id": "dnrti_test_000079", "source": "dnrti_test"}} +{"text": "We also know Scarlet Mimic uses a number of toolkits to create documents that contain exploit code to install the FakeM payload on a compromised system .", "spans": {"THREAT_ACTOR: Scarlet Mimic": [[13, 26]], "TOOL: FakeM": [[114, 119]]}, "info": {"id": "dnrti_test_000080", "source": "dnrti_test"}} +{"text": "Unit 42 tracks the toolkits delivering FakeM under the names MNKit , WingD and Tran Duy Linh .", "spans": {"ORGANIZATION: Unit 42": [[0, 7]], "TOOL: FakeM": [[39, 44]], "TOOL: MNKit": [[61, 66]], "TOOL: WingD": [[69, 74]], "TOOL: Tran Duy Linh": [[79, 92]]}, "info": {"id": "dnrti_test_000081", "source": "dnrti_test"}} +{"text": "In July of 2015 , we identified a full e-mail uploaded to an antivirus scanning service that carried a Scarlet Mimic exploit document .", "spans": {"VULNERABILITY: Scarlet Mimic exploit": [[103, 124]]}, "info": {"id": "dnrti_test_000082", "source": "dnrti_test"}} +{"text": "We are aware of one case where Scarlet Mimic broke from the spear-phishing pattern described above .", "spans": {"THREAT_ACTOR: Scarlet Mimic": [[31, 44]]}, "info": {"id": "dnrti_test_000083", "source": "dnrti_test"}} +{"text": "In 2013 , the group deployed a watering hole attack , also known as a strategic web compromise to infect victims with their backdoor .", "spans": 
{"THREAT_ACTOR: group": [[14, 19]]}, "info": {"id": "dnrti_test_000084", "source": "dnrti_test"}} +{"text": "FakeM 's functional code is shellcode-based and requires another Trojan to load it into memory and execute it .", "spans": {"TOOL: FakeM": [[0, 5]]}, "info": {"id": "dnrti_test_000085", "source": "dnrti_test"}} +{"text": "First discussed in January 2013 in a Trend Micro whitepaper , FakeM is a Trojan that uses separate modules to perform its functionality .", "spans": {"ORGANIZATION: Trend Micro": [[37, 48]], "TOOL: FakeM": [[62, 67]], "TOOL: Trojan": [[73, 79]]}, "info": {"id": "dnrti_test_000086", "source": "dnrti_test"}} +{"text": "We end this section with a discussion on tools related to FakeM and used by Scarlet Mimic .", "spans": {"TOOL: FakeM": [[58, 63]], "THREAT_ACTOR: Scarlet Mimic": [[76, 89]]}, "info": {"id": "dnrti_test_000087", "source": "dnrti_test"}} +{"text": "Microsoft patched this vulnerability in September 2012 , suggesting that this watering hole attack used an older vulnerability , which aligns with the threat groups continued use of older vulnerabilities in their spear-phishing efforts .", "spans": {"ORGANIZATION: Microsoft": [[0, 9]], "THREAT_ACTOR: threat groups": [[151, 164]]}, "info": {"id": "dnrti_test_000088", "source": "dnrti_test"}} +{"text": "Microsoft patched this vulnerability in September 2012 , suggesting that this watering hole attack used an older vulnerability , which aligns with Scarlet Mimic continued use of older vulnerabilities in their spear-phishing efforts .", "spans": {"ORGANIZATION: Microsoft": [[0, 9]], "THREAT_ACTOR: Scarlet Mimic": [[147, 160]]}, "info": {"id": "dnrti_test_000089", "source": "dnrti_test"}} +{"text": "Based on the timeline , it appears that the actors were actively developing several of the loaders at the same time from 2009 until the early months of 2014 .", "spans": {"THREAT_ACTOR: actors": [[44, 50]]}, "info": {"id": "dnrti_test_000090", "source": "dnrti_test"}} +{"text": "Unit 42 tracks 
this mobile Trojan as MobileOrder , as the authors specifically refer to commands within the app as orders .", "spans": {"ORGANIZATION: Unit 42": [[0, 7]], "TOOL: mobile Trojan": [[20, 33]], "TOOL: MobileOrder": [[37, 48]]}, "info": {"id": "dnrti_test_000091", "source": "dnrti_test"}} +{"text": "There are also infrastructure ties between some FakeM variants and older activity using Trojans such as Elirks , Poison Ivy , and BiFrost , which were used in attacks as old as 2009 .", "spans": {"TOOL: FakeM": [[48, 53]], "TOOL: Elirks": [[104, 110]], "TOOL: Poison Ivy": [[113, 123]]}, "info": {"id": "dnrti_test_000092", "source": "dnrti_test"}} +{"text": "There is some infrastructure overlap in the C2 servers used by almost all of the FakeM variants , as well other Trojans such as MobileOrder , Psylo , and CallMe .", "spans": {"TOOL: FakeM": [[81, 86]], "TOOL: MobileOrder": [[128, 139]], "TOOL: Psylo": [[142, 147]], "TOOL: CallMe": [[154, 160]]}, "info": {"id": "dnrti_test_000093", "source": "dnrti_test"}} +{"text": "Trend Micro published their analysis of the FakeM Trojan on January 17 , 2013 that discussed the original variant of FakeM .", "spans": {"ORGANIZATION: Trend Micro": [[0, 11]], "TOOL: FakeM Trojan": [[44, 56]], "TOOL: FakeM": [[117, 122]]}, "info": {"id": "dnrti_test_000094", "source": "dnrti_test"}} +{"text": "The primary source of data used in this analysis is Palo Alto Networks WildFire , which analyzes malware used in attacks across the world .", "spans": {"ORGANIZATION: Palo Alto Networks WildFire": [[52, 79]]}, "info": {"id": "dnrti_test_000095", "source": "dnrti_test"}} +{"text": "Scarlet Mimic also uses the infamous HTRAN tool on at least some of their C2 servers .", "spans": {"THREAT_ACTOR: Scarlet Mimic": [[0, 13]], "TOOL: HTRAN tool": [[37, 47]]}, "info": {"id": "dnrti_test_000096", "source": "dnrti_test"}} +{"text": "Scarlet Mimic primarily deploys spear-phishing e-mails to infect its targets , but was also responsible for a watering hole attack 
in 2013 .", "spans": {"THREAT_ACTOR: Scarlet Mimic": [[0, 13]]}, "info": {"id": "dnrti_test_000097", "source": "dnrti_test"}} +{"text": "Kaspersky Lab has produced excellent research on Scarlet Mimic group .", "spans": {"ORGANIZATION: Kaspersky Lab": [[0, 13]], "THREAT_ACTOR: Scarlet Mimic group": [[49, 68]]}, "info": {"id": "dnrti_test_000098", "source": "dnrti_test"}} +{"text": "Actors will run HTRAN on a server and configure their malware to interact with that server ; however , the actor will configure HTRAN to forward traffic to another server where the actual C2 server exists .", "spans": {"THREAT_ACTOR: Actors": [[0, 6]], "TOOL: HTRAN": [[16, 21], [128, 133]], "THREAT_ACTOR: actor": [[107, 112]]}, "info": {"id": "dnrti_test_000099", "source": "dnrti_test"}} +{"text": "The information discovered by Unit 42 and shared here indicates Scarlet Mimic is likely a well-funded and skillfully resourced cyber adversary .", "spans": {"ORGANIZATION: Unit 42": [[30, 37]], "THREAT_ACTOR: Scarlet Mimic": [[64, 77]]}, "info": {"id": "dnrti_test_000100", "source": "dnrti_test"}} +{"text": "Scarlet Mimic has carried out attacks using both spear-phishing and watering holes since at least 2009 with increasingly advanced malware , and has deployed malware to attack multiple operating systems and platforms .", "spans": {"THREAT_ACTOR: Scarlet Mimic": [[0, 13]]}, "info": {"id": "dnrti_test_000101", "source": "dnrti_test"}} +{"text": "This time I'm going to focus on malicious CHM files used by Silence APT .", "spans": {"TOOL: CHM files": [[42, 51]], "THREAT_ACTOR: Silence APT": [[60, 71]]}, "info": {"id": "dnrti_test_000102", "source": "dnrti_test"}} +{"text": "If you haven't heard about it for some reason , I would recommend to read this detailed report by Group-IB , as this APT attacks not only Russian banks , but also banks in more than 25 countries .", "spans": {"ORGANIZATION: Group-IB": [[98, 106]]}, "info": {"id": "dnrti_test_000103", "source": "dnrti_test"}} +{"text": "The 
group primarily deploys spear-phishing e-mails to infect its targets , but was also responsible for a watering hole attack in 2013 .", "spans": {"THREAT_ACTOR: group": [[4, 9]]}, "info": {"id": "dnrti_test_000104", "source": "dnrti_test"}} +{"text": "The group uses legitimate administration tools to fly under the radar in their post-exploitation phase , which makes detection of malicious activity , as well as attribution more complicated .", "spans": {"THREAT_ACTOR: group": [[4, 9]], "TOOL: legitimate administration tools": [[15, 46]]}, "info": {"id": "dnrti_test_000105", "source": "dnrti_test"}} +{"text": "On January 12 , 2016 , Cylance published a blog linking an exploit document to the group Mandiant refers to as APT2 and CrowdStrike as \" Putter Panda \" .", "spans": {"ORGANIZATION: Cylance": [[23, 30]], "ORGANIZATION: Mandiant": [[89, 97]], "THREAT_ACTOR: APT2": [[111, 115]], "ORGANIZATION: CrowdStrike": [[120, 131]], "THREAT_ACTOR: Putter Panda": [[137, 149]]}, "info": {"id": "dnrti_test_000106", "source": "dnrti_test"}} +{"text": "In 2016 , Unit 42 launched an unprecedented analytic effort focused on developing a modern assessment of the size , scope and complexity of this threat .", "spans": {"ORGANIZATION: Unit 42": [[10, 17]]}, "info": {"id": "dnrti_test_000107", "source": "dnrti_test"}} +{"text": "In 2014 , Unit 42 released a report titled \" 419 Evolution \" that documented one of the first known cases of Nigerian cybercriminals using malware for financial gain .", "spans": {"ORGANIZATION: Unit 42": [[10, 17]], "THREAT_ACTOR: cybercriminals": [[118, 132]]}, "info": {"id": "dnrti_test_000108", "source": "dnrti_test"}} +{"text": "A few months later , in February 2017 , the FBI published a press release revising its estimates and stating that \" Since January 2015 , there has been a 1,300 percent increase in identified exposed losses , now totaling over $3 billion \" Recognizing the significance of this threat group , Unit 42 continues to track the 
evolution of Nigerian cybercrime under the code name SilverTerrier .", "spans": {"ORGANIZATION: FBI": [[44, 47]], "THREAT_ACTOR: threat group": [[276, 288]], "ORGANIZATION: Unit 42": [[291, 298]], "THREAT_ACTOR: SilverTerrier": [[375, 388]]}, "info": {"id": "dnrti_test_000109", "source": "dnrti_test"}} +{"text": "In the 2016 Internet Crime Report published by the FBI , BEC was specifically highlighted as a \" Hot Topic \" , having been attributed to more than US$360 million in losses and gaining status as its own category of attack .", "spans": {"ORGANIZATION: FBI": [[51, 54]]}, "info": {"id": "dnrti_test_000110", "source": "dnrti_test"}} +{"text": "Recognizing the significance of this threat group , Unit 42 continues to track the evolution of Nigerian cybercrime under the code name SilverTerrier .", "spans": {"THREAT_ACTOR: threat group": [[37, 49]], "ORGANIZATION: Unit 42": [[52, 59]], "THREAT_ACTOR: SilverTerrier": [[136, 149]]}, "info": {"id": "dnrti_test_000111", "source": "dnrti_test"}} +{"text": "Pony is a fairly common malware family that has existed in various forms since 2012 , with our first indications of Nigerian use occurring in August 2014 .", "spans": {"TOOL: Pony": [[0, 4]]}, "info": {"id": "dnrti_test_000112", "source": "dnrti_test"}} +{"text": "Of the four , KeyBase stands out due to its rapid rise in popularity , with a peak deployment of 160 samples per month and usage by 46 separate SilverTerrier actors , followed by a fairly rapid decline .", "spans": {"TOOL: KeyBase": [[14, 21]], "THREAT_ACTOR: SilverTerrier actors": [[144, 164]]}, "info": {"id": "dnrti_test_000113", "source": "dnrti_test"}} +{"text": "NetWire , DarkComet , NanoCore , LuminosityLink , Remcos and Imminent Monitor are all designed to provide remote access to compromised systems .", "spans": {"TOOL: NetWire": [[0, 7]], "TOOL: DarkComet": [[10, 19]], "TOOL: NanoCore": [[22, 30]], "TOOL: LuminosityLink": [[33, 47]], "TOOL: Remcos": [[50, 56]], "TOOL: Imminent Monitor": [[61, 
77]]}, "info": {"id": "dnrti_test_000114", "source": "dnrti_test"}} +{"text": "Unit 42 analyzed the use of these six malware families and found that Nigerian actors are currently producing an average of 146 unique samples of malware per month ( see Figure 6 ) .", "spans": {"ORGANIZATION: Unit 42": [[0, 7]], "THREAT_ACTOR: actors": [[79, 85]]}, "info": {"id": "dnrti_test_000115", "source": "dnrti_test"}} +{"text": "Given this requirement , SilverTerrier actors often rely on Dynamic DNS and virtual private servers to provide a layer of obfuscation to protect their identities .", "spans": {"THREAT_ACTOR: SilverTerrier actors": [[25, 45]], "TOOL: Dynamic DNS": [[60, 71]], "TOOL: virtual private servers": [[76, 99]]}, "info": {"id": "dnrti_test_000116", "source": "dnrti_test"}} +{"text": "When using email scams , SilverTerrier actors preferred to use large target audiences , which maximized the likelihood of success with very little risk .", "spans": {"THREAT_ACTOR: SilverTerrier actors": [[25, 45]]}, "info": {"id": "dnrti_test_000117", "source": "dnrti_test"}} +{"text": "Unit 42 tracks roughly 300 SilverTerrier actors who have registered a combined 11,600 domains over the past five years .", "spans": {"ORGANIZATION: Unit 42": [[0, 7]], "THREAT_ACTOR: SilverTerrier actors": [[27, 47]]}, "info": {"id": "dnrti_test_000118", "source": "dnrti_test"}} +{"text": "To support the rapid growth and pace of malware distribution efforts , SilverTerrier actors are in constant need of domains to serve as C2 nodes .", "spans": {"THREAT_ACTOR: SilverTerrier actors": [[71, 91]]}, "info": {"id": "dnrti_test_000119", "source": "dnrti_test"}} +{"text": "To that end , it is very unlikely that the United States government or Shell , a global energy company , would commission SilverTerrier actors to develop domains that impersonate their own legitimate websites and services .", "spans": {"ORGANIZATION: global energy company": [[81, 102]], "THREAT_ACTOR: SilverTerrier actors": [[122, 142]]}, 
"info": {"id": "dnrti_test_000120", "source": "dnrti_test"}} +{"text": "The credentials they use to register their malware infrastructure are easily associated with their public social media accounts on Google® , Facebook® , MySpace® , Instagram® , and various dating and blogging sites .", "spans": {"ORGANIZATION: Google®": [[131, 138]], "ORGANIZATION: Facebook®": [[141, 150]], "ORGANIZATION: MySpace®": [[153, 161]], "ORGANIZATION: Instagram®": [[164, 174]], "ORGANIZATION: dating and blogging sites": [[189, 214]]}, "info": {"id": "dnrti_test_000121", "source": "dnrti_test"}} +{"text": "Earlier this year , Cybereason identified an advanced , persistent attack targeting telecommunications providers that has been underway for years , soon after deploying into the environment .", "spans": {"ORGANIZATION: Cybereason": [[20, 30]], "ORGANIZATION: telecommunications providers": [[84, 112]]}, "info": {"id": "dnrti_test_000122", "source": "dnrti_test"}} +{"text": "Based on the data available to us , Operation Soft Cell has been active since at least 2012 , though some evidence suggests even earlier activity by the threat actor against telecommunications providers .", "spans": {"THREAT_ACTOR: threat actor": [[153, 165]], "ORGANIZATION: telecommunications providers": [[174, 202]]}, "info": {"id": "dnrti_test_000123", "source": "dnrti_test"}} +{"text": "Threat actors , especially those at the level of nation state , are seeking opportunities to attack these organizations , conducting elaborate , advanced operations to gain leverage , seize strategic assets , and collect information .", "spans": {"THREAT_ACTOR: Threat actors": [[0, 13]]}, "info": {"id": "dnrti_test_000124", "source": "dnrti_test"}} +{"text": "The tools and techniques used throughout these attacks are consistent with several Chinese threat actors , such as APT10 , a threat actor believed to operate on behalf of the Chinese Ministry of State Security .", "spans": {"THREAT_ACTOR: threat actors": [[91, 104]], 
"THREAT_ACTOR: APT10": [[115, 120]], "THREAT_ACTOR: threat actor": [[125, 137]]}, "info": {"id": "dnrti_test_000125", "source": "dnrti_test"}} +{"text": "The threat actor attempted to compromise critical assets , such as database servers , billing servers , and the active directory .", "spans": {"THREAT_ACTOR: threat actor": [[4, 16]]}, "info": {"id": "dnrti_test_000126", "source": "dnrti_test"}} +{"text": "The attack began with a web shell running on a vulnerable , publicly-facing server , from which the attackers gathered information about the network and propagated across the network .", "spans": {"TOOL: web shell": [[24, 33]], "THREAT_ACTOR: attackers": [[100, 109]]}, "info": {"id": "dnrti_test_000127", "source": "dnrti_test"}} +{"text": "The initial indicator of the attack was a malicious web shell that was detected on an IIS server , coming out of the w3wp.exe process .", "spans": {"MALWARE: w3wp.exe": [[117, 125]]}, "info": {"id": "dnrti_test_000128", "source": "dnrti_test"}} +{"text": "An investigation of the web shell , later classified as a modified version of the China Chopper web shell , uncovered several attack phases and TTPs .", "spans": {"TOOL: China Chopper web shell": [[82, 105]]}, "info": {"id": "dnrti_test_000129", "source": "dnrti_test"}} +{"text": "The threat actor was able to leverage the web shell to run reconnaissance commands , steal credentials , and deploy other tools .", "spans": {"THREAT_ACTOR: threat actor": [[4, 16]], "TOOL: web shell": [[42, 51]]}, "info": {"id": "dnrti_test_000130", "source": "dnrti_test"}} +{"text": "The web shell parameters in this attack match to the China Chopper parameters , as described in FireEye 's analysis of China Chopper .", "spans": {"THREAT_ACTOR: China Chopper": [[53, 66], [119, 132]], "ORGANIZATION: FireEye": [[96, 103]]}, "info": {"id": "dnrti_test_000131", "source": "dnrti_test"}} +{"text": "It is used to remotely control web servers , and has been used in many attacks against Australian web 
hosting providers .", "spans": {"ORGANIZATION: hosting providers": [[102, 119]]}, "info": {"id": "dnrti_test_000132", "source": "dnrti_test"}} +{"text": "This tool has been used by several Chinese-affiliated threat actors , such as APT 27 and APT 40 .", "spans": {"THREAT_ACTOR: threat actors": [[54, 67]], "THREAT_ACTOR: APT 27": [[78, 84]], "THREAT_ACTOR: APT 40": [[89, 95]]}, "info": {"id": "dnrti_test_000133", "source": "dnrti_test"}} +{"text": "The most common credential stealing tool used by the threat actor was a modified mimikatz that dumps NTLM hashes .", "spans": {"THREAT_ACTOR: threat actor": [[53, 65]], "TOOL: mimikatz": [[81, 89]]}, "info": {"id": "dnrti_test_000134", "source": "dnrti_test"}} +{"text": "The threat actor relied on WMI and PsExec to move laterally and install their tools across multiple assets .", "spans": {"THREAT_ACTOR: threat actor": [[4, 16]], "TOOL: WMI": [[27, 30]], "TOOL: PsExec": [[35, 41]]}, "info": {"id": "dnrti_test_000135", "source": "dnrti_test"}} +{"text": "Nbtscan has been used by APT10 in Operation Cloud Hopper to search for services of interest across the IT estate and footprint endpoints of interest .", "spans": {"TOOL: Nbtscan": [[0, 7]], "THREAT_ACTOR: APT10": [[25, 30]]}, "info": {"id": "dnrti_test_000136", "source": "dnrti_test"}} +{"text": "A second method the threat actor used to maintain access across the compromised assets was through the deployment of the PoisonIvy RAT ( PIVY ) .", "spans": {"THREAT_ACTOR: threat actor": [[20, 32]], "TOOL: PoisonIvy RAT": [[121, 134]], "TOOL: PIVY": [[137, 141]]}, "info": {"id": "dnrti_test_000137", "source": "dnrti_test"}} +{"text": "This infamous RAT has been associated with many different Chinese threat actors , including APT10 , APT1 , and DragonOK .", "spans": {"TOOL: RAT": [[14, 17]], "THREAT_ACTOR: threat actors": [[66, 79]], "THREAT_ACTOR: APT10": [[92, 97]], "THREAT_ACTOR: APT1": [[100, 104]], "THREAT_ACTOR: DragonOK": [[111, 119]]}, "info": {"id": "dnrti_test_000138", 
"source": "dnrti_test"}} +{"text": "It is a powerful , multi-featured RAT that lets a threat actor take total control over a machine .", "spans": {"TOOL: multi-featured RAT": [[19, 37]], "THREAT_ACTOR: threat actor": [[50, 62]]}, "info": {"id": "dnrti_test_000139", "source": "dnrti_test"}} +{"text": "In an attempt to hide the contents of the stolen data , the threat actor used winrar to compress and password-protect it .", "spans": {"THREAT_ACTOR: threat actor": [[60, 72]], "TOOL: winrar": [[78, 84]]}, "info": {"id": "dnrti_test_000140", "source": "dnrti_test"}} +{"text": "The winrar binaries and compressed data were found mostly in the Recycle Bin folder , a TTP that was previously observed in APT10-related attacks , as well as others .", "spans": {"TOOL: winrar": [[4, 10]], "TOOL: Recycle Bin folder": [[65, 83]], "TOOL: TTP": [[88, 91]]}, "info": {"id": "dnrti_test_000141", "source": "dnrti_test"}} +{"text": "This ' connection bouncer ' tool lets the threat actor redirect ports and connections between different networks and obfuscate C2 server traffic .", "spans": {"TOOL: connection bouncer": [[7, 25]], "THREAT_ACTOR: threat actor": [[42, 54]]}, "info": {"id": "dnrti_test_000142", "source": "dnrti_test"}} +{"text": "In order to exfiltrate data from a network segment not connected to the Internet , the threat actor deployed a modified version of hTran .", "spans": {"THREAT_ACTOR: threat actor": [[87, 99]], "TOOL: hTran": [[131, 136]]}, "info": {"id": "dnrti_test_000143", "source": "dnrti_test"}} +{"text": "There have been numerous reports of hTran being used by different Chinese threat actors , including : APT3 , APT27 and DragonOK .", "spans": {"TOOL: hTran": [[36, 41]], "THREAT_ACTOR: threat actors": [[74, 87]], "THREAT_ACTOR: APT3": [[102, 106]], "THREAT_ACTOR: APT27": [[109, 114]], "THREAT_ACTOR: DragonOK": [[119, 127]]}, "info": {"id": "dnrti_test_000144", "source": "dnrti_test"}} +{"text": "The threat actor made some modifications to the original source code 
of hTran .", "spans": {"THREAT_ACTOR: threat actor": [[4, 16]], "TOOL: hTran": [[72, 77]]}, "info": {"id": "dnrti_test_000145", "source": "dnrti_test"}} +{"text": "The threat actor had a specific pattern of behavior that allowed us to understand their modus operandi : they used one server with the same IP address for multiple operations .", "spans": {"THREAT_ACTOR: threat actor": [[4, 16]]}, "info": {"id": "dnrti_test_000146", "source": "dnrti_test"}} +{"text": "There are previous reports of threat actors including APT10 and APT1 using dynamic DNS .", "spans": {"THREAT_ACTOR: threat actors": [[30, 43]], "THREAT_ACTOR: APT10": [[54, 59]], "THREAT_ACTOR: APT1": [[64, 68]], "TOOL: dynamic DNS": [[75, 86]]}, "info": {"id": "dnrti_test_000147", "source": "dnrti_test"}} +{"text": "Our investigation showed that these attacks were targeted , and that the threat actor sought to steal communications data of specific individuals in various countries .", "spans": {"THREAT_ACTOR: threat actor": [[73, 85]], "ORGANIZATION: specific individuals": [[125, 145]]}, "info": {"id": "dnrti_test_000148", "source": "dnrti_test"}} +{"text": "The data exfiltrated by this threat actor , in conjunction with the TTPs and tools used , allowed us to determine with a very high probability that the threat actor behind these malicious operations is backed by a nation state , and is affiliated with China .", "spans": {"THREAT_ACTOR: threat actor": [[29, 41], [152, 164]]}, "info": {"id": "dnrti_test_000149", "source": "dnrti_test"}} +{"text": "Symantec saw the first evidence of Sowbug-related activity with the discovery in March 2017 of an entirely new piece of malware called Felismus used against a target in Southeast Asia .", "spans": {"ORGANIZATION: Symantec": [[0, 8]], "TOOL: Felismus": [[135, 143]]}, "info": {"id": "dnrti_test_000150", "source": "dnrti_test"}} +{"text": "Symantec saw the first evidence of Sowbug group with the discovery in March 2017 of an entirely new piece of malware called 
Felismus used against a target in Southeast Asia .", "spans": {"ORGANIZATION: Symantec": [[0, 8]], "THREAT_ACTOR: Sowbug group": [[35, 47]], "TOOL: Felismus": [[124, 132]]}, "info": {"id": "dnrti_test_000151", "source": "dnrti_test"}} +{"text": "Symantec has also been able to connect earlier attack campaigns with Sowbug , demonstrating that it has been active since at least early-2015 and may have been operating even earlier .", "spans": {"ORGANIZATION: Symantec": [[0, 8]], "THREAT_ACTOR: Sowbug": [[69, 75]]}, "info": {"id": "dnrti_test_000152", "source": "dnrti_test"}} +{"text": "To date , Sowbug appears to be focused mainly on government entities in South America and Southeast Asia and has infiltrated organizations in Argentina , Brazil , Ecuador , Peru , Brunei and Malaysia .", "spans": {"THREAT_ACTOR: Sowbug": [[10, 16]], "ORGANIZATION: government entities": [[49, 68]], "ORGANIZATION: infiltrated organizations": [[113, 138]]}, "info": {"id": "dnrti_test_000153", "source": "dnrti_test"}} +{"text": "For example , in a 2015 attack on one South American foreign ministry , the group appeared to be searching for very specific information .", "spans": {"THREAT_ACTOR: group": [[76, 81]]}, "info": {"id": "dnrti_test_000154", "source": "dnrti_test"}} +{"text": "The first evidence of its intrusion dated from May 6 , 2015 but activity appeared to have begun in earnest on May 12 .", "spans": {}, "info": {"id": "dnrti_test_000155", "source": "dnrti_test"}} +{"text": "In total , the attackers maintained a presence on the target 's network for four months between May and September 2015 .", "spans": {"THREAT_ACTOR: attackers": [[15, 24]]}, "info": {"id": "dnrti_test_000156", "source": "dnrti_test"}} +{"text": "We have previously detected groups we suspect are affiliated with the North Korean government compromising electric utilities in South Korea , but these compromises did not lead to a disruption of the power supply .", "spans": {"THREAT_ACTOR: groups": [[28, 34]], 
"ORGANIZATION: government": [[83, 93]]}, "info": {"id": "dnrti_test_000157", "source": "dnrti_test"}} +{"text": "Instead , sensitive KHNP documents were leaked by the actors as part of an effort to exaggerate the access they had and embarrass the South Korean Government , a technique we assess North Korea would turn to again in order to instill fear and/or meet domestic propaganda aims .", "spans": {"MALWARE: KHNP documents": [[20, 34]], "THREAT_ACTOR: actors": [[54, 60]], "ORGANIZATION: South Korean Government": [[134, 157]]}, "info": {"id": "dnrti_test_000158", "source": "dnrti_test"}} +{"text": "North Korea linked hackers are among the most prolific nation-state threats , targeting not only the U.S. and South Korea but the global financial system and nations worldwide .", "spans": {}, "info": {"id": "dnrti_test_000159", "source": "dnrti_test"}} +{"text": "FireEye has detected more than 20 cyber threat groups suspected to be sponsored by at least four other nation-states attempting to gain access to targets in the energy sector that could have been used to cause disruptions .", "spans": {"ORGANIZATION: FireEye": [[0, 7]], "THREAT_ACTOR: groups": [[47, 53]]}, "info": {"id": "dnrti_test_000160", "source": "dnrti_test"}} +{"text": "CapabilitiesFormBook is a data stealer , but not a full-fledged banker .", "spans": {"ORGANIZATION: banker": [[64, 70]]}, "info": {"id": "dnrti_test_000161", "source": "dnrti_test"}} +{"text": "FormBook OverviewFormBook is a data stealer and form grabber that has been advertised in various hacking forums since early 2016 .", "spans": {"TOOL: FormBook OverviewFormBook": [[0, 25]]}, "info": {"id": "dnrti_test_000162", "source": "dnrti_test"}} +{"text": "The malware may inject itself into browser processes and explorer.exe .", "spans": {"TOOL: malware": [[4, 11]], "MALWARE: explorer.exe": [[57, 69]]}, "info": {"id": "dnrti_test_000163", "source": "dnrti_test"}} +{"text": "The attackers involved in these email campaigns leveraged a variety of 
distribution mechanisms to deliver the information stealing FormBook malware .", "spans": {"THREAT_ACTOR: attackers": [[4, 13]]}, "info": {"id": "dnrti_test_000164", "source": "dnrti_test"}} +{"text": "Much of the activity was observed in the United States (Figure 11) , and the most targeted industry vertical was Aerospace/Defense Contractors (Figure 12) .", "spans": {}, "info": {"id": "dnrti_test_000165", "source": "dnrti_test"}} +{"text": "In the last few weeks , FormBook was seen downloading other malware families such as NanoCore .", "spans": {"MALWARE: FormBook": [[24, 32]], "MALWARE: NanoCore": [[85, 93]]}, "info": {"id": "dnrti_test_000166", "source": "dnrti_test"}} +{"text": "We have associated this campaign with APT19 , a group that we assess is composed of freelancers , with some degree of sponsorship by the Chinese government .", "spans": {"THREAT_ACTOR: APT19": [[38, 43]], "ORGANIZATION: Chinese": [[137, 144]], "ORGANIZATION: government": [[145, 155]]}, "info": {"id": "dnrti_test_000167", "source": "dnrti_test"}} +{"text": "The vulnerability is bypassing most mitigations; however , as noted above , FireEye email and network products detect the malicious documents .", "spans": {"ORGANIZATION: FireEye": [[76, 83]], "MALWARE: malicious documents": [[122, 141]]}, "info": {"id": "dnrti_test_000168", "source": "dnrti_test"}} +{"text": "We have previously observed APT19 steal data from law and investment firms for competitive economic purposes .", "spans": {"THREAT_ACTOR: APT19": [[28, 33]]}, "info": {"id": "dnrti_test_000169", "source": "dnrti_test"}} +{"text": "Through the exploitation of the HTA handler vulnerability described in CVE-2017-1099 , the observed RTF attachments download .", "spans": {"VULNERABILITY: CVE-2017-1099": [[71, 84]], "MALWARE: RTF attachments": [[100, 115]]}, "info": {"id": "dnrti_test_000170", "source": "dnrti_test"}} +{"text": "In early May , the phishing lures leveraged RTF attachments that exploited the Microsoft Windows 
vulnerability described in CVE-2017-0199 .", "spans": {"MALWARE: RTF attachments": [[44, 59]], "VULNERABILITY: CVE-2017-0199": [[124, 137]]}, "info": {"id": "dnrti_test_000171", "source": "dnrti_test"}} +{"text": "Furthermore , there are indications that APT32 actors are targeting peripheral network security and technology infrastructure corporations .", "spans": {"THREAT_ACTOR: APT32": [[41, 46]]}, "info": {"id": "dnrti_test_000172", "source": "dnrti_test"}} +{"text": "This focused intelligence and detection effort led to new external victim identifications as well as providing sufficient technical evidence to link twelve prior intrusions , consolidating four previously unrelated clusters of threat actor activity into FireEye’s newest named advanced persistent threat group: APT32 .", "spans": {"ORGANIZATION: FireEye’s": [[254, 263]], "THREAT_ACTOR: APT32": [[311, 316]]}, "info": {"id": "dnrti_test_000173", "source": "dnrti_test"}} +{"text": "In mid-2016 , malware that FireEye believes to be unique to APT32 was detected on the networks of a global hospitality industry developer with plans to expand operations into Vietnam .", "spans": {"ORGANIZATION: mid-2016": [[3, 11]], "ORGANIZATION: FireEye": [[27, 34]], "THREAT_ACTOR: APT32": [[60, 65]]}, "info": {"id": "dnrti_test_000174", "source": "dnrti_test"}} +{"text": "In March 2017 , in response to active targeting of FireEye clients , the team launched a Community Protection Event (CPE) – a coordinated effort between Mandiant incident responders , FireEye as a Service (FaaS) , FireEye iSight Intelligence , and FireEye product engineering – to protect all clients from APT32 activity .", "spans": {"ORGANIZATION: FireEye": [[51, 58], [184, 191], [248, 255]], "ORGANIZATION: Mandiant": [[153, 161]], "ORGANIZATION: FireEye iSight Intelligence": [[214, 241]], "THREAT_ACTOR: APT32": [[306, 311]]}, "info": {"id": "dnrti_test_000175", "source": "dnrti_test"}} +{"text": "In their current campaign , APT32 has leveraged ActiveMime 
files that employ social engineering methods to entice the victim into enabling macros .", "spans": {"THREAT_ACTOR: APT32": [[28, 33]], "MALWARE: ActiveMime files": [[48, 64]]}, "info": {"id": "dnrti_test_000176", "source": "dnrti_test"}} +{"text": "APT32 actors continue to deliver the malicious attachments via spear-phishing emails .", "spans": {"THREAT_ACTOR: APT32": [[0, 5]], "MALWARE: malicious attachments": [[37, 58]]}, "info": {"id": "dnrti_test_000177", "source": "dnrti_test"}} +{"text": "APT19 leveraged Rich Text Format (RTF) and macro-enabled Microsoft Excel files to deliver their initial exploits .", "spans": {"THREAT_ACTOR: APT19": [[0, 5]], "MALWARE: Microsoft Excel files": [[57, 78]]}, "info": {"id": "dnrti_test_000178", "source": "dnrti_test"}} +{"text": "In the following weeks , FireEye released threat intelligence products and updated malware profiles to customers while developing new detection techniques for APT32’s tools and phishing lures .", "spans": {"ORGANIZATION: FireEye": [[25, 32]], "THREAT_ACTOR: APT32’s": [[159, 166]]}, "info": {"id": "dnrti_test_000179", "source": "dnrti_test"}} +{"text": "Also in 2014 , APT32 carried out an intrusion against a Western country’s national legislature .", "spans": {"THREAT_ACTOR: APT32": [[15, 20]]}, "info": {"id": "dnrti_test_000180", "source": "dnrti_test"}} +{"text": "In 2015 , SkyEye Labs , the security research division of the Chinese firm Qihoo 360 , released a report detailing threat actors that were targeting Chinese public and private entities including government agencies , research institutes , maritime agencies , sea construction , and shipping enterprises .", "spans": {"ORGANIZATION: SkyEye Labs": [[10, 21]], "ORGANIZATION: Qihoo 360": [[75, 84]], "ORGANIZATION: government agencies": [[195, 214]], "ORGANIZATION: research institutes": [[217, 236]], "ORGANIZATION: maritime agencies": [[239, 256]], "ORGANIZATION: sea construction": [[259, 275]], "ORGANIZATION: shipping enterprises": [[282, 
302]]}, "info": {"id": "dnrti_test_000181", "source": "dnrti_test"}} +{"text": "In order to track who opened the phishing emails , viewed the links , and downloaded the attachments in real-time , APT32 used cloud-based email analytics software designed for sales organizations .", "spans": {"THREAT_ACTOR: APT32": [[116, 121]], "ORGANIZATION: sales organizations": [[177, 196]]}, "info": {"id": "dnrti_test_000182", "source": "dnrti_test"}} +{"text": "Since at least 2014 , FireEye has observed APT32 targeting foreign corporations with a vested interest in Vietnama's manufacturing , consumer products , and hospitality sectors .", "spans": {"ORGANIZATION: FireEye": [[22, 29]], "THREAT_ACTOR: APT32": [[43, 48]], "ORGANIZATION: manufacturing": [[117, 130]], "ORGANIZATION: consumer products": [[133, 150]], "ORGANIZATION: hospitality sectors": [[157, 176]]}, "info": {"id": "dnrti_test_000183", "source": "dnrti_test"}} +{"text": "Mandiant consultants suspect that APT32 was monitoring web logs to track the public IP address used to request remote images .", "spans": {"ORGANIZATION: Mandiant": [[0, 8]], "THREAT_ACTOR: APT32": [[34, 39]]}, "info": {"id": "dnrti_test_000184", "source": "dnrti_test"}} +{"text": "APT32 often deploys these backdoors along with the commercially-available Cobalt Strike BEACON backdoor .", "spans": {"THREAT_ACTOR: APT32": [[0, 5]], "TOOL: backdoors": [[26, 35]], "THREAT_ACTOR: Cobalt Strike": [[74, 87]], "TOOL: BEACON": [[88, 94]], "TOOL: backdoor": [[95, 103]]}, "info": {"id": "dnrti_test_000185", "source": "dnrti_test"}} +{"text": "The targeting of private sector interests by APT32 is notable and FireEye believes the actor poses significant risk to companies doing business in , or preparing to invest in , the country .", "spans": {"THREAT_ACTOR: APT32": [[45, 50]], "ORGANIZATION: FireEye": [[66, 73]]}, "info": {"id": "dnrti_test_000186", "source": "dnrti_test"}} +{"text": "While the motivation for each APT32 private sector compromise varied – and in 
some cases was unknown – the unauthorized access could serve as a platform for law enforcement , intellectual property theft , or anticorruption measures that could ultimately erode the competitive advantage of targeted organizations .", "spans": {"THREAT_ACTOR: APT32": [[30, 35]]}, "info": {"id": "dnrti_test_000187", "source": "dnrti_test"}} +{"text": "While actors from China , Iran , Russia , and North Korea remain the most active cyber espionage threats tracked and responded to by FireEye , APT32 reflects a growing host of new countries that have adopted this dynamic capability .", "spans": {"ORGANIZATION: FireEye": [[133, 140]], "THREAT_ACTOR: APT32": [[143, 148]]}, "info": {"id": "dnrti_test_000188", "source": "dnrti_test"}} +{"text": "Several Mandiant investigations revealed that , after gaining access , APT32 regularly cleared select event log entries and heavily obfuscated their PowerShell-based tools and shellcode loaders with Daniel Bohannon’s Invoke-Obfuscation framework .", "spans": {"ORGANIZATION: Mandiant": [[8, 16]], "THREAT_ACTOR: APT32": [[71, 76]], "TOOL: PowerShell-based tools": [[149, 171]]}, "info": {"id": "dnrti_test_000189", "source": "dnrti_test"}} +{"text": "Furthermore , APT32 continues to threaten political activism and free speech in Southeast Asia and the public sector worldwide .", "spans": {"THREAT_ACTOR: APT32": [[14, 19]], "ORGANIZATION: public sector": [[103, 116]]}, "info": {"id": "dnrti_test_000190", "source": "dnrti_test"}} +{"text": "North Korea's Office 39 is involved in activities such as gold smuggling , counterfeiting foreign currency , and even operating restaurants .", "spans": {}, "info": {"id": "dnrti_test_000191", "source": "dnrti_test"}} +{"text": "With these details , we will then draw some conclusions about the operators of CARBANAK .", "spans": {"THREAT_ACTOR: CARBANAK": [[79, 87]]}, "info": {"id": "dnrti_test_000192", "source": "dnrti_test"}} +{"text": "Most of these data-stealing capabilities were present in the 
oldest variants of CARBANAK that we have seen and some were added over time .", "spans": {"MALWARE: CARBANAK": [[80, 88]]}, "info": {"id": "dnrti_test_000193", "source": "dnrti_test"}} +{"text": "Since May 2017 , Mandiant experts observed North Korean actors target at least three South Korean cryptocurrency exchanges with the suspected intent of stealing funds .", "spans": {"ORGANIZATION: Mandiant": [[17, 25]]}, "info": {"id": "dnrti_test_000194", "source": "dnrti_test"}} +{"text": "February saw three particularly interesting publications on the topic of macOS malware: a Trojan Cocoa application that sends system information including keychain data back to the attacker , a macOS version of APT28’s Xagent malware , and a new Trojan ransomware .", "spans": {"THREAT_ACTOR: attacker": [[181, 189]], "THREAT_ACTOR: APT28’s": [[211, 218]], "MALWARE: Trojan ransomware": [[246, 263]]}, "info": {"id": "dnrti_test_000195", "source": "dnrti_test"}} +{"text": "Per a 2015 report from CitizenLab , Gamma Group licenses their software to clients and each client uses unique infrastructure , making it likely that the two documents are being used by a single client .", "spans": {"ORGANIZATION: CitizenLab": [[23, 33]], "THREAT_ACTOR: Gamma Group": [[36, 47]], "ORGANIZATION: infrastructure": [[111, 125]]}, "info": {"id": "dnrti_test_000196", "source": "dnrti_test"}} +{"text": "As early as March 4 , 2017 , malicious documents exploiting CVE-2017-0199 were used to deliver the LATENTBOT malware .", "spans": {"MALWARE: malicious documents": [[29, 48]], "VULNERABILITY: CVE-2017-0199": [[60, 73]], "TOOL: LATENTBOT malware": [[99, 116]]}, "info": {"id": "dnrti_test_000197", "source": "dnrti_test"}} +{"text": "LATENTBOT is a modular and highly obfuscated type of malware first discovered by FireEye iSIGHT intelligence in December 2015 .", "spans": {"TOOL: LATENTBOT": [[0, 9]], "ORGANIZATION: FireEye iSIGHT intelligence": [[81, 108]]}, "info": {"id": "dnrti_test_000198", "source": "dnrti_test"}} 
+{"text": "It is capable of a variety of functions , including credential theft , hard drive and data wiping , disabling security software , and remote desktop functionality .", "spans": {}, "info": {"id": "dnrti_test_000199", "source": "dnrti_test"}} +{"text": "Additionally , this incident exposes the global nature of cyber threats and the value of worldwide perspective – a cyber espionage incident targeting Russians can provide an opportunity to learn about and interdict crime against English speakers elsewhere .", "spans": {}, "info": {"id": "dnrti_test_000200", "source": "dnrti_test"}} +{"text": "Recent DRIDEX activity began following a disclosure on April 7 , 2017 .", "spans": {}, "info": {"id": "dnrti_test_000201", "source": "dnrti_test"}} +{"text": "This campaign primarily affected the government sector in the Middle East , U.S. , and Japan .", "spans": {"ORGANIZATION: government": [[37, 47]]}, "info": {"id": "dnrti_test_000202", "source": "dnrti_test"}} +{"text": "FireEye believes that two actors – Turla and an unknown financially motivated actor – were using the first EPS zero-day CVE-2017-0261 , and APT28 was using the second EPS zero-day CVE-2017-0262 along with a new Escalation of Privilege (EOP) zero-day CVE-2017-0263 .", "spans": {"ORGANIZATION: FireEye": [[0, 7]], "THREAT_ACTOR: actors": [[26, 32]], "VULNERABILITY: CVE-2017-0261": [[120, 133]], "THREAT_ACTOR: APT28": [[140, 145]], "VULNERABILITY: CVE-2017-0262": [[180, 193]], "VULNERABILITY: CVE-2017-0263": [[250, 263]]}, "info": {"id": "dnrti_test_000204", "source": "dnrti_test"}} +{"text": "Turla and APT28 are Russian cyber espionage groups that have used these zero-days against European diplomatic and military entities .", "spans": {"THREAT_ACTOR: Turla": [[0, 5]], "THREAT_ACTOR: APT28": [[10, 15]]}, "info": {"id": "dnrti_test_000205", "source": "dnrti_test"}} +{"text": "The first , st07383.en17.docx , continues by utilizing 32 or 64 bit versions of CVE-2017-0001 to escalate privileges before 
executing a final JavaScript payload containing a malware implant known as SHIRIME .", "spans": {"MALWARE: st07383.en17.docx": [[12, 29]], "VULNERABILITY: CVE-2017-0001": [[80, 93]], "MALWARE: SHIRIME": [[199, 206]]}, "info": {"id": "dnrti_test_000206", "source": "dnrti_test"}} +{"text": "This vulnerability was found in a document named Trump's_Attack_on_Syria_English.docx” .", "spans": {"MALWARE: document": [[34, 42]], "VULNERABILITY: Trump's_Attack_on_Syria_English.docx”": [[49, 86]]}, "info": {"id": "dnrti_test_000207", "source": "dnrti_test"}} +{"text": "It is possible that CVE-2017-8759 was being used by additional actors .", "spans": {"VULNERABILITY: CVE-2017-8759": [[20, 33]], "THREAT_ACTOR: actors": [[63, 69]]}, "info": {"id": "dnrti_test_000208", "source": "dnrti_test"}} +{"text": "Russian cyber espionage actors use zero-day exploits in addition to less complex measures .", "spans": {}, "info": {"id": "dnrti_test_000209", "source": "dnrti_test"}} +{"text": "The addition of the EternalBlue exploit to Metasploit has made it easy for threat actors to exploit these vulnerabilities .", "spans": {"VULNERABILITY: EternalBlue": [[20, 31]], "TOOL: Metasploit": [[43, 53]], "THREAT_ACTOR: actors": [[82, 88]]}, "info": {"id": "dnrti_test_000210", "source": "dnrti_test"}} +{"text": "Given the release of sensitive victim data , extortion , and destruction of systems , FireEye considers FIN10 to be one of the most disruptive threat actors observed in the region so far .", "spans": {"ORGANIZATION: FireEye": [[86, 93]], "THREAT_ACTOR: FIN10": [[104, 109]]}, "info": {"id": "dnrti_test_000211", "source": "dnrti_test"}} +{"text": "To install and register the malicious shim database on a system , FIN7 used a custom Base64 encoded PowerShell script , which ran the sdbinst.exe” utility to register a custom shim database file containing a patch onto a system .", "spans": {"THREAT_ACTOR: FIN7": [[66, 70]], "TOOL: PowerShell script": [[100, 117]], "MALWARE: sdbinst.exe”": [[134, 
146]]}, "info": {"id": "dnrti_test_000212", "source": "dnrti_test"}} +{"text": "During the investigations , Mandiant observed that FIN7 used a custom shim database to patch both the 32-bit and 64-bit versions of services.exe” with their CARBANAK payload .", "spans": {"ORGANIZATION: Mandiant": [[28, 36]], "THREAT_ACTOR: FIN7": [[51, 55]], "MALWARE: services.exe”": [[132, 145]], "TOOL: CARBANAK": [[157, 165]]}, "info": {"id": "dnrti_test_000213", "source": "dnrti_test"}} +{"text": "FIN7 is a financially motivated intrusion set that selectively targets victims and uses spear phishing to distribute its malware .", "spans": {"THREAT_ACTOR: FIN7": [[0, 4]]}, "info": {"id": "dnrti_test_000214", "source": "dnrti_test"}} +{"text": "During the investigations , Mandiant observed that FIN7 used a custom shim database to patch both the 32-bit and 64-bit versions of a??services.exea?? with their CARBANAK payload .", "spans": {"ORGANIZATION: Mandiant": [[28, 36]], "THREAT_ACTOR: FIN7": [[51, 55]], "TOOL: CARBANAK": [[162, 170]]}, "info": {"id": "dnrti_test_000215", "source": "dnrti_test"}} +{"text": "CARBANAK malware has been used heavily by FIN7 in previous operations .", "spans": {"TOOL: CARBANAK": [[0, 8]], "THREAT_ACTOR: FIN7": [[42, 46]]}, "info": {"id": "dnrti_test_000216", "source": "dnrti_test"}} +{"text": "We have not yet identified FIN7’s ultimate goal in this campaign , as we have either blocked the delivery of the malicious emails or our FaaS team detected and contained the attack early enough in the lifecycle before we observed any data targeting or theft .", "spans": {"THREAT_ACTOR: FIN7’s": [[27, 33]], "MALWARE: malicious emails": [[113, 129]]}, "info": {"id": "dnrti_test_000217", "source": "dnrti_test"}} +{"text": "If the attackers are attempting to compromise persons involved in SEC filings due to their information access , they may ultimately be pursuing securities fraud or other investment abuse .", "spans": {"THREAT_ACTOR: attackers": [[7, 16]]}, "info": 
{"id": "dnrti_test_000218", "source": "dnrti_test"}} +{"text": "The use of the CARBANAK malware in FIN7 operations also provides limited evidence that these campaigns are linked to previously observed CARBANAK operations leading to fraudulent banking transactions , ATM compromise , and other monetization schemes .", "spans": {"TOOL: CARBANAK malware": [[15, 31]], "THREAT_ACTOR: FIN7": [[35, 39]]}, "info": {"id": "dnrti_test_000219", "source": "dnrti_test"}} +{"text": "Figure 1 shows a sample phishing email used by HawkEye operators in this latest campaign .", "spans": {"MALWARE: phishing email": [[24, 38]]}, "info": {"id": "dnrti_test_000220", "source": "dnrti_test"}} +{"text": "The HawkEye malware is primarily used for credential theft and is often combined with additional tools to extract passwords from email and web browser applications .", "spans": {"TOOL: HawkEye malware": [[4, 19]]}, "info": {"id": "dnrti_test_000221", "source": "dnrti_test"}} +{"text": "HawkEye is a versatile Trojan used by diverse actors for multiple purposes .", "spans": {"TOOL: HawkEye": [[0, 7]], "THREAT_ACTOR: actors": [[46, 52]]}, "info": {"id": "dnrti_test_000222", "source": "dnrti_test"}} +{"text": "We have seen different HawkEye campaigns infecting organizations across many sectors globally , and stealing user credentials for diverse online services .", "spans": {"THREAT_ACTOR: HawkEye": [[23, 30]]}, "info": {"id": "dnrti_test_000223", "source": "dnrti_test"}} +{"text": "Mandiant disclosed these vulnerabilities to Lenovo in May of 2016 .", "spans": {"ORGANIZATION: Mandiant": [[0, 8]]}, "info": {"id": "dnrti_test_000224", "source": "dnrti_test"}} +{"text": "For our M-Trends 2017 report , we took a look at the incidents we investigated last year and provided a global and regional (the Americas , APAC and EMEA) analysis focused on attack trends , and defensive and emerging trends .", "spans": {"ORGANIZATION: M-Trends": [[8, 16]]}, "info": {"id": "dnrti_test_000225", "source": 
"dnrti_test"}} +{"text": "As we noted in M-Trends 2016 , Mandiant’s Red Team can obtain access to domain administrator credentials within roughly three days of gaining initial access to an environment , so 99 days is still 96 days too long .", "spans": {"ORGANIZATION: M-Trends": [[15, 23]], "ORGANIZATION: Mandiant’s": [[31, 41]]}, "info": {"id": "dnrti_test_000226", "source": "dnrti_test"}} +{"text": "On top of our analysis of recent trends , M-Trends 2017 contains insights from our FireEye as a Service (FaaS) teams for the second consecutive year .", "spans": {"ORGANIZATION: M-Trends": [[42, 50]], "ORGANIZATION: FireEye": [[83, 90]]}, "info": {"id": "dnrti_test_000227", "source": "dnrti_test"}} +{"text": "In Figure 1 , which is based on FireEye Dynamic threat Intelligence (DTI) reports shared in March 2017 , we can see the regions affected by Magnitude EK activity during the last three months of 2016 and the first three months of 2017 .", "spans": {"ORGANIZATION: FireEye": [[32, 39]]}, "info": {"id": "dnrti_test_000228", "source": "dnrti_test"}} +{"text": "Magnitude EK activity then fell off the radar until Oct. 
15 , 2017 , when it came back and began focusing solely on South Korea .", "spans": {"TOOL: Magnitude EK": [[0, 12]]}, "info": {"id": "dnrti_test_000229", "source": "dnrti_test"}} +{"text": "The Magnitude EK landing page consisted of CVE-2016-0189 , which was first reported by FireEye as being used in Neutrino Exploit Kit after it was patched .", "spans": {"TOOL: Magnitude EK": [[4, 16]], "VULNERABILITY: CVE-2016-0189": [[43, 56]], "ORGANIZATION: FireEye": [[87, 94]], "TOOL: Neutrino Exploit Kit": [[112, 132]]}, "info": {"id": "dnrti_test_000230", "source": "dnrti_test"}} +{"text": "Throughout the final quarter of 2016 and first month of 2017 , FireEye Dynamic Threat Intelligence (DTI) observed consistent Magnitude EK hits from several customers , the majority of whom reside in the APAC region .", "spans": {"ORGANIZATION: FireEye": [[63, 70]], "TOOL: Magnitude EK": [[125, 137]]}, "info": {"id": "dnrti_test_000231", "source": "dnrti_test"}} +{"text": "In January 2017 , new domain names appeared in the campaign hosted on a different IP location .", "spans": {}, "info": {"id": "dnrti_test_000232", "source": "dnrti_test"}} +{"text": "Many groups leverage the regsvr32.exe application whitelisting bypass , including APT19 in their 2017 campaign against law firms .", "spans": {"MALWARE: regsvr32.exe": [[25, 37]], "THREAT_ACTOR: APT19": [[82, 87]], "ORGANIZATION: law firms": [[119, 128]]}, "info": {"id": "dnrti_test_000233", "source": "dnrti_test"}} +{"text": "This trend continued until late September 2017 , when we saw Magnitude EK focus primarily on the APAC region , with a large chunk targeting South Korea .", "spans": {"TOOL: Magnitude EK": [[61, 73]]}, "info": {"id": "dnrti_test_000234", "source": "dnrti_test"}} +{"text": "These ransomware payloads only seem to target Korean systems , since they won’t execute if the system language is not Korean .", "spans": {"TOOL: ransomware": [[6, 16]]}, "info": {"id": "dnrti_test_000235", "source": "dnrti_test"}} +{"text": "The 
malware was initially distributed through a compromised software update system and then self-propagated through stolen credentials and SMB exploits , including the EternalBlue exploit used in the WannaCry attack from May 2017 .", "spans": {"MALWARE: malware": [[4, 11]], "TOOL: EternalBlue exploit": [[168, 187]], "THREAT_ACTOR: WannaCry": [[200, 208]]}, "info": {"id": "dnrti_test_000236", "source": "dnrti_test"}} +{"text": "In our Revoke-Obfuscation white paper , first presented at Black Hat USA 2017 , we provide background on obfuscated PowerShell attacks seen in the wild , as well as defensive mitigation and logging best practices .", "spans": {"ORGANIZATION: Black Hat": [[59, 68]]}, "info": {"id": "dnrti_test_000237", "source": "dnrti_test"}} +{"text": "The malware leverages an exploit , codenamed EternalBlue” , that was released by the Shadow Brokers on April 14 , 2017 .", "spans": {"VULNERABILITY: EternalBlue”": [[45, 57]], "THREAT_ACTOR: Shadow Brokers": [[85, 99]]}, "info": {"id": "dnrti_test_000238", "source": "dnrti_test"}} +{"text": "The malware appends encrypted data files with the .WCRY extension , drops and executes a decryptor tool , and demands $300 or $600 USD (via Bitcoin) to decrypt the data .", "spans": {"MALWARE: malware": [[4, 11]], "MALWARE: .WCRY extension": [[50, 65]]}, "info": {"id": "dnrti_test_000239", "source": "dnrti_test"}} +{"text": "The malware then builds two DLLs in memory – they are 32 and 64-bit DLLs that have identical functionality .", "spans": {"MALWARE: malware": [[4, 11]], "MALWARE: DLLs": [[28, 32]]}, "info": {"id": "dnrti_test_000240", "source": "dnrti_test"}} +{"text": "The malware continues by creating a service named mssecsvc2.0 with a binary path pointing to the running module with the arguments -m security .", "spans": {"MALWARE: malware": [[4, 11]], "MALWARE: mssecsvc2.0": [[50, 61]]}, "info": {"id": "dnrti_test_000241", "source": "dnrti_test"}} +{"text": "The malware then writes the R resource data to the file 
C:\\WINDOWS\\tasksche.exe .", "spans": {"MALWARE: malware": [[4, 11]], "MALWARE: file": [[51, 55]]}, "info": {"id": "dnrti_test_000242", "source": "dnrti_test"}} +{"text": "The usefulness of flare-qdb can be seen in cases such as loops dealing with strings .", "spans": {"MALWARE: flare-qdb": [[18, 27]]}, "info": {"id": "dnrti_test_000243", "source": "dnrti_test"}} +{"text": "Attaching with IDA Pro via WinDbg as in Figure 11 shows that the program counter points to the infinite loop written in memory allocated by flare-qdb .", "spans": {"MALWARE: IDA Pro": [[15, 22]], "MALWARE: WinDbg": [[27, 33]]}, "info": {"id": "dnrti_test_000244", "source": "dnrti_test"}} +{"text": "We recently observed a resurgence of the same phishing campaign when our systems detected roughly 90 phony Apple-like domains that were registered from July 2016 to September 2016 .", "spans": {}, "info": {"id": "dnrti_test_000245", "source": "dnrti_test"}} +{"text": "In this blog we provide insight into the tactics , techniques and procedures (TTPs) of a Brazilian cyber crime group that specializes in payment card fraud operations .", "spans": {"THREAT_ACTOR: crime group": [[105, 116]]}, "info": {"id": "dnrti_test_000246", "source": "dnrti_test"}} +{"text": "The threat actors , observed by FireEye Labs , use a variety of different methods to either compromise or acquire already compromised payment card credentials , including sharing or purchasing dumps online , hacking vulnerable merchant websites and compromising payment card processing devices .", "spans": {"THREAT_ACTOR: actors": [[11, 17]], "ORGANIZATION: FireEye Labs": [[32, 44]]}, "info": {"id": "dnrti_test_000247", "source": "dnrti_test"}} +{"text": "Once in their possession , the actors use these compromised payment card credentials to generate further card information .", "spans": {"THREAT_ACTOR: actors": [[31, 37]]}, "info": {"id": "dnrti_test_000248", "source": "dnrti_test"}} +{"text": "The members of the group use a variety of tools , 
including CCleaner , on a daily basis to effectively remove any evidence of their operations .", "spans": {"THREAT_ACTOR: group": [[19, 24]], "TOOL: CCleaner": [[60, 68]]}, "info": {"id": "dnrti_test_000249", "source": "dnrti_test"}} +{"text": "Another common step taken by threat actors is changing their system's MAC Address to avoid being uniquely identified .", "spans": {"THREAT_ACTOR: actors": [[36, 42]]}, "info": {"id": "dnrti_test_000250", "source": "dnrti_test"}} +{"text": "For this purpose , these actors often use tools such as Technitium MAC Address Changer .", "spans": {"THREAT_ACTOR: actors": [[25, 31]], "TOOL: Technitium MAC Address Changer": [[56, 86]]}, "info": {"id": "dnrti_test_000251", "source": "dnrti_test"}} +{"text": "We have observed these actors using Tor or proxy-based tools similar to Tor (e.g , UltraSurf , as seen in Figure 2) .", "spans": {"THREAT_ACTOR: actors": [[23, 29]], "TOOL: Tor": [[36, 39]], "TOOL: proxy-based tools": [[43, 60]]}, "info": {"id": "dnrti_test_000252", "source": "dnrti_test"}} +{"text": "We have also observed them using virtual private network services that use IPs based in numerous countries to ensure anonymity and obfuscate criminal operations .", "spans": {"MALWARE: them": [[22, 26]]}, "info": {"id": "dnrti_test_000253", "source": "dnrti_test"}} +{"text": "Based on our observations , this group uses a variety of different methods to either compromise or acquire already compromised payment card credentials .", "spans": {"THREAT_ACTOR: group": [[33, 38]]}, "info": {"id": "dnrti_test_000254", "source": "dnrti_test"}} +{"text": "Payment card dumps are commonly shared amongst Brazilian threat actors via social media forums such as Facebook , Skype , and web-based WhatsApp messenger .", "spans": {"THREAT_ACTOR: actors": [[64, 70]], "ORGANIZATION: social media forums": [[75, 94]]}, "info": {"id": "dnrti_test_000255", "source": "dnrti_test"}} +{"text": "Similarly , the group takes advantage of freely available 
consolidations of email credentials , personal information , and other data shared in eCrime forums for fraud purposes .", "spans": {"THREAT_ACTOR: group": [[16, 21]], "TOOL: email credentials": [[76, 93]], "TOOL: personal information": [[96, 116]]}, "info": {"id": "dnrti_test_000256", "source": "dnrti_test"}} +{"text": "These actors scan websites for vulnerabilities to exploit to illicitly access databases .", "spans": {"THREAT_ACTOR: actors": [[6, 12]]}, "info": {"id": "dnrti_test_000257", "source": "dnrti_test"}} +{"text": "They most commonly target Brazilian merchants , though others use the same tactics to exploit entities outside Brazil .", "spans": {"THREAT_ACTOR: They": [[0, 4]]}, "info": {"id": "dnrti_test_000258", "source": "dnrti_test"}} +{"text": "The group also uses the SQL injection (SQLi) tools Havij Advanced SQL Injection Tool and SQLi Dumper version 7.0 (Figure 4) to scan for and exploit vulnerabilities in targeted eCommerce sites .", "spans": {"THREAT_ACTOR: group": [[4, 9]], "TOOL: SQL injection": [[24, 37]]}, "info": {"id": "dnrti_test_000259", "source": "dnrti_test"}} +{"text": "At least eight sellers update the website as frequently as daily , offering newly obtained databases from the U.S .", "spans": {"THREAT_ACTOR: sellers": [[15, 22]]}, "info": {"id": "dnrti_test_000260", "source": "dnrti_test"}} +{"text": "Once in possession of compromised payment card credentials , these actors use tools commonly known as card generators to generate new card numbers based on the compromised ones , creating additional opportunities for monetization .", "spans": {"TOOL: card credentials": [[42, 58]], "THREAT_ACTOR: actors": [[67, 73]]}, "info": {"id": "dnrti_test_000261", "source": "dnrti_test"}} +{"text": "One bulk card-checking tool this group uses is Testador Amazon.com v1.1 (Figure 8). 
its name , this tool does not use Amazon’s website , but exploits an unauthenticated Cross-Site Request Forgery (CSRF) vulnerability of a merchant website allowing the abuse of PayPal Payflow link functionality (Figure 9) .", "spans": {"TOOL: bulk card-checking": [[4, 22]], "THREAT_ACTOR: group": [[33, 38]], "TOOL: PayPal Payflow": [[261, 275]]}, "info": {"id": "dnrti_test_000262", "source": "dnrti_test"}} +{"text": "Based on our observations of interactions in this channel , between May 2016 and June 2016 , malicious actors validated 2 , 987 cards from 62 countries , with the most coming from the U.S. (nearly half) , Brazil , and France .", "spans": {"THREAT_ACTOR: actors": [[103, 109]]}, "info": {"id": "dnrti_test_000263", "source": "dnrti_test"}} +{"text": "The actors frequently use the stolen data to create cloned physical cards , which they use to attempt to withdraw funds from ATMs .", "spans": {"THREAT_ACTOR: actors": [[4, 10]]}, "info": {"id": "dnrti_test_000264", "source": "dnrti_test"}} +{"text": "The group primarily uses the MSR 606 Software (Figure 12) and Hardware (Figure 13) to create cloned cards .", "spans": {"THREAT_ACTOR: group": [[4, 9]], "TOOL: MSR 606 Software": [[29, 45]], "TOOL: Hardware": [[62, 70]]}, "info": {"id": "dnrti_test_000265", "source": "dnrti_test"}} +{"text": "However , Brazilian actors commonly use several methods to do so , such as reselling cards they have created , paying bills with stolen cards in return for a portion of the bill's value and reselling illicitly obtained goods .", "spans": {"THREAT_ACTOR: actors": [[20, 26]]}, "info": {"id": "dnrti_test_000266", "source": "dnrti_test"}} +{"text": "Some attacker tools were used to almost exclusively target organizations within APAC .", "spans": {"THREAT_ACTOR: attacker": [[5, 13]]}, "info": {"id": "dnrti_test_000267", "source": "dnrti_test"}} +{"text": "In April 2015 , we uncovered the malicious efforts of APT30 , a suspected China-based threat group that has exploited the 
networks of governments and organizations across the region , targeting highly sensitive political , economic and military information .", "spans": {"THREAT_ACTOR: APT30": [[54, 59]], "ORGANIZATION: governments": [[134, 145]], "ORGANIZATION: organizations": [[150, 163]]}, "info": {"id": "dnrti_test_000268", "source": "dnrti_test"}} +{"text": "The individuals using Hancitor malware also known by the name Chanitor are no exception and have taken three approaches to deliver the malware in order to ultimately steal data from their victims .", "spans": {"THREAT_ACTOR: individuals": [[4, 15]], "TOOL: Hancitor": [[22, 30]], "TOOL: Chanitor": [[62, 70]]}, "info": {"id": "dnrti_test_000269", "source": "dnrti_test"}} +{"text": "We recently observed Hancitor attacks against some of our FireEye Exploit Guard customers .", "spans": {"THREAT_ACTOR: Hancitor": [[21, 29]], "ORGANIZATION: FireEye": [[58, 65]]}, "info": {"id": "dnrti_test_000270", "source": "dnrti_test"}} +{"text": "The group has performed these activities at multiple locations across Brazil , possibly using multiple mules .", "spans": {"THREAT_ACTOR: group": [[4, 9]]}, "info": {"id": "dnrti_test_000271", "source": "dnrti_test"}} +{"text": "Once downloaded and executed , it drops an intermediate payload that further downloads a Pony DLL and Vawtrak executable , which perform data theft and connect to a command and control (C2) server .", "spans": {"MALWARE: Pony DLL": [[89, 97]], "MALWARE: Vawtrak": [[102, 109]]}, "info": {"id": "dnrti_test_000272", "source": "dnrti_test"}} +{"text": "The attachment in these emails is a weaponized Microsoft Office document containing a malicious macro that – when enabled – leads to the download of Hancitor .", "spans": {"MALWARE: Hancitor": [[149, 157]]}, "info": {"id": "dnrti_test_000273", "source": "dnrti_test"}} +{"text": "After the executable is executed , it downloads Pony and Vawtrak malware variants to steal data .", "spans": {"MALWARE: Pony": [[48, 52]], "MALWARE: Vawtrak": 
[[57, 64]]}, "info": {"id": "dnrti_test_000274", "source": "dnrti_test"}} +{"text": "Upon execution , it will communicate with an attacker-controller website to download a variant of the Pony malware , pm.dll” along with a standard Vawtrak trojan .", "spans": {"MALWARE: Pony malware": [[102, 114]]}, "info": {"id": "dnrti_test_000275", "source": "dnrti_test"}} +{"text": "In this blog , FireEye Labs dissects this new ATM malware that we have dubbed RIPPER (due to the project name ATMRIPPER” identified in the sample) and documents indicators that strongly suggest this piece of malware is the one used to steal from the ATMs at banks in Thailand .", "spans": {"ORGANIZATION: FireEye": [[15, 22]], "MALWARE: ATM malware": [[46, 57]], "MALWARE: RIPPER": [[78, 84]]}, "info": {"id": "dnrti_test_000276", "source": "dnrti_test"}} +{"text": "RIPPER interacts with the ATM by inserting a specially manufactured ATM card with an EMV chip that serves as the authentication mechanism .", "spans": {"MALWARE: RIPPER": [[0, 6]]}, "info": {"id": "dnrti_test_000277", "source": "dnrti_test"}} +{"text": "RIPPER will examine the contents of directories associated with the targeted ATM vendors and will replace legitimate executables with itself .", "spans": {"MALWARE: RIPPER": [[0, 6]], "ORGANIZATION: ATM vendors": [[77, 88]]}, "info": {"id": "dnrti_test_000278", "source": "dnrti_test"}} +{"text": "Once a valid card with a malicious EMV chip is detected , RIPPER will instantiate a timer to allow a thief to control the machine .", "spans": {"MALWARE: RIPPER": [[58, 64]]}, "info": {"id": "dnrti_test_000279", "source": "dnrti_test"}} +{"text": "This malware family can be used to compromise multiple vendor platforms and leverages uncommon technology to access physical devices .", "spans": {"MALWARE: malware": [[5, 12]]}, "info": {"id": "dnrti_test_000280", "source": "dnrti_test"}} +{"text": "From our trend analysis seen in Figure 3 , Locky ransomware started being delivered via DOCM format email 
attachments more extensively beginning in August .", "spans": {"MALWARE: Locky": [[43, 48]]}, "info": {"id": "dnrti_test_000281", "source": "dnrti_test"}} +{"text": "Discovered for the first time in Mexico back in 2013 , Ploutus enabled criminals to empty ATMs using either an external keyboard attached to the machine or via SMS message , a technique that had never been seen before .", "spans": {"MALWARE: Ploutus": [[55, 62]]}, "info": {"id": "dnrti_test_000282", "source": "dnrti_test"}} +{"text": "FireEye Labs recently identified a previously unobserved version of Ploutus , dubbed Ploutus-D , that interacts with KAL’s Kalignite multivendor ATM platform .", "spans": {"ORGANIZATION: FireEye": [[0, 7]], "MALWARE: Ploutus": [[68, 75]], "MALWARE: Ploutus-D": [[85, 94]]}, "info": {"id": "dnrti_test_000283", "source": "dnrti_test"}} +{"text": "The samples we identified target the ATM vendor Diebold .", "spans": {"MALWARE: samples": [[4, 11]], "ORGANIZATION: ATM vendor Diebold": [[37, 55]]}, "info": {"id": "dnrti_test_000284", "source": "dnrti_test"}} +{"text": "This blog covers the changes , improvements , and Indicators of Compromise (IOC) of Ploutus-D in order to help financial organizations identify and defend against this threat .", "spans": {"MALWARE: Ploutus-D": [[84, 93]]}, "info": {"id": "dnrti_test_000285", "source": "dnrti_test"}} +{"text": "Ploutus-D also allows the attackers to enter the amount to withdraw (billUnits – 4 digits) and the number of cycles (billCount – 2 digits) to repeat the dispensing operation (see Figure 10) .", "spans": {"MALWARE: Ploutus-D": [[0, 9]], "THREAT_ACTOR: attackers": [[26, 35]]}, "info": {"id": "dnrti_test_000286", "source": "dnrti_test"}} +{"text": "Ploutus-D will load KXCashDispenserLib” library implemented by Kalignite Platform (K3A.Platform.dll) to interact with the XFS Manager and control the Dispenser (see Figure 13) .", "spans": {"MALWARE: Ploutus-D": [[0, 9]]}, "info": {"id": "dnrti_test_000287", "source": "dnrti_test"}} 
+{"text": "Since Ploutus-D interacts with the Kalignite Platform , only minor modifications to the Ploutus-D code may be required to target different ATM vendors worldwide .", "spans": {"MALWARE: Ploutus-D": [[6, 15], [88, 97]], "ORGANIZATION: ATM vendors": [[139, 150]]}, "info": {"id": "dnrti_test_000288", "source": "dnrti_test"}} +{"text": "Finally , Mandiant’s Devon Kerr and John Miller of FireEye iSIGHT Intelligence will expose the tactics of FIN7 , a financially motivated hacker group that FireEye tracked throughout 2016 .", "spans": {"ORGANIZATION: Mandiant’s": [[10, 20]], "ORGANIZATION: FireEye": [[51, 58], [155, 162]], "THREAT_ACTOR: FIN7": [[106, 110]]}, "info": {"id": "dnrti_test_000289", "source": "dnrti_test"}} +{"text": "In mid-November , Mandiant , a FireEye company , responded to the first Shamoon 2.0 incident against an organization located in the Gulf states .", "spans": {"ORGANIZATION: Mandiant": [[18, 26]], "ORGANIZATION: FireEye": [[31, 38]]}, "info": {"id": "dnrti_test_000290", "source": "dnrti_test"}} +{"text": "These attackers can potentially grab sensitive online banking information and other personal data , and even provided support for multifactor authentication and OTP .", "spans": {"THREAT_ACTOR: attackers": [[6, 15]]}, "info": {"id": "dnrti_test_000291", "source": "dnrti_test"}} +{"text": "FireEye Labs detects this phishing attack and customers will be protected against the usage of these sites in possible future campaigns .", "spans": {"ORGANIZATION: FireEye": [[0, 7]]}, "info": {"id": "dnrti_test_000292", "source": "dnrti_test"}} +{"text": "Our visibility into APT28’s operations , which date to at least 2007 , has allowed us to understand the group’s malware , operational changes and motivations .", "spans": {"THREAT_ACTOR: APT28’s": [[20, 27]]}, "info": {"id": "dnrti_test_000293", "source": "dnrti_test"}} +{"text": "This intelligence has been critical to protecting and informing our clients , exposing this threat and strengthening 
our confidence in attributing APT28 to the Russian government .", "spans": {"THREAT_ACTOR: APT28": [[147, 152]], "ORGANIZATION: Russian government": [[160, 178]]}, "info": {"id": "dnrti_test_000294", "source": "dnrti_test"}} +{"text": "The threat actors used two publicly available techniques , an AppLocker whitelisting bypass and a script to inject shellcode into the userinit.exe process .", "spans": {"THREAT_ACTOR: actors": [[11, 17]], "MALWARE: userinit.exe": [[134, 146]]}, "info": {"id": "dnrti_test_000295", "source": "dnrti_test"}} +{"text": "The regsvr32.exe executable can be used to download a Windows Script Component file (SCT file) by passing the URL of the SCT file as an argument .", "spans": {"MALWARE: regsvr32.exe": [[4, 16]], "MALWARE: SCT file": [[121, 129]]}, "info": {"id": "dnrti_test_000296", "source": "dnrti_test"}} +{"text": "We observed implementation of this bypass in the macro code to invoke regsvr32.exe , along with a URL passed to it which was hosting a malicious SCT file .", "spans": {"MALWARE: regsvr32.exe": [[70, 82]], "MALWARE: SCT file": [[145, 153]]}, "info": {"id": "dnrti_test_000297", "source": "dnrti_test"}} +{"text": "There was code to download a decoy document from the Internet and open it in a second winword.exe process using the Start-Process cmdlet .", "spans": {"MALWARE: winword.exe": [[86, 97]], "MALWARE: Start-Process": [[116, 129]], "MALWARE: cmdlet": [[130, 136]]}, "info": {"id": "dnrti_test_000298", "source": "dnrti_test"}} +{"text": "Ordnance will be able to immediately generate shellcode after users provide the IP and Port that the shellcode should connect to or listen on .", "spans": {"MALWARE: Ordnance": [[0, 8]], "MALWARE: shellcode": [[101, 110]]}, "info": {"id": "dnrti_test_000299", "source": "dnrti_test"}} +{"text": "Therefore , the Stuxnet MOF file creation tool that the Shadow Brokers dropped on Friday is possibly the earliest technical evidence that NSA hackers and developers coded Stuxnet , as many suspect .", 
"spans": {"TOOL: Stuxnet MOF": [[16, 27]], "ORGANIZATION: NSA": [[138, 141]], "TOOL: Stuxnet": [[171, 178]]}, "info": {"id": "dnrti_test_000300", "source": "dnrti_test"}} +{"text": "Of course , it 's also possible that whatever group The Shadow Brokers have exposed simply gained access to the Stuxnet tools secondhand , and reused them .", "spans": {"TOOL: Stuxnet tools": [[112, 125]]}, "info": {"id": "dnrti_test_000301", "source": "dnrti_test"}} +{"text": "That post included download links for a slew of NSA hacking tools and exploits , many of which could be used to break into hardware firewall appliances , and in turn , corporate or government networks .", "spans": {"ORGANIZATION: NSA": [[48, 51]]}, "info": {"id": "dnrti_test_000302", "source": "dnrti_test"}} +{"text": "Some hackers even went onto use the Cisco exploits in the wild .", "spans": {"VULNERABILITY: Cisco exploits": [[36, 50]]}, "info": {"id": "dnrti_test_000303", "source": "dnrti_test"}} +{"text": "DanderSpritz consists entirely of plugins to gather intelligence , use exploits and examine already controlled machines .", "spans": {"TOOL: DanderSpritz": [[0, 12]]}, "info": {"id": "dnrti_test_000304", "source": "dnrti_test"}} +{"text": "DarkPulsar is a very interesting administrative module for controlling a passive backdoor named ' sipauth32.tsp ' that provides remote control , belonging to this category .", "spans": {"TOOL: DarkPulsar": [[0, 10]], "TOOL: backdoor": [[81, 89]], "MALWARE: sipauth32.tsp": [[98, 111]]}, "info": {"id": "dnrti_test_000306", "source": "dnrti_test"}} +{"text": "DanderSpritz is the framework for controlling infected machines , different from FuZZbuNch as the latter provides a limited toolkit for the post-exploitation stage with specific functions such as DisableSecurity and EnableSecurity for DarkPulsar .", "spans": {"TOOL: DanderSpritz": [[0, 12]], "TOOL: FuZZbuNch": [[81, 90]], "TOOL: DisableSecurity": [[196, 211]], "TOOL: EnableSecurity": [[216, 230]], "TOOL: DarkPulsar": 
[[235, 245]]}, "info": {"id": "dnrti_test_000307", "source": "dnrti_test"}} +{"text": "PeddleCheap is a plugin of DanderSpritz which can be used to configure implants and connect to infected machines .", "spans": {"TOOL: PeddleCheap": [[0, 11]], "TOOL: DanderSpritz": [[27, 39]]}, "info": {"id": "dnrti_test_000308", "source": "dnrti_test"}} +{"text": "The FuzzBunch and DanderSpritz frameworks are designed to be flexible and to extend functionality and compatibility with other tools .", "spans": {"TOOL: FuzzBunch": [[4, 13]], "TOOL: DanderSpritz": [[18, 30]]}, "info": {"id": "dnrti_test_000309", "source": "dnrti_test"}} +{"text": "Each of them consists of a set of plugins designed for different tasks : while FuzzBunch plugins are responsible for reconnaissance and attacking a victim , plugins in the DanderSpritz framework are developed for managing already infected victims .", "spans": {"TOOL: FuzzBunch plugins": [[79, 96]], "TOOL: DanderSpritz": [[172, 184]]}, "info": {"id": "dnrti_test_000310", "source": "dnrti_test"}} +{"text": "The leaked NSA documents and tools published in recent months by the mysterious Shadow Brokers group have provided rare insight into the clandestine digital espionage operations pursued by the spy agency over the past few years , including information on operations aimed at Iran and Russia .", "spans": {"ORGANIZATION: NSA": [[11, 14]], "ORGANIZATION: spy agency": [[193, 203]]}, "info": {"id": "dnrti_test_000311", "source": "dnrti_test"}} +{"text": "Yet the document cache published April 8 provides evidence that the NSA had once launched a series of successful computer-based intrusions against multiple high-profile foreign targets , including the Office of the President of Iran and the Russian Federal Nuclear Center .", "spans": {"ORGANIZATION: NSA": [[68, 71]]}, "info": {"id": "dnrti_test_000312", "source": "dnrti_test"}} +{"text": "The ShadowBrokers' latest dump of Equation Group hacks focuses on UNIX systems and GSM networks , and was 
accompanied by an open letter to President Trump .", "spans": {}, "info": {"id": "dnrti_test_000313", "source": "dnrti_test"}} +{"text": "Numerous Windows hacking tools are also among the new batch of files the Shadow Brokers dumped Friday .", "spans": {"TOOL: Windows hacking tools": [[9, 30]]}, "info": {"id": "dnrti_test_000314", "source": "dnrti_test"}} +{"text": "The leaked files show the NSA was allegedly targeting EastNets in Dubai , Belgium , and Egypt .", "spans": {"ORGANIZATION: NSA": [[26, 29]], "ORGANIZATION: EastNets": [[54, 62]]}, "info": {"id": "dnrti_test_000315", "source": "dnrti_test"}} +{"text": "The files appear to include logs from 2013 that show the NSA was also targeting oil and investment companies across the Middle East .", "spans": {"ORGANIZATION: NSA": [[57, 60]], "ORGANIZATION: investment companies": [[88, 108]]}, "info": {"id": "dnrti_test_000316", "source": "dnrti_test"}} +{"text": "According to Kaspersky , the Equation Group has more than 60 members and has been operating since at least 2001 .", "spans": {"ORGANIZATION: Kaspersky": [[13, 22]]}, "info": {"id": "dnrti_test_000317", "source": "dnrti_test"}} +{"text": "The existence of the Equation Group was first posited in Feb. 
2015 by researchers at Russian security firm Kaspersky Lab , which described it as one of the most sophisticated cyber attack teams in the world .", "spans": {"ORGANIZATION: security firm": [[93, 106]], "ORGANIZATION: Kaspersky Lab": [[107, 120]]}, "info": {"id": "dnrti_test_000318", "source": "dnrti_test"}} +{"text": "Most of the Equation Group 's targets have been in Iran , Russia , Pakistan , Afghanistan , India , Syria , and Mali .", "spans": {"THREAT_ACTOR: Equation Group": [[12, 26]]}, "info": {"id": "dnrti_test_000319", "source": "dnrti_test"}} +{"text": "According to Wikipedia , the CSS was formed in 1972 to integrate the NSA and the Service Cryptologic Elements ( SCE ) of the U.S armed forces .", "spans": {}, "info": {"id": "dnrti_test_000320", "source": "dnrti_test"}} +{"text": "KrebsOnSecurity was first made aware of the metadata in the Shadow Brokers leak by Mike Poor , Rob Curtinseufert , and Larry Pesce .", "spans": {"ORGANIZATION: KrebsOnSecurity": [[0, 15]], "THREAT_ACTOR: Shadow Brokers": [[60, 74]]}, "info": {"id": "dnrti_test_000321", "source": "dnrti_test"}} +{"text": "In their latest leak , they have released the UNITEDRAKE NSA exploit , which is a remote access and control tool that can remotely target Windows-based systems to capture desired information and transfer it to a server .", "spans": {"VULNERABILITY: UNITEDRAKE NSA exploit": [[46, 68]]}, "info": {"id": "dnrti_test_000322", "source": "dnrti_test"}} +{"text": "The ShadowBrokers is a group of hackers known for leaking exclusive information about the National Security Agency – NSA 's hacking tools and tactics .", "spans": {"THREAT_ACTOR: ShadowBrokers": [[4, 17]], "ORGANIZATION: NSA": [[117, 120]]}, "info": {"id": "dnrti_test_000323", "source": "dnrti_test"}} +{"text": "It captures information using plugins to compromise webcam and microphone output along with documenting log keystrokes , carrying out surveillance and access external drives .", "spans": {}, "info": {"id": 
"dnrti_test_000324", "source": "dnrti_test"}} +{"text": "UNITEDRAKE is described as a \" fully extensible \" data collection tool that is specifically developed for Windows machines to allow operators the chance of controlling a device completely .", "spans": {"TOOL: UNITEDRAKE": [[0, 10]]}, "info": {"id": "dnrti_test_000325", "source": "dnrti_test"}} +{"text": "On the other hand , ShadowBrokers group made headlines in 2016 when it claimed to have robbed various exploitation tools used by the NSA including the notorious ETERNALBLUE that was a vital component in the WannaCry ransomware campaign causing damages to systems worldwide .", "spans": {"ORGANIZATION: NSA": [[133, 136]], "VULNERABILITY: ETERNALBLUE": [[161, 172]]}, "info": {"id": "dnrti_test_000326", "source": "dnrti_test"}} +{"text": "This turned out to be a malicious loader internally named ' Slingshot ' , part of a new , and highly sophisticated attack platform that rivals Project Sauron and Regin in complexity .", "spans": {"TOOL: Slingshot": [[60, 69]], "TOOL: Project Sauron": [[143, 157]], "TOOL: Regin": [[162, 167]]}, "info": {"id": "dnrti_test_000327", "source": "dnrti_test"}} +{"text": "One of them – ipv4.dll – has been placed by the APT with what is , in fact , a downloader for other malicious components .", "spans": {"MALWARE: ipv4.dll": [[14, 22]], "TOOL: downloader": [[79, 89]]}, "info": {"id": "dnrti_test_000328", "source": "dnrti_test"}} +{"text": "To run its code in kernel mode in the most recent versions of operating systems , that have Driver Signature Enforcement , Slingshot loads signed vulnerable drivers and runs its own code through their vulnerabilities .", "spans": {"TOOL: Slingshot": [[123, 132]]}, "info": {"id": "dnrti_test_000329", "source": "dnrti_test"}} +{"text": "During our research we also found a component called KPWS that turned out to be another downloader for Slingshot components .", "spans": {"TOOL: KPWS": [[53, 57]], "TOOL: Slingshot": [[103, 112]]}, "info": {"id": 
"dnrti_test_000330", "source": "dnrti_test"}} +{"text": "Written in pure C language , Canhadr/Ndriver provides full access to the hard drive and operating memory despite device security restrictions , and carries out integrity control of various system components to avoid debugging and security detection .", "spans": {"MALWARE: Canhadr/Ndriver": [[29, 44]]}, "info": {"id": "dnrti_test_000331", "source": "dnrti_test"}} +{"text": "The toolset includes reams of documentation explaining how the cyber weapons work , as well as details about their use in highly classified intelligence operations abroad .", "spans": {}, "info": {"id": "dnrti_test_000332", "source": "dnrti_test"}} +{"text": "So far , researchers have seen around 100 victims of Slingshot and its related modules , located in Kenya , Yemen , Afghanistan , Libya , Congo , Jordan , Turkey , Iraq , Sudan , Somalia and Tanzania .", "spans": {"TOOL: Slingshot": [[53, 62]]}, "info": {"id": "dnrti_test_000333", "source": "dnrti_test"}} +{"text": "Some of the techniques used by Slingshot , such as the exploitation of legitimate , yet vulnerable drivers has been seen before in other malware , such as White and Grey Lambert .", "spans": {"TOOL: Slingshot": [[31, 40]], "TOOL: White": [[155, 160]], "TOOL: Grey Lambert": [[165, 177]]}, "info": {"id": "dnrti_test_000334", "source": "dnrti_test"}} +{"text": "Cylance tracks this threat group internally as ' Snake Wine ' .", "spans": {"ORGANIZATION: Cylance": [[0, 7]], "THREAT_ACTOR: Snake Wine": [[49, 59]]}, "info": {"id": "dnrti_test_000335", "source": "dnrti_test"}} +{"text": "To date , all observed Snake Wine 's attacks were the result of spear phishing attempts against the victim organizations .", "spans": {"THREAT_ACTOR: Snake Wine": [[23, 33]]}, "info": {"id": "dnrti_test_000336", "source": "dnrti_test"}} +{"text": "The Ham Backdoor functions primarily as a modular platform , which provides the attacker with the ability to directly download additional modules and 
execute them in memory from the command and control ( C2 ) server .", "spans": {"TOOL: Ham Backdoor": [[4, 16]]}, "info": {"id": "dnrti_test_000337", "source": "dnrti_test"}} +{"text": "Based upon Cylance 's observations , the Tofu Backdoor was deployed in far fewer instances than the Ham Backdoor .", "spans": {"ORGANIZATION: Cylance": [[11, 18]], "TOOL: Tofu Backdoor": [[41, 54]], "TOOL: Ham Backdoor": [[100, 112]]}, "info": {"id": "dnrti_test_000338", "source": "dnrti_test"}} +{"text": "This suggests that the Snake Wine group will likely continue to escalate their activity and persistently target both private and government entities within Japan .", "spans": {"ORGANIZATION: government entities": [[129, 148]]}, "info": {"id": "dnrti_test_000339", "source": "dnrti_test"}} +{"text": "The group was first publicly disclosed by FireEye in this report .", "spans": {"ORGANIZATION: FireEye": [[42, 49]]}, "info": {"id": "dnrti_test_000340", "source": "dnrti_test"}} +{"text": "MenuPass is a well-documented CN-APT group , whose roots go back to 2009 .", "spans": {"THREAT_ACTOR: MenuPass": [[0, 8]]}, "info": {"id": "dnrti_test_000341", "source": "dnrti_test"}} +{"text": "Snake Wine was first publicly disclosed by FireEye in this report .", "spans": {"ORGANIZATION: FireEye": [[43, 50]]}, "info": {"id": "dnrti_test_000342", "source": "dnrti_test"}} +{"text": "Although the MenuPass Group used mostly publicly available RATs , they were successful in penetrating a number of high value targets , so it is entirely possible this is indeed a continuation of past activity .", "spans": {"TOOL: publicly available RATs": [[40, 63]]}, "info": {"id": "dnrti_test_000343", "source": "dnrti_test"}} +{"text": "Also of particular interest was the use of a domain hosting company that accepts BTC and was previously heavily leveraged by the well-known Russian group APT28 .", "spans": {"ORGANIZATION: domain hosting company": [[45, 67]], "THREAT_ACTOR: APT28": [[154, 159]]}, "info": {"id": 
"dnrti_test_000344", "source": "dnrti_test"}} +{"text": "Germany 's Der Spiegel re-published the slide set with far less deletions recently , in January 2015 , and therefore gave a deeper insight about what CSEC actually says they have tracked down .", "spans": {"ORGANIZATION: Der Spiegel": [[11, 22]]}, "info": {"id": "dnrti_test_000345", "source": "dnrti_test"}} +{"text": "According to slide 22 , \" CSEC assesses , with moderate certainty , SNOWGLOBE to be a state-sponsored Cyber Network Operation effort , put forth by a French intelligence agency \" .", "spans": {}, "info": {"id": "dnrti_test_000346", "source": "dnrti_test"}} +{"text": "The information given dates back to 2011 and nothing else has been published since .", "spans": {}, "info": {"id": "dnrti_test_000347", "source": "dnrti_test"}} +{"text": "Now that specific Babar samples have been identified and analyzed , there might be new information , also with regards to similarities or differences between the two Remote Administration Tools ( RATs ) EvilBunny and Babar .", "spans": {"TOOL: Babar samples": [[18, 31]], "TOOL: Remote Administration Tools": [[166, 193]], "TOOL: RATs": [[196, 200]], "TOOL: EvilBunny": [[203, 212]], "TOOL: Babar": [[217, 222]]}, "info": {"id": "dnrti_test_000348", "source": "dnrti_test"}} +{"text": "We recommend reading Marion 's report \" Shooting Elephants \" , a complementary piece of work regarding the Babar malware .", "spans": {"TOOL: Babar malware": [[107, 120]]}, "info": {"id": "dnrti_test_000349", "source": "dnrti_test"}} +{"text": "And finally , as every elephant , Babar has big ears and the malware is able to listen to conversations and log them by using the dsound and winmm libraries .", "spans": {"TOOL: Babar": [[34, 39]], "TOOL: dsound": [[130, 136]], "TOOL: winmm libraries": [[141, 156]]}, "info": {"id": "dnrti_test_000350", "source": "dnrti_test"}} +{"text": "The G DATA SecurityLabs are convinced that the number of similarities identified between EvilBunny and 
Babar show that both malware families originate from the same developers .", "spans": {"ORGANIZATION: G DATA SecurityLabs": [[4, 23]], "TOOL: EvilBunny": [[89, 98]], "TOOL: Babar": [[103, 108]]}, "info": {"id": "dnrti_test_000351", "source": "dnrti_test"}} +{"text": "TA542 , the primary actor behind Emotet , is known for the development of lures and malicious mail specific to given regions .", "spans": {"THREAT_ACTOR: TA542": [[0, 5]], "TOOL: Emotet": [[33, 39]]}, "info": {"id": "dnrti_test_000352", "source": "dnrti_test"}} +{"text": "While discussions of threats in this region often focus on \" North America \" generally or just the United States , nearly 100 campaigns during this period were either specifically targeted at Canadian organizations or were customized for Canadian audiences .", "spans": {"ORGANIZATION: audiences": [[247, 256]]}, "info": {"id": "dnrti_test_000353", "source": "dnrti_test"}} +{"text": "Emotet is a type of general-purpose malware that evolved from a well-known banking Trojan , \" Cridex \" , which was first discovered in 2014 .", "spans": {"TOOL: Emotet": [[0, 6]], "TOOL: banking Trojan": [[75, 89]], "TOOL: Cridex": [[94, 100]]}, "info": {"id": "dnrti_test_000354", "source": "dnrti_test"}} +{"text": "Emotet activity in 2019 included several high-volume campaigns that collectively distributed tens of millions of messages primarily targeting the manufacturing and healthcare industries .", "spans": {}, "info": {"id": "dnrti_test_000356", "source": "dnrti_test"}} +{"text": "Originally targeting Western European banks , Emotet has since been developed into a robust global botnet that is comprised of several modules , each of which equips Emotet with different spamming , email logging , information stealing , bank fraud , downloading , and DDoS , among others .", "spans": {"TOOL: Emotet": [[46, 52], [166, 172]]}, "info": {"id": "dnrti_test_000357", "source": "dnrti_test"}} +{"text": "Originally targeting Western European banks , it has since 
been developed into a robust global botnet that is comprised of several modules , each of which equips Emotet with different spamming , email logging , information stealing , bank fraud , downloading , and DDoS , among others .", "spans": {"TOOL: Emotet": [[162, 168]]}, "info": {"id": "dnrti_test_000358", "source": "dnrti_test"}} +{"text": "Beginning in mid-January 2019 , TA542 distributed millions of Emotet-laden emails in both English and German .", "spans": {}, "info": {"id": "dnrti_test_000359", "source": "dnrti_test"}} +{"text": "DanaBot is a Trojan that includes banking site web injections and stealer functions .", "spans": {"TOOL: DanaBot": [[0, 7]], "TOOL: Trojan": [[13, 19]]}, "info": {"id": "dnrti_test_000360", "source": "dnrti_test"}} +{"text": "Proofpoint researchers observed one DanaBot affiliate ( Affid 11 ) specifically targeting Canada with \" Canada Post \" themed lures between January 1 and May 1 , 2019 .", "spans": {"ORGANIZATION: Proofpoint": [[0, 10]], "TOOL: DanaBot": [[36, 43]], "ORGANIZATION: Canada Post": [[104, 115]]}, "info": {"id": "dnrti_test_000361", "source": "dnrti_test"}} +{"text": "FormBook is a browser form stealer/keylogger that is under active development .", "spans": {"TOOL: FormBook": [[0, 8]], "TOOL: stealer/keylogger": [[27, 44]]}, "info": {"id": "dnrti_test_000362", "source": "dnrti_test"}} +{"text": "While Canada-targeted threats are not new , Emotet in particular , with its frequent region-specific email campaigns , is bringing new attention to geo-targeting in Canada and beyond .", "spans": {"TOOL: Emotet": [[44, 50]]}, "info": {"id": "dnrti_test_000363", "source": "dnrti_test"}} +{"text": "First observed in mid-2014 , this malware shared code with the Bugat ( aka Feodo ) banking Trojan .", "spans": {"MALWARE: Bugat": [[63, 68]], "TOOL: banking Trojan": [[83, 97]]}, "info": {"id": "dnrti_test_000364", "source": "dnrti_test"}} +{"text": "MUMMY SPIDER is a criminal entity linked to the core development of the malware most 
commonly known as Emotet or Geodo .", "spans": {"THREAT_ACTOR: MUMMY SPIDER": [[0, 12]], "TOOL: Emotet": [[103, 109]], "TOOL: Geodo": [[113, 118]]}, "info": {"id": "dnrti_test_000365", "source": "dnrti_test"}} +{"text": "After a 10 month hiatus , MUMMY SPIDER returned Emotet to operation in December 2016 but the latest variant is not deploying a banking Trojan module with web injects , it is currently acting as a ' loader ' delivering other malware packages .", "spans": {"THREAT_ACTOR: MUMMY SPIDER": [[26, 38]], "TOOL: Emotet": [[48, 54]], "TOOL: banking Trojan": [[127, 141]]}, "info": {"id": "dnrti_test_000366", "source": "dnrti_test"}} +{"text": "The malware is also issuing commands to download and execute other malware families such as the banking Trojans Dridex and Qakbot .", "spans": {"TOOL: banking Trojans Dridex": [[96, 118]], "TOOL: Qakbot": [[123, 129]]}, "info": {"id": "dnrti_test_000367", "source": "dnrti_test"}} +{"text": "It seems that the main objective of the attackers was information gathering from the infected computers .", "spans": {}, "info": {"id": "dnrti_test_000368", "source": "dnrti_test"}} +{"text": "For the TeamViewer-based activities , we have traces in the past until September 2012 .", "spans": {}, "info": {"id": "dnrti_test_000369", "source": "dnrti_test"}} +{"text": "In the actual targeted attack detected by the Hungarian National Security Agency , TeamSpy used components of the TeamViewer tool combined with other malware modules .", "spans": {"TOOL: TeamViewer tool": [[114, 129]], "TOOL: malware modules": [[150, 165]]}, "info": {"id": "dnrti_test_000370", "source": "dnrti_test"}} +{"text": "In the actual targeted attack detected by the Hungarian National Security Agency , they used components of the TeamViewer tool combined with other malware modules .", "spans": {"TOOL: TeamViewer tool": [[111, 126]], "TOOL: malware modules": [[147, 162]]}, "info": {"id": "dnrti_test_000371", "source": "dnrti_test"}} +{"text": "TeamViewer has also 
been used in the \" Sheldor \" attack campaign , which was detected between 2010 and 2011 , and which resulted in assets stolen at the value of $600k and $832k .", "spans": {"TOOL: TeamViewer": [[0, 10]]}, "info": {"id": "dnrti_test_000372", "source": "dnrti_test"}} +{"text": "This match shows a direct relationship between Sheldor and TeamSpy , although we do not known if the connection is only at the tool level or at the operation level too .", "spans": {}, "info": {"id": "dnrti_test_000373", "source": "dnrti_test"}} +{"text": "Microsoft Threat Intelligence refers to the activity group behind these attacks as TERBIUM , following our internal practice of assigning rogue actors chemical element names .", "spans": {"ORGANIZATION: Microsoft Threat Intelligence": [[0, 29]], "THREAT_ACTOR: TERBIUM": [[83, 90]]}, "info": {"id": "dnrti_test_000374", "source": "dnrti_test"}} +{"text": "From the samples we collected , we can conclude that the same threat actor produced many individual malware modules during the last ten years .", "spans": {"TOOL: malware modules": [[100, 115]]}, "info": {"id": "dnrti_test_000375", "source": "dnrti_test"}} +{"text": "Once TERBIUM has a foothold in the organization , its infection chain starts by writing an executable file to disk that contains all the components required to carry out the data-wiping operation .", "spans": {"THREAT_ACTOR: TERBIUM": [[5, 12]]}, "info": {"id": "dnrti_test_000376", "source": "dnrti_test"}} +{"text": "Microsoft Threat Intelligence has observed that the malware used by TERBIUM , dubbed \" Depriz \" by Microsoft , reuses several components and techniques seen in the 2012 attacks , and has been highly customized for each targeted organization .", "spans": {"ORGANIZATION: Microsoft Threat Intelligence": [[0, 29]], "THREAT_ACTOR: TERBIUM": [[68, 75]], "THREAT_ACTOR: Depriz": [[87, 93]], "ORGANIZATION: Microsoft": [[99, 108]]}, "info": {"id": "dnrti_test_000377", "source": "dnrti_test"}} +{"text": "Note : TERBIUM 
establishes a foothold throughout the organization and does not proceed with the destructive wiping operation until a specific date/time : November 17 , 2016 at 8:45 p.m .", "spans": {"THREAT_ACTOR: TERBIUM": [[7, 14]]}, "info": {"id": "dnrti_test_000378", "source": "dnrti_test"}} +{"text": "Transparent Tribe has been active for several years and conducting suspected intelligence collection operations against South Asian political and military targets .", "spans": {}, "info": {"id": "dnrti_test_000379", "source": "dnrti_test"}} +{"text": "We initially reported on this threat group and their UPDATESEE malware in our FireEye Intelligence Center in February 2016 .", "spans": {"TOOL: UPDATESEE malware": [[53, 70]], "ORGANIZATION: FireEye Intelligence": [[78, 98]]}, "info": {"id": "dnrti_test_000380", "source": "dnrti_test"}} +{"text": "We initially reported on Transparent Tribe and their UPDATESEE malware in our FireEye Intelligence Center in February 2016 .", "spans": {"TOOL: UPDATESEE malware": [[53, 70]], "ORGANIZATION: FireEye Intelligence": [[78, 98]]}, "info": {"id": "dnrti_test_000381", "source": "dnrti_test"}} +{"text": "In all emails sent to these government officials , the actor used the same attachment : a malicious Microsoft Word document that exploited the CVE-2012-0158 vulnerability to drop a malicious payload .", "spans": {"ORGANIZATION: government officials": [[28, 48]], "MALWARE: malicious Microsoft Word document": [[90, 123]], "VULNERABILITY: CVE-2012-0158": [[143, 156]]}, "info": {"id": "dnrti_test_000382", "source": "dnrti_test"}} +{"text": "In this latest incident , the group registered a fake news domain , timesofindiaa.in , on May 18 , 2016 , and then used it to send spear phishing emails to Indian government officials on the same day .", "spans": {"ORGANIZATION: government officials": [[163, 183]]}, "info": {"id": "dnrti_test_000383", "source": "dnrti_test"}} +{"text": "Despite being an older vulnerability , many threat actors continue to 
leverage CVE-2012-0158 to exploit Microsoft Word .", "spans": {"VULNERABILITY: CVE-2012-0158": [[79, 92]], "MALWARE: Microsoft Word": [[104, 118]]}, "info": {"id": "dnrti_test_000384", "source": "dnrti_test"}} +{"text": "In previous incidents involving this threat actor , we observed them using malicious documents hosted on websites about the Indian Army , instead of sending these documents directly as an email attachment .", "spans": {}, "info": {"id": "dnrti_test_000385", "source": "dnrti_test"}} +{"text": "In this latest incident , Transparent Tribe registered a fake news domain , timesofindiaa.in , on May 18 , 2016 , and then used it to send spear phishing emails to Indian government officials on the same day .", "spans": {"ORGANIZATION: government officials": [[171, 191]]}, "info": {"id": "dnrti_test_000386", "source": "dnrti_test"}} +{"text": "This exploit file made use of the same shellcode that we have observed Transparent Tribe use across a number of spear phishing incidents .", "spans": {}, "info": {"id": "dnrti_test_000387", "source": "dnrti_test"}} +{"text": "The first time this happened was at the beginning of the month , when Proofpoint researchers blew the lid off a cyber-espionage campaign named Operation Transparent Tribe , which targeted the Indian embassies in Saudi Arabia and Kazakhstan .", "spans": {"ORGANIZATION: Proofpoint": [[70, 80]], "ORGANIZATION: embassies": [[199, 208]]}, "info": {"id": "dnrti_test_000388", "source": "dnrti_test"}} +{"text": "Back in February 2016 , Indian army officials issued a warning against the usage of three apps , WeChat , SmeshApp , and Line , fearing that these apps collected too much information if installed on smartphones used by Indian army personnel .", "spans": {"ORGANIZATION: army officials": [[31, 45]], "TOOL: WeChat": [[97, 103]], "TOOL: SmeshApp": [[106, 114]], "TOOL: Line": [[121, 125]], "ORGANIZATION: army personnel": [[226, 240]]}, "info": {"id": "dnrti_test_000389", "source": "dnrti_test"}} 
+{"text": "The May 2018 adversary spotlight is on MYTHIC LEOPARD , a Pakistan-based adversary with operations likely located in Karachi .", "spans": {"THREAT_ACTOR: MYTHIC LEOPARD": [[39, 53]]}, "info": {"id": "dnrti_test_000390", "source": "dnrti_test"}} +{"text": "According to the security firm , this campaign targeted Indian military officials via spear-phishing emails , distributing spyware to its victims via an Adobe Reader vulnerability .", "spans": {"ORGANIZATION: security firm": [[17, 30]], "ORGANIZATION: military officials": [[63, 81]], "VULNERABILITY: Adobe Reader vulnerability": [[153, 179]]}, "info": {"id": "dnrti_test_000391", "source": "dnrti_test"}} +{"text": "The CrowdStrike Falcon Intelligence™ team 's tracking of MYTHIC LEOPARD began in late 2016 , when evidence of an attack surfaced against a victim based in India and working in the hospitality sector .", "spans": {"ORGANIZATION: CrowdStrike Falcon Intelligence™": [[4, 36]], "ORGANIZATION: hospitality sector": [[180, 198]]}, "info": {"id": "dnrti_test_000392", "source": "dnrti_test"}} +{"text": "Two binder tools — used to disguise custom executables as legitimate Microsoft implants — were discovered by Falcon Intelligence and linked to MYTHIC LEOPARD in July 2017 .", "spans": {"ORGANIZATION: Microsoft": [[69, 78]], "ORGANIZATION: Falcon Intelligence": [[109, 128]], "THREAT_ACTOR: MYTHIC LEOPARD": [[143, 157]]}, "info": {"id": "dnrti_test_000393", "source": "dnrti_test"}} +{"text": "Falcon Intelligence has observed MYTHIC LEOPARD using this technique for several years to install multiple first-stage implants and downloaders , including the isqlmanager and Waizsar RAT malware families .", "spans": {"ORGANIZATION: Falcon Intelligence": [[0, 19]], "THREAT_ACTOR: MYTHIC LEOPARD": [[33, 47]], "TOOL: isqlmanager": [[160, 171]], "TOOL: Waizsar RAT malware families": [[176, 204]]}, "info": {"id": "dnrti_test_000394", "source": "dnrti_test"}} +{"text": "Patchwork also uses the Delphi file stealer as a 
similarity with Urpage , which suggests the three groups are somehow related .", "spans": {"THREAT_ACTOR: Patchwork": [[0, 9]]}, "info": {"id": "dnrti_test_000395", "source": "dnrti_test"}} +{"text": "Patchwork has also recently employed Android malware in its attacks , with its use of a customized version of AndroRAT .", "spans": {"THREAT_ACTOR: Patchwork": [[0, 9]], "TOOL: Android malware": [[37, 52]], "TOOL: AndroRAT": [[110, 118]]}, "info": {"id": "dnrti_test_000396", "source": "dnrti_test"}} +{"text": "Trend Micro 's Mobile App Reputation Service ( MARS ) covers Android and iOS threats using leading sandbox and machine learning technologies .", "spans": {"ORGANIZATION: Trend Micro": [[0, 11]], "TOOL: leading sandbox": [[91, 106]], "TOOL: machine learning technologies": [[111, 140]]}, "info": {"id": "dnrti_test_000397", "source": "dnrti_test"}} +{"text": "Symantec researchers have discovered that this attack group , which we call Whitefly , has been operating since at least 2017 , has targeted organizations based mostly in Singapore across a wide variety of sectors , and is primarily interested in stealing large amounts of sensitive information .", "spans": {"ORGANIZATION: Symantec": [[0, 8]], "THREAT_ACTOR: Whitefly": [[76, 84]]}, "info": {"id": "dnrti_test_000398", "source": "dnrti_test"}} +{"text": "Whitefly compromises its victims using custom malware alongside open-source hacking tools and living off the land tactics , such as malicious PowerShell scripts .", "spans": {"THREAT_ACTOR: Whitefly": [[0, 8]], "TOOL: PowerShell scripts": [[142, 160]]}, "info": {"id": "dnrti_test_000399", "source": "dnrti_test"}} +{"text": "From mid-2017 to mid-2018 , Whitefly launched targeted attacks against multiple organizations .", "spans": {"THREAT_ACTOR: Whitefly": [[28, 36]]}, "info": {"id": "dnrti_test_000400", "source": "dnrti_test"}} +{"text": "While most of these organizations were based in Singapore , some were multinational organizations with a presence in Singapore 
.", "spans": {}, "info": {"id": "dnrti_test_000401", "source": "dnrti_test"}} +{"text": "To date , Whitefly has attacked organizations in the healthcare , media , telecommunications , and engineering sectors .", "spans": {"THREAT_ACTOR: Whitefly": [[10, 18]], "ORGANIZATION: engineering sectors": [[99, 118]]}, "info": {"id": "dnrti_test_000402", "source": "dnrti_test"}} +{"text": "Whitefly first infects its victims using a dropper in the form of a malicious.exe or .dll file that is disguised as a document or image .", "spans": {"THREAT_ACTOR: Whitefly": [[0, 8]], "TOOL: dropper": [[43, 50]], "MALWARE: malicious.exe": [[68, 81]], "MALWARE: .dll file": [[85, 94]]}, "info": {"id": "dnrti_test_000403", "source": "dnrti_test"}} +{"text": "If opened , the dropper runs a loader known as Trojan.Vcrodat on the computer .", "spans": {"TOOL: dropper": [[16, 23]], "TOOL: Trojan.Vcrodat": [[47, 61]]}, "info": {"id": "dnrti_test_000404", "source": "dnrti_test"}} +{"text": "Whitefly has consistently used a technique known as search order hijacking to run Vcrodat .", "spans": {"THREAT_ACTOR: Whitefly": [[0, 8]], "TOOL: search order hijacking": [[52, 74]], "TOOL: Vcrodat": [[82, 89]]}, "info": {"id": "dnrti_test_000405", "source": "dnrti_test"}} +{"text": "Once executed , Vcrodat loads an encrypted payload on to the victim 's computer .", "spans": {"TOOL: Vcrodat": [[16, 23]]}, "info": {"id": "dnrti_test_000406", "source": "dnrti_test"}} +{"text": "Whitefly rely heavily on tools such as Mimikatz to obtain credentials .", "spans": {"THREAT_ACTOR: Whitefly": [[0, 8]], "TOOL: Mimikatz": [[39, 47]]}, "info": {"id": "dnrti_test_000407", "source": "dnrti_test"}} +{"text": "Using these credentials , the attackers are able to compromise more machines on the network and , from those machines , again obtain more credentials .", "spans": {"TOOL: credentials": [[12, 23]]}, "info": {"id": "dnrti_test_000408", "source": "dnrti_test"}} +{"text": "Whitefly usually attempts to remain within a 
targeted organization for long periods of time—often months—in order to steal large volumes of information .", "spans": {"THREAT_ACTOR: Whitefly": [[0, 8]]}, "info": {"id": "dnrti_test_000409", "source": "dnrti_test"}} +{"text": "In order to carry out this operation , it uses publicly available tools , including Mimikatz ( Hacktool.Mimikatz ) and an open-source tool that exploits a known Windows privilege escalation vulnerability ( CVE-2016-0051 ) on unpatched computers .", "spans": {"TOOL: publicly available tools": [[47, 71]], "TOOL: Mimikatz": [[84, 92]], "TOOL: Hacktool.Mimikatz": [[95, 112]], "VULNERABILITY: CVE-2016-0051": [[206, 219]]}, "info": {"id": "dnrti_test_000410", "source": "dnrti_test"}} +{"text": "Like Vcrodat , Nibatad is also a loader that leverages search order hijacking , and downloads an encrypted payload to the infected computer .", "spans": {"TOOL: Vcrodat": [[5, 12]], "TOOL: Nibatad": [[15, 22]]}, "info": {"id": "dnrti_test_000411", "source": "dnrti_test"}} +{"text": "Why Whitefly uses these two different loaders in some of its attacks remains unknown .", "spans": {"THREAT_ACTOR: Whitefly": [[4, 12]], "TOOL: loaders": [[38, 45]]}, "info": {"id": "dnrti_test_000412", "source": "dnrti_test"}} +{"text": "While Vcrodat is delivered via the malicious dropper , we have yet to discover how Nibatad is delivered to the infected computer .", "spans": {"TOOL: Vcrodat": [[6, 13]], "TOOL: dropper": [[45, 52]], "TOOL: Nibatad": [[83, 90]]}, "info": {"id": "dnrti_test_000413", "source": "dnrti_test"}} +{"text": "Between May 2017 and December 2018 , a multi-purpose command tool that has been used by Whitefly was also used in attacks against defense , telecoms , and energy targets in Southeast Asia and Russia .", "spans": {"THREAT_ACTOR: Whitefly": [[88, 96]]}, "info": {"id": "dnrti_test_000414", "source": "dnrti_test"}} +{"text": "In another case , Vcrodat was also used in an attack on a UK-based organization in the hospitality sector .", "spans": {"TOOL: 
Vcrodat": [[18, 25]], "ORGANIZATION: hospitality sector": [[87, 105]]}, "info": {"id": "dnrti_test_000415", "source": "dnrti_test"}} +{"text": "Whitefly is a highly adept group with a large arsenal of tools at its disposal , capable of penetrating targeted organizations and maintaining a long-term presence on their networks .", "spans": {"THREAT_ACTOR: Whitefly": [[0, 8]]}, "info": {"id": "dnrti_test_000416", "source": "dnrti_test"}} +{"text": "WICKED PANDA has also targeted chemical and think tank sectors around the world .", "spans": {"ORGANIZATION: think tank": [[44, 54]]}, "info": {"id": "dnrti_test_000417", "source": "dnrti_test"}} +{"text": "The WICKED PANDA adversary makes use of a number of open-source and custom tools to infect and move laterally in victim networks .", "spans": {"THREAT_ACTOR: WICKED PANDA": [[4, 16]], "TOOL: custom tools": [[68, 80]]}, "info": {"id": "dnrti_test_000418", "source": "dnrti_test"}} +{"text": "WICKED PANDA refers to the targeted intrusion operations of the actor publicly known as \" Winnti \" , whereas WICKED SPIDER represents this group 's financially-motivated criminal activity .", "spans": {"THREAT_ACTOR: WICKED PANDA": [[0, 12]], "THREAT_ACTOR: WICKED SPIDER": [[109, 122]]}, "info": {"id": "dnrti_test_000419", "source": "dnrti_test"}} +{"text": "WICKED SPIDER has been observed targeting technology companies in Germany , Indonesia , the Russian Federation , South Korea , Sweden , Thailand , Turkey , the United States , and elsewhere .", "spans": {"THREAT_ACTOR: WICKED SPIDER": [[0, 13]], "ORGANIZATION: technology companies": [[42, 62]]}, "info": {"id": "dnrti_test_000420", "source": "dnrti_test"}} +{"text": "Subsequently , two additional articles ( here and here ) were released by Objective-See which provide an analysis of some validated WINDSHIFT samples targeting OSX systems .", "spans": {"ORGANIZATION: Objective-See": [[74, 87]], "TOOL: WINDSHIFT samples": [[132, 149]]}, "info": {"id": "dnrti_test_000421", "source": 
"dnrti_test"}} +{"text": "Pivoting on specific file attributes and infrastructure indicators , Unit 42 was able to identify and correlate additional attacker activity and can now provide specific details on a targeted WINDSHIFT attack as it unfolded at a Middle Eastern government agency .", "spans": {"ORGANIZATION: Unit 42": [[69, 76]], "ORGANIZATION: government agency": [[244, 261]]}, "info": {"id": "dnrti_test_000422", "source": "dnrti_test"}} +{"text": "The following is a summary of observed WINDSHIFT activity which targeted a Middle Eastern government agency .", "spans": {"ORGANIZATION: government agency": [[90, 107]]}, "info": {"id": "dnrti_test_000423", "source": "dnrti_test"}} +{"text": "The WIZARD SPIDER threat group is the Russia-based operator of the TrickBot banking malware .", "spans": {"THREAT_ACTOR: WIZARD SPIDER threat group": [[4, 30]], "TOOL: TrickBot banking malware": [[67, 91]]}, "info": {"id": "dnrti_test_000424", "source": "dnrti_test"}} +{"text": "Whitefly configures multiple C&C domains for each target .", "spans": {"THREAT_ACTOR: Whitefly": [[0, 8]]}, "info": {"id": "dnrti_test_000425", "source": "dnrti_test"}} +{"text": "In some attacks , Whitefly has used a second piece of custom malware , Trojan.Nibatad .", "spans": {"TOOL: Trojan.Nibatad": [[71, 85]]}, "info": {"id": "dnrti_test_000426", "source": "dnrti_test"}} +{"text": "LUNAR SPIDER had already introduced BokBot to the criminal market at the time Neverquest operations ceased , suggesting that the malware change may have been planned .", "spans": {"THREAT_ACTOR: LUNAR SPIDER": [[0, 12]], "TOOL: BokBot": [[36, 42]]}, "info": {"id": "dnrti_test_000427", "source": "dnrti_test"}} +{"text": "Its origins can be traced back to the Storm Worm , a botnet that emerged in 2007 and was one of the earliest criminal malware infrastructures to leverage peer-to-peer technology .", "spans": {}, "info": {"id": "dnrti_test_000428", "source": "dnrti_test"}} +{"text": "After the demise of Storm , it was 
replaced by another new botnet known as Waledac that also leveraged peer-to-peer communications .", "spans": {"TOOL: Waledac": [[75, 82]]}, "info": {"id": "dnrti_test_000429", "source": "dnrti_test"}} +{"text": "Although BokBot has aided the distribution of TrickBot since 2017 , the development of custom TrickBot modules for the specific campaign has not been observed before .", "spans": {"TOOL: BokBot": [[9, 15]], "TOOL: TrickBot": [[46, 54]], "TOOL: TrickBot modules": [[94, 110]]}, "info": {"id": "dnrti_test_000430", "source": "dnrti_test"}} +{"text": "Kelihos , like many others , implemented a sophisticated spam engine that automatically constructs spam messages from templates and additional inputs to avoid any patterns that can be used in filters .", "spans": {"TOOL: Kelihos": [[0, 7]]}, "info": {"id": "dnrti_test_000431", "source": "dnrti_test"}} +{"text": "A second attack that targeted the host 154.46.32.129 started on March 14 , 2017 at 14:44:42 GMT .", "spans": {}, "info": {"id": "dnrti_test_000432", "source": "dnrti_test"}} +{"text": "As shown within the timeline above , the WINDSHIFT activity observed by Unit 42 falls between January and May of 2018 .", "spans": {"ORGANIZATION: Unit 42": [[72, 79]]}, "info": {"id": "dnrti_test_000433", "source": "dnrti_test"}} +{"text": "With the Kelihos spam botnet no longer in operation and Levashov behind bars , multiple criminal operators turned to different spam botnets to distribute their crimeware .", "spans": {"TOOL: Kelihos spam botnet": [[9, 28]]}, "info": {"id": "dnrti_test_000434", "source": "dnrti_test"}} +{"text": "CraP2P has frequently been used to distribute other malware such as Locky and Dridex , but also supported large scale spam campaigns for dating advertisement and pump-and-dump scams after the demise of Kelihos .", "spans": {"MALWARE: CraP2P": [[0, 6]], "TOOL: Locky": [[68, 73]], "TOOL: Dridex": [[78, 84]]}, "info": {"id": "dnrti_test_000435", "source": "dnrti_test"}} +{"text": "The first attack 
occurred in early January of 2018 with an inbound WINDTAIL sample ( the backdoor family used by WINDSHIFT ) originating from the remote IP address 109.235.51.110 to a single internal IP address within the government agency .", "spans": {"TOOL: WINDTAIL sample": [[67, 82]], "TOOL: WINDSHIFT": [[113, 122]], "ORGANIZATION: government agency": [[222, 239]]}, "info": {"id": "dnrti_test_000436", "source": "dnrti_test"}} +{"text": "Unit 42 assesses with high confidence that both the IP address 185.25.50.189 and the domain domforworld.com is associated with WINDSHIFT activity .", "spans": {"ORGANIZATION: Unit 42": [[0, 7]]}, "info": {"id": "dnrti_test_000437", "source": "dnrti_test"}} +{"text": "The CrowdStrike Falcon Intelligence team , which had been tracking Levashov as the adversary called ZOMBIE SPIDER , was able to help law enforcement seize control of the Kelihos botnet so that it could no longer be used by criminal actors .", "spans": {"ORGANIZATION: CrowdStrike Falcon Intelligence": [[4, 35]], "THREAT_ACTOR: ZOMBIE SPIDER": [[100, 113]]}, "info": {"id": "dnrti_test_000438", "source": "dnrti_test"}} +{"text": "Over the past few years , Animal Farm has targeted a wide range of global organizations .", "spans": {"THREAT_ACTOR: Animal Farm": [[26, 37]]}, "info": {"id": "dnrti_test_000439", "source": "dnrti_test"}} +{"text": "The group has been active since at least 2009 and there are signs that earlier malware versions were developed as far back as 2007 .", "spans": {}, "info": {"id": "dnrti_test_000440", "source": "dnrti_test"}} +{"text": "Over the years Kaspersky is tracked multiple campaigns by the Animal Farm group .", "spans": {"ORGANIZATION: Kaspersky": [[15, 24]], "THREAT_ACTOR: Animal Farm group": [[62, 79]]}, "info": {"id": "dnrti_test_000441", "source": "dnrti_test"}} +{"text": "Most recently , Animal Farm deployed the Casper Trojan via a watering-hole attack in Syria .", "spans": {"THREAT_ACTOR: Animal Farm": [[16, 27]], "TOOL: Casper Trojan": [[41, 54]]}, 
"info": {"id": "dnrti_test_000442", "source": "dnrti_test"}} +{"text": "A full description of this zero-day attack can be found in this blog post by Kaspersky Lab 's Vyacheslav Zakorzhevsky .", "spans": {"ORGANIZATION: Kaspersky Lab": [[77, 90]]}, "info": {"id": "dnrti_test_000443", "source": "dnrti_test"}} +{"text": "In addition to these , the Animal Farm attackers used at least one unknown , mysterious malware during an operation targeting computer users in Burkina Faso .", "spans": {"ORGANIZATION: users": [[135, 140]]}, "info": {"id": "dnrti_test_000444", "source": "dnrti_test"}} +{"text": "The malware known as Tafacalou ( aka \" TFC \" , \" Transporter \" ) is perhaps of greatest interest here , because it acts as an entry point for the more sophisticated spy platforms Babar and Dino .", "spans": {"TOOL: Tafacalou": [[21, 30]], "TOOL: TFC": [[39, 42]], "TOOL: Transporter": [[49, 60]], "TOOL: Babar": [[179, 184]], "TOOL: Dino": [[189, 193]]}, "info": {"id": "dnrti_test_000445", "source": "dnrti_test"}} +{"text": "Based on the Tafacalou infection logs , we observed that most of the victims are in the following countries : Syria , Iran , Malaysia , USA , China , Turkey , Netherlands , Germany , Great Britain , Russia , Sweden , Austria , Algeria , Israel , Iraq , Morocco , New Zealand , Ukraine .", "spans": {"TOOL: Tafacalou": [[13, 22]]}, "info": {"id": "dnrti_test_000446", "source": "dnrti_test"}} +{"text": "In 2013 , both COSEINC and FireEye revealed attacks using Bisonal against Japanese organizations .", "spans": {"ORGANIZATION: COSEINC": [[15, 22]], "ORGANIZATION: FireEye": [[27, 34]], "TOOL: Bisonal": [[58, 65]]}, "info": {"id": "dnrti_test_000447", "source": "dnrti_test"}} +{"text": "In October 2017 , AhnLab published a report called \" Operation Bitter Biscuit \" , an attack campaign against South Korea , Japan , India and Russia using Bisonal and its successors , Bioazih and Dexbia .", "spans": {"ORGANIZATION: AhnLab": [[18, 24]], "TOOL: Bisonal": [[154, 
161]], "TOOL: Bioazih": [[183, 190]], "TOOL: Dexbia": [[195, 201]]}, "info": {"id": "dnrti_test_000448", "source": "dnrti_test"}} +{"text": "We observed all these characteristics in the Bisonal 's attacks against both Russia and South Korea .", "spans": {"TOOL: Bisonal": [[45, 52]]}, "info": {"id": "dnrti_test_000449", "source": "dnrti_test"}} +{"text": "The biggest number of Orangeworm 's victims are located in the U.S. , accounting for 17 percent of the infection rate by region .", "spans": {}, "info": {"id": "dnrti_test_000451", "source": "dnrti_test"}} +{"text": "In the campaign that targeted Japan , Philippines , and Argentina on June 20 , we found what seems to be a new , undisclosed malware , which we named Gelup .", "spans": {"MALWARE: Gelup": [[150, 155]]}, "info": {"id": "dnrti_test_000452", "source": "dnrti_test"}} +{"text": "Also , some code pieces are directly re-used in the analyzed campaigns , such as the i.cmd” and exit.exe” files , and , at the same time , some new components have been introduced , for instance the rtegre.exe” and the veter1605_MAPS_10cr0.exe” file .", "spans": {"MALWARE: i.cmd”": [[85, 91]], "MALWARE: exit.exe”": [[96, 105]], "MALWARE: rtegre.exe”": [[199, 210]], "MALWARE: veter1605_MAPS_10cr0.exe”": [[219, 244]]}, "info": {"id": "dnrti_test_000453", "source": "dnrti_test"}} +{"text": "Neptun is installed on Microsoft Exchange servers and is designed to passively listen for commands from the attackers .", "spans": {"MALWARE: Neptun": [[0, 6]], "THREAT_ACTOR: attackers": [[108, 117]]}, "info": {"id": "dnrti_test_000454", "source": "dnrti_test"}} +{"text": "The malware then uses WebDAV to upload the RAR archive to a Box account .", "spans": {"MALWARE: malware": [[4, 11]], "TOOL: WebDAV": [[22, 28]], "MALWARE: RAR archive": [[43, 54]]}, "info": {"id": "dnrti_test_000455", "source": "dnrti_test"}} +{"text": "The PowerShell script will look at the architecture of the system to check which malicious DLL files should be downloaded .", 
"spans": {"TOOL: PowerShell script": [[4, 21]], "MALWARE: malicious DLL files": [[81, 100]]}, "info": {"id": "dnrti_test_000456", "source": "dnrti_test"}} +{"text": "McAfee Advanced Threat research determines with confidence that Lazarus is the threat group behind this attack for the following reasons:Contacts an IP address / domain that was used to host a malicious document from a Lazarus previous campaign in 2017 .", "spans": {"ORGANIZATION: McAfee": [[0, 6]], "THREAT_ACTOR: Lazarus": [[64, 71], [219, 226]], "MALWARE: malicious document": [[193, 211]]}, "info": {"id": "dnrti_test_000457", "source": "dnrti_test"}} +{"text": "According to security 360 Threat Intelligence Center , Goldmouse was observed deploying the nebulous njRAT backdoor .", "spans": {"ORGANIZATION: 360 Threat Intelligence Center": [[22, 52]], "MALWARE: njRAT backdoor": [[101, 115]]}, "info": {"id": "dnrti_test_000458", "source": "dnrti_test"}} +{"text": "Additionally Kaspersky identified a new backdoor that we attribute with medium confidence to Turla .", "spans": {"ORGANIZATION: Kaspersky": [[13, 22]], "MALWARE: backdoor": [[40, 48]], "THREAT_ACTOR: Turla": [[93, 98]]}, "info": {"id": "dnrti_test_000459", "source": "dnrti_test"}} +{"text": "Trend Micro also reported MuddyWater’s use of a new multi-stage PowerShell-based backdoor called POWERSTATS v3 .", "spans": {"ORGANIZATION: Trend Micro": [[0, 11]], "THREAT_ACTOR: MuddyWater’s": [[26, 38]], "MALWARE: POWERSTATS v3": [[97, 110]]}, "info": {"id": "dnrti_test_000460", "source": "dnrti_test"}} +{"text": "ESET recently analyzed a new Mac OS sample from the OceanLotus group that had been uploaded to VirusTotal .", "spans": {"ORGANIZATION: ESET": [[0, 4]], "MALWARE: sample": [[36, 42]], "THREAT_ACTOR: OceanLotus": [[52, 62]]}, "info": {"id": "dnrti_test_000461", "source": "dnrti_test"}} +{"text": "Each of the spear phishing attacks contained links to .doc files , which were really RTF documents that attempt to exploit CVE-2017-8570 ( Composite 
Moniker ) .", "spans": {"TOOL: .doc files": [[54, 64]], "MALWARE: RTF documents": [[85, 98]], "VULNERABILITY: CVE-2017-8570": [[123, 136]], "VULNERABILITY: Composite": [[139, 148]], "VULNERABILITY: Moniker": [[149, 156]]}, "info": {"id": "dnrti_test_000462", "source": "dnrti_test"}} +{"text": "At this point , the attackers know the user has opened the document and send another spear-phishing email , this time containing an MS Word document with an embedded executable .", "spans": {"THREAT_ACTOR: attackers": [[20, 29]], "MALWARE: MS Word document": [[132, 148]]}, "info": {"id": "dnrti_test_000463", "source": "dnrti_test"}} +{"text": "The Word document usually exploits CVE-2012-0158 .", "spans": {"MALWARE: Word document": [[4, 17]], "VULNERABILITY: CVE-2012-0158": [[35, 48]]}, "info": {"id": "dnrti_test_000464", "source": "dnrti_test"}} +{"text": "Sometimes the attackers send an MS PowerPoint document instead , which exploits CVE-2014-6352 .", "spans": {"THREAT_ACTOR: attackers": [[14, 23]], "MALWARE: MS PowerPoint document": [[32, 54]], "VULNERABILITY: CVE-2014-6352": [[80, 93]]}, "info": {"id": "dnrti_test_000465", "source": "dnrti_test"}} +{"text": "Sometimes Patchwork send an MS PowerPoint document instead , which exploits CVE-2014-6352 .", "spans": {"THREAT_ACTOR: Patchwork": [[10, 19]], "MALWARE: MS PowerPoint document": [[28, 50]], "VULNERABILITY: CVE-2014-6352": [[76, 89]]}, "info": {"id": "dnrti_test_000466", "source": "dnrti_test"}} +{"text": "The malicious documents seen in recent activity refer to a number of topics , including recent military promotions within the Pakistan Army , information related to the Pakistan Atomic Energy Commission , as well as Pakistan 's Ministry of the Interior .", "spans": {"MALWARE: malicious documents": [[4, 23]]}, "info": {"id": "dnrti_test_000467", "source": "dnrti_test"}} +{"text": "The malicious documents that Unit 42 examined contained legitimate decoy lures as well as malicious embedded EPS files targeting the 
CVE-2015-2545 and CVE-2017-0261 vulnerabilities .", "spans": {"ORGANIZATION: Unit 42": [[29, 36]], "MALWARE: EPS files": [[109, 118]], "VULNERABILITY: CVE-2015-2545": [[133, 146]], "VULNERABILITY: CVE-2017-0261": [[151, 164]]}, "info": {"id": "dnrti_test_000468", "source": "dnrti_test"}} +{"text": "One of the favorite methods used by the Pitty Tiger group to infect users is to use a Microsoft Office Word document which exploits a specific vulnerability ( CVE-2012-0158 ) .", "spans": {"THREAT_ACTOR: Pitty Tiger group": [[40, 57]], "MALWARE: Microsoft Office Word document": [[86, 116]], "VULNERABILITY: CVE-2012-0158": [[159, 172]]}, "info": {"id": "dnrti_test_000469", "source": "dnrti_test"}} +{"text": "This threat group uses a first-stage malware known as Backdoor.APT.Pgift ( aka Troj/ReRol.A ) , which is dropped via malicious documents and connects back to a C2 server .", "spans": {"THREAT_ACTOR: threat group": [[5, 17]], "MALWARE: Backdoor.APT.Pgift": [[54, 72]]}, "info": {"id": "dnrti_test_000470", "source": "dnrti_test"}} +{"text": "Backdoor.APT.PittyTiger1.3 ( aka CT RAT ) – This malware is likely used as a second-stage backdoor .", "spans": {"MALWARE: Backdoor.APT.PittyTiger1.3": [[0, 26]], "TOOL: CT RAT": [[33, 39]], "TOOL: second-stage backdoor": [[77, 98]]}, "info": {"id": "dnrti_test_000471", "source": "dnrti_test"}} +{"text": "We have observed the Enfal malware in use since 2011 and in conjunction with Backdoor.APT.Pgift as the payload of a malicious document used in spearphishing attacks .", "spans": {"TOOL: Enfal malware": [[21, 34]], "MALWARE: Backdoor.APT.Pgift": [[77, 95]]}, "info": {"id": "dnrti_test_000472", "source": "dnrti_test"}} +{"text": "The document , when opened , used an embedded ActiveX control to download a JavaScript file from a remote site that used a previously unknown vulnerability in some versions of Windows ( later designated CVE-2013-7331 ) to read information about the browser 's installed components .", "spans": {"TOOL: ActiveX 
control": [[46, 61]], "MALWARE: JavaScript file": [[76, 91]], "VULNERABILITY: CVE-2013-7331": [[203, 216]]}, "info": {"id": "dnrti_test_000473", "source": "dnrti_test"}} +{"text": "In one case from 2013 , the target was sent a malicious document through a spear phishing email message .", "spans": {"MALWARE: malicious document": [[46, 64]]}, "info": {"id": "dnrti_test_000474", "source": "dnrti_test"}} +{"text": "At a high level , hot patching can transparently apply patches to executables and DLLs in actively running processes , which does not happen with traditional methods of code injection such as CreateRemoteThread or WriteProcessMemory .", "spans": {"MALWARE: CreateRemoteThread": [[192, 210]], "MALWARE: WriteProcessMemory": [[214, 232]]}, "info": {"id": "dnrti_test_000475", "source": "dnrti_test"}} +{"text": "The new SOL protocol within the PLATINUM file-transfer tool makes use of the AMT Technology SDK 's Redirection Library API ( imrsdk.dll ) .", "spans": {"THREAT_ACTOR: PLATINUM": [[32, 40]], "TOOL: AMT Technology SDK": [[77, 95]], "TOOL: Redirection Library API": [[99, 122]], "MALWARE: imrsdk.dll": [[125, 135]]}, "info": {"id": "dnrti_test_000476", "source": "dnrti_test"}} +{"text": "The two executables related to Hermes are bitsran.exe and RSW7B37.tmp .", "spans": {"TOOL: Hermes": [[31, 37]], "MALWARE: bitsran.exe": [[42, 53]], "MALWARE: RSW7B37.tmp": [[58, 69]]}, "info": {"id": "dnrti_test_000477", "source": "dnrti_test"}} +{"text": "Proofpoint researchers have observed a well-known Russian-speaking APT actor usually referred to as Turla using a new .NET/MSIL dropper for an existing backdoor called JS/KopiLuwak .", "spans": {"ORGANIZATION: Proofpoint": [[0, 10]], "THREAT_ACTOR: Turla": [[100, 105]], "TOOL: dropper": [[128, 135]], "MALWARE: JS/KopiLuwak": [[168, 180]]}, "info": {"id": "dnrti_test_000478", "source": "dnrti_test"}} +{"text": "However , over the last nine campaigns since Trend Micro‘s June report , TA505 also started using .ISO image 
attachments as the point of entry , as well as a .NET downloader , a new style for macro delivery , a newer version of ServHelper , and a .DLL variant of FlawedAmmyy downloader .", "spans": {"ORGANIZATION: Trend Micro‘s": [[45, 58]], "THREAT_ACTOR: TA505": [[73, 78]], "TOOL: .NET downloader": [[158, 173]], "TOOL: ServHelper": [[228, 238]], "MALWARE: .DLL variant": [[247, 259]]}, "info": {"id": "dnrti_test_000479", "source": "dnrti_test"}} +{"text": "The first part of the campaign From Jan. 23 , 2018 , to Feb. 26 , 2018 used a macro-based document that dropped a VBS file and an INI file .", "spans": {"MALWARE: VBS file": [[114, 122]], "MALWARE: INI file": [[130, 138]]}, "info": {"id": "dnrti_test_000480", "source": "dnrti_test"}} +{"text": "The INI file contains the Base64 encoded PowerShell command , which will be decoded and executed by PowerShell using the command line generated by the VBS file on execution using WScript.exe .", "spans": {"MALWARE: INI file": [[4, 12]], "TOOL: PowerShell": [[100, 110]], "MALWARE: VBS file": [[151, 159]], "MALWARE: WScript.exe": [[179, 190]]}, "info": {"id": "dnrti_test_000481", "source": "dnrti_test"}} +{"text": "cmstp.exe system restart , cmstp.exe will be used to execute the SCT file indirectly through the INF file .", "spans": {"MALWARE: cmstp.exe": [[0, 9], [27, 36]], "MALWARE: SCT file": [[65, 73]], "MALWARE: INF file": [[97, 105]]}, "info": {"id": "dnrti_test_000482", "source": "dnrti_test"}} +{"text": "The following are the three files:Defender.sct – The malicious JavaScript based scriptlet file .", "spans": {"MALWARE: files:Defender.sct": [[28, 46]], "MALWARE: scriptlet": [[80, 89]], "MALWARE: file": [[90, 94]]}, "info": {"id": "dnrti_test_000483", "source": "dnrti_test"}} +{"text": "After all network derived IPs have been processed , the malware generates random IPs and uses the same combination of PingCastle and EternalBlue to spread to that host .", "spans": {"MALWARE: malware": [[56, 63]], "MALWARE: PingCastle": 
[[118, 128]], "MALWARE: EternalBlue": [[133, 144]]}, "info": {"id": "dnrti_test_000484", "source": "dnrti_test"}} +{"text": "The document files exploit at least three known vulnerabilities in Microsoft Office , which we discuss in the Infection Techniques section .", "spans": {"MALWARE: document files": [[4, 18]], "VULNERABILITY: vulnerabilities": [[48, 63]]}, "info": {"id": "dnrti_test_000485", "source": "dnrti_test"}} +{"text": "The malware may communicate with its command and control (C2) server over The Onion Router (Tor) network if configured to do so .", "spans": {"MALWARE: malware": [[4, 11]]}, "info": {"id": "dnrti_test_000486", "source": "dnrti_test"}} +{"text": "This file is decrypted and injected into an instance of InstallUtiil.exe , and functions as a Tor anonymizer .", "spans": {"MALWARE: InstallUtiil.exe": [[56, 72]], "MALWARE: Tor": [[94, 97]], "MALWARE: anonymizer": [[98, 108]]}, "info": {"id": "dnrti_test_000487", "source": "dnrti_test"}} +{"text": "Along with the executable , two binary files , inject.bin (malicious function code) and imain.bin (malicious control logic) , were deployed as the controller’s payload .", "spans": {"MALWARE: binary files": [[32, 44]], "MALWARE: imain.bin": [[88, 97]]}, "info": {"id": "dnrti_test_000488", "source": "dnrti_test"}} +{"text": "This isn’t a bad thing as it shows a natural grouping of nodes that could be a good candidate to group to help simplify the overall graph and make analysis easier .", "spans": {"MALWARE: it": [[26, 28]]}, "info": {"id": "dnrti_test_000489", "source": "dnrti_test"}} +{"text": "During our investigation into the activity , FireEye identified a direct overlap between BADRABBIT redirect sites and sites hosting a profiler we’ve been tracking as BACKSWING .", "spans": {"ORGANIZATION: FireEye": [[45, 52]], "MALWARE: BADRABBIT": [[89, 98]], "TOOL: BACKSWING": [[166, 175]]}, "info": {"id": "dnrti_test_000490", "source": "dnrti_test"}} +{"text": "Incident Background Beginning on Oct. 
24 at 08:00 UTC , FireEye detected and blocked attempts to infect multiple clients with a drive-by download masquerading as a Flash Update (install_flash_player.exe) that delivered a wormable variant of ransomware .", "spans": {"ORGANIZATION: FireEye": [[56, 63]], "MALWARE: (install_flash_player.exe)": [[177, 203]], "MALWARE: ransomware": [[241, 251]]}, "info": {"id": "dnrti_test_000491", "source": "dnrti_test"}} +{"text": "Figure 3: BACKSWING Version 2Version 1:FireEye observed the first version of BACKSWING in late 2016 on websites belonging to a Czech Republic hospitality organization in addition to a government website in Montenegro .", "spans": {"ORGANIZATION: 1:FireEye": [[37, 46]], "MALWARE: BACKSWING": [[77, 86]], "ORGANIZATION: hospitality organization": [[142, 166]], "ORGANIZATION: government": [[184, 194]]}, "info": {"id": "dnrti_test_000492", "source": "dnrti_test"}} +{"text": "While FireEye has not directly observed BACKSWING delivering BADRABBIT , BACKSWING was observed on multiple websites that were seen referring FireEye customers to 1dnscontrol.com , which hosted the BADRABBIT dropper .", "spans": {"ORGANIZATION: FireEye": [[6, 13], [142, 149]], "ORGANIZATION: BACKSWING": [[40, 49], [73, 82]], "MALWARE: BADRABBIT": [[61, 70]], "MALWARE: BADRABBIT dropper": [[198, 215]]}, "info": {"id": "dnrti_test_000493", "source": "dnrti_test"}} +{"text": "Harvested credentials provided by an embedded Mimikatz executable facilitate the infection of other systems on the network .", "spans": {"MALWARE: Mimikatz": [[46, 54]]}, "info": {"id": "dnrti_test_000494", "source": "dnrti_test"}} +{"text": "Like EternalPetya , infpub.dat determines if a specific file exists on the system and will exit if found .", "spans": {"MALWARE: infpub.dat": [[20, 30]], "MALWARE: specific file": [[47, 60]]}, "info": {"id": "dnrti_test_000495", "source": "dnrti_test"}} +{"text": "This entry was posted on Mon Dec 04 12:00 EST 2017 and filed under Code , Reverse Engineering , Nick Harbour , 
and Incident Response .", "spans": {"MALWARE: entry": [[5, 10]], "TOOL: Reverse Engineering": [[74, 93]], "TOOL: Nick Harbour": [[96, 108]]}, "info": {"id": "dnrti_test_000496", "source": "dnrti_test"}} +{"text": "This time , however , TA459 opportunistically used spear-phishing emails with a Microsoft Word attachment exploiting the recently patched CVE-2017-0199 to deploy the ZeroT Trojan , which in turn downloaded the PlugX Remote Access Trojan ( RAT ) .", "spans": {"MALWARE: Microsoft Word attachment": [[80, 105]], "VULNERABILITY: CVE-2017-0199": [[138, 151]], "TOOL: ZeroT Trojan": [[166, 178]], "TOOL: PlugX Remote Access Trojan": [[210, 236]], "TOOL: RAT": [[239, 242]]}, "info": {"id": "dnrti_test_000497", "source": "dnrti_test"}} +{"text": "This time , however , attackers opportunistically used spear-phishing emails with a Microsoft Word attachment exploiting the recently patched CVE-2017-0199 to deploy the ZeroT Trojan , which in turn downloaded the PlugX Remote Access Trojan ( RAT ) .", "spans": {"MALWARE: Microsoft Word attachment": [[84, 109]], "VULNERABILITY: CVE-2017-0199": [[142, 155]], "TOOL: ZeroT Trojan": [[170, 182]], "TOOL: PlugX Remote Access Trojan": [[214, 240]], "TOOL: RAT": [[243, 246]]}, "info": {"id": "dnrti_test_000498", "source": "dnrti_test"}} +{"text": "Data from the early part of this year shows that the Taidoor attackers rampantly used malicious.DOC files to exploit a Microsoft Common Controls vulnerability , CVE-2012-0158 .", "spans": {"MALWARE: malicious.DOC": [[86, 99]], "VULNERABILITY: Microsoft Common Controls vulnerability": [[119, 158]], "VULNERABILITY: CVE-2012-0158": [[161, 174]]}, "info": {"id": "dnrti_test_000499", "source": "dnrti_test"}} +{"text": "The documents attached to spear-phishing e-mails used in both attacks contain code that exploits CVE-2012-0158 , which despite its age remains one of the most common Microsoft Word vulnerabilities being exploited by multiple threat actors .", "spans": {"MALWARE: documents": [[4, 
13]], "VULNERABILITY: CVE-2012-0158": [[97, 110]], "VULNERABILITY: Microsoft Word vulnerabilities": [[166, 196]]}, "info": {"id": "dnrti_test_000500", "source": "dnrti_test"}} +{"text": "If the document was delivered with macros instead of exploits ( CVE-2012-0158 , CVE-2013-3906 or CVE-2014-1761 ) , then the document contained instructions for enabling macros .", "spans": {"MALWARE: document": [[7, 15]], "VULNERABILITY: CVE-2012-0158": [[64, 77]], "VULNERABILITY: CVE-2013-3906": [[80, 93]], "VULNERABILITY: CVE-2014-1761": [[97, 110]]}, "info": {"id": "dnrti_test_000501", "source": "dnrti_test"}} +{"text": "Lately , Patchwork has been sending multiple RTF files exploiting CVE-2017-8570 .", "spans": {"THREAT_ACTOR: Patchwork": [[9, 18]], "MALWARE: RTF files": [[45, 54]], "VULNERABILITY: CVE-2017-8570": [[66, 79]]}, "info": {"id": "dnrti_test_000502", "source": "dnrti_test"}} +{"text": "The documents that exploit CVE2017-11882 download another payload — an HTML Application ( HTA ) file toting a malicious Visual Basic ( VBS ) script — from the server , which is executed accordingly by the command-line tool mshta.exe .", "spans": {"VULNERABILITY: CVE2017-11882": [[27, 40]], "TOOL: HTML Application": [[71, 87]], "MALWARE: HTA": [[90, 93]], "MALWARE: mshta.exe": [[223, 232]]}, "info": {"id": "dnrti_test_000503", "source": "dnrti_test"}} +{"text": "Kaspersky Lab 's products detect the Microsoft Office exploits used in the spear-phishing attacks , including Exploit.MSWord.CVE-2010-333 , Exploit.Win32.CVE-2012-0158 .", "spans": {"ORGANIZATION: Kaspersky Lab": [[0, 13]], "VULNERABILITY: Microsoft Office exploits": [[37, 62]], "MALWARE: Exploit.MSWord.CVE-2010-333": [[110, 137]], "MALWARE: Exploit.Win32.CVE-2012-0158": [[140, 167]]}, "info": {"id": "dnrti_test_000504", "source": "dnrti_test"}} +{"text": "The files exploit the well-known Microsoft Office vulnerability , CVE-2012-0158 , to execute malicious code in order to take control of the targeted systems .", "spans": 
{"MALWARE: files": [[4, 9]], "VULNERABILITY: Microsoft Office vulnerability": [[33, 63]], "VULNERABILITY: CVE-2012-0158": [[66, 79]]}, "info": {"id": "dnrti_test_000505", "source": "dnrti_test"}} +{"text": "CVE-2017-0143 was also used by two other exploit tools—EternalRomance and EternalSynergy—that were released as part of the Shadow Brokers leak in April 2017 .", "spans": {"VULNERABILITY: CVE-2017-0143": [[0, 13]], "MALWARE: tools—EternalRomance": [[49, 69]], "MALWARE: EternalSynergy—that": [[74, 93]]}, "info": {"id": "dnrti_test_000506", "source": "dnrti_test"}} +{"text": "this RTF exploits again the CVE-2017_1882 on eqnedt32.exe .", "spans": {"MALWARE: RTF": [[5, 8]], "VULNERABILITY: CVE-2017_1882": [[28, 41]], "MALWARE: eqnedt32.exe": [[45, 57]]}, "info": {"id": "dnrti_test_000507", "source": "dnrti_test"}} +{"text": "The analyzed RTF files share the same object dimension (objw2180\\objh300) used to track the RTF weaponizer in our previous report , however , the sample was not exploiting CVE-2017-11882 or CVE-2018-0802 .", "spans": {"MALWARE: sample": [[146, 152]], "VULNERABILITY: CVE-2017-11882": [[172, 186]], "VULNERABILITY: CVE-2018-0802": [[190, 203]]}, "info": {"id": "dnrti_test_000508", "source": "dnrti_test"}} +{"text": "After further analysis , it was discovered that the RTF files were exploiting the CVE-2018-0798 vulnerability in Microsoft’s Equation Editor (EQNEDT32) .", "spans": {"MALWARE: RTF files": [[52, 61]], "VULNERABILITY: CVE-2018-0798": [[82, 95]]}, "info": {"id": "dnrti_test_000509", "source": "dnrti_test"}} +{"text": "Anomali Researchers were able to identify multiple samples of malicious RTF documents ITW using the same exploit for CVE-2018-0798 .", "spans": {"ORGANIZATION: Anomali": [[0, 7]], "MALWARE: ITW": [[86, 89]], "VULNERABILITY: CVE-2018-0798": [[117, 130]]}, "info": {"id": "dnrti_test_000510", "source": "dnrti_test"}} +{"text": "Upon opening of the MS Word document , our embedded file exploits CVE-2017-11882 to drop a malicious 
fake Norton Security Shell Extension module , 'NavShExt.dll' , which is then injected into iexplore.exe to install the backdoor , begin collection , and activate command and control .", "spans": {"VULNERABILITY: CVE-2017-11882": [[66, 80]], "MALWARE: 'NavShExt.dll'": [[147, 161]], "MALWARE: iexplore.exe": [[192, 204]]}, "info": {"id": "dnrti_test_000511", "source": "dnrti_test"}} +{"text": "Moving through the infection process , NetWitness Endpoint detects the initial exploit CVE-2017-1182 in action as the Microsoft Equation Editor , 'EQNEDT32.exe' , scores high for potentially malicious activity .", "spans": {"VULNERABILITY: CVE-2017-1182": [[87, 100]], "MALWARE: Microsoft Equation Editor": [[118, 143]], "MALWARE: 'EQNEDT32.exe'": [[146, 160]]}, "info": {"id": "dnrti_test_000512", "source": "dnrti_test"}} +{"text": "In some of the latest samples of BalkanDoor detected in 2019 , the malware is distributed as an ACE archive , disguised as a RAR archive (i.e , not an executable file) , specially crafted to exploit the WinRAR ACE vulnerability CVE-2018-20250 .", "spans": {"MALWARE: BalkanDoor": [[33, 43]], "VULNERABILITY: CVE-2018-20250": [[228, 242]]}, "info": {"id": "dnrti_test_000513", "source": "dnrti_test"}} +{"text": "The China Chopper actor activity starts with the download and execution of two exploit files which attempt to exploit the Windows vulnerabilities CVE-2015-0062 , CVE-2015-1701 and CVE-2016-0099 to allow the attacker to modify other objects on the server .", "spans": {"MALWARE: China Chopper": [[4, 17]], "VULNERABILITY: CVE-2015-0062": [[146, 159]], "VULNERABILITY: CVE-2015-1701": [[162, 175]], "VULNERABILITY: CVE-2016-0099": [[180, 193]], "THREAT_ACTOR: attacker": [[207, 215]]}, "info": {"id": "dnrti_test_000514", "source": "dnrti_test"}} +{"text": "The following archive caught our attention for exploiting a WinRAR unacev2 module vulnerability and for having interesting content .", "spans": {"MALWARE: archive": [[14, 21]], "VULNERABILITY: 
vulnerability": [[82, 95]]}, "info": {"id": "dnrti_test_000515", "source": "dnrti_test"}} +{"text": "PLATINUM 's persistent use of spear phishing tactics ( phishing attempts aimed at specific individuals ) and access to previously undiscovered zero-day exploits have made it a highly resilient threat .", "spans": {"THREAT_ACTOR: PLATINUM": [[0, 8]], "ORGANIZATION: specific individuals": [[82, 102]], "VULNERABILITY: zero-day exploits": [[143, 160]]}, "info": {"id": "dnrti_test_000518", "source": "dnrti_test"}} +{"text": "The group 's persistent use of spear phishing tactics ( phishing attempts aimed at specific individuals ) and access to previously undiscovered zero-day exploits have made it a highly resilient threat .", "spans": {"THREAT_ACTOR: group": [[4, 9]], "ORGANIZATION: specific individuals": [[83, 103]], "VULNERABILITY: zero-day exploits": [[144, 161]]}, "info": {"id": "dnrti_test_000519", "source": "dnrti_test"}} +{"text": "We believe that the Carbanak campaign is a clear indicator of a new era in cybercrime in which criminals use APT techniques directly against the financial industry instead of through its customers .", "spans": {"VULNERABILITY: Carbanak": [[20, 28]], "THREAT_ACTOR: criminals": [[95, 104]], "ORGANIZATION: customers": [[187, 196]]}, "info": {"id": "dnrti_test_000520", "source": "dnrti_test"}} +{"text": "Carbanak has its origin in more common financial fraud including theft from consumer and corporate bank accounts in Europe and Russia , using standard banking malware , mainly Carberp .", "spans": {"VULNERABILITY: Carbanak": [[0, 8]], "ORGANIZATION: consumer": [[76, 84]], "TOOL: Carberp": [[176, 183]]}, "info": {"id": "dnrti_test_000521", "source": "dnrti_test"}} +{"text": "However , in September last year , our friends at CSIS published a blog detailing a new Carbanak variant affecting one of its customers .", "spans": {"ORGANIZATION: CSIS": [[50, 54]], "VULNERABILITY: Carbanak": [[88, 96]], "ORGANIZATION: customers": [[126, 135]]}, 
"info": {"id": "dnrti_test_000522", "source": "dnrti_test"}} +{"text": "PIVY also played a key role in the 2011 campaign known as Nitro that targeted chemical makers , government agencies , defense contractors , and human rights groups.10,11 Still active a year later , the Nitro attackers used a zero-day vulnerability in Java to deploy PIVY in 2012 .", "spans": {"TOOL: PIVY": [[0, 4], [266, 270]], "ORGANIZATION: chemical makers": [[78, 93]], "ORGANIZATION: government agencies": [[96, 115]], "ORGANIZATION: defense contractors": [[118, 137]], "THREAT_ACTOR: attackers": [[208, 217]], "VULNERABILITY: zero-day vulnerability": [[225, 247]]}, "info": {"id": "dnrti_test_000523", "source": "dnrti_test"}} +{"text": "Alternatively , it is also possible that APT41 injected malicious code into the package prior to compilation , circumventing the need to steal the code-signing certificate and compile it on their own .", "spans": {"THREAT_ACTOR: APT41": [[41, 46]]}, "info": {"id": "dnrti_test_000527", "source": "dnrti_test"}} +{"text": "In these instances , APT41 leveraged TeamViewer to transfer malware into the compromised environment , although we do not have direct evidence of APT41 compromising TeamViewer .", "spans": {"THREAT_ACTOR: APT41": [[21, 26], [146, 151]], "TOOL: TeamViewer": [[37, 47]]}, "info": {"id": "dnrti_test_000528", "source": "dnrti_test"}} +{"text": "APT41 has targeted payment services specializing in handling in-game transactions and real money transfer (RMT) purchases .", "spans": {"THREAT_ACTOR: APT41": [[0, 5]]}, "info": {"id": "dnrti_test_000529", "source": "dnrti_test"}} +{"text": "In some instances , APT41 leveraged POISONPLUG as a first-stage backdoor to deploy the HIGHNOON backdoor in the targeted environment .", "spans": {"THREAT_ACTOR: APT41": [[20, 25]], "TOOL: POISONPLUG": [[36, 46]], "TOOL: HIGHNOON": [[87, 95]]}, "info": {"id": "dnrti_test_000530", "source": "dnrti_test"}} +{"text": "In another instance , APT41 targeted a hotel’s reservation 
systems ahead of Chinese officials staying there , suggesting the group was tasked to reconnoiter the facility for security reasons .", "spans": {"THREAT_ACTOR: APT41": [[22, 27]]}, "info": {"id": "dnrti_test_000531", "source": "dnrti_test"}} +{"text": "The limited use of these tools by APT41 suggests the group reserves more advanced TTPs and malware only for high-value targets .", "spans": {"THREAT_ACTOR: APT41": [[34, 39]]}, "info": {"id": "dnrti_test_000532", "source": "dnrti_test"}} +{"text": "At the time of analysis , the subdomains did not host a website; however , based on BITTER APT group’s targeting patterns , it is highly likely that they were created to host faux login phishing pages designed to steal user’s credentials .", "spans": {"THREAT_ACTOR: BITTER APT": [[84, 94]]}, "info": {"id": "dnrti_test_000533", "source": "dnrti_test"}} +{"text": "The group behind these attacks has stolen gigabytes of confidential documents , mostly from military organizations .", "spans": {"THREAT_ACTOR: group": [[4, 9]]}, "info": {"id": "dnrti_test_000534", "source": "dnrti_test"}} +{"text": "They seem to have specialized knowledge about military operations , as they are focused on stealing specific files such as those that describe navigation routes .", "spans": {"THREAT_ACTOR: They": [[0, 4]]}, "info": {"id": "dnrti_test_000535", "source": "dnrti_test"}} +{"text": "SectorJ04 used the spear phishing email to spread malicious Excel or malicious Word files , and downloaded the MSI files from the attacker’s server when the malicious documents were run .", "spans": {"THREAT_ACTOR: SectorJ04": [[0, 9]], "THREAT_ACTOR: attacker’s": [[130, 140]]}, "info": {"id": "dnrti_test_000536", "source": "dnrti_test"}} +{"text": "Group-IB specialists have established that the aim of the attack was to deliver and launch the second stage of Silence’s Trojan , known as Silence.MainModule .", "spans": {"ORGANIZATION: Group-IB": [[0, 8]], "THREAT_ACTOR: Silence’s": [[111, 120]]}, "info": {"id": 
"dnrti_test_000537", "source": "dnrti_test"}} +{"text": "The hackers will map a company’s network and look for strategically favorable locations for placing their malware .", "spans": {"THREAT_ACTOR: hackers": [[4, 11]]}, "info": {"id": "dnrti_test_000538", "source": "dnrti_test"}} +{"text": "Typically , APT10 tends to employ a namesquatting scheme in their domains that aims to confuse the observer by posing as a legitimate domain .", "spans": {"THREAT_ACTOR: APT10": [[12, 17]]}, "info": {"id": "dnrti_test_000539", "source": "dnrti_test"}} +{"text": "If the attack had succeeded , it would have given hackers control over the ATM network , while money mules would have been standing by the ATM machines at pre-set time intervals to cash them out .", "spans": {"THREAT_ACTOR: hackers": [[50, 57]]}, "info": {"id": "dnrti_test_000540", "source": "dnrti_test"}} +{"text": "Based on the functionality of the various tools uploaded to the webshells , we believe the threat actors breach the SharePoint servers to use as a beachhead , then attempt to move laterally across the network via stolen credentials and exploiting vulnerabilities .", "spans": {"THREAT_ACTOR: threat actors": [[91, 104]]}, "info": {"id": "dnrti_test_000541", "source": "dnrti_test"}} +{"text": "The first of them is the well-known FIN7 , which specializes in attacking various companies to get access to financial data or PoS infrastructure .", "spans": {"THREAT_ACTOR: FIN7": [[36, 40]], "ORGANIZATION: various companies": [[74, 91]]}, "info": {"id": "dnrti_test_000542", "source": "dnrti_test"}} +{"text": "Alpha’s early role was fairly simple: engage with individuals , who he chose based on the goods they were selling , and then provide personal shipping addresses back to Omega .", "spans": {"THREAT_ACTOR: Alpha’s": [[0, 7]]}, "info": {"id": "dnrti_test_000543", "source": "dnrti_test"}} +{"text": "Instead of using fake Google Docs phishing pages to collect personal email login credentials , Scattered Canary began 
using phishing pages of commonly used business applications to compromise enterprise credentials .", "spans": {"THREAT_ACTOR: Scattered Canary": [[95, 111]]}, "info": {"id": "dnrti_test_000544", "source": "dnrti_test"}} +{"text": "In some samples deployed since March 2019 , Turla developers modified their PowerShell scripts in order to bypass the Antimalware Scan Interface (AMSI) .", "spans": {"THREAT_ACTOR: Turla": [[44, 49]]}, "info": {"id": "dnrti_test_000545", "source": "dnrti_test"}} +{"text": "Distinct changes to Azazel by the Winnti developers include the addition of a function named ‘Decrypt2’ , which is used to decode an embedded configuration similar to the core implant .", "spans": {"TOOL: Azazel": [[20, 26]], "THREAT_ACTOR: Winnti developers": [[34, 51]]}, "info": {"id": "dnrti_test_000546", "source": "dnrti_test"}} +{"text": "Early in Q2 , Kaspersky identified an interesting Lazarus attack targeting a mobile gaming company in South Korea that we believe was aimed at stealing application source code .", "spans": {"ORGANIZATION: Kaspersky": [[14, 23]], "THREAT_ACTOR: Lazarus": [[50, 57]]}, "info": {"id": "dnrti_test_000547", "source": "dnrti_test"}} +{"text": "During a recent campaign , APT32 leveraged social engineering emails with Microsoft ActiveMime file attachments to deliver malicious macros .", "spans": {"THREAT_ACTOR: APT32": [[27, 32]], "MALWARE: Microsoft ActiveMime file": [[74, 99]]}, "info": {"id": "dnrti_test_000555", "source": "dnrti_test"}} +{"text": "PittyTiger has also been seen using Heartbleed vulnerability in order to directly get valid credentials .", "spans": {"THREAT_ACTOR: PittyTiger": [[0, 10]], "VULNERABILITY: Heartbleed vulnerability": [[36, 60]]}, "info": {"id": "dnrti_test_000557", "source": "dnrti_test"}} +{"text": "They have also been seen using Heartbleed vulnerability in order to directly get valid credentials .", "spans": {"VULNERABILITY: Heartbleed vulnerability": [[31, 55]]}, "info": {"id": "dnrti_test_000558", 
"source": "dnrti_test"}} +{"text": "Tactic #1: Delivering the miner directly to a vulnerable serverSome tactics we've observed involve exploiting CVE-2017-10271 , leveraging PowerShell to download the miner directly onto the victim’s system (Figure 1) , and executing it using ShellExecute() .", "spans": {"VULNERABILITY: CVE-2017-10271": [[110, 124]], "TOOL: PowerShell": [[138, 148]]}, "info": {"id": "dnrti_test_000559", "source": "dnrti_test"}} +{"text": "APT28 is using novel techniques involving the EternalBlue exploit and the open source tool Responder to spread laterally through networks and likely target travelers .", "spans": {"THREAT_ACTOR: APT28": [[0, 5]], "VULNERABILITY: EternalBlue exploit": [[46, 65]], "TOOL: open source tool": [[74, 90]], "TOOL: Responder": [[91, 100]]}, "info": {"id": "dnrti_test_000560", "source": "dnrti_test"}} +{"text": "Carbanak is a remote backdoor ( initially based on Carberp ) , designed for espionage , data exfiltration and to provide remote access to infected machines .", "spans": {"VULNERABILITY: Carbanak": [[0, 8]], "TOOL: Carberp": [[51, 58]], "THREAT_ACTOR: espionage": [[76, 85]]}, "info": {"id": "dnrti_test_000561", "source": "dnrti_test"}} +{"text": "If found on the target system , Carbanak will try to exploit a known vulnerability in Windows XP , Windows Server 2003 , Windows Vista , Windows Server 2008 , Windows 7 , Windows 8 , and Windows Server 2012 , CVE-2013-3660 , for local privilege escalation .", "spans": {"VULNERABILITY: Carbanak": [[32, 40]], "VULNERABILITY: CVE-2013-3660": [[209, 222]]}, "info": {"id": "dnrti_test_000562", "source": "dnrti_test"}} +{"text": "To enable connections to the infected computer using the Remote Desktop Protocol ( RDP ) , Carbanak sets Termservice service execution mode to Auto .", "spans": {"TOOL: Remote Desktop Protocol": [[57, 80]], "TOOL: RDP": [[83, 86]], "VULNERABILITY: Carbanak": [[91, 99]]}, "info": {"id": "dnrti_test_000563", "source": "dnrti_test"}} +{"text": "Just a few 
months later , in February 2015 , we announced the discovery of Carbanak , a cyber-criminal gang that used custom malware and APT techniques to steal millions of dollars while infecting hundreds of financial institutions in at least 30 countries .", "spans": {"VULNERABILITY: Carbanak": [[75, 83]], "THREAT_ACTOR: cyber-criminal gang": [[88, 107]], "ORGANIZATION: financial institutions": [[209, 231]]}, "info": {"id": "dnrti_test_000564", "source": "dnrti_test"}} +{"text": "Dubbed ‘Operation Sheep’ , this massive data stealing campaign is the first known campaign seen in the wild to exploit the Man-in-the-Disk vulnerability revealed by Check Point Research earlier last year .", "spans": {"THREAT_ACTOR: ‘Operation Sheep’": [[7, 24]], "VULNERABILITY: Man-in-the-Disk": [[123, 138]]}, "info": {"id": "dnrti_test_000565", "source": "dnrti_test"}} +{"text": "The malware was first seen packed with VMProtect; when unpacked the sample didn’t show any similarities with previously known malware .", "spans": {"MALWARE: malware": [[4, 11]]}, "info": {"id": "dnrti_test_000596", "source": "dnrti_test"}} +{"text": "The malware starts communicating with the C&C server by sending basic information about the infected machine .", "spans": {"MALWARE: malware": [[4, 11]]}, "info": {"id": "dnrti_test_000597", "source": "dnrti_test"}} +{"text": "The malware basically provides a remote CMD/PowerShell terminal for the attackers , enabling them to execute scripts/commands and receive the results via HTTP requests .", "spans": {"MALWARE: malware": [[4, 11]], "TOOL: CMD/PowerShell": [[40, 54]], "THREAT_ACTOR: attackers": [[72, 81]]}, "info": {"id": "dnrti_test_000598", "source": "dnrti_test"}} +{"text": "After app installation , whenever SWAnalytics senses victims opening up infected applications or rebooting their phones , it silently uploads their entire contacts list to Hangzhou Shun Wang Technologies controlled servers .", "spans": {"MALWARE: SWAnalytics": [[34, 45]]}, "info": {"id": 
"dnrti_test_000599", "source": "dnrti_test"}} +{"text": "This module monitors a wide range of device activities including application installation / remove / update , phone restart and battery charge .", "spans": {"MALWARE: module": [[5, 11]]}, "info": {"id": "dnrti_test_000600", "source": "dnrti_test"}} +{"text": "It turns out that contacts data isn’t the only unusual data SWAnalytics is interested in .", "spans": {"MALWARE: SWAnalytics": [[60, 71]]}, "info": {"id": "dnrti_test_000601", "source": "dnrti_test"}} +{"text": "With default settings , SWAnalytics will scan through an Android device’s external storage , looking for directory tencent/MobileQQ/WebViewCheck” .", "spans": {"MALWARE: SWAnalytics": [[24, 35]]}, "info": {"id": "dnrti_test_000602", "source": "dnrti_test"}} +{"text": "By listing sub-folders , SWAnalytics is able to infer QQ accounts which have never been used on the device .", "spans": {"MALWARE: SWAnalytics": [[25, 36]]}, "info": {"id": "dnrti_test_000603", "source": "dnrti_test"}} +{"text": "To make this data harvesting operation flexible , SWAnalytics equips the ability to receive and process configuration files from a remote Command-and-Control .", "spans": {"MALWARE: SWAnalytics": [[50, 61]]}, "info": {"id": "dnrti_test_000604", "source": "dnrti_test"}} +{"text": "Just to highlight its capabilities , TajMahal is able to steal data from a CD burnt by a victim as well as from the printer queue .", "spans": {"MALWARE: TajMahal": [[37, 45]]}, "info": {"id": "dnrti_test_000605", "source": "dnrti_test"}} +{"text": "The newer variant of KopiLuwak is now capable of exfiltrating files to the C&C as well as downloading files and saving them to the infected machine .", "spans": {"MALWARE: KopiLuwak": [[21, 30]]}, "info": {"id": "dnrti_test_000606", "source": "dnrti_test"}} +{"text": "The tool does all that a typical Trojan needs to accomplish: upload , download and execute files , fingerprint target systems .", "spans": {"MALWARE: Trojan": [[33, 39]]}, 
"info": {"id": "dnrti_test_000607", "source": "dnrti_test"}} +{"text": "The PowerShell version of the Trojan also has the ability to get screenshots .", "spans": {"MALWARE: PowerShell": [[4, 14]]}, "info": {"id": "dnrti_test_000608", "source": "dnrti_test"}} +{"text": "Initial reports about HIGHNOON and its variants reported publicly as Winnti dating back to at least 2013 indicated the tool was exclusive to a single group , contributing to significant conflation across multiple distinct espionage operations .", "spans": {"MALWARE: HIGHNOON": [[22, 30]], "THREAT_ACTOR: Winnti": [[69, 75]]}, "info": {"id": "dnrti_test_000609", "source": "dnrti_test"}} +{"text": "BalkanRAT enables the attacker to remotely control the compromised computer via a graphical interface , i.e , manually; BalkanDoor enables them to remotely control the compromised computer via a command line , i.e , possibly en masse .", "spans": {"MALWARE: BalkanRAT": [[0, 9]], "MALWARE: BalkanDoor": [[120, 130]]}, "info": {"id": "dnrti_test_000610", "source": "dnrti_test"}} +{"text": "The backdoor can connect to any of the C&Cs from a hardcoded list – a measure to increase resilience .", "spans": {"MALWARE: backdoor": [[4, 12]]}, "info": {"id": "dnrti_test_000611", "source": "dnrti_test"}} +{"text": "China Chopper is a tool that allows attackers to remotely control the target system that needs to be running a web server application before it can be targeted by the tool .", "spans": {"MALWARE: China Chopper": [[0, 13]], "THREAT_ACTOR: attackers": [[36, 45]]}, "info": {"id": "dnrti_test_000612", "source": "dnrti_test"}} +{"text": "China Chopper contains a remote shell (Virtual Terminal) function that has a first suggested command of netstat an|find ESTABLISHED .", "spans": {"MALWARE: China Chopper": [[0, 13]]}, "info": {"id": "dnrti_test_000613", "source": "dnrti_test"}} +{"text": "The tool investigates the Local Security Authority Subsystem memory space in order to find , decrypt and display retrieved 
passwords .", "spans": {"MALWARE: tool": [[4, 8]]}, "info": {"id": "dnrti_test_000614", "source": "dnrti_test"}} +{"text": "Additional capabilities of the More_eggs malware include the download and execution of files and scripts and running commands using cmd.exe .", "spans": {"MALWARE: More_eggs malware": [[31, 48]], "MALWARE: cmd.exe": [[132, 139]]}, "info": {"id": "dnrti_test_000615", "source": "dnrti_test"}} +{"text": "Mimikatz is a post-exploitation tool that allows attackers to extract credentials from volatile memory .", "spans": {"MALWARE: Mimikatz": [[0, 8]]}, "info": {"id": "dnrti_test_000618", "source": "dnrti_test"}} +{"text": "The exploit installs Silence’s loader , designed to download backdoors and other malicious programs .", "spans": {"VULNERABILITY: exploit": [[4, 11]], "THREAT_ACTOR: Silence’s": [[21, 30]]}, "info": {"id": "dnrti_test_000619", "source": "dnrti_test"}} +{"text": "The threat actors behind the Sea Turtle campaign were successful in compromising entities by manipulating and falsifying DNS records at various levels in the domain name space .", "spans": {"THREAT_ACTOR: threat actors": [[4, 17]]}, "info": {"id": "dnrti_test_000625", "source": "dnrti_test"}} +{"text": "Some of the documents exploited CVE-2017-0199 to deliver the payload .", "spans": {"MALWARE: documents": [[12, 21]], "VULNERABILITY: CVE-2017-0199": [[32, 45]]}, "info": {"id": "dnrti_test_000627", "source": "dnrti_test"}} +{"text": "It appears that the group values hardcoded into the malware is associated with the targeted organization , as several are Saudi Arabian organizations within the telecommunications and defense industries .", "spans": {"THREAT_ACTOR: group": [[20, 25]]}, "info": {"id": "dnrti_test_000631", "source": "dnrti_test"}} +{"text": "This threat group has conducted broad targeting across a variety of industries , including financial , government , energy , chemical , and telecommunications , and has largely focused its operations within the Middle East 
.", "spans": {"THREAT_ACTOR: threat group": [[5, 17]]}, "info": {"id": "dnrti_test_000632", "source": "dnrti_test"}} +{"text": "This threat group has conducted broad targeting across a variety of industries , including financial , government , energy , chemical , and telecommunications .", "spans": {"THREAT_ACTOR: threat group": [[5, 17]]}, "info": {"id": "dnrti_test_000633", "source": "dnrti_test"}} +{"text": "Join us in a live webinar as we discuss this threat group whom we assess to be working on behalf of the Iranian Government , with a mission that would benefit nation-state geopolitical and economic needs .", "spans": {"THREAT_ACTOR: threat group": [[45, 57]], "ORGANIZATION: Iranian Government": [[104, 122]]}, "info": {"id": "dnrti_test_000634", "source": "dnrti_test"}} +{"text": "The group conducts operations primarily in the Middle East , targeting financial , government , energy , chemical , telecommunications and other industries .", "spans": {"THREAT_ACTOR: group": [[4, 9]]}, "info": {"id": "dnrti_test_000635", "source": "dnrti_test"}} +{"text": "HELIX KITTEN is likely an Iranian-based adversary group , active since at least late 2015 , targeting organizations in the aerospace , energy , financial , government , hospitality and telecommunications business verticals .", "spans": {"THREAT_ACTOR: HELIX KITTEN": [[0, 12]], "THREAT_ACTOR: group": [[50, 55]]}, "info": {"id": "dnrti_test_000636", "source": "dnrti_test"}} +{"text": "The certificates Blackfly stole were also from South Korean companies , primarily in the video game and software development industry .", "spans": {"ORGANIZATION: companies": [[60, 69]]}, "info": {"id": "dnrti_test_000637", "source": "dnrti_test"}} +{"text": "Suckfly 's attacks on government organizations that provide information technology services to other government branches is not limited to India .", "spans": {"ORGANIZATION: government organizations": [[22, 46]]}, "info": {"id": "dnrti_test_000638", "source": "dnrti_test"}} 
+{"text": "In this report we continue our research of the actor 's operations with a specific focus on a selection of custom information technology ( IT ) tools and tactics the threat actor leveraged during the early stages of the targeted attack lifecycle .", "spans": {}, "info": {"id": "dnrti_test_000639", "source": "dnrti_test"}} +{"text": "CTU researchers have evidence that the TG-3390 compromised U.S and UK organizations in the following verticals : manufacturing ( specifically aerospace ( including defense contractors ) , automotive , technology , energy , and pharmaceuticals ) , education , and legal , as well as organizations focused on international relations .", "spans": {"ORGANIZATION: CTU": [[0, 3]], "THREAT_ACTOR: TG-3390": [[39, 46]], "ORGANIZATION: defense contractors": [[164, 183]]}, "info": {"id": "dnrti_test_000640", "source": "dnrti_test"}} +{"text": "Based on analysis of the group 's SWCs , TG-3390 operations likely affect organizations in other countries and verticals .", "spans": {"TOOL: SWCs": [[34, 38]], "THREAT_ACTOR: TG-3390": [[41, 48]]}, "info": {"id": "dnrti_test_000641", "source": "dnrti_test"}} +{"text": "TG-3390 operates a broad and long-running campaign of SWCs and has compromised approximately 100 websites as of this publication .", "spans": {"THREAT_ACTOR: TG-3390": [[0, 7]]}, "info": {"id": "dnrti_test_000642", "source": "dnrti_test"}} +{"text": "CTU researchers have evidence that the threat group compromised U.S and UK organizations in the following verticals : manufacturing ( specifically aerospace ( including defense contractors ) , automotive , technology , energy , and pharmaceuticals ) , education , and legal , as well as organizations focused on international relations .", "spans": {"ORGANIZATION: CTU": [[0, 3]], "ORGANIZATION: defense contractors": [[169, 188]]}, "info": {"id": "dnrti_test_000643", "source": "dnrti_test"}} +{"text": "In 2016 , the threat actors conducted a strategic web compromise ( SWC ) on the website 
of an international industry organization that affected aerospace , academic , media , technology , government , and utilities organizations around the world .", "spans": {"TOOL: SWC": [[67, 70]], "ORGANIZATION: international industry organization": [[94, 129]], "ORGANIZATION: utilities organizations": [[205, 228]]}, "info": {"id": "dnrti_test_000645", "source": "dnrti_test"}} +{"text": "In addition , BRONZE UNION activity on multiple U.S.-based defense manufacturer networks included the threat actors seeking information associated with aerospace technologies , combat processes , and naval defense systems .", "spans": {}, "info": {"id": "dnrti_test_000646", "source": "dnrti_test"}} +{"text": "Leafminer attempts to infiltrate target networks through various means of intrusion : watering hole websites , vulnerability scans of network services on the internet , and brute-force login attempts .", "spans": {"THREAT_ACTOR: Leafminer": [[0, 9]]}, "info": {"id": "dnrti_test_000647", "source": "dnrti_test"}} +{"text": "Leafminer also utilized Process Doppelganging , a detection evasion technique first discussed at the Black Hat EU conference last year .", "spans": {"THREAT_ACTOR: Leafminer": [[0, 9]]}, "info": {"id": "dnrti_test_000648", "source": "dnrti_test"}} +{"text": "On September 15 and 19 , 2017 , Proofpoint detected and blocked spearphishing emails from this group targeting a US shipbuilding company and a US university research center with military ties .", "spans": {"ORGANIZATION: Proofpoint": [[32, 42]], "THREAT_ACTOR: group": [[95, 100]], "ORGANIZATION: shipbuilding company": [[116, 136]]}, "info": {"id": "dnrti_test_000649", "source": "dnrti_test"}} +{"text": "Between August 2 and 4 , the actor sent targeted spearphishing emails containing malicious URLs linking to documents to multiple defense contractors .", "spans": {"THREAT_ACTOR: actor": [[29, 34]], "ORGANIZATION: defense contractors": [[129, 148]]}, "info": {"id": "dnrti_test_000650", "source": 
"dnrti_test"}} +{"text": "Between August 2 and 4 , the Leviathan sent targeted spearphishing emails containing malicious URLs linking to documents to multiple defense contractors .", "spans": {"THREAT_ACTOR: Leviathan": [[29, 38]], "ORGANIZATION: defense contractors": [[133, 152]]}, "info": {"id": "dnrti_test_000651", "source": "dnrti_test"}} +{"text": "The Leviathan generally emailed Microsoft Excel documents with malicious macros to US universities with military interests , most frequently related to the Navy .", "spans": {"THREAT_ACTOR: Leviathan": [[4, 13]], "ORGANIZATION: Navy": [[156, 160]]}, "info": {"id": "dnrti_test_000652", "source": "dnrti_test"}} +{"text": "Instead , the Spring Dragon group is known to have employed spearphish exploits , strategic web compromises , and watering holes attack .", "spans": {"THREAT_ACTOR: Spring Dragon group": [[14, 33]], "VULNERABILITY: spearphish exploits": [[60, 79]]}, "info": {"id": "dnrti_test_000653", "source": "dnrti_test"}} +{"text": "On November 10 , 2015 , threat actors sent a spear-phishing email to an individual at the French Ministry of Foreign Affairs .", "spans": {"THREAT_ACTOR: threat actors": [[24, 37]], "ORGANIZATION: individual": [[72, 82]]}, "info": {"id": "dnrti_test_000654", "source": "dnrti_test"}} +{"text": "On November 10 , 2015 , Lotus Blossom sent a spear-phishing email to an individual at the French Ministry of Foreign Affairs .", "spans": {"THREAT_ACTOR: Lotus Blossom": [[24, 37]], "ORGANIZATION: individual": [[72, 82]]}, "info": {"id": "dnrti_test_000655", "source": "dnrti_test"}} +{"text": "The Magic Hound attacks did not rely on exploit code to compromise targeted systems , instead relying on Excel and Word documents containing malicious macros .", "spans": {}, "info": {"id": "dnrti_test_000656", "source": "dnrti_test"}} +{"text": "The Magic Hound campaign used Word and Excel documents containing malicious macros as a delivery method , specifically attempting to load MagicHound.Rollover .", 
"spans": {"TOOL: MagicHound.Rollover": [[138, 157]]}, "info": {"id": "dnrti_test_000657", "source": "dnrti_test"}} +{"text": "APT33 often conducts spear-phishing operations using a built-in phishing module .", "spans": {"THREAT_ACTOR: APT33": [[0, 5]]}, "info": {"id": "dnrti_test_000659", "source": "dnrti_test"}} +{"text": "In a recent attack , APT33 sent spear-phishing emails to workers in the aviation industry .", "spans": {"THREAT_ACTOR: APT33": [[21, 26]]}, "info": {"id": "dnrti_test_000660", "source": "dnrti_test"}} +{"text": "These emails included recruitment-themed lures and links to malicious HTML application ( HTA ) files .", "spans": {"TOOL: HTML application": [[70, 86]], "MALWARE: HTA": [[89, 92]]}, "info": {"id": "dnrti_test_000661", "source": "dnrti_test"}} +{"text": "APT34 often uses compromised accounts to conduct spear-phishing operations .", "spans": {"THREAT_ACTOR: APT34": [[0, 5]], "TOOL: compromised accounts": [[17, 37]]}, "info": {"id": "dnrti_test_000662", "source": "dnrti_test"}} +{"text": "APT33 leverages a mix of public and non-public tools and often conducts spear-phishing operations using a built-in phishing module from \" ALFA TEaM Shell \" , a publicly available web shell .", "spans": {"THREAT_ACTOR: APT33": [[0, 5]], "TOOL: public and non-public tools": [[25, 52]], "TOOL: ALFA TEaM Shell": [[138, 153]], "TOOL: publicly available web shell": [[160, 188]]}, "info": {"id": "dnrti_test_000663", "source": "dnrti_test"}}
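Review bot: several records in this test split are near-duplicates of each other differing only in the actor mention, which looks like an entity-substitution augmentation artifact and will inflate NER scores if the same sentences (with the generic form) also appear in the training split. Compare dnrti_test_000640 ("the TG-3390 compromised U.S and UK organizations ...") with dnrti_test_000643 ("the threat group compromised U.S and UK organizations ..."), dnrti_test_000650 ("the actor sent targeted spearphishing emails") with dnrti_test_000651 ("the Leviathan sent targeted spearphishing emails"), and dnrti_test_000654 with dnrti_test_000655; the ungrammatical "the Leviathan" confirms a mechanical substitution. Suggest deduplicating on normalised text before splitting, or at least documenting the augmentation so held-out metrics are read correctly. The labels are also inconsistent across these neighbouring records: "defense contractors" is ORGANIZATION in dnrti_test_000640 but unlabelled in dnrti_test_000650; "HTA" is MALWARE while "HTML application" in the same sentence is TOOL (dnrti_test_000661); "individual" is ORGANIZATION (dnrti_test_000654/000655); "spearphish exploits" is VULNERABILITY (dnrti_test_000653); and "Magic Hound" (dnrti_test_000656/000657) and "BRONZE UNION" (dnrti_test_000646) carry no THREAT_ACTOR span while "Leafminer", "APT33" and "Lotus Blossom" do. The id sequence also skips dnrti_test_000644 and dnrti_test_000658, so if records were filtered the filtering rule should be stated in the enrichment script or a README alongside this file.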